Merge branch 'vnext' into mergebranch

Author: MatthewMcGlynn

CanaryValidator/Canary.Tests.ps1

@@ -104,7 +104,7 @@ param (
     [parameter(HelpMessage="List of usecases to be excluded from execution")]
     [Parameter(ParameterSetName="default", Mandatory=$false)]
     [Parameter(ParameterSetName="tenant", Mandatory=$false)]  
-    [string[]]$ExclusionList = ("GetAzureStackInfraRoleInstance", "DeleteSubscriptionResourceGroup"),
+    [string[]]$ExclusionList = ("GetAzureStackInfraRoleInstance", "DeleteSubscriptionResourceGroup", "QueryImagesFromPIR", "DeployARMTemplate", "RetrieveResourceDeploymentTimes", "QueryTheVMsDeployed", "CheckVMCommunicationPreVMReboot", "TransmitMTUSizedPacketsBetweenTenantVMs", "AddDatadiskToVMWithPrivateIP", "ApplyDataDiskCheckCustomScriptExtensionToVMWithPrivateIP", "RestartVMWithPublicIP", "StopDeallocateVMWithPrivateIP", "StartVMWithPrivateIP", "CheckVMCommunicationPostVMReboot", "CheckExistenceOfScreenShotForVMWithPrivateIP", "DeleteVMWithPrivateIP"),
     [parameter(HelpMessage="Lists the available usecases in Canary")]
     [Parameter(ParameterSetName="listavl", Mandatory=$true)]
     [ValidateNotNullOrEmpty()]  
@@ -319,7 +319,7 @@ while ($runCount -le $NumberOfIterations)
                         $CustomVHDPath = CopyImage -ImagePath $LinuxImagePath -OutputFolder $CanaryCustomImageFolder
                         Add-AzsVMImage -publisher $linuxImagePublisher -offer $linuxImageOffer -sku $LinuxOSSku -version $linuxImageVersion -osDiskLocalPath $CustomVHDPath -osType Linux -Location $ResourceLocation -CreateGalleryItem $false
                         Remove-Item $CanaryCustomImageFolder -Force -Recurse
-                        $linuxUpload = $true
+                        Set-Variable -Name linuxUpload -Value $true -Scope 1
                     }    
                 }
                 catch
@@ -408,7 +408,7 @@ while ($runCount -le $NumberOfIterations)
             if ($asTenantSubscription)
             {
                 Get-AzureRmSubscription -SubscriptionName $asTenantSubscription.DisplayName | Select-AzureRmSubscription -ErrorAction Stop
-            }           
+            }          
         } 
 
         Invoke-Usecase -Name 'RoleAssignmentAndCustomRoleDefinition' -Description "Assign a reader role and create a custom role definition" -UsecaseBlock `
@@ -765,8 +765,8 @@ while ($runCount -le $NumberOfIterations)
         }
         $osVersion, $linuxImgExists
     }
-    [string]$osVersion = $pirQueryRes[2]
-    [boolean]$linuxImgExists = $pirQueryRes[3]
+    #[string]$osVersion = $pirQueryRes[2]
+    #[boolean]$linuxImgExists = $pirQueryRes[3]
 
     Invoke-Usecase -Name 'DeployARMTemplate' -Description "Deploy ARM template to setup the virtual machines" -UsecaseBlock `
     {        
@@ -1166,13 +1166,13 @@ while ($runCount -le $NumberOfIterations)
 
                     Invoke-Usecase -Name 'RemoveLinuxImageFromPIR' -Description "Remove the Linux image uploaded during setup from the Platform Image Respository" -UsecaseBlock `
                     {
-                        if (Get-AzureRmVMImage -Location $ResourceLocation -PublisherName $linuxImagePublisher -Offer $linuxImageOffer -Sku $LinuxOSSku -ErrorAction SilentlyContinue)
+                        if ((Get-AzureRmVMImage -Location $ResourceLocation -PublisherName $linuxImagePublisher -Offer $linuxImageOffer -Sku $LinuxOSSku -ErrorAction SilentlyContinue) -and ($linuxUpload))
                         {
                             Remove-AzsVMImage -publisher $linuxImagePublisher -offer $linuxImageOffer -sku $LinuxOSSku -version $linuxImageVersion -Location $ResourceLocation -Force
                         }
                     }
                     Invoke-Usecase -Name 'DeleteSubscriptionResourceGroup' -Description "Delete the resource group that contains subscription resources" -UsecaseBlock `
-                    {
+                    {   
                         if ($removeRG = Get-AzureRmResourceGroup -Name $subscriptionRGName -ErrorAction Stop)
                         {
                             $removeRG | Remove-AzureRmResourceGroup -Force -ErrorAction Stop

DatacenterIntegration/Identity/README.md

@@ -0,0 +1,12 @@
+# Azure Stack Datacenter Integration Helper Scripts
+
+These tools are meant to help customers integrate Azure Stack into their Datacenter. Datacenter integration of Azure Stack does require configuration changes on existing infrastructure services which are not touched by Azure Stack's automation. These scripts are meant to help to simplify and reduce failures.
+
+
+## AD FS integration
+
+Configure AD FS relying Party Trust including claim transformation rules
+
+
+---
+_This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [[email protected]](mailto:[email protected]) with any additional questions or comments._

DatacenterIntegration/Identity/claimrules.txt

@@ -0,0 +1,28 @@
+@RuleTemplate = "LdapClaims"
+@RuleName = "Name claim"
+c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
+=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";userPrincipalName;{0}", param = c.Value);
+
+@RuleTemplate = "LdapClaims"
+@RuleName = "UPN claim"
+c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
+=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
+
+@RuleTemplate = "LdapClaims"
+@RuleName = "ObjectID claim"
+c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
+=> issue(Type = "http://schemas.microsoft.com/identity/claims/objectidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
+
+@RuleName = "Family Name and Given claim"
+c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
+=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";sn,givenName;{0}", param = c.Value);
+
+@RuleTemplate = "PassThroughClaims"
+@RuleName = "Pass through all Group SID claims"
+c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
+=> issue(claim = c);
+
+@RuleTemplate = "PassThroughClaims"
+@RuleName = "Pass through all windows account name claims"
+c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
+=> issue(claim = c);

DatacenterIntegration/Identity/setupadfs.ps1

@@ -0,0 +1,61 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# See LICENSE.txt in the project root for license information. 
+
+<#
+ 
+.SYNOPSIS 
+ 
+Configures existing AD FS for Azure Stack
+ 
+.DESCRIPTION 
+ 
+It will create a relying Party Trust to Azure Stack's AD FS with the necessary rules. It will also turn on form based authentication and Enable as setting to support Edge
+ 
+.PARAMETER ExternalDNSZoneSpecify the Extnerl Dns Zone of Azure Stack which was also provided for initial deployment.EXAMPLE .\setupadfs.ps1 -externaldnszone local.azurestack.external#>Param(  [string]$ExternalDNSZone)
+$currentPath = $PSScriptRoot
+
+#Create Endpoint
+$VIP="adfs.$ExternalDnsZone"
+
+#Verify if Endpoint is reachable
+Write-Host "Validate AD FS Endpoint if reachable"
+$Validator1=Test-NetConnection -ComputerName $VIP -Port 443
+IF ($Validator1.TcpTestSucceeded -ne $true){
+Write-Host "Check you DNS Integration with Azure Stack Error "$Validator1.TcpTestSucceeded ""
+Exit}
+else{
+Write-host "Status "$Validator1.TcpTestSucceeded""
+#Create Metadata URL
+$MetadataURL= "https://$VIP/FederationMetadata/2007-06/FederationMetadata.xml"
+
+#Verify Metadata URL
+Write-Host "Validate AD FS Metadata URL"
+$Validator2=Invoke-WebRequest $MetadataURL
+If ($Validator2.StatusCode -ne 200){
+Write-Host "Metadata URL could not be retrived Error "$Validator2.StatusCode""
+Exit}
+else{
+Write-Host "Status "$Validator2.StatusCode""
+
+#Determine Windows Version
+$WindowsVersion= [environment]::OSVersion.Version
+
+#Configure Relying Party Trust
+If ($WindowsVersion.Build -lt 14393) {
+
+#Must be 2012 or 2012 R2 
+Add-ADFSRelyingPartyTrust -Name AzureStack -MetadataUrl $MetadataURL -IssuanceTransformRulesFile ($currentPath + '\claimrules.txt') -AutoUpdateEnabled:$true -MonitoringEnabled:$true -enabled:$true
+}
+else{
+#Must be 2016
+Add-ADFSRelyingPartyTrust -Name AzureStack -MetadataUrl $MetadataURL -IssuanceTransformRulesFile ($currentPath + '\claimrules.txt') -AutoUpdateEnabled:$true -MonitoringEnabled:$true -enabled:$true -AccessControlPolicyName “Permit everyone”
+
+
+#Enable Form Based Authentication
+Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain","MSIPC","Windows Rights Management Client","Kloud")
+
+#Enable Supprt for Edge Browser
+Set-AdfsProperties -IgnoreTokenBinding $true
+}
+}
+}