Creating users in Windows Azure Pack
Introduction
In this blog post, I will give you an overview on how to create users in WAP and have them sign in. As you might already know, the Authentication and Authorization processes are separated into their own entities making the stack flexible enough to plug in your own custom Authentication system (eg. AD FS).
In an Express installation, the authentication is performed at the Admin and Tenant Authentication Sites (where the users enter their credentials) and the authorization is performed at the Service Management API layer. Hence, information about a user needs to be added at both these locations for users to be able to both sign in and get access to their subscriptions.
This blog will give you information on how to create a user in the Tenant Authentication Site and in the Service Management API layer.
Note: If you have other Identity Providers plugged into your system, you should create users appropriately in that system apart from creating the user in the Service Management API layer. The section on creating users in the Tenant Authentication site will not apply to you.
You can download the sample at https://go.microsoft.com/fwlink/?LinkId=324039 . The ‘UserSignUp’ projectis what we will be discussing in this post.
Creating users in the Authentication system
As mentioned in the note above, if you have a custom Identity Provider plugged into your WAP stack, you should follow the appropriate steps to add the user into that identity system. This section is applicable only if you use the out-of-the-box Tenant Authentication Site.
The Tenant Authentication Site uses an out-of-the-box ASP.NET Membership Provider to provide identities. Therefore, you can use the standard ASP.NET Membership APIs to create users in the database. You can find more info on Membership Provider here: https://msdn.microsoft.com/en-us/library/system.web.security.membershipprovider.aspx
The information required by the ASP.NET Membership API is specified in the App.Config. This includes specifying the Connection String to the Membership Database and some information that describes the configuration of the ASP.Net Membership Provider. Replace the Connection String in the code below to point to your database and use the appropriate authentication method.
1: <connectionStrings>
2: <!-- Modify the connection string to point to the Windows Azure Pack Membership Database -->
3: <add name="WapMembershipDatabase" connectionString="Data Source=DatabaseName;User Id=sa; Password=password; Initial Catalog=Microsoft.MgmtSvc.PortalConfigStore;" />
4: </connectionStrings>
5: <system.web>
6: <membership defaultProvider="SqlProvider" hashAlgorithmType="HMACSHA256">
7: <providers>
8: <clear />
9: <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
10: enablePasswordRetrieval="false"
11: enablePasswordReset="true"
12: requiresQuestionAndAnswer="false"
13: requiresUniqueEmail="false"
14: maxInvalidPasswordAttempts="5"
15: minRequiredPasswordLength="8"
16: minRequiredNonalphanumericCharacters="0"
17: passwordAttemptWindow="30"
18: applicationName="/"
19: passwordCompatMode="Framework40"
20: connectionStringName="WapMembershipDatabase"
21: passwordFormat="Hashed" />
22: </providers>
23: </membership>
Note: If you have been using the Preview version of the Windows Azure Pack, you have to update your user creation logic to use SHA-256 encryption for your password hashes (specified by the ‘hashAlgorithmType’ value in the App.Config.
Once this is done you have to call the CreateUser() method to create the user in the Membership Database. Note that I am specifying the email address as the username as expected by the ASP.Net Membership Provider.
1: Membership.CreateUser(emailAddress, password, emailAddress);
Creating users in the Service Management API
This is the second step that enables authorization of the user. Windows Azure Pack provides you with PowerShell cmdlets that facilitate user creation in the API layer. That apart, you can also use the Admin APIClient interfaces that are available as a part of the Sample code found at https://www.microsoft.com/en-us/download/details.aspx?id=41146
Both the methods involve getting an Identity token for the Administrator, and posting a create user call to the Service Management API layer.
PowerShell
You can use the Get-MgmtSvcToken token to get the token from the Windows Authentication Site. If you are using other identity Providers, you must obtain the token appropriately.
1: $token = Get-MgmtSvcToken -Type 'Windows' -AuthenticationSite 'https://myenvironment:30072' -ClientRealm 'https://azureservices/AdminSite'
Once you have the identity token, you can use the Add-MgmtSvcUser cmdlet to create a Tenant user.
1: Add-MgmtSvcUser -AdminUri 'https://myenvironment:30004' -Token $token -Name 'user@address.com' -email 'user@address.com' -State 'Active'
Note: If you are using this snippet in a test environment with self-signed certificates, don’t forget to use the – DisableCertificateValidation parameter. you shouldn’t need this in production environments that have certificates from a trusted CA
C#
The Admin API Client Sample provides you with an easy interface to perform all the Admin actions for the Windows Azure Pack. As mentioned above, you can download the API Client from the Windows Azure Pack: Service Management API Samples page. The following example will use a method found as a part of the API Client solution. Apart from using the API Client, you can also make a raw Http call directly to the API layer using the reference at How to Create a Windows Azure Pack Tenant User.
Use the App.Config file to specify the application settings (Alternatively, you can specify these within the main method).
1: <appSettings>
2: <add key="windowsAuthEndpoint" value="https://myenvironment:30072" />
3: <add key="adminDomainName" value="domain" />
4: <add key="adminUsername" value="administrator" />
5: <add key="adminPassword" value="password" />
6: <add key="adminApiEndpoint" value="https://myenvironment:30004" />
7: </appSettings>
Read the values from the App.Config and use the snippet below to create a user in the API layer.
Note: The TokenIssuer.GetWindowsAuthToken() method is present in the API Clients solution that can be downloaded from the Windows Azure Pack: Service Management API Samples page.
1: string windowsAuthEndpoint = ConfigurationManager.AppSettings["windowsAuthEndpoint"];
2: string adminDomainName = ConfigurationManager.AppSettings["adminDomainName"];
3: string adminUsername = ConfigurationManager.AppSettings["adminUsername"];
4: string adminPassword = ConfigurationManager.AppSettings["adminPassword"];
5: string adminApiEndpoint = ConfigurationManager.AppSettings["adminApiEndpoint"];
6: string username;
7: string password;
8: var token = TokenIssuer.GetWindowsAuthToken(windowsAuthEndpoint, adminDomainName, adminUsername, adminPassword);
9: using (var myAdminClient = new AdminManagementClient(new Uri(adminApiEndpoint), token))
10: {
11: var userInfo = new User()
12: {
13: Name = emailAddress,
14: Email = emailAddress,
15: State = UserState.Active,
16: };
17: return myAdminClient.CreateUserAsync(userInfo).Result;
18: }
In Summary, Creation of users in WAP involves two steps:
- Creating users in the Authentication system – requires username, password and other information required to identify the user
- Creating users in the Service Management API layer – requires the username that will be provided by the Authentication system
Comments
- Anonymous
May 19, 2014
Thanks Shriram,
We really appreciate such posts.
I’m not familiar with programing API (Playing with ASP.NET and similar). The article was clear, I have to modify the connection string (on the membership section) to point on my database then call the CreateUser() method. I’m confused since I don’t know how to proceed. My questions are the following:
- Where do I change the connection string ? It says in the app.config file (maybe web.config for the ASP.NET): Where can I find this file. I found different links talking about but I cannot figure out a clear one.
- My aim is to create a system center orchestrator runbook that, based on input (Name, Email, Password), create a user. The second step is easy since it uses powershell. But the first one is not clear for me. Do i need to use the Run .NET Script activity, which include running scripts using C#.
Infinite thanks - Anonymous
May 25, 2014
原文地址: http://blogs.technet.com/b/privatecloud/archive/2014/02/03/creating-users-in-windows-azure-pack - Anonymous
July 08, 2014
I can create a tenant account using PowerShell, but I can't see how to set the password of that login. The tenant can't log in. What's the point if I have to go log into the GUI to set the password? - Anonymous
September 24, 2014
The comment has been removed