Set Custom URLs for WAP Admin and Tenant Sites

Hello again folks, I just recently put up a guide on deploying WAP and SPF and thought this little addition would be useful.

The first thing I wanted to do when I spun up my first WAP server was to have the admin and tenant sites respond over port 443 and change the URLs to something more friendly. I was very happy to find out that this is something that can be done without “too” much effort

The first thing you’ll want to do is decide on the URLs for each of the sites listed in the table below. Once that decision has been made, you’ll want to add them into DNS, for the purposes of this guide I’m doing this all internally but the theory is the same for making these sites available to the internet.

Create your new records in DNS, one for each of the sites in the table below (I’ve included the URLs I’ll be using as an example):

SiteSite Name in IISNew URLNew PortDefault Port
Tenant PortalMgmtSvc-TenantSiteDFLabPortal.domain.com44330081
Tenant Portal AuthMgmtSvc-AuthSiteDFLabPortalAuth.domain.com44330071
Admin PortalMgmtSvc-AdminSiteDFLabAdminPortal.domain.com44330091
Admin Portal AuthMgmtSvc-WindowsAuthSiteDFLabAdminPortalAuth.domain.com44330072

Obtain an SSL certificate that contains the SANs for the URLs you’ve configured in DNS. In my testing, I created two certificates from my CA, one that contained the Common Name for both Tenant sites and another that contained the Common Name for both Admin sites. For production use, this should be a certificate trusted by both you and your tenants.

Import SSL Certificate into IIS

Armed with a .PFX of your certificate, we’ll want to import it into IIS on your WAP server.

Log onto your WAP server and launch IIS (Start menu, inetmgr)
Highlight your server on the left and double-click “Server Certificates” in the main window


Click “Import” on the right hand pane.
Browse to your .PFX, enter it’s password and click “OK”


Modify WAP Site Bindings Within IIS

With the SSL certificate imported, we now need to modify the bindings for the 4 sites I listed earlier. As we’re looking to target port 443 for all 4 sites, we’ll have to make use of “Server Name Identification”, we’ll also be changing the SSL certificate each site uses.

Still within IIS on WAP, click on “Sites”, right-click on “MgmtSvc-TenantSite” and select “Bindings”

  • Highlight the binding and select “Edit”
  • Change the port from 30081 to 443
  • Enter the hostname you configured in DNS for the tenant site
  • Place a tick in “Require Server Name Identification”
  • Click “Select”, choose the SSL certificate you just imported to IIS.
  • Click “OK” and “Close”

Repeat the above process for the following sites (refer to the table at the top guide if you’re not sure which site serves which purpose):

  • MgmtSvc-AuthSite
  • MgmtSvc-AdminSite
  • MgmtSvc-WindowsAuthSite

OK, that’s us finished within IIS…ON TO THE POWERSHELLS!

Change URLs and Ports in WAP Database

So, we’ve made the necessary changes in IIS but we also need to reflect these changes within the WAP database itself.

From your WAP server, launch the “Windows Azure Pack Administrator PowerShell” console.

Run the following commands to change all necessary URLs in the WAP database, the script will prompt for some information when run.

$TenantSite = Read-Host "Please enter the new FQDN of your Tenant Site (What you set in DNS)"
$TenantAuthSite = Read-Host "Please enter the new FQDN of your Tenant Auth Site (What you set in DNS)"
$AdminSite = Read-Host "Please enter the new FQDN of your Admin Site (What you set in DNS)"
$AdminAuthSite = Read-Host "Please enter the new FQDN of your Admin Auth Site (What you set in DNS)"
$SQLServer = Read-Host "Please enter the FQDN of the SQL server that holds your WAP databases"
$SQL_SA_Password  = Read-Host "Please enter the password for your SQL server SA account"

# Create SQL connecting string based off user inserted values
$ConnectionString = [string]::Format('Data Source={0};Initial Catalog=Microsoft.MgmtSvc.Store;User ID=sa;Password={1}', $SQLServer, $SQL_SA_Password)

# Modify FQDNs for Tenant and Tenant Auth Sites
Set-MgmtSvcFqdn -Namespace "TenantSite" -FullyQualifiedDomainName $TenantSite -Port 443 -Server $SQLServer
Set-MgmtSvcFqdn -Namespace "AuthSite" -FullyQualifiedDomainName $TenantAuthSite -Port 443 -Server $SQLServer
Set-MgmtSvcRelyingPartySettings –Target Tenant –MetadataEndpoint "https://$TenantAuthSite`:443/FederationMetadata/2007-06/FederationMetadata.xml" -ConnectionString $ConnectionString
Set-MgmtSvcIdentityProviderSettings –Target Membership –MetadataEndpoint "https://$TenantSite`:443/FederationMetadata/2007-06/FederationMetadata.xml" -ConnectionString $ConnectionString

# Modify FQDNs for Admin and Admin Auth Sites
Set-MgmtSvcFqdn -Namespace "AdminSite" -FullyQualifiedDomainName $AdminSite -Port 443 -Server $SQLServer
Set-MgmtSvcFqdn -Namespace "WindowsAuthSite" -FullyQualifiedDomainName $AdminAuthSite -Port 443 -Server $SQLServer
Set-MgmtSvcRelyingPartySettings -Target Admin -MetadataEndpoint "https://$AdminAuthSite`:443/FederationMetadata/2007-06/FederationMetadata.xml" -ConnectionString $ConnectionString
Set-MgmtSvcIdentityProviderSettings -Target Windows -MetadataEndpoint "https://$AdminSite`:443/FederationMetadata/2007-06/FederationMetadata.xml" -ConnectionString $ConnectionString

Now type “iisreset” to restart IIS.

Now, open a browse and target your tenant or admin sites and you’ll notice that not only do they work but you no longer receive any SSL warnings or errors


Good job, coffee time. See you in the next guide


Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.