Category Archives: Microsoft

Kemp LoadMaster Monitoring Management Pack (Community MP)

Recently I was looking how to monitor Kemp LoadMaster devices with SCOM. I was able to discover them trough SCOM as Network Devices but that was the only thing and it was not enough. Fortunately fellow MVP Daniele Grandini decided to help me and develop Kemp LoadMaster Management Pack. He was the main driver for this MP to exists as he was the main developer and I’ve took the task of testing it and fixing some small bugs that we’ve encountered. This is initial version of the MP and contains some know issues some of them are due to kemp loadmaster others are internal for the MP. Consider this version somehow as beta as we have some plans to re-write the MP in the future if we can. You will find the MP here along with some documentation. You can log any feedback you have on the Codeplex page.

Using VMM Cmdlets locally on SMA Worker Server in SMA Runbooks

If you are working with SMA and VMM you are probably familiar with the following sample Runbook for connecting to VMM:

workflow Sample-Managing-VirtualMachineManager  {      # Connection to access VMM server.      $VmmConnection = Get-AutomationConnection -Name 'VmmConnection'      $VmmServerName = $VmmConnection.ComputerName        # Create a PSCredential from the 'Username' and 'Password' fields within       # 'VmmConnection' because this is the form of authentication that an       # inlinescript accepts.       $SecurePassword = ConvertTo-SecureString -AsPlainText -String $VmmConnection.Password -Force      $VmmCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $VmmConnection.Username, $SecurePassword            inlinescript {          # Import VMM module.          Import-Module virtualmachinemanager                    # Connect to VMM server.          Get-SCVMMServer -ComputerName $Using:VmmServerName            # Obtain VMM server license information.          Get-SCVMMAccessLicense -VMMServer $Using:VmmServerName -License      } -PSComputerName $VmmServerName -PSCredential $VmmCredential  }
Trough this way basically you are making remote connection to the VMM server and you are executing everything there. For most cases this is not the best way and there is another one. The other way is to install the VMM console on the SMA worker server/s thus making available the VMM cmdlets there. Keep in min that this also requires updating the console upon new Update rollup.
Now that we have the cmdlets on the SMA worker you can use a simple example like this to make the connection to VMM:

workflow Get-VM
$VmmConnection = Get-AutomationConnection -Name ‘VmmConnection’
$VmmServerName = $VmmConnection.ComputerName 
$SecurePassword = ConvertTo-SecureString -AsPlainText -String $VmmConnection.Password -Force 
$VmmCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $VmmConnection.Username, $SecurePassword 
$VMMobject=Get-SCVMMServer -ComputerName $VmmServerName -Credential $VmmCredential

$VMS=Get-SCVirtualMachine -VMMServer $VmmServerName | select -Property Name

Hope this helps you when you integrate SMA and VMM.

How SPF and WAP Make Tenant Separation for VM Clouds Resource Provider

Lately I’ve been exploring and challenging my self with some DevOps. Got to follow the trend. It is not something deep but you have to start from somewhere. Le’s get started:

We all know that we can query the SPF web service even with Internet Explorer:



But these queries result in returning all instances for specific object type. This neither gives us optimized queries nor provides multi-tenancy. So how than to get objects on behalf of the Tenant and more importantly how to create objects on behalf of the Tenant?

This information is not exposed clearly but can be found trough some docs, samples and a little bit of knowledge in WAP and SPF. To find it I was going trough this link and the sample portal code provided by Microsoft.

When you go trough these two resources you will find example how WAP calls SPF on behalf of Tenant:


Resource provider service can be VMM or Admin and only need to find subscription ID. Let’s see if we can find with SPF PowerShell cmdlets:

import-module spfadmin
Get-SCSpfTenant | Where Name -like stas*


Now we have that subscription ID so let’s try this:

Unfortunately we get this:


That does not mean necessary we are in the wrong direction just the credentials we use are not the right one.

Going trough the sample portal code I’ve found the following functions:

/// <summary>
/// Gets VMM Instance for a User role (Tenant, Self-Service User or Administrator)
/// </summary>
/// <param name=”userRoleName”></param>
/// <param name=”userRoleID”></param>
/// <returns></returns>
private VMM VmmContextInstance(string userRoleName, Guid userRoleID)
if (VmmContextCache == null || !VmmContextCache.ContainsKey(userRoleName))
lock (sync)
if (VmmContextCache == null)
VmmContextCache = new Dictionary<string, VMM>();

                   if (!VmmContextCache.ContainsKey(userRoleName))
VMM context = null;
if (userRoleName != “Administrator”)
// Create subscription auth mode context
context = new VMM(new Uri(string.Format(“{0}/{1}/services/systemcenter/VMM/Microsoft.Management.Odata.svc/”, TenantEndpoint, userRoleID.ToString().Replace(“{“, “”).Replace(“}”, “”))));
context.SendingRequest += new EventHandler<SendingRequestEventArgs
// Create admin auth mode context
context = new VMM(new Uri(string.Format(“{0}/services/systemcenter/SC2012R2/VMM/Microsoft.Management.Odata.svc/”, AdminEndpoint)));
context.SendingRequest += new EventHandler<SendingRequestEventArgs>(OnSendingRequestAdmin);

                       // use OverwriteChanges to see updates made by VMM
context.MergeOption = System.Data.Services.Client.MergeOption.OverwriteChanges;
VmmContextCache.Add(userRoleName, context);
return context;
return VmmContextCache[userRoleName];



/// <summary>
/// Method to set the Authorization token in request header for WAP Tenant Authentication
/// </summary>
/// <param name=”sender”></param>
/// <param name=”e”></param>
private void
OnSendingRequestTenant(object sender, SendingRequestEventArgs e)
// Add an Authorization header that contains an OAuth WRAP access token to the request.
if (TenantHeaderValue != null)
string headerValue = “Bearer ” + TenantHeaderValue;
e.RequestHeaders.Add(“Authorization”, headerValue);
e.RequestHeaders.Add(“x-ms-principal-id“, string.Format(“[{0}]“, TenantUserName));
e.RequestHeaders.Add(“x-ms-principal-id”, “[test]“);

In yellow I’ve marked what I’ve spotted as important. This x-ms-principal-id property is put in a header when you query URL. I do not know how to do that with IE but I can do it with PowerShell:

$cred = Get-Credential
$request =Invoke-WebRequest -Uri “; -Method Get -Headers @{“x-ms-principal-id”=”stas at”} -Credential $cred


This will get us the same results we see in IE but this time scoped to the Tenant we are using. Note that you will still have to provide credentials that have access to the SPF VMM Endpoint. The x-ms-principal-id property just needs to be provided and actually you can put any value you want and it will still works. I will explain later how security is provided trough SPF and WAP.

Now that we were able to get results how can be sure that actually what we’ve did is really executed on behalf of the Tenant in VMM? Simple answer is we need to create object and see if this object has the right properties when created. That of course also can be done with PowerShell:

$body = @{
StampId = “2dcbb497-2b41-4dad-a883-09212c21e9e5″
Name = “Network33″
LogicalNetworkId = “1190fe0d-d5b9-4252-adae-b5b761db81f7″
CAIPAddressPoolType = “IPv4″
$BodyJSON = ConvertTo-Json $body

$request =Invoke-WebRequest -Uri “; -Method Post -Body $BodyJSON -ContentType ‘application/json;’ -Headers @{“x-ms-principal-id”=stas at} -Credential $cred

After executing the command you will see the following job in VMM:


You will see that the VM Network was created in the name of the Owner we’ve provided but is the User role that correspond to Tenant’s subscription owner of the VM Network?


As you can see everything is as it should be. Looking at WAP Tenant portal that network is shown for the Tenant:


In all commands I’ve modified my e-mail in order to not be exposed.

Now that we’ve learn that how SPF and WAP actually provide security?

SPF is just service provider/framework. SPF does not provide separate authentication for Tenants. SPF just provides the separation and the service and this is the right way as the authentication of your users will happen on your custom portal or in Windows Azure Pack. Trough your custom code or the WAP code you security is provided. For example WAP knows which users have access to which subscription and it does not allow to have access to other subscriptions you do not have access to by making context for that user. When user logs in WAP as Tenant token is generated for that user. This token gives additional security by restricting access only to the session. That token is even forwarded trough every call to SPF and SPF actually verifies if that token is truly valid.

I hope this gave you more insight about how SPF and WAP work together to achieve the goal to provide secure and multi-tenant service.

Awarded to be MVP for Second Year

Today I’ve received e-mail that my MVP award has been renewed:


I am very happy and honored to receive this award for second year because I like helping the community.

This is the time that I would like to thank to a few people that helped me a lot in the past year.

First I would like to thank to my dear friend Kristian Nese. I feel that he has been like a mentor for me for the past year.

Second I would like to thank to the following MVPs with whom I’ve discussed various topics, helped me learn a lot and many times we’ve shared the same opinions: Damian Flynn, Flemming Riis, Hans Vredevoort, Marc van Eijk, Thomas Maurer, Bob Cornelissen, Marnix Wolf, Daniel Neumann, Pete Zerger, Daniele Grandini and Didier Van Hoye. There are many others of course. Thank you guys!

I also would like to thank to my family. Thank for supporting me.

Last but not least I would like to thank to my co-workers.

New and Updated MPs: SQL Server

Today we see some MPs being updated and some new ones released all related to SQL: