Global Leader in Turnkey, Integration, Supply Chain, Field Deployment & Support Services.

Get Instant Help - Anytime, Anywhere

Using Our Online Customer Support Portal

  • Premium Support Packages
  • Reduce Time to Market
  • 24 x 7 Premium Email/Phone Support

Installing System Center Service Provider Foundation – step by step
Posted by on 20 July 2015 11:32 PM

By Robert Keith

This article describes in detail the steps to create a System Center Service Provider Foundation (SPF) implementation which connects Microsoft Azure Pack to System Center Virtual Machine Manager. SPF is a core component of Azure Pack, and can be problematic to install and troubleshoot.


Applies to:
Iron Networks Products: Iron Networks Products: IronPOD Family of Products, Microsoft CPS
Software: Microsoft Azure Pack, System Center SPF 2012 R2, Orchestrator 2012 R2
Hardware Components: NA


System Center Service Provider Foundation is a system which communicates with System Center Virtual Machine Manager (VMM) and exposes the operations of VMM as a Web Service using OData and REST protocols. The primary uses of SPF are for Orchestrator and Azure Pack. Azure Pack interfaces with SPF to provision and manage Virtual Machine resources. Azure Pack can then provide data center operations management and automation, and provide self-service provisioning to end users and customers in a secure manor

This document describes in detail the steps to install and test a Service Provider Foundation step by step and attempts to provide tests at several stages to help guarantee the installation is correct and functional. This implementation does not describe best practices for a production implementation as it takes some shortcuts to make the installation simple and understandable. We disable the firewalls instead of correctly configuring the firewalls, etc. The implementation of SPF can then be adjusted to meet your own corporate IT standards.


Your environment will require a working SQL Server and SCVMM Server.
Environment Requirements:

  • Windows 2012 R2
  • SQL Server 2012 SP1 (64bit) or above
  • SC VMM 2012 R2

SQL Requirements are documented here:
General prerequisites are available here:

Two software packages from Microsoft not distributed with the Windows images will need to be downloaded.
Download the following two packages (AspNetMVC4Setup, WclDataServices):

The VMM Server should be configured and operational with the following capabilities:

  1. VMM should have Host machines configured capable of running Virtual Machines
  2. VMM should be able to create new Virtual Machines
  3. There should be a library configured with a SysPrep’ed VHDx with Windows 2012R2 images installed and configured as a generic Windows system
  4. There should be a storage server configured capable of supporting running VMs and their associated VHDx files
  5. VMM should be configured with Clouds and have one or more VM associated with this cloud

If you can use VMM to create new VMs do normal operations, then SPF should be able to expose VMM functions with a set of Web Services.

Preparing the SPF Server

  1. Create a Virtual Machine to run Service Provider Foundation.  You will typically use your VMM system for this.
    • This VM will require 4GB Memory and 3GB Storage for software
    • In the examples below, we called the VM SPFTestVM
  2. Disable IE Enhanced Security
  3. Disable the Firewall on the new SPF VM
  4. Join this new Virtual Machine to the Domain where SQL Server and VMM resides
  5. Install the following prerequisite Windows Features.
    • Run the following commands from the PowerShell console as Administrator

    #Install Windows Features
    Install-WindowsFeature Web-Server
    Install-WindowsFeature Web-Request-Monitor
    Install-WindowsFeature Web-Http-Tracing
    Install-WindowsFeature Web-Basic-Auth
    Install-WindowsFeature Web-Windows-Auth
    Install-WindowsFeature Web-App-Dev
    Install-WindowsFeature Web-Net-Ext45
    Install-WindowsFeature Web-Asp-Net45
    Install-WindowsFeature Web-Mgmt-Tools
    Install-WindowsFeature Web-Mgmt-Console
    Install-WindowsFeature Web-Scripting-Tools
    Install-WindowsFeature Net-Framework-45-ASPNET
    Install-WindowsFeature NET-WCF-HTTP-Activation45
    Install-WindowsFeature ManagementOdata
    Install-WindowsFeature WAS
    Install-WindowsFeature WAS-Process-Model
    Install-WindowsFeature WAS-Config-APIs

    The results will appear similar to this

  6. Create a local folder on the SPF Server to store the prerequisite software packages.
    • In this example we created C:\Sources
  7. Copy in the following packages:
    • System Center Orchestrator 2012 R2
    • System Center Virtual Machine Manager 2012 R2
    • The two Microsoft packages listed in the prerequisites above (AspNetMVC4Setup, WclDataServices)
  8. Install WCF Data Services 5.0 for OData V3 and ASP .NET MVC 4
      • Run the following commands to install the downloaded prerequisite software packages
      • Take the defaults and just press next next

    #These two packages are not distributed with Windows 2012R2
    C:\Sources\"SPF Required Packages"\AspNetMVC4Setup.exe
    C:\Sources\"SPF Required Packages"\WcfDataServices.exe

  9. Install the System Center VMM Console on the SPF Server
    • Launch the VMM Installer by running Setup.exe inside the VMM software folder
    • The VMM Installer will appear. Click on Install.
    • Select the VMM Console option
    • Select the defaults to complete the VMM Console installation
  10. Update the SPF Server to the latest software versions using Windows Update
    • Important: Select the “updates for other Microsoft products” to update the System Center software as well as Windows features.
  11. Reboot and continue until all updates are installed.

Note: It is important that the VMM Console and the software version of the VMM Server are the same. If the Console and Server version mismatch – even at the rollup level or installed hot fixes level – issues can occur. SPF communicates with VMM via the VMM Console software and network protocols, similar to a VMM console user. In one observed case, mismatched version between rollup 5 and rollup 6 causes the VMM console and thereby SPF to hang.

Sanity Check 1

We should perform some tests at this point. Any issues found should be resolved. Any issues with the operation of the SPF server and the network connectivity to VMM will resort in confusing problems with Azure Pack or any other systems using SPF. Since SPF is an API for VMM, issues with VMM or other infrastructure components will be hidden behind SPF.

Some of the possible problems we encounter are:

  1. VMM is not reachable over the network from the SPF server.   This could be network routing or other network issues, firewall issues, or any number of others.
  2. The VMM server does not resolve correctly from DNS
  3. The VMM console software is not operating correctly

Test 1 - Ping

Perform a Ping from the SPF server to the VMM server. Use the Fully Qualified Domain Name for this test and fall back to the IP address if this fails.

In this case, we ran into a DNS issue. Troubleshooting this, the VMM server had multiple interfaces and the SPF server only a single IP subnet.

Sanity Test 2 – Connect to VMM from the Console

Connect to the VMM server from the console installed on the SPF Server. The VMM console communicates with the VMM Server via TCP on port 8100. Any network connectivity, security issues or software version issues will show up here. SPF communicates with VMM using the same software and protocols as the VMM Console, so if this test works, SPF has a good chance of communicating with VMM successfully.

Start the Console and connect to the FQDN name of the VMM Server:

When this works, the VMM Server will appear. If this does not work, the system will usually through up an error message.

Use PowerShell from the SPF Server to connect to the VMM Server.
Run the PowerShell commands from a PowerShell window on the SPF Server:

Import-Module VirtualMachineManager
Get-SCVMMServer <VMM Server>

You should see an output similar to this:

Create Service Account and Groups

SPF requires a user domain account, a local account and several groups to be created.

Since the SPF installer will create the local groups automatically, we will create the domain account and groups first, and then do some updates to the local account and groups after the SPF software install.

SPF Domain Service Account

Create the Service Foundation Provider domain service account. This account will not have any special privileges.

  1. Log into your Active Directory Server
  2. Start Active Directory Users and Computers
  3. Navigate to Users > Right Click > New > User
  4. Add the User ID into the New Object form and click Next
  5. Enter your password (remember this for later)
    • Select Password never expires (as this is a service account)

  6. And the Service Account is created

The same operation in PowerShell

Log into your Active Domain Server and from Powershell run the following commands:

$setpass - ConvertTo-SecureString -AsPlainText "ABCD1234!" -force
New-ADUser -Name "SPFTest_SVC" -GivenName SPFTest_SVC -SamAccountName \
SPFTest_SVC -AccountPassword $setpass -PasswordNeverExpires $true
Enable -ADAccount -Identity SPFTest_SVC

This will create the account. Naturally select your own Active Directory account name and password. A cleaner script example of a PowerShell script would be:

A cleaner script example of a PowerShell script would be:

$setpass - ConvertTo-SecureString -AsPlainText $PASSWORD -force
New-ADUser -Name $ADUSER -GivenName $ADUSER -SamAccountName $ADUSER \
-AccountPassword $setpass -PasswordNeverExpires $true
Enable -ADAccount -$ADUSER

From the Active Directory Users and Groups form, the following account will be created:

SPF Domain Groups

We need to create the domain groups for SPF services (Admin, Provider, Usage and VMM)

  1. Log into your Active Directory Server
  2. Start Active Directory Users and Computers
  3. Navigate to Users > New > Groups
  4. Enter the Group Name (SPF_Admin for this example)
    • Select Global scope
    • Select Security type
  5. Do the same for
    1. SPF_Provider
    2. SPF_Usage
    3. SPF_VMM

If using PowerShell, do the following commands on the Active Directory server.

NEW-ADGroup –name “SPF_Admin” –groupscope Global
NEW-ADGroup –name “SPF_Provider” –groupscope Global
NEW-ADGroup –name “SPF_VMM” –groupscope Global
NEW-ADGroup -name "SPF_Usage" -groupscope Global

The following Groups will be created.

The properties of these groups are simple:

Install the System Center Service Provider Foundation software

    1. Log into the SPF Virtual Machine as the domain administrator
    2. Navigate to the folder where System Center Orchestrator is loaded
    3. Execute the SetupOrchestrator installer. The Service Provider Foundation is included with Orchestrator.
      • The path is in this example is: C:\Sources\SC2012 R2 SCO\SetupOrchestrator.exe
    4. The Orchestrator installer will appear. Select the Service Foundation Provider option on the lower right of the installer form.
    5. Click on Install
    6. Take the defaults and accept the license.
    7. The Installer will test your environment that all the prerequisite software is installed.
    8. Click Next to proceed if the prerequisites tests passed. If not, installed the missing components and then proceed.
    9. Configure the SQL Database settings. Take the defaults or modify this to match your environment.
      • Provide the FQDN server name of the SQL Server in your domain.
      • Note in this example I changed the database name to SCSPFDB4 as I have multiple Service Provider Foundation systems running in this environment.
    10. Click Next to Proceed.
    11. The next form will configure the SPF settings.
      • We are selecting the defaults in this case
      • Notice that we are allowing SPF to create a self-signed certificate.     This certificate will be used by Azure Pck to communicate SSL traffic to SPF.
    12. Click Next to proceed
    13. Configure the Admin Group access for the Administrator
      • Select the domain group   domain\Group, in this example the domain is IP3 - [IP3\SPF_Admin]
      • For this example, select the Service Account option
      • Select the domain SPF Service account just created above   domain\Account – [IP3\SPFTest_SVC]
      • Select the password created for this account    [ABCD1234!]
    14. Click Next to proceed
    15. Do the same procedure for the next three Groups
      • Select the domain group   domain\Group, in this example the domain is IP3 - [IP3\SPF_Admin]
      • For this example, select the Service Account option
      • Select the domain SPF Service account just created above   domain\Account – [IP3\SPFTest_SVC]
      • Select the password created for this account    [ABCD1234!]
    16. Click Next to Proceed
    17. For the Virtual Machine Manager web service
      • Select the domain group   domain\Group, in this example the domain is IP3 - [IP3\SPF_Admin]
      • For this example, select the Service Account option
      • Select the domain SPF Service account just created above   domain\Account – [IP3\SPFTest_SVC]
      • Select the password created for this account    [ABCD1234!]
    18. Click Next to Proceed
    19. For the Virtual Machine Manager web service
      • Select the domain group   domain\Group, in this example the domain is IP3 - [IP3\SPF_Admin]
      • For this example, select the Service Account option
      • Select the domain SPF Service account just created above   domain\Account – [IP3\SPFTest_SVC]
      • Select the password created for this account    [ABCD1234!]
    20. Click Next to Proceed
    21. Select your preferences for the Microsoft Customer Experience and Updates
    22. Review the Installation Summary
    23. Click Install to Proceed
    24. The SPF Installer will install the SPF software and configurations
    25. Once the installation is complete, the SPF software is installed, IIS is configured, and local SPF Server groups are created. We will need to do some post-installation work to complete the installation.

Post SPF Installation steps

At this stage, there are no new local groups on the SPF server, but there are four new groups.

Local Users

Local Groups

There are four new groups created.

Create a local account on the SPF Server

      1. Log into the SPF Server [SPFTestVM] as a domain administrator
      2. Create a new user account.   If this example we are creating the account [SPFlocal].
        • Run the command LUSRMGR.MSC from the PowerShell window
      3. The Local Users and Groups manager window will appear.
      4. Right-click the Users and select New User
      5. Enter the User Account name [SPFlocal]
      6. Select a friendly description of this account
      7. Select a password [ABCD1234!]
      8. Unclick the “User must change password at next logon”
      9. Select the “Password never expires”
      10. Click on the Create button
      11. You will have a new user account in the list

Update the local Groups on SPF Server

The local groups created by the Service Provider Foundation installer need to be updated. We need to add the local SPF account just created as well as the Domain Administrator account.

*** Robert – check if the administrator account can be replaced by the IP3\SPF_SVC account.

      1. From Local Users and Groups, select Groups, then update the Properties on each Group
      2. Select VMM_Admin
        • Right-click, select Properties
      3. On the Properties form, click on Add
      4. On the Select Users, Computers, Service Accounts or Groups form, add the domain\Administrator account to the group.
        • Locations will be the domain
        • Enter the domain\Administrator [IP3\Administrator] and click on Check Names
      5. The new user will appear on the Properties form
      6. Click on the Add button to add the local SPF users to the group
      7. On the Select Users, Computers, Service Accounts or Groups form, add the local SPF account to the group.
        • Locations will be the local server (this will have to be changed from the default)
        • Enter the account we created [SPFLocal] and click on Check Names
      8. The final configuration of the local group will contain the local account for the SPF server, and the domain administrator account.
      9. Do the same for all four groups. All groups are configured potentially forst. In this example, for these groups
        • SPF_Admin
        • SPF_Provider
        • SPF_Usage
        • SPF_VMM

Update the VMM Configuration

The Administrator role in VMM has to be updated. VMM roles have Active Directory domain accounts as members. The SPF domain account needs to be added to the VMM Administrator role.

Log into VMM and navigate to Settings (lower left side pane) > Security (upper left side) > User Roles (expand tree) > Administrator Role (right pane) > Right Click

      1. On the Properties form, select the Members tab on the left.
      2. Clock on the ADD button.
      3. In the Select Users, Computers, or Groups form, enter the SPF Service domain account
      4. The SPF Service account will appear in the list of Members in the Administrator properties.
      5. Click OK to save
      6. The VMM Job logs will show a successful update of the Administrator Role
        • a. Go to VMM Jobs > History

Update the SQL Server Configuration

The SPF domain service account requires permissions in SQL Server to manage the Service Provider Foundation data base created earlier in the SPF Installation.

Log into the SQL Server computer and open the SQL Server Management Studio

Sanity Check 4 – SPF Database Created

      • Expand Databases
      • Expand your Database [SCSPFDB4 in this case]
      • Expand Users
      • Look for your SPF Services Domain Account in the List

Update SQL Permissions

      1. Expand Security
      2. Expand Logins
      3. Select your SPF Services Domain Account  [IP3\SPFTest_SVC in this case]
      4. Click on and Right-Click the SPF Services Account
      5. Select the SPF Domain Service account [SQLTest_SVC in this case]
      6. Expand Server Roles
      7. Enable the sysadmin role by clicking the checkbox
      8. Click OK to update the server roles

The same procedure from command line:

The SQL Server sysadmin role can be applied with the following command run from the PowerShell window:

sqlcmd -Q "ALTER SERVER ROLE [sysadmin] ADD MEMBER [domain\SPF Service Account]"

Example: sqlcmd -Q "ALTER SERVER ROLE [sysadmin] ADD MEMBER [IP3\SPFTest_SVC]"
SPF installation is complete.

Testing the Installation

The Service Provider Foundation is complete and Azure Pack can technically be installed and connected to SPF. It would make sense to now do some Sanity Checks to make sure SPF is fully operational before adding further complexity and layers of abstraction.

Sanity Check 5 – Review IIS Configuration

If the installation worked correctly, the IIS Web Configuration should have been built correctly. Start the Internet Information Services (IIS) Manager.

      1. Expand the Server Name
      2. Expand Sites
        • There should be an SPF Website under Sites
      3. Select the Application Pools
      4. Inspect the Identity column
        • Admin, Provider, Usage and VMM should be running as the SPF Services Domain Account
      5. If this is not correct, this will have to be corrected or the installation restarted.

The Application Pools can be updated and the accounts adjusted.

Warning: This should not come up as an issue – do not do the following steps if the system is correct.

      1. Select the desired application pool   [Admin, Provider, Usage or VMM]
      2. Select Advanced Settings from the Action Menu on the right
      3. Click on Identity
      4. Click on the […] button on the right of Identity
      5. Modify the Identity as required.

Test SPF – Query VMM as a Web Service

We can use a web browser to query the SPF API calls directly. SPF is a Web Services system which sits in front of VMM. When using a browser to send queries to SPF, SPF will retrieve data from VMM and return this in the form of an XML data structure.

Doing this test removes the complexity of attempting to test SPF with Azure Pack. The Azure Pack environment is complex and can add complexity and mask SPF problems with a further layer of abstraction.

Open an IE browser on the SPF Server and enter the following URL:
If this is done from a different computer than the SPF server, change “localhost” to the SPF Server name.

This query should return the list of API functions available from SPF. The output is in the form of XML. This query does not attempt any connections to VMM, it only says that SPF is functioning as a web service.

The next query will List the Virtual Machines from VMM. This test will require SPF to connect to VMM and retrieve data.

Enter the following URL.

Notice that in this really complex set of data returned, the VM machines should exist. If what is returned is an error message, then the system installation will need to be troubleshot. Note that the VMs will need to be associated with a Cloud structure inside VMM.

Typical error messages might be SQL Server connection error messages, or connection problems to the VMM Server.

Another test is to list the Clouds defined inside VMM


The query to SPF should show the Cloud entries inside VMM (see below).

The following is a more interesting query. This query will list the Virtual Machines selecting the VM Name, CPUs in each VM, and the Memory data.

https://localhost:8090/SC2012R2/VMM/Microsoft.Management.Odata.svc/VirtualMachines?$select=Name, CPUCount, Memory, OperatingSystem


Release Notes SPF 2012 R2:
Preparing Your Environment:

Moving a VM to a VMM Cloud: <pending KB Article to be published>

(2 vote(s))
Not helpful

Comments (0)
Post a new comment
Full Name: