Set up Azure Active Directory for client authentication

For clusters running on Azure, Azure Active Directory (Azure AD) is recommended to secure access to management endpoints. This article describes how to set up Azure AD to authenticate clients for a Service Fabric cluster.

In this article, the term "application" refers to Azure Active Directory applications, not Service Fabric applications; the distinction is made where necessary. Azure AD enables organizations (known as tenants) to manage user access to applications.

A Service Fabric cluster offers several entry points to its management functionality, including the web-based Service Fabric Explorer and Visual Studio. As a result, you will create two Azure AD applications to control access to the cluster: one web application and one native application. After the applications are created, you will assign users to read-only and admin roles.

Note

On Linux, you must complete the following steps before you create the cluster. On Windows, you also have the option to configure Azure AD authentication for an existing cluster.

Note

It is a known issue that applications and nodes on Linux AAD-enabled clusters cannot be viewed in the Azure portal.

Prerequisites

In this article, we assume that you have already created a tenant. If you have not, start by reading How to get an Azure Active Directory tenant.

To simplify some of the steps involved in configuring Azure AD with a Service Fabric cluster, we have created a set of Windows PowerShell scripts.

  1. Clone the repo to your computer.
  2. Ensure you have all prerequisites for the scripts installed.

Create Azure AD applications and assign users to roles

We'll use the scripts to create two Azure AD applications to control access to the cluster: one web application and one native application. After you create applications to represent your cluster, you'll create users for the roles supported by Service Fabric: read-only and admin.

Run SetupApplications.ps1, and provide the tenant ID, cluster name, and web application reply URL as parameters. Also specify usernames and passwords for the users. For example:

$Configobj = .\SetupApplications.ps1 -TenantId '0e3d2646-78b3-4711-b8be-74a381d9890c' -ClusterName 'mysftestcluster' -WebApplicationReplyUrl 'https://mysftestcluster.chinaeast.cloudapp.chinacloudapi.cn:19080/Explorer/index.html' -Location 'china' -AddResourceAccess
.\SetupUser.ps1 -ConfigObj $Configobj -UserName 'TestUser' -Password 'P@ssword!123'
.\SetupUser.ps1 -ConfigObj $Configobj -UserName 'TestAdmin' -Password 'P@ssword!123' -IsAdmin

Note

For national clouds (for example Azure China Cloud), you should also specify the -Location parameter.

You can find your TenantId by executing the PowerShell command Get-AzureSubscription. Executing this command displays the TenantId for every subscription.

ClusterName is used to prefix the Azure AD applications that are created by the script. It does not need to match the actual cluster name exactly. It is intended only to make it easier to map Azure AD artifacts to the Service Fabric cluster that they're being used with.

WebApplicationReplyUrl is the default endpoint that Azure AD returns to your users after they finish signing in. Set this endpoint as the Service Fabric Explorer endpoint for your cluster. If you are creating Azure AD applications to represent an existing cluster, make sure this URL matches your existing cluster's endpoint. If you are creating applications for a new cluster, plan the endpoint your cluster will have and make sure not to use the endpoint of an existing cluster. By default the Service Fabric Explorer endpoint is:

https://<cluster_domain>:19080/Explorer

You are prompted to sign in to an account that has administrative privileges for the Azure AD tenant. After you sign in, the script creates the web and native applications to represent your Service Fabric cluster. If you look at the tenant's applications in the Azure portal, you should see two new entries:

  • ClusterName_Cluster
  • ClusterName_Client

The script prints the JSON required by the Azure Resource Manager template when you create your AAD-enabled cluster, so it's a good idea to keep the PowerShell window open.

"azureActiveDirectory": {
  "tenantId":"<guid>",
  "clusterApplication":"<guid>",
  "clientApplication":"<guid>"
},

Troubleshooting help in setting up Azure Active Directory

Setting up Azure AD and using it can be challenging, so here are some pointers on what you can do to debug the issue.

Service Fabric Explorer prompts you to select a certificate

Problem

After you sign in successfully to Azure AD in Service Fabric Explorer, the browser returns to the home page but a message prompts you to select a certificate.

[Image: SFX certificate dialog]

Reason

The user isn't assigned a role in the Azure AD cluster application. Thus, Azure AD authentication fails on the Service Fabric cluster, and Service Fabric Explorer falls back to certificate authentication.

Solution

Follow the instructions for setting up Azure AD, and assign user roles. Also, we recommend that you turn on "User assignment required to access app," as SetupApplications.ps1 does.

Connection with PowerShell fails with an error: "The specified credentials are invalid"

Problem

When you use PowerShell to connect to the cluster by using "AzureActiveDirectory" security mode, after you sign in successfully to Azure AD, the connection fails with an error: "The specified credentials are invalid."

Solution

This solution is the same as the preceding one.

Service Fabric Explorer returns a failure when you sign in: "AADSTS50011"

Problem

When you try to sign in to Azure AD in Service Fabric Explorer, the page returns a failure: "AADSTS50011: The reply address <url> does not match the reply addresses configured for the application: <guid>."

[Image: SFX reply address mismatch]

Reason

The cluster (web) application that represents Service Fabric Explorer attempts to authenticate against Azure AD, and as part of the request it provides the redirect return URL. But that URL is not listed in the Azure AD application's Reply URL list.

Solution

On the Azure AD app registration page for your cluster, select Authentication, and under the Redirect URIs section, add the Service Fabric Explorer URL to the list. Save your change.

[Image: Web application reply URL]

Connecting to the cluster using Azure AD authentication via PowerShell gives an error when you sign in: "AADSTS50011"

Problem

When you try to connect to a Service Fabric cluster using Azure AD via PowerShell, the sign-in page returns a failure: "AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: <guid>."

Reason

Similar to the preceding issue, PowerShell attempts to authenticate against Azure AD, and it provides a redirect URL that isn't listed in the Azure AD application's Reply URLs list.

Solution

Use the same process as in the preceding issue, but the URL must be set to urn:ietf:wg:oauth:2.0:oob, a special redirect for command-line authentication.
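Both AADSTS50011 cases above come down to the same check: the cluster (web) app registration must list every reply URL a client will send, the Service Fabric Explorer URL for browser sign-in and urn:ietf:wg:oauth:2.0:oob for PowerShell. The following script is an added example, not part of the original article or of the SetupApplications scripts. It assumes the AzureAD PowerShell module (Connect-AzureAD, Get-AzureADApplication, Set-AzureADApplication), that the app registration is named with the <ClusterName>_Cluster convention the scripts use, and a placeholder cluster name and domain; it reports which required reply URLs are missing and appends only those.

```powershell
# Added example: verify and repair the reply URL list of the cluster (web) app.
# Assumes the AzureAD module; cluster name and domain below are placeholders.
param(
    [string]$ClusterName   = 'mysftestcluster',
    [string]$ClusterDomain = 'mysftestcluster.chinaeast.cloudapp.chinacloudapi.cn'
)

# Reply URLs the two troubleshooting cases require:
#  - the Service Fabric Explorer URL, sent by browser sign-in
#  - urn:ietf:wg:oauth:2.0:oob, the out-of-band redirect sent by command-line sign-in
$required = @(
    "https://$($ClusterDomain):19080/Explorer/index.html",
    'urn:ietf:wg:oauth:2.0:oob'
)

# For a national cloud add -AzureEnvironmentName, e.g. AzureChinaCloud.
Connect-AzureAD | Out-Null

$app = @(Get-AzureADApplication -Filter "displayName eq '$($ClusterName)_Cluster'")
if ($app.Count -eq 0) {
    throw "No app registration named '$($ClusterName)_Cluster' found in this tenant."
}
if ($app.Count -gt 1) {
    throw "Multiple app registrations match '$($ClusterName)_Cluster'; look them up by ObjectId instead."
}
$app = $app[0]

$configured = @($app.ReplyUrls)
$missing    = @($required | Where-Object { $configured -notcontains $_ })

if ($missing.Count -eq 0) {
    Write-Host "All required reply URLs are already configured on $($app.DisplayName)."
} else {
    Write-Host "Missing reply URLs on $($app.DisplayName):" ($missing -join ', ')
    # Append to the existing list rather than replacing it: removing a reply URL
    # by mistake breaks sign-in for every client that still depends on it.
    Set-AzureADApplication -ObjectId $app.ObjectId -ReplyUrls ($configured + $missing)
    Write-Host "Reply URLs updated."
}
```

Run it as an account that can edit the app registration. A reply URL is matched exactly by Azure AD, so the Explorer URL must include the scheme, port and path your browser actually sends; the script compares strings the same way.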

Connect to the cluster by using Azure AD authentication via PowerShell

To connect to the Service Fabric cluster, use the following PowerShell command example:

Connect-ServiceFabricCluster -ConnectionEndpoint <endpoint> -KeepAliveIntervalInSec 10 -AzureActiveDirectory -ServerCertThumbprint <thumbprint>

To learn more, see the Connect-ServiceFabricCluster cmdlet.

Can I reuse the same Azure AD tenant in multiple clusters?

Yes. But remember to add the URL of Service Fabric Explorer to your cluster (web) application. Otherwise, Service Fabric Explorer doesn't work.

Why do I still need a server certificate while Azure AD is enabled?

FabricClient and FabricGateway perform mutual authentication. During Azure AD authentication, the Azure AD integration provides the client's identity to the server, and the server certificate is used by the client to verify the server's identity. For more information about Service Fabric certificates, see X.509 certificates and Service Fabric.
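The connection command above and the mutual-authentication explanation fit together: -AzureActiveDirectory is the client's side of proving identity, and -ServerCertThumbprint is the client's check on the server. The script below is an added example, not from the original article; it assumes the Service Fabric PowerShell module that ships with the SDK (Connect-ServiceFabricCluster, Test-ServiceFabricClusterConnection, Get-ServiceFabricClusterConnection) and uses a placeholder endpoint and thumbprint.

```powershell
# Added example: connect with Azure AD client authentication while pinning the
# server certificate, then confirm the gateway accepted the identity.
# Endpoint and thumbprint are placeholders to replace with your cluster's values.
$endpoint   = 'mysftestcluster.chinaeast.cloudapp.chinacloudapi.cn:19000'
$thumbprint = '<server certificate thumbprint>'

# -AzureActiveDirectory : the client presents an Azure AD token issued for the
#                         <ClusterName>_Client application (a sign-in prompt opens).
# -ServerCertThumbprint : the client's half of the mutual authentication; if the
#                         gateway presents a certificate with any other thumbprint
#                         the connection is refused, so a stale or wrong pin fails
#                         closed instead of silently trusting a different server.
Connect-ServiceFabricCluster -ConnectionEndpoint $endpoint `
    -KeepAliveIntervalInSec 10 `
    -AzureActiveDirectory `
    -ServerCertThumbprint $thumbprint

# A user with no role in the cluster application gets past Azure AD sign-in but
# is rejected here with "The specified credentials are invalid" (see above).
if (Test-ServiceFabricClusterConnection) {
    Get-ServiceFabricClusterConnection
} else {
    Write-Error "Connected to $endpoint but the cluster rejected the session."
}
```

When the server certificate is rotated, the pinned thumbprint must be updated on every client at the same time; a connection failure right after a rotation is expected behaviour, not an Azure AD problem.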

Next steps

After setting up Azure Active Directory applications and setting roles for users, configure and deploy a cluster.