General Troubleshooting List for Windows Azure Pack (WAP) and SPF Integration
Published Feb 15 2019 08:11 PM 893 Views
First published on TECHNET on Nov 12, 2013

~ Mark Stanfill

Windows Azure Pack for Windows Server (WAP) integrates with System Center 2012 Virtual Machine Manager (VMM 2012) by using Service Provider Foundation (SPF) as a middle layer to translate PowerShell cmdlets to RESTAPI\ODdata calls and vice versa.  This guide details a checklist of configuration settings that need to be in place to successfully integrate WAP, SPF, and VMM.
In the example screenshots below, CONTOSO\SpfSvcAcct is the domain service account, and spflocal is the local user account for SPF.

Enable SPF VMM IIS Application Pool Identity Running as Domain Service Account

Open Internet Services Manager (InetMgr) and navigate to <SERVERNAME>\Application Pools.  Filter on VMM and verify that the identity is a domain account that has Logon As a Service rights.


To change this setting, right-click on the VMM application pool and choose Advanced Settings... Click on Identity, and choose Custom Account.  Enter the name in <DOMAIN>\<SERVERNAME> format and enter the password.  Run IISReset to have the changes take effect.

SPF Application Pool identity needs admin access to VMM and admin access on the SPF SQL DB

SPF uses the DefaultAppPool application pool by default.  Verify that this application pool is a member of the VMM Administrator role and that also that it has access to the SPF SQL server instance (SCSPFDB by default).

Configure SPF IIS with Basic Authentication

Open Internet Services Manager and navigate to <SERVERNAME>\Sites\SPF.  Double-click on Authentication and verify that Basic Authentication is Enabled.

Create Local User on SPF Server, add to SPF Local Groups (VMM, Admin, Provider, Usage)

On the SPF server, create a local user in Local Users and Groups (lusrmgr.msc) and add it to the SPF_Admin, SPF_Provider, SPF_Usage, and SPF_VMM groups.

Use the Local User to register with the Service Management Portal and API (not a domain user)

Use the local account created above to register SPF with WAP.  Navigate to https://localhost:30091/#Workspaces/SystemCenterAdminExtension/quickStart and configure (or re-configure) your SPF account settings to use the local account.  Enter only the user name; do not include the computer name.

No need to create any tenants from the SPF PowerShell cmdlets, this is handled automatically when users sign up for a subscription

There is no need to manually configure tenants in SPF.  Allow WAP to handle tenant account management.

Login to the SPF server with the domain service account once

This allows the user's profile to be created and prevents possible timeout events.

Access the Admin and Tenant Portals Remotely

Depending on your domain and local IIS configuration, several factors can inhibit your ability to authenticate locally to the same server (i.e. if you are logged on to a WAP Express install computer or the Admin Portal machine directly and launching Internet Explorer on that same machine).  Kernel-mode authentication (see for more details) in particular may prohibit the authentication servers from correctly rendering requests.  Rather than modifying WAP IIS settings, simply accessing the web page remotely from a workstation is recommended.

Verify that your user account is a member of the local MgmtSvc Operators group

Load Local Users and Groups (lusrmgr.msc) and verify that the account you are using to access the WAP site is a member of the local machine’s MgmtSvc Operators group.

Mark Stanfill | Senior Support Escalation Engineer | Management and Security Division

Get the latest System Center news on Facebook and Twitter :

System Center All Up:
System Center – Configuration Manager Support Team blog:
System Center – Data Protection Manager Team blog:
System Center – Orchestrator Support Team blog:
System Center – Operations Manager Team blog:
System Center – Service Manager Team blog:
System Center – Virtual Machine Manager Team blog:

Windows Intune:
WSUS Support Team blog:
The AD RMS blog:

App-V Team blog:
MED-V Team blog:
Server App-V Team blog:

The Forefront Endpoint Protection blog :
The Forefront Identity Manager blog :
The Forefront TMG blog:
The Forefront UAG blog:

Version history
Last update:
‎Mar 11 2019 10:00 AM
Updated by: