Prerequisites for deploying App Service on Azure Stack

Applies to: Azure Stack integrated systems and Azure Stack Development Kit

Before you deploy Azure App Service on Azure Stack, you must complete the prerequisite steps in this article.

Important

Apply the 1904 update to your Azure Stack integrated system or deploy the latest Azure Stack Development Kit (ASDK) before you deploy Azure App Service 1.6.

Download the installer and helper scripts

  1. Download the App Service on Azure Stack deployment helper scripts.

  2. Download the App Service on Azure Stack installer.

  3. Extract the files from the helper scripts .zip file. The following files and folders are extracted:

    • Common.ps1
    • Create-AADIdentityApp.ps1
    • Create-ADFSIdentityApp.ps1
    • Create-AppServiceCerts.ps1
    • Get-AzureStackRootCert.ps1
    • Remove-AppService.ps1
    • Modules folder
      • GraphAPI.psm1

Download items from the Azure Marketplace

Azure App Service on Azure Stack requires items to be downloaded from the Azure Marketplace, making them available in the Azure Stack Marketplace. These items must be downloaded before you start the deployment or upgrade of Azure App Service on Azure Stack:

  1. The latest version of the Windows Server 2016 Datacenter virtual machine image.
  2. Custom Script Extension v1.9.1 or greater. This is a virtual machine extension.

Get certificates

Azure Resource Manager root certificate for Azure Stack

Open an elevated PowerShell session on a computer that can reach the privileged endpoint on the Azure Stack integrated system or ASDK host.

Run the Get-AzureStackRootCert.ps1 script from the folder where you extracted the helper scripts. The script creates, in the same folder as the script, the root certificate that App Service needs for creating certificates.

When you run the following PowerShell command, you have to provide the privileged endpoint and the credentials for AzureStack\CloudAdmin.

    Get-AzureStackRootCert.ps1

Get-AzureStackRootCert.ps1 script parameters

Parameter | Required or optional | Default value | Description
PrivilegedEndpoint | Required | AzS-ERCS01 | Privileged endpoint
CloudAdminCredential | Required | AzureStack\CloudAdmin | Domain account credential for Azure Stack cloud admins

Certificates required for ASDK deployment of Azure App Service

The Create-AppServiceCerts.ps1 script works with the Azure Stack certificate authority to create the four certificates that App Service needs.

File name | Use
.appservice.local.azurestack.external.pfx | App Service default SSL certificate
api.appservice.local.azurestack.external.pfx | App Service API SSL certificate
ftp.appservice.local.azurestack.external.pfx | App Service publisher SSL certificate
sso.appservice.local.azurestack.external.pfx | App Service identity application certificate

To create the certificates, follow these steps:

  1. Sign in to the ASDK host using the AzureStack\AzureStackAdmin account.
  2. Open an elevated PowerShell session.
  3. Run the Create-AppServiceCerts.ps1 script from the folder where you extracted the helper scripts. This script creates, in the same folder as the script, the four certificates that App Service needs.
  4. Enter a password to secure the .pfx files, and make a note of it. You have to enter it in the App Service on Azure Stack installer.

Create-AppServiceCerts.ps1 script parameters

Parameter | Required or optional | Default value | Description
pfxPassword | Required | Null | Password that helps protect the certificate private key
DomainName | Required | local.azurestack.external | Azure Stack region and domain suffix

Certificates required for Azure Stack production deployment of Azure App Service

To run the resource provider in production, you must provide the following certificates:

  • Default domain certificate
  • API certificate
  • Publishing certificate
  • Identity certificate

Default domain certificate

The default domain certificate is placed on the front-end role. User apps for wildcard or default domain requests to Azure App Service use this certificate. The certificate is also used for source control operations (Kudu).

The certificate must be in .pfx format and should be a three-subject wildcard certificate. This requirement allows one certificate to cover both the default domain and the SCM endpoint for source control operations.

Format | Example
*.appservice.<region>.<DomainName>.<extension> | *.appservice.redmond.azurestack.external
*.scm.appservice.<region>.<DomainName>.<extension> | *.scm.appservice.redmond.azurestack.external
*.sso.appservice.<region>.<DomainName>.<extension> | *.sso.appservice.redmond.azurestack.external

API certificate

The API certificate is placed on the Management role. The resource provider uses it to help secure API calls. The API certificate must contain a subject that matches the API DNS entry.

Format | Example
api.appservice.<region>.<DomainName>.<extension> | api.appservice.redmond.azurestack.external

Publishing certificate

The certificate for the Publisher role secures the FTPS traffic for app owners when they upload content. The certificate for publishing must contain a subject that matches the FTPS DNS entry.

Format | Example
ftp.appservice.<region>.<DomainName>.<extension> | ftp.appservice.redmond.azurestack.external

Identity certificate

The certificate for the identity app enables:

  • Integration between the Azure Active Directory (Azure AD) or Active Directory Federation Services (AD FS) directory, Azure Stack, and App Service to support integration with the compute resource provider.
  • Single sign-on scenarios for advanced developer tools within Azure App Service on Azure Stack.

The certificate for identity must contain a subject that matches the following format.

Format | Example
sso.appservice.<region>.<DomainName>.<extension> | sso.appservice.redmond.azurestack.external

Validate certificates

Before deploying the App Service resource provider, you should validate the certificates to be used by using the Azure Stack Readiness Checker tool available from the PowerShell Gallery. The Azure Stack Readiness Checker tool validates that the generated PKI certificates are suitable for App Service deployment.

As a best practice, when working with any of the necessary Azure Stack PKI certificates, you should plan enough time to test and reissue certificates if necessary.
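A quick pre-check you can run before the Readiness Checker, as an added example that is not code from this article or from the App Service helper scripts: it loads each .pfx and confirms it carries the subject names the tables above require, has a private key, and is not close to expiry. The folder, region, domain suffix and file names (the ASDK helper-script naming) are assumptions; adjust them to your environment.

```powershell
# Added example, not code from the Microsoft docs page or the App Service helper scripts.
# Loads each App Service .pfx and checks that it carries the subject names the tables above
# require, has a private key, and is not about to expire. Folder, region, domain suffix and
# file names (the ASDK helper-script naming) are assumptions; adjust them to your environment.
function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Collect the subject CN plus every DNS name in the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) returns text such as "DNS Name=*.appservice.redmond.azurestack.external, DNS Name=..."
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    return @($names | Select-Object -Unique)
}

function Test-AppServiceCertNames {
    param(
        [string]$CertFolder,
        [string]$Region,
        [string]$DomainName,
        [securestring]$PfxPassword
    )
    $suffix = "appservice.$Region.$DomainName"
    # File name -> subject names required by this article; the default-domain certificate
    # must cover all three wildcard names (default domain, SCM endpoint, SSO).
    $expected = [ordered]@{
        ".$suffix.pfx"    = @("*.$suffix", "*.scm.$suffix", "*.sso.$suffix")
        "api.$suffix.pfx" = @("api.$suffix")
        "ftp.$suffix.pfx" = @("ftp.$suffix")
        "sso.$suffix.pfx" = @("sso.$suffix")
    }
    foreach ($file in $expected.Keys) {
        $path = Join-Path $CertFolder $file
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ File = $file; Ok = $false; Problems = 'file not found' }
            continue
        }
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $path, $PfxPassword, $flags
        $names = Get-CertDnsNames -Cert $cert
        $problems = @()
        $missing = @($expected[$file] | Where-Object { $names -notcontains $_ })
        if ($missing.Count -gt 0) { $problems += "missing subject name(s): $($missing -join ', ')" }
        if (-not $cert.HasPrivateKey) { $problems += 'PFX contains no private key' }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($cert.NotAfter.ToString('u'))" }
        [pscustomobject]@{ File = $file; Ok = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
    }
}

# Example run with assumed values; prompts for the .pfx password chosen when the files were created.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Test-AppServiceCertNames -CertFolder 'C:\AppServiceCerts' -Region 'redmond' `
    -DomainName 'azurestack.external' -PfxPassword $pfxPassword | Format-Table -AutoSize
```

Any row with Ok = False needs a reissued certificate before you continue; this check does not replace the chain and key-usage validation the Readiness Checker performs.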

Virtual network

Note

Precreating a custom virtual network is optional, because Azure App Service on Azure Stack can create the required virtual network; it will then, however, need to communicate with SQL Server and the file server via public IP addresses.

Azure App Service on Azure Stack lets you deploy the resource provider to an existing virtual network or create a virtual network as part of the deployment. Using an existing virtual network enables the use of internal IPs to connect to the file server and SQL Server required by Azure App Service on Azure Stack. The virtual network must be configured with the following address range and subnets before installing Azure App Service on Azure Stack:

Virtual network - /16

Subnets

  • ControllersSubnet /24
  • ManagementServersSubnet /24
  • FrontEndsSubnet /24
  • PublishersSubnet /24
  • WorkersSubnet /21

Licensing concerns for required file server and SQL Server

Azure App Service on Azure Stack requires a file server and SQL Server to operate. You're free to use pre-existing resources located outside of your Azure Stack deployment or to deploy resources within your Azure Stack Default Provider Subscription.

If you choose to deploy the resources within your Azure Stack Default Provider Subscription, the licenses for those resources (Windows Server licenses and SQL Server licenses) are included in the cost of Azure App Service on Azure Stack, subject to the following constraints:

  • The infrastructure is deployed into the Default Provider Subscription.
  • The infrastructure is used exclusively by the Azure App Service on Azure Stack resource provider. No other workloads, administrative (other resource providers, for example SQL-RP) or tenant (for example tenant apps that require a database), are permitted to make use of this infrastructure.

Prepare the file server

Azure App Service requires the use of a file server. For production deployments, the file server must be configured to be highly available and capable of handling failures.

Quickstart template for file server for deployments of Azure App Service on ASDK

For ASDK deployments only, you can use the example Azure Resource Manager deployment template to deploy a configured single-node file server. The single-node file server will be in a workgroup.

Quickstart template for Highly Available file server and SQL Server

A reference architecture quickstart template is now available that deploys a file server and SQL Server. This template supports Active Directory infrastructure in a virtual network configured to support a highly available deployment of Azure App Service on Azure Stack.

Steps to deploy a custom file server

Important

If you choose to deploy App Service in an existing virtual network, the file server should be deployed into a separate subnet from App Service.

Note

If you have chosen to deploy a file server using either of the Quickstart templates mentioned above, you can skip this section, as the file servers are configured as part of the template deployment.

Provision groups and accounts in Active Directory

  1. Create the following Active Directory global security groups:

    • FileShareOwners
    • FileShareUsers
  2. Create the following Active Directory accounts as service accounts:

    • FileShareOwner
    • FileShareUser

    As a security best practice, the users for these accounts (and for all web roles) should be unique and have strong usernames and passwords. Set the passwords with the following conditions:

    • Enable Password never expires.
    • Enable User cannot change password.
    • Disable User must change password at next logon.
  3. Add the accounts to the group memberships as follows:

    • Add FileShareOwner to the FileShareOwners group.
    • Add FileShareUser to the FileShareUsers group.

Provision groups and accounts in a workgroup

Note

When you're configuring a file server, run all the following commands from an Administrator Command Prompt.
Don't use PowerShell.

When you use the Azure Resource Manager template, the users are already created.

  1. Run the following commands to create the FileShareOwner and FileShareUser accounts. Replace <password> with your own values.

    net user FileShareOwner <password> /add /expires:never /passwordchg:no
    net user FileShareUser <password> /add /expires:never /passwordchg:no
    
  2. Set the passwords for the accounts to never expire by running the following WMIC commands:

    WMIC USERACCOUNT WHERE "Name='FileShareOwner'" SET PasswordExpires=FALSE
    WMIC USERACCOUNT WHERE "Name='FileShareUser'" SET PasswordExpires=FALSE
    
  3. Create the local groups FileShareUsers and FileShareOwners, and add the accounts created in the first step to them:

    net localgroup FileShareUsers /add
    net localgroup FileShareUsers FileShareUser /add
    net localgroup FileShareOwners /add
    net localgroup FileShareOwners FileShareOwner /add
    

Provision the content share

The content share contains tenant website content. The procedure to provision the content share on a single file server is the same for both Active Directory and workgroup environments. It's different, however, for a failover cluster in Active Directory.

Provision the content share on a single file server (Active Directory or workgroup)

On a single file server, run the following commands at an elevated command prompt. Replace the value for C:\WebSites with the corresponding path in your environment.

set WEBSITES_SHARE=WebSites
set WEBSITES_FOLDER=C:\WebSites
md %WEBSITES_FOLDER%
net share %WEBSITES_SHARE% /delete
net share %WEBSITES_SHARE%=%WEBSITES_FOLDER% /grant:Everyone,full

Configure access control to the shares

Run the following commands at an elevated command prompt on the file server or on the failover cluster node that is the current cluster resource owner. Replace the placeholder values (<DOMAIN> and C:\WebSites) with values that are specific to your environment.

Active Directory

set DOMAIN=<DOMAIN>
set WEBSITES_FOLDER=C:\WebSites
icacls %WEBSITES_FOLDER% /reset
icacls %WEBSITES_FOLDER% /grant Administrators:(OI)(CI)(F)
icacls %WEBSITES_FOLDER% /grant %DOMAIN%\FileShareOwners:(OI)(CI)(M)
icacls %WEBSITES_FOLDER% /inheritance:r
icacls %WEBSITES_FOLDER% /grant %DOMAIN%\FileShareUsers:(CI)(S,X,RA)
icacls %WEBSITES_FOLDER% /grant *S-1-1-0:(OI)(CI)(IO)(RA,REA,RD)

Workgroup

set WEBSITES_FOLDER=C:\WebSites
icacls %WEBSITES_FOLDER% /reset
icacls %WEBSITES_FOLDER% /grant Administrators:(OI)(CI)(F)
icacls %WEBSITES_FOLDER% /grant FileShareOwners:(OI)(CI)(M)
icacls %WEBSITES_FOLDER% /inheritance:r
icacls %WEBSITES_FOLDER% /grant FileShareUsers:(CI)(S,X,RA)
icacls %WEBSITES_FOLDER% /grant *S-1-1-0:(OI)(CI)(IO)(RA,REA,RD)
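To confirm the commands above left the content folder with exactly the intended least-privilege ACL, here is an added verification script (not from this article): it reads the ACL back and reports any principal or right that goes beyond the grants listed. The folder path and group names follow the article's defaults; the domain or computer prefix on the group names is an assumption about how your server reports them.

```powershell
# Added example, not code from the Microsoft docs page. Reads back the ACL that the icacls
# commands above leave on the content folder and reports anything wider than the intended model:
# Administrators full control, FileShareOwners modify, FileShareUsers traverse/read-attributes only,
# Everyone read-only on child objects, and no inheritance from the parent folder. Folder and group
# names follow the article's defaults; the domain/computer prefix is an assumption for your environment.
function Test-WebSitesFolderAcl {
    param(
        [string]$Folder = 'C:\WebSites',
        [string]$Domain = ''   # empty for a workgroup server; NetBIOS domain name for Active Directory
    )
    # Local groups are reported as COMPUTERNAME\Group, domain groups as DOMAIN\Group.
    $prefix = if ($Domain) { "$Domain\" } else { "$env:COMPUTERNAME\" }
    # Maximum rights each principal may hold, taken from the icacls grants above.
    $allowed = @{
        'BUILTIN\Administrators'   = [System.Security.AccessControl.FileSystemRights]::FullControl
        "${prefix}FileShareOwners" = [System.Security.AccessControl.FileSystemRights]::Modify
        "${prefix}FileShareUsers"  = [System.Security.AccessControl.FileSystemRights]'Synchronize, ExecuteFile, ReadAttributes'
        'Everyone'                 = [System.Security.AccessControl.FileSystemRights]'ReadAttributes, ReadExtendedAttributes, ReadData'
    }
    $acl = Get-Acl -Path $Folder
    $findings = @()
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance from the parent folder is still enabled (icacls /inheritance:r was not applied).'
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny entries never widen access
        $who = $ace.IdentityReference.Value
        if (-not $allowed.ContainsKey($who)) {
            $findings += "Unexpected principal '$who' holds '$($ace.FileSystemRights)'."
            continue
        }
        # Any right bit present on the ACE but absent from the allowed mask is an excess grant.
        $excess = [int]$ace.FileSystemRights -band (-bnot [int]$allowed[$who])
        if ($excess -ne 0) {
            $findings += "'$who' holds '$($ace.FileSystemRights)', which exceeds '$($allowed[$who])'."
        }
    }
    [pscustomobject]@{ Folder = $Folder; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Workgroup file server with the article's default path; for Active Directory add -Domain '<DOMAIN>'.
Test-WebSitesFolderAcl -Folder 'C:\WebSites' | Format-List
```

Run it again after any later change to the share, since a single extra Modify or Full Control grant to FileShareUsers or Everyone would let one tenant's site content be altered by another.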

Prepare the SQL Server instance

Note

If you've chosen to deploy the Quickstart template for Highly Available File Server and SQL Server, you can skip this section, as the template deploys and configures SQL Server in an HA configuration.

For the Azure App Service on Azure Stack hosting and metering databases, you must prepare a SQL Server instance to hold the App Service databases.

For ASDK deployments, you can use SQL Server Express 2014 SP2 or later. SQL Server must be configured to support Mixed Mode authentication, because App Service on Azure Stack DOES NOT support Windows Authentication.

For production and high-availability purposes, you should use a full version of SQL Server 2014 SP2 or later, enable mixed-mode authentication, and deploy in a highly available configuration.

The SQL Server instance for Azure App Service on Azure Stack must be accessible from all App Service roles. You can deploy SQL Server within the Default Provider Subscription in Azure Stack. Or you can make use of the existing infrastructure within your organization (as long as there's connectivity to Azure Stack). If you're using an Azure Marketplace image, remember to configure the firewall accordingly.

Note

A number of SQL IaaS virtual machine images are available through the Marketplace Management feature. Make sure you always download the latest version of the SQL IaaS Extension before you deploy a VM using a Marketplace item. The SQL images are the same as the SQL VMs that are available in Azure. For SQL VMs created from these images, the IaaS extension and corresponding portal enhancements provide features such as automatic patching and backup capabilities.

For any of the SQL Server roles, you can use a default instance or a named instance. If you use a named instance, be sure to manually start the SQL Server Browser service and open port 1434.

The App Service installer will check to ensure the SQL Server has database containment enabled. To enable database containment on the SQL Server that will host the App Service databases, run these SQL commands:

sp_configure 'contained database authentication', 1;
GO
RECONFIGURE;
GO

Important

If you choose to deploy App Service in an existing virtual network, the SQL Server should be deployed into a separate subnet from App Service and the file server.

Create an Azure Active Directory app

Configure an Azure AD service principal to support the following operations:

  • Virtual machine scale set integration on worker tiers.
  • SSO for the Azure Functions portal and advanced developer tools.

These steps apply to Azure AD-secured Azure Stack environments only.

Admins must configure SSO to:

  • Enable the advanced developer tools within App Service (Kudu).
  • Enable the use of the Azure Functions portal experience.

Follow these steps:

  1. Open a PowerShell instance as azurestack\AzureStackAdmin.
  2. Go to the location of the scripts that you downloaded and extracted in the prerequisite step.
  3. Install PowerShell for Azure Stack.
  4. Run the Create-AADIdentityApp.ps1 script. When you're prompted, enter the Azure AD tenant ID that you're using for your Azure Stack deployment. For example, enter myazurestack.partner.onmschina.cn.
  5. In the Credential window, enter your Azure AD service admin account and password. Select OK.
  6. Enter the certificate file path and certificate password for the certificate created earlier. The certificate created for this step by default is sso.appservice.local.azurestack.external.pfx.
  7. The script creates a new app in the tenant Azure AD instance. Make a note of the application ID that's returned in the PowerShell output. You need this information during installation.
  8. Open a new browser window, and sign in to the Azure portal as the Azure Active Directory service admin.
  9. Open the Azure AD resource provider.
  10. Select App Registrations.
  11. Search for the application ID returned as part of step 7. An App Service application is listed.
  12. Select Application in the list.
  13. Select Settings.
  14. Select Required Permissions > Grant Permissions > Yes.

Create-AADIdentityApp.ps1 script parameters

Parameter | Required or optional | Default value | Description
DirectoryTenantName | Required | Null | Azure AD tenant ID. Provide the GUID or string. An example is myazureaaddirectory.partner.onmschina.cn.
AdminArmEndpoint | Required | Null | Admin Azure Resource Manager endpoint. An example is adminmanagement.local.azurestack.external.
TenantARMEndpoint | Required | Null | Tenant Azure Resource Manager endpoint. An example is management.local.azurestack.external.
AzureStackAdminCredential | Required | Null | Azure AD service admin credential.
CertificateFilePath | Required | Null | Full path to the identity application certificate file generated earlier.
CertificatePassword | Required | Null | Password that helps protect the certificate private key.
Environment | Optional | AzureCloud | The name of the supported cloud environment in which the target Azure Active Directory Graph service is available. Allowed values: 'AzureChinaCloud'.

Create an Active Directory Federation Services app

For Azure Stack environments secured by AD FS, you must configure an AD FS service principal to support the following operations:

  • Virtual machine scale set integration on worker tiers.
  • SSO for the Azure Functions portal and advanced developer tools.

Admins must configure SSO to:

  • Configure a service principal for virtual machine scale set integration on worker tiers.
  • Enable the advanced developer tools within App Service (Kudu).
  • Enable the use of the Azure Functions portal experience.

Follow these steps:

  1. Open a PowerShell instance as azurestack\AzureStackAdmin.
  2. Go to the location of the scripts that you downloaded and extracted in the prerequisite step.
  3. Install PowerShell for Azure Stack.
  4. Run the Create-ADFSIdentityApp.ps1 script.
  5. In the Credential window, enter your AD FS cloud admin account and password. Select OK.
  6. Provide the certificate file path and certificate password for the certificate created earlier. The certificate created for this step by default is sso.appservice.local.azurestack.external.pfx.

Create-ADFSIdentityApp.ps1 script parameters

Parameter | Required or optional | Default value | Description
AdminArmEndpoint | Required | Null | Admin Azure Resource Manager endpoint. An example is adminmanagement.local.azurestack.external.
PrivilegedEndpoint | Required | Null | Privileged endpoint. An example is AzS-ERCS01.
CloudAdminCredential | Required | Null | Domain account credential for Azure Stack cloud admins. An example is Azurestack\CloudAdmin.
CertificateFilePath | Required | Null | Full path to the identity application's certificate PFX file.
CertificatePassword | Required | Null | Password that helps protect the certificate private key.

Next steps

Install the App Service resource provider