Search Engine: Elastic

Article ID: 128471, created on Feb 26, 2016, last review on May 8, 2016

  • Applies to:
  • Operations Automation 6.0
  • Operations Automation 5.5


After applying steps described above WAP will continue working separately from OSA:

- Customers will have ability to directly manage Azure Pack Plans, VMs, Subscriptions using WAP Portal directly
- No communication with OA and BA
- Provider will have ability to sell WAP service as dummy using BA and PA

Removing integration with OSA - disabling communication and notifications:

1) Login to WAP host (where IIS with all WAP websites is installed)

2) Open Windows Azure Pack Configuration Power Shell

3) Build the connection variable with DataBase IP, system administrator login, and password

 $cnctString = 'Data Source=<WAP DataBase IP>;User ID=sa;Password=<password>'

4) Set default Admin Endpoint. Port 30072 is default for Admin Endpoint site. For URL you can use your own domain which is pointing to this site. Using this URL customer will have ability to access WAP portal.

 Set-MgmtSvcRelyingPartySettings -Target 'Admin' -MetadataEndpoint -ConnectionString $cnctString -DisableCertificateValidation

5) Set the default Tenant Endpoint. Use same domain as for WAP portal

 Set-MgmtSvcRelyingPartySettings -Target 'Tenant' -MetadataEndpoint -ConnectionString $cnctString -DisableCertificateValidation

6) Set default Auth Endpoint. By using this command you remove authentication which was set up during WAP deployment blocking exernal access to WAP portal. Instead of you need to use the domain pointing to this site.

 Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint -ConnectionString $cnctString -DisableCertificateValidation

For reference, please see the Technet link Switch back to the default Windows Azure Pack authentication sites

7) Remove our Billing notification subscriber. This action is needed to remove integration with OSA Billing side. When it is performed, notification to WAP endpoint will not be sent in case customer cancels subscription in CCP.

 Remove-MgmtSvcNotificationSubscriber -Name 'Billing'

Remove users created during deployment from WAP.

These users have access and permissions to execute command on WAP endpoint and needed for communication with OSA via API. They should be removed to prevent access to WAP endpoint for anyone except admin.

1) Remove OSA Rest-API User.

 Remove-MgmtSvcAdminUser 'wap-rest-admin'

# in case DB deployed on separate host:*

     Remove-MgmtSvcAdminUser 'wap-rest-admin' -ConnectionString 'Data Source=<fqdn of wap db>;Initial  Catalog=Microsoft.MgmtSvc.Store;User ID=<admin user of database>;Password=<password of db admin>'

2) Remove OSA WAP-Portal User.

 Remove-MgmtSvcAdminUser 'wap-portal-admin'

IMPORTANT: In case DB deployed on separate host:

 Remove-MgmtSvcAdminUser 'wap-portal-admin' -ConnectionString 'Data Source=om;Initial Catalog=Microsoft.MgmtSvc.Store;User ID=<admin user of database>;Password=<password of db admin>'

3) Restart IIS


Create users in WAP portal to allow customer to login in WAP:

1) Create new users for OA Customers with WAP subscriptions from Admin Portal directly. Also you can use built-in cmdlets in order to create them. To automate that please refer to Microsoft cmdlet

IMPORTANT: This action is needed to restore access of users to WAP portal. By default users created with UIDs instead of human readable UPN logins.

12) Assign subscription administrator rights to them and provide new login details to customers.

Now you and your customers will directly manage Azure Pack Plans, VMs, Subscriptions using WAP Portal directly.


1) Keep in mind that 30072, 30071, 30081 are default ports for appropriate WAP websites. Like installation from beginning

2) OA creates WAP Users with Names = GUID, like (7a9ea80c-e279-461f-bc5c-40d7841ed5d0), therefore 'Forgot Password', 'Reset Password' or login with that GUID as login name will no longer work.

3) Important: do not remove users in WAP which were created by OA, that will trigger sugbscription removal

4) Important: do not apply that guide for WAP with ADFS integration.

For reference, please see Switch back to the default Windows Azure Pack authentication sites

If you want also to remove possibility to manage existing WAP subscriptions and buy new ones from OA you may use a few paths.

Our default approach is not to remove existing subscriptions, but to keep them remaining in OSA. Prodiver will have an ability to sell them as dummy subscriptions.

Setup dummy APS endpoint in WAP settings. This will make sure provisioning to complete successfully as APS endpoint will always give answer 200 OK. You need to ensure that connection to is working from the Management Node:

[root@core ~]# curl --verbose -k
* About to connect() to port 443 (#0)
*   Trying connected
* Connected to ( port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*       subject: CN=*,OU=Domain Control Validated
*       start date: Feb 03 08:17:38 2016 GMT
*       expire date: Feb 03 06:40:38 2017 GMT
       common name:
*       issuer: CN=Go Daddy Secure Certificate Authority - G2,OU=,O=", Inc.",L=Scottsdale,ST=Arizona,C=US
> GET /endpoint HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host:
> Accept: /
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 06 May 2016 07:43:35 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 0
< Connection: keep-alive
< Cache-Control: no-cache, must-revalidate
< Expires: Sat, 26 Jul 1997 05:00:00 GMT
* Connection #0 to host left intact
* Closing connection #0

And then repoint WAP application to the new endpoint:

plesk> update aps_application set endpoint_uri='' where id=59;

For new subscriptions use ServicePlan based on dummy resources - no subscription will be provisioned to OA side, but subscription will be not visible in hosting cp - only in managed subscriptions under account.

If you decide to clean up all WAP subscriptions from OSA completely - use the following steps:

1) In OA provider's control panel, go to Billing panel > Operations > Subscriptions

2) Cancel and destroy each subscription on WAP services. Wait until Cancellation Orders provisioning finished

3) Go to Products > Service Plans. Unpublish all WAP Service Plans from there.

4) Go to Products > Online Store. Delete Purchase Scenario, which was created for selling WAP services. Synchronize Online Store

5) Go to Operations panel > Operations > Tasks. You will have failed “Unprovisioning "AzureSubscription" for APS application Windows Azure Pack APS Package” tasks for each cancelled WAP subscription. Cancel this Tasks trees


Tasks will be failed with errors like:

APS Application Error: 403 Forbidden [ApplicationUnknownError] Unprovisioning: resource 345e5cee-be5a-40ed-b41e-351f0414b5ae of type 'subscriptions' ( for APS application 'Windows Azure Pack APS Package-1.4-307': [AZURE] {"Code":"InvalidSecurityToken","Message":"The security token cannot be verified.","Details":[]}.

Body: { "error": "ApplicationUnknownError", "message": "[AZURE] {\"Code\":\"InvalidSecurityToken\",\"Message\":\"The security token cannot be verified.\",\"Details\":[]}", "http_request": "DELETE /subscriptions/345e5cee-be5a-40ed-b41e-351f0414b5ae to ''" }

It’s normal in current situation because we have already decommissioned WAP from OA.

Now Customers won’t see Azure Pack Services tab in their control panels, couldn’t manage existing WAP subscriptions from it and buy new WAP subscriptions in customer’s control panel or Online Store. Business Automation will not bill customers for WAP subscriptions anymore.

You cannot remove WAP Service Plans, Service Templates, Resources, WAP APS package itself because previously created WAP subscriptions are still stored in BA database, and it is not possible to delete them because of constraints.

5356b422f65bdad1c3e9edca5d74a1ae caea8340e2d186a540518d08602aa065 e12cea1d47a3125d335d68e6d4e15e07 956c448bddc7e1f3585373687602379f 6f1456866eed87488c0f02b298a741c0 5b048d9bddf8048a00aba7e0bdadef37 2554725ed606193dd9bbce21365bed4e

Email subscription for changes to this article
Save as PDF