August 29, 2017

Azure Stack - Initial Configuration - Part 3

Now then. Probably best to come up for air and contemplate things. Nah? Okay, let's keep going. Let's get App Services up and running. This will take some time, and, depending on your mood, some beverages. We assume you've done the previous steps, like installing and registering the SQL Provider.

  1. Download a couple of files:
    This and this
  2. Complete instructions are here.
  3. From your Azure Stack connected PowerShell environment, let's run the first set of tools, the Create-AppServiceCerts.ps1 (which you got from the above downloads).
  4. Now, you're going to run the MSI file. This is a pretty complex process and the "Complete Instructions" bit above has example screenshots. Walk through the wizard with that. I didn't repeat all of those screenshots because they are pretty generic.
  5. Once you kick off the installation, it will start creating VMs - 5 of them in total. In order for the process to complete prior to the timeout value set by the installer (because we're running in Azure, not supported land), and to avoid a nasty recurring BSOD of HOST, as each VM comes online, I log into the console from Hyper-V Manager and do these things:
    A. Disable Windows Defender by adding C:(star dot star) to the exclusion list in Settings.
    B. Open up Task Manager and watch closely for each step to move through the process. There were a few instances where things would get stuck, causing me to need to reboot them, but in general, NO TOUCH. For you, it will likely be okay.
    C. Monitor CN01. When the Web Farm Controller icon lands on the desktop, you will be able to monitor the distributed installation status. There are some reboots in there so don't stress.
  6. Once the installation completes, log out of console for each of those VMs if you are still logged in and return to your PowerShell screen.
  7. Run the 'Create-IdentityApp.ps1' script. This script requires several parameters and also has you putting passwords in the clear, so I've cleaned it up a tad:
    A. Before running the script, log in to Azure also with the same PowerShell window (not just Azure Stack) - just "Login-AzureRMAccount" with an identity that is Tenant Owner. In my case, it is also an account that is an Azure Stack admin.
    B. $creds = Get-Credential (use your creds that you use to log in to Azure Stack as an admin in UPN format)
    C. .\Create-IdentityApp.ps1 -DirectoryTenantName <yoursomething> -CertificateFilePath "fully qualified path to" -CertificatePassword "the password" -TenantArmEndpoint management.local.azurestack.external -DomainName local.azurestack.external -AzureStackCredential $creds
    D. The above command outputs several things that you need: an AppID and a PS script called UpdateConfigOnController.ps1, which will need to be run as an administrator on the CN0-VM. You'll also want to grab the sso...pfx file. I copied them into that VM with Explorer networking from within the CN0-VM by connecting to the C$ on HOST. Don't run this script yet! Just move stuff over.
  8. Log in to the Azure Portal and go to AAD/App Registration and find the App that the above script created from step C. Its "Name" value will be 'App Service'. Click it. Open the Keys blade, create a new key called Functions Portal, set the Expiration Date to Never Expires, and then copy the generated key to Notepad.
  9. In the Settings blade, click Required Permissions, then click Grant Permission, then click Yes. Log out of Azure Portal (
  10. You should still be logged in via RDP to CN0-VM. Open the Web Console and then go to Settings and "Edit" the ApplicationClientSecret setting and paste in the key that you copied to Notepad in step 8 above.
  11. Now, run that script you copied up in step D:
    .\UpdateConfigOnController.ps1 -CertificateFilePath "fully qualified path to sso.appservice...pfx" -CertificatePassword "the password"
    This will do lots of stuff right quick and will then kick off a repair on several of the VMs. This is good.
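
Step 7 notes that the script has you putting passwords in the clear. The sketch below is an added example, not part of the original post or of the App Service scripts: it keeps the certificate password off the typed command line (and so out of PSReadLine history and transcripts) and checks that the PFX opens before the script runs. The PFX path is a placeholder, and it assumes -CertificatePassword accepts a plain string, as the command in step 7C shows.

```powershell
# Added example. $pfxPath is a placeholder; substitute the real fully qualified path.
$pfxPath = 'C:\path\to\your-certificate.pfx'

# Prompt once. Nothing typed here is written to PSReadLine history,
# unlike a password typed as a literal argument on the command line.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Confirm the file opens with this password before the script needs it,
# and show which certificate is about to be used.
$pfx = Get-PfxData -FilePath $pfxPath -Password $pfxPassword
$pfx.EndEntityCertificates | Format-List Subject, Thumbprint, NotAfter

# Same approach the post already uses for the Azure Stack admin account.
$creds = Get-Credential -Message 'Azure Stack admin (UPN format)'

# Assumption: the parameter takes a plain string (step 7C passes a quoted string).
# Convert only at the call site and drop the variable afterwards.
$plain = (New-Object System.Net.NetworkCredential('', $pfxPassword)).Password
try {
    .\Create-IdentityApp.ps1 -DirectoryTenantName '<yoursomething>' `
        -CertificateFilePath $pfxPath `
        -CertificatePassword $plain `
        -TenantArmEndpoint management.local.azurestack.external `
        -DomainName local.azurestack.external `
        -AzureStackCredential $creds
}
finally {
    Remove-Variable plain
}
```

The same prompt-and-convert pattern applies to the UpdateConfigOnController.ps1 call in step 11, which takes the same two certificate parameters.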

After those servers come back online, AND NOT BEFORE, you are ready to try things out! In my final post, we'll do just that. Check back soon!