URL Rewrite (redirect) of HTTP to HTTPS with Powershell script

When deploying Web Application Proxy as a frontend to for example ADFS and Windows Azure Pack, or other services, the current version of Web AppProxy only supports HTTPS urls. It’s possible to use the “URL Rewrite” module for IIS to redirect users from HTTP to HTTPS. There are plenty of guides on internet on how to do that.
But I wanted to add that configuration to my WebApplication Proxy configuration script, and couldn’t find any powershell examples, so here is the script I’ve made.

It will use Web Platform installer to install the URL Rewrite module, then add the IIS Web Management tools, and in the end create a Global Rule redirecting all HTTP requests to HTTPS without the user noticing it.

 

 

Automatically Assign Availability Set Names to VMs with Powershell

This blog-post is about using System Center Virtual Machine Manager (SCVMM) Availability Sets to spread similar VM’s to different Hyper-V Hosts to increase reliability both when using Failover Clustering, and when using stand-alone Hyper-V hosts.

First of all, what is Availability Sets?
In SCVMM 2012 SP1, Microsoft added Availability Sets. Failover Cluster Manager users are probably familiar with AntiAffinityClassNames, and Availability Sets are a very similar concept. This allow the user to specify a set of VMs which they would prefer to keep on separate hosts, and the Intelligent Placement engine works hard to make sure that all our features respect that preference.

Attempting to place multiple VMs with the same Availability Set onto a single host will generate a placement warning, meaning that the host will be prioritized last in the placement dialog

  • When placing a VM with an Availability Set into a cloud placement or as part of a service will avoid hosts with another VM from the same Availability Set, and warn the user if that was the only choice.
  • Dynamic Optimization will never move 2 VMs from the same Availability Set onto the same host. It will also actively attempt to separate any VMs with the same Availability Set that are on the same host.
  • Power Optimization will never power off a host that would lead to 2 VMs with the same Availability Set sharing a host.
  • Putting a host in maintenance mode will attempt to spread VMs with the same availability set to different target hosts.
  • If your VMs are highly available and hosted on a Hyper-V failover cluster, VMM will create AntiAffinityClassNames on the VMs with an Availability Set, so that even during cluster failover, SCVMM opt to failover to different hosts, if possible.

You can manually create ASCVMM2vailability Sets through SCVMM by selecting Properties on a VM.
Just click Create to make a new Name and assign it to the VM’s you want to keep on separate Hosts. When a Availability Set is not assigned to a VM any longer, the Availability Set will be deleted automatically, thus cleaning up the list for you.

For example, for your SQL Server Cluster, you may want to create a Availability Set name called SQL and assign it to your SQL Server Nodes. Easy!
Also, if you are using Service Templates, you can opt in to automatically create Availability Set names for your services.

Though I like to control things like SCVMM1that automatically. Depending on your naming convention for your Virtual Servers, this might or might not be possible for you.
In our case we have a strict naming policy to name servers with:
PREFIX FUNCTION NUMBER as seen in this picture:

Which makes it very easy for me to define that all servers called CLAZSQ* are similar and should be kept on different servers.

But, if all servers were called SRV0001-SRV9999 it would not be possible to utilize the ServerName for setting Availability Set names, and you would have to query the CMDB for info first.

Also, in our environment we have multiple Tenants, who could each have servers called DomainController01 and DomainController02. So just having a availability set called DomainController, would not be enough. I have to make it DomainController_TenantName or something similar.

I wrote this quick and short Powershell script to automatically assign a Availability Set to all VM’s. It will remove Numbers from the VM Name, and use the VMName + UserID (Tenant Subscription id) as the Availability Set Name. Clean, simple and easy, just schedule it to run regularly, or even make a SMA Job to trigger when a VM is created through AzurePack.

And then trigger an Host Cluster Optimization of all Clusters in the Environment if you don’t want to wait for the normal one.

 

 

Set or change Owner on a VMM for SCVMM and Azure Pack

Here is a updated script for modifying the owner of a VM, and/or to make it show up in Azure Pack. For a VM that’s been created in VMM to show up in AzurePack, it has to be assigned to a (not part of these scripts) Cloud and a subscription has to be added as owner to the VM (this is done by the scripts below).

Here is the original post: http://www.isolation.se/script-for-importing-existing-vms-into-azure-pack/

And here are the updated scripts:

The script will ask you for a Cloud and list the subscriptions you can choose from, and then ask which VM to set the Owner on.

The difference here is that it will also set the VMM Administrators as an Owner so you can do maintenance tasks on the VM from VMM without modifying ownership back and forth.

And then a second script that will just set the same Owner on all VMs in a cloud. It’s nice when you have a lot of existing VM’s in an environment and would like to assign them to one specific user/subscription in one go.

Both of the script are written to be executed on the VMM Server, though you can probably change the $ENV:COMPUTERNAME to point to your VMM Server and then execute the script remotely.

 

Unable to Connect to VMM in AzurePack after UR install

After upgrading to Update Release 6 (UR6) we got the same issue as seen in earlier UR’s. It’s not possible to connect to VMM in AzurePack so you can’t see your Virtual Machines, Clouds or Networks.

It turned out that when UR6 gets applied to SPF, the bindings are once again messed up. To fix this, just logon to the server hosting SPF and in IIS check the bindings as seen here;

SPF1

The SPF Website is not running and you can see two Bindings.
In my case, one has a certificate and the other doesn’t. So I just remove the binding without a certificate. Then start the Website and everything is working as expected again.

In earlier UR’s I’ve also seen how there is no bindings at all listed here. So you may have to create some binding then.

 

The request size exceeded the configured MaxEnvelopeSize quota

Today when I was updating our AzurePack WebSites Servers, I got an error which prevented the upgrade of most of the WebSite Roles like these;
Management Servers, Publishing Servers, Front End Servers and all the Web Workers. Yes, everyone except the Web Sites Controller.
Resulting in some unexpected downtime.  Luckily, all that was affected was this blogsite.

The error message I got was;
The WinRM client sent a request to the remote WS-Management service and was notified that the request size exceeded the configured MaxEnvelopeSize quota.
And I could also see that the files being copied to c:\windows\temp (WebFarmAgent.msi) were broken.

I also had an error “Failed to copy role artifacts to agent” in the logfile seen on Windows Azure Pack Websites Controller.

First of all, I ran this command in an Elevated Command prompt on the server hosting the Controller Role;
C:\Windows\system32>winrm g winrm/config

winrm1

And then the same command on one of the failing servers;
C:\Windows\system32>winrm g winrm/config

winrm2

Notice the difference in MaxEnvelopeSizekb between the servers. One of the other servers had MaxEnvelopeSizeKB set to 700.

I don’t know why it’s different between the servers or what has suddenly changed it, my guess it’s some Windows Update patch. Though it’s the same patches being installed on all the servers, and I’ve seen three different values. Wicked.
So by using the same value on all the servers I got the setup to work. And as you can see, this blog site is now also running. YAY!

I chose to set the value to the same as on the Controller Server which is the one trying to run the commands and copy the files to the other servers.
winrm set winrm/config @{MaxEnvelopeSizekb=”8192″}
It will now take 5-60 minutes for all update and repair jobs to complete.

I couldn’t find any Group Policy object to use to set that value as a default value on all AzurePack WebSites servers. So I’ve got to come up with another longterm solution. Maybe doing it with Desire State Configuration (DSC) or via Configuration Manager?

Azure Pack: Add a new user to a plan automatically

Update: It looks like SMA is not executing the script when a new Tenant is created, but rather when a subscription is added to the user.
Trying to get it confirmed from Microsoft if that is a bug that’s been introduced in one of the latest updates. See comments for more details.

Problem: When a new employee for TrueSec (our company) is logging into Azure Pack he has to be added to the “Tenants – TrueSec Employees” plan manually.

Solution: One way is to add a “signup code” to the plan and tell new employees to manually join the plan with that specific code. It could work, but does not feel like the most optimal solution.

The desired way would be if all new employees could be added to that plan automatically. Is that possible?
– Of course it is, with the help of SMA! Let me show one way to do this.

Pre-Requisits: Connection Asset, SMA Runbook, Link Runbook to a tasma_asset1sk.

In my case, I’m using the MgmtSvcAdmin asset which looks like this. But you can also create other types of Connections with working credentials. Just notice that you have to enter the name of the Admin Site server in the Asset, as the script will use that info. And the useraccount specified obviously need access to use the Admin site (to modify the subscriptions).

Add a new Runbook with the script below. In my case, I’m using ADFS to connect to the Admin site, so the script has to generate a ADFS token first.
if you are not using ADFS, you will have to modify the script to use a normal Windows authentication. It’s the most common way to authenticate, so there shouldn’t be any problems finding example code for.

Though, please note that the script is currently matching the new users e-mail address to (in our case) @truesec.com or @truesec.se. If you don’t use ADFS, it’s possible for a user to type any name they want during registration and then possibly get added to a plan they should not have access too.

And finally, add a new Automation Task, you do that under Clouds -> Automation.
Object: SPF Tenant
Action: Create
Runbook: New-Tenant

The script:

I hope this helps you automating things in your environment. If you can think of any other great usages for SMA or have need for automating something. Please make a comment, maybe I’ll be able to assist.

Azure Pack: SMA Script to set a Static MAC Address for New Virtual NICs

When a user is using AzurePack to add additional Virtual Network Adapters to a Virtual Machine, they end up with a Dynamic MAC Address. This is regardless of what the settings are in the VM Template that were used to create the VM. The NIC(s) created at deployment of the VM, will honor the setting in the Template. It’s just when additional NICs are added this happens.

vmnic1

We have had some issues with VM’s using Dynamic MAC Addresses, where they got a new MAC Address after migrating to another host, resulting in Linux machines being unhappy and som other servers getting new DHCP Addresses.

I figured that this could be an excellent task to get more familiar with SMA and use that cool feature of Azure Pack. So I made a script which will execute when a new Network Adapter is added to a VM through AzurePack, and will set the MAC Address to a Static entry and let SCVMM pick one from the pool.

You will need to create a new Runbook called New-NetworkAdapter with tag SPF, and paste the above code into that runbook.

sma1And also add a SMA Connection Asset, with credentials for connecting to SCVMM.
Name the connection VmmConnection. The script will look for a connection object called VmmConnection, use that Username + Password to connect to the SCVMM Server specified in the same connection object.
vmm1

And finally, create an Automated Task of this information. sma2

Please let me know if you find this useful, if you have any issues or suggestions on how to improve my script.

Azure Pack: Failed to load virtual machine templates for subscription …

Problem: When a user login to Azure Pack, they sometimes get the error message: “Failed to load virtual machine templates for subscription <subscription ID>”.
And if the user tries to deploy a a Virtual Machine, there is no templates to choose from.

Cause: I’m not sure what the real cause is, but it seems to be a bug where Azure Pack forgets that information. The template information is there, it’s just Azure Pack that does not read it.

Workaround: Until this is solved by Microsoft in a hotfix or next updated you will have to handle this by yourself.
You can as an Administrator touch the Plans so they are re-synced and it will immediately start working again. Or you can schedule a powershell script to run regularly, touching the plans.

Here is the powershell command I’ve setup for our environment.

First of all, notice that it’s using a file for the password, to make this automatic.
Use this command once to creat the password.txt file

And it’s using the Get-AdfsToken function to get the a ADFS Token from our ADFS Server (more info: Get-AdfsToken Function), but you can modify the above script to use a normal Windows Token too if you rather want to use the Windows Authentication site than ADFS. Then use this command (replace line 17 in the script above with this line):

 

Get-MgmtSvcToken to get a ADFS Token is broken

Last week, I spent hours trying to get Get-MgmtSvcToken to get a Admin Token from our ADFS server without succeeding.

Get-MgmtSvcToken

Creates an identity token.
Syntax

I tried every possible combination with both “-type WindowsADFS” and “-type ADFS” in combination with various URL’s that should have worked, but didn’t.

With the help of @vNiklas and @_marcvaneijk on Twitter, I was pointed to TechNet where there is a documented bug/error/problem with the Get-mgmtSvcToken command.
By writing this blog, I hope someone will find it through a search and save themselves some time as that TechNet article never showed up when I was searching.

Technet Article: Why can’t I get a token with the Get-MgmtSvcToken cmdlet?

And the solution is to use your own function instead like this;