Azure pack VM provisioning not working & ID 26726 “Either the specified user role or the specified user (Domain\SPF-SVC) is not valid. User is not a member of the role. Add (Domain\SPF-SVC) as a member of the user role and try again or provide a different user role or a different user.”

When using the Azure Pack Tenant Portal, all users (except Administrator) were unable to create VMs. In my case, when a user tried to create a new VM, it failed with a non-specific error.

After some digging, I was able to find the following error on my Azure Pack Tenant Hub server:

Potential version mismatch between WAP and SPF, please verify both component's versions and if they're compatible, Exception: 'System.Data.Services.Client.DataServiceQueryException: An error occurred while processing this request. ---> System.Data.Services.Client.DataServiceClientException: <Error xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/windowsazure"><Code>InternalError</Code><Message>The server encountered an internal error, please retry. If the problem persists, contact support.

I checked all my Azure Pack, VMM and SPF servers: all were up to date with the latest updates.

So I suspected something was wrong with SPF. I followed the instructions in this link:

http://blogs.technet.com/b/privatecloud/archive/2013/11/08/troubleshooting-windows-azure-pack-spf-amp-vmm.aspx

In my case there were no issues with SPF.

I also found the following error in the VMM Jobs History:

ID 26726: “Either the specified user role or the specified user (Domain\SPF-SVC) is not valid. User is not a member of the role. Add (Domain\SPF-SVC) as a member of the user role and try again or provide a different user role or a different user.”

My SPF account was a member of the Administrator role in VMM, so I tried to log on to the SPF server with the SPF service account and open the VMM console.

I got the following error:

SCVMM console error "could not update managed code add-in pipeline due to the following error"

Quick fix:

I fixed it by granting "Authenticated Users" read/execute rights on the folder "C:\Program Files\Microsoft System Center 2012\Virtual Machine Manager\bin\AddInPipeline" and all its subfolders and files.

Then I reopened the VMM console and tried to create a new VM, but it failed again with the following error:

[screenshot: spf-svc access error]

I reviewed my SPF service account permissions to make sure nothing was missing:

Group name: <DOMAIN>\SPF-Admins
Purpose: Service Provider Administrators domain group used to provide domain accounts administrative rights to all Service Provider Foundation components and web services.
Members: <DOMAIN>\SPF-SVC

Group name: <DOMAIN>\SPF-Provider
Purpose: Service Provider domain group used to provide domain accounts access to the Service Provider Foundation Provider web service.
Members: Appropriate domain accounts to be delegated permissions to services

Group name: <DOMAIN>\SPF-VMM
Purpose: Service Provider domain group used to provide domain accounts access to the Service Provider Foundation VMM web service.
Members: Appropriate domain accounts to be delegated permissions to services

Group name: <DOMAIN>\SPF-Usage
Purpose: Service Provider domain group used to provide domain accounts access to the Service Provider Foundation Usage web service.
Members: Appropriate domain accounts to be delegated permissions to services

Group name: <SPF Server>\SPF_Admin
Purpose: Local group created by the Service Provider Foundation setup process to provide access to the Admin web service. Domain groups and accounts must be added after setup finishes.
Members: <Service Provider Foundation Server>\Local-SPF-SVC, <DOMAIN>\SPF-Admins

Group name: <Service Provider Foundation Server>\SPF_Provider
Purpose: Local group created by the Service Provider Foundation setup process to provide access to the Admin web service. Domain groups and accounts must be added after setup finishes.
Members: <Service Provider Foundation Server>\Local-SPF-SVC, <DOMAIN>\SPF-Admins, <DOMAIN>\SPF-Provider

Group name: <Service Provider Foundation Server>\SPF_VMM
Purpose: Local group created by the Service Provider Foundation setup process to provide access to the Admin web service. Domain groups and accounts must be added after setup finishes.
Members: <Service Provider Foundation Server>\Local-SPF-SVC, <DOMAIN>\SPF-Admins, <DOMAIN>\SPF-VMM

Group name: <Service Provider Foundation Server>\SPF_Usage
Purpose: Local group created by the Service Provider Foundation setup process to provide access to the Admin web service. Domain groups and accounts must be added after setup finishes.
Members: <Service Provider Foundation Server>\Local-SPF-SVC, <DOMAIN>\SPF-Admins, <DOMAIN>\SPF-Usage

Solution:

One thing that got VM provisioning with the SPF service account working was adding the VMM service account to the Windows Authorization Access Group in Active Directory. Once I did that, I was able to provision VMs logged on as the SPF service account. It also worked in the Azure Pack Tenant Portal.
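The three things this troubleshooting touched (the VMM user role, the Windows Authorization Access Group, and the AddInPipeline folder ACL) can all be checked from PowerShell before anything is changed. The script below is an added example and not code from the original post; it assumes the VMM PowerShell module (virtualmachinemanager) and the ActiveDirectory module are installed, and the account and server names in it are placeholders. The folder fix is applied with read/execute only, which is all the console needs to load add-ins.

```powershell
# Added example (not from the original post). Placeholders: DOMAIN\SPF-SVC,
# DOMAIN\VMM-SVC, VMMSERVER. Assumes the virtualmachinemanager and
# ActiveDirectory modules are available on the machine running this.
Import-Module virtualmachinemanager -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$SpfAccount        = 'DOMAIN\SPF-SVC'   # SPF service account (placeholder)
$VmmServiceAccount = 'DOMAIN\VMM-SVC'   # VMM service account (placeholder)
$VmmServer         = 'VMMSERVER'        # VMM management server (placeholder)
$AddInPath = 'C:\Program Files\Microsoft System Center 2012\Virtual Machine Manager\bin\AddInPipeline'

# 1. Is the account a member of the VMM user role? Job error 26726 is what VMM
#    raises when it cannot confirm this for the caller.
function Test-VmmRoleMembership {
    param([string]$Account, [string]$Server, [string]$Role = 'Administrator')
    $vmm  = Get-SCVMMServer -ComputerName $Server
    $role = Get-SCUserRole -VMMServer $vmm -Name $Role
    # Members are stored as DOMAIN\name strings; -eq compares case-insensitively.
    [bool]($role.Members | Where-Object { $_ -eq $Account })
}

# 2. Is the VMM service account in the Windows Authorization Access Group?
#    Members of that group may read tokenGroupsGlobalAndUniversal, which is how
#    a service works out another account's group membership without holding
#    that account's own logon token.
function Test-WaagMembership {
    param([string]$Account)
    $sam = $Account.Split('\')[-1]
    $members = Get-ADGroupMember -Identity 'Windows Authorization Access Group' -Recursive
    [bool]($members | Where-Object { $_.SamAccountName -eq $sam })
}

# 3. What do Authenticated Users (SID S-1-5-11) hold on the AddInPipeline
#    folder? Read and execute is enough to load add-ins; Write, Modify or
#    FullControl there would let any logged-on user drop code the console loads.
function Test-AddInPipelineAcl {
    param([string]$Path)
    $rules = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-11'
    }
    if (-not $rules) { return 'missing' }
    if ($rules | Where-Object { "$($_.FileSystemRights)" -match 'Write|Modify|FullControl' }) {
        return 'too broad'
    }
    'ok'
}

# The quick fix from the post, scoped to read/execute: *S-1-5-11 is the
# well-known SID of Authenticated Users, (OI)(CI) inherits to files and
# subfolders, /T also walks the children that already exist.
function Grant-AddInPipelineReadExecute {
    param([string]$Path)
    & icacls.exe $Path /grant '*S-1-5-11:(OI)(CI)RX' /T
}

[pscustomobject]@{
    'SPF account in VMM Administrator role'     = Test-VmmRoleMembership -Account $SpfAccount -Server $VmmServer
    'VMM service account in WAAG'               = Test-WaagMembership -Account $VmmServiceAccount
    'AddInPipeline ACL for Authenticated Users' = Test-AddInPipelineAcl -Path $AddInPath
} | Format-List

# To apply the folder fix only when the ACE is absent:
# if ((Test-AddInPipelineAcl -Path $AddInPath) -eq 'missing') { Grant-AddInPipelineReadExecute -Path $AddInPath }
```

Run it as a VMM administrator on a machine that has both modules. The ACL check compares by SID rather than by the display name "Authenticated Users", so it also works on hosts with a non-English system locale. If VMM runs as Local System rather than a domain account, the principal to look for in the Windows Authorization Access Group is the VMM server's computer account.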


Query on Active Directory Account for identity Domain\Useraccount returned empty attribute values.

I have deployed and integrated ADFS with Azure Pack, and I am using the ExtendASP control panel for Hosted Exchange and multi-tenant Active Directory. All my tenant accounts are created via ExtendASP and reside in the Hosting OU. My goal is to use ExtendASP as the central management point for my cloud identities, so that tenant administrators can manage the Azure Pack IaaS service and the ExtendASP SaaS services with a single AD account.

When I created the first customer in ExtendASP and tried to log in to the Azure Pack Tenant Portal through ADFS as the Company Administrator, I got the following error:

[screenshot: adfs_error]

The following errors were also generated in the ADFS log:

Error1:

Microsoft.IdentityServer.Service.SecurityTokenService.ADAccountValidationException: MSIS8006: Query on Active Directory Account for identity 'Domain\Useraccount' returned empty attribute values.

Error2:

An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error.

Additional Data

Caller: Domain\Useraccount

Error3:

The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.microsoft.com/idfx/requesttype/issue

Additional Data
Exception details:
Microsoft.IdentityServer.Service.SecurityTokenService.ADAccountValidationException: MSIS8006: Query on Active Directory Account for identity 'Domain\Useraccount' returned empty attribute values.

Solution:

Grant Read rights to the ADFS service account on the Hosting OU in AD. Do not forget to apply it to "This object and all descendant objects".
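MSIS8006 is what you see when ADFS can find the user over LDAP but its own service account is not allowed to read the user's attributes: the query does not fail, it simply comes back with empty values. The script below is an added example, not code from the original post, and shows how to test exactly that read and then grant the OU permission the way the fix describes. The service account, the OU distinguished name and the sample user are placeholders, and the ActiveDirectory module with its AD: drive is assumed to be present.

```powershell
# Added example (not from the original post). Placeholders: DOMAIN\svc-adfs,
# the Hosting OU distinguished name and the sample user. Assumes the
# ActiveDirectory module (which provides the AD: drive) is installed.
Import-Module ActiveDirectory -ErrorAction Stop

$AdfsServiceAccount = 'DOMAIN\svc-adfs'                  # placeholder
$HostingOu          = 'OU=Hosting,DC=example,DC=local'   # placeholder
$SampleUser         = 'tenant.admin'                     # any account under the Hosting OU

# ADFS looks the caller up over LDAP as its own service account. An attribute
# that account is not allowed to read comes back empty rather than as an
# error, which is what MSIS8006 "returned empty attribute values" reports.
# Run this with the service account's credential (or from a session running
# as that account) to see what ADFS sees.
function Test-AttributeRead {
    param([string]$SamAccountName, [pscredential]$Credential)
    $p = @{ Identity = $SamAccountName; Properties = 'userPrincipalName', 'mail', 'memberOf' }
    if ($Credential) { $p.Credential = $Credential }
    try { $u = Get-ADUser @p }
    catch { return [pscustomobject]@{ Found = $false; Error = $_.Exception.Message } }
    [pscustomobject]@{
        Found  = $true
        UPN    = $u.UserPrincipalName
        Mail   = $u.Mail
        Groups = @($u.MemberOf).Count
        # an empty UPN on an account that has one in ADUC means the read was denied
        ReadOk = -not [string]::IsNullOrEmpty($u.UserPrincipalName)
    }
}

# Equivalent of ticking Read with "This object and all descendant objects" in
# the OU's security tab: GenericRead, inherited by every descendant object.
function Grant-OuRead {
    param([string]$OuDistinguishedName, [string]$Account)
    $path = "AD:\$OuDistinguishedName"
    $sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Read back the ACEs the account holds on the OU, to confirm the inheritance
# type is "All" (i.e. this object and all descendant objects).
function Get-OuAces {
    param([string]$OuDistinguishedName, [string]$Account)
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { "$($_.IdentityReference)" -eq $Account } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
}

# Usage:
# Test-AttributeRead -SamAccountName $SampleUser -Credential (Get-Credential $AdfsServiceAccount)
# Grant-OuRead -OuDistinguishedName $HostingOu -Account $AdfsServiceAccount
# Get-OuAces   -OuDistinguishedName $HostingOu -Account $AdfsServiceAccount
```

Run Test-AttributeRead before and after Grant-OuRead: a result with Found set to true but an empty UPN reproduces the ADFS symptom, and ReadOk turning true confirms the fix. Keep the grant at GenericRead; ADFS only needs to read the tenant objects, not modify them.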

Activate all running VMs on Hyper-V host using Powershell

Objective:

Activate all running virtual machines that have Windows Server 2012 R2 installed from the SPLA ISO image, using a MAK key. I am not going to use AVMA (Automatic VM Activation), as my Hyper-V host OS is not Datacenter: I am using either Hyper-V Server or WS 2012 R2 Standard.

Check Activation Status on single VM:

$VM = "yourVMname"
$cim = New-CimSession -ComputerName $VM
Get-CimInstance -ClassName SoftwareLicensingProduct -CimSession $cim |
    Where-Object { $_.Name -match 'Windows' -and $_.LicenseFamily } |
    Format-Table -Property PSComputerName, Name, Description, LicenseStatus

[screenshot: notActivatedVM]

Activate Single VM with MAK license key:

New-Item -Path "c:\temp\activate.cmd" -ItemType File
# add your MAK key
Add-Content "c:\temp\activate.cmd" "cscript //B %windir%\system32\slmgr.vbs /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"
$FilePath = "c:\temp\activate.cmd"
# add your VM name
$VMName = "yourVMname"
# Copy-VMFile needs the Guest Service Interface; enable it only for the copy
Enable-VMIntegrationService -VMName $VMName -Name "Guest Service Interface"
Copy-VMFile $VMName -SourcePath $FilePath -DestinationPath "C:\activate.cmd" -FileSource Host
Invoke-Command -ComputerName $VMName -ScriptBlock {
    Start-Process C:\activate.cmd -Verb RunAs -Wait
    Remove-Item C:\activate.cmd -ErrorAction SilentlyContinue
}
Disable-VMIntegrationService -VMName $VMName -Name "Guest Service Interface"

[screenshot: activatedVM]

Check Activation Status on all VMs running on Hyper-V host:

$cim = New-CimSession -ComputerName (Get-VM).Name
Get-CimInstance -ClassName SoftwareLicensingProduct -CimSession $cim |
    Where-Object { $_.Name -match 'Windows' -and $_.LicenseFamily } |
    Format-Table -Property PSComputerName, Name, Description

Activate all running VMs on Hyper-V host with MAK license key:

New-Item -Path "c:\temp\activate.cmd" -ItemType File
# add your MAK key
Add-Content "c:\temp\activate.cmd" "cscript //B %windir%\system32\slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
$FilePath = "c:\temp\activate.cmd"
# add your HV host name
$VMs = Get-VM -ComputerName HyperVHOST | Where-Object { $_.State -eq 'Running' }
# Copy-VMFile needs the Guest Service Interface enabled on every target VM
$VMs | Enable-VMIntegrationService -Name "Guest Service Interface"
foreach ($VM in $VMs) {
    $server = $VM.Name
    Write-Host "Working on" $server -ForegroundColor Red -BackgroundColor Yellow
    Copy-VMFile -VM $VM -SourcePath $FilePath -DestinationPath "C:\activate.cmd" -FileSource Host
    Invoke-Command -ComputerName $server -ScriptBlock {
        Start-Process C:\activate.cmd -Verb RunAs -Wait
        Remove-Item C:\activate.cmd -ErrorAction SilentlyContinue
    }
}
# disable the interface again on all VMs, not just the last one of the loop
$VMs | Disable-VMIntegrationService -Name "Guest Service Interface"
# clean up the .cmd file holding the MAK key on the host (it lives in c:\temp)
Remove-Item $FilePath -ErrorAction SilentlyContinue

Now we can check how many VMs have LicenseStatus "1", which means "Activated":

$cim = New-CimSession -ComputerName (Get-VM).Name
Get-CimInstance -ClassName SoftwareLicensingProduct -CimSession $cim |
    Where-Object { $_.Name -match 'Windows' -and $_.LicenseStatus -eq 1 } |
    Format-Table -Property PSComputerName, Name, Description, LicenseStatus

[screenshot: activatedVMs]
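The same procedure (find the running VMs, install the MAK key in each guest, check LicenseStatus) can be wrapped so that only guests that are not yet licensed are touched and the key never lands in a file on disk. The script below is an added example and not the post's own code. It assumes, as the post does, that every VM name resolves to a WinRM-reachable guest; the host name and the key are placeholders. It differs from the post in two ways: the key is passed to slmgr as a script-block argument instead of through a copied .cmd file (so the Guest Service Interface is not needed), and it calls slmgr /ato after /ipk to trigger online activation immediately rather than waiting for the Software Protection service's next scheduled attempt.

```powershell
# Added example (not from the original post). Placeholders: HyperVHOST and the
# MAK key. Assumes the Hyper-V module and WinRM access to each guest by VM name.

# SoftwareLicensingProduct.LicenseStatus values as documented for the WMI class.
$LicenseStatusNames = @{
    0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace'
    4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace'
}

function Get-GuestLicenseStatus {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $cim = New-CimSession -ComputerName $ComputerName -ErrorAction Stop
    try {
        Get-CimInstance -ClassName SoftwareLicensingProduct -CimSession $cim |
            # PartialProductKey is only set on the product whose key is actually
            # installed, which filters out the other channel entries for the edition.
            Where-Object { $_.Name -match 'Windows' -and $_.LicenseFamily -and $_.PartialProductKey } |
            Select-Object PSComputerName, Name, LicenseStatus,
                @{ n = 'StatusName'; e = { $LicenseStatusNames[[int]$_.LicenseStatus] } }
    } finally {
        Remove-CimSession $cim
    }
}

function Install-GuestMakKey {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$MakKey
    )
    # Install the key and activate in one WinRM call; the key travels as an
    # argument of the script block, so nothing is written to the guest's disk.
    Invoke-Command -ComputerName $ComputerName -ArgumentList $MakKey -ScriptBlock {
        param($Key)
        $slmgr = Join-Path $env:windir 'System32\slmgr.vbs'
        & cscript.exe //B //Nologo $slmgr /ipk $Key | Out-Null
        & cscript.exe //B //Nologo $slmgr /ato | Out-Null
    }
}

function Invoke-HyperVGuestActivation {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$MakKey
    )
    $running = Get-VM -ComputerName $HostName | Where-Object { $_.State -eq 'Running' }
    if (-not $running) { return @() }

    # Only touch guests that are not already in the Licensed (1) state.
    $targets = Get-GuestLicenseStatus -ComputerName $running.Name |
        Where-Object { $_.LicenseStatus -ne 1 }

    foreach ($t in $targets) {
        Write-Host "Activating $($t.PSComputerName) (was $($t.StatusName))" -ForegroundColor Yellow
        try {
            Install-GuestMakKey -ComputerName $t.PSComputerName -MakKey $MakKey
        } catch {
            Write-Warning "$($t.PSComputerName): $($_.Exception.Message)"
        }
    }

    # Re-read every running guest so the report shows the post-activation state.
    Get-GuestLicenseStatus -ComputerName $running.Name | Sort-Object StatusName, PSComputerName
}

# Usage (replace the placeholders first):
# Invoke-HyperVGuestActivation -HostName 'HyperVHOST' -MakKey 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX' |
#     Format-Table PSComputerName, StatusName, Name -AutoSize
```

The final table is the same check the post ends with, but it also names the status instead of showing the bare number, so guests stuck in a grace or notification state are easy to spot. Guests that fail the WinRM call are reported with a warning and simply stay in their previous state in the table.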