Changing Your Service Principal Key
The Service Principal keys that are automatically generated during deployment expire after 1 year. This section outlines how to upgrade and edit your Service Principal key and enables you to recover expired keys. You can upgrade the Service Principal key at any time after deployment. Use this process if you want to change the Service Principal key with no downtime or if you want to recover an expired key. The following behaviour can be an indication of an expired key:
- When attempting to connect to a remote workstation from a PCoIP Client, you get an error message stating "Authentication Successful !! User has no Resources."
- When attempting to connect to an existing resource, you get an error message stating "Connection failed. Please try to connect again."
- When trying to create a new remote workstation from within the Cloud Access Manager Management Interface, the NEW Remote Workstation Template drop-down options are empty. You can confirm that this is a Service Principal key issue by clicking the System Health tab in the left sidebar and seeing that one or more of the CAM services are not available.
- When creating a new Cloud Access Connector, the deployment script fails with an error message stating "Please make sure that the Service Principal password has not expired."
Upgrading a Service Principal Key through the Azure Portal
The following section outlines the process involved in upgrading and changing the Service Principal key in your Cloud Access Manager deployment through the Azure Portal:
- Click on the Azure Active Directory tab from the favourites sidebar.
- Click App registrations to display all registered applications, including the application named CAM-(rgname) where (rgname) is the root resource group name of the Cloud Access Manager deployment.
- Click on that resource group to display the metadata for that application.
- From the Manage tab click on Certificates & secrets.
- Click on New client secret.
- Enter a description for the client secret in the description field, select an expiry date and click Add. The client secret will be displayed after it has been saved.
  Ensure that you note the value of the key you created as you will be unable to retrieve this value once you exit the page.
- Start the deployment script by passing the

    cd $HOME
    Invoke-WebRequest -UseBasicParsing `
      https://raw.githubusercontent.com/teradici/deploy/master/Deploy-CAM.ps1 `
      -OutFile Deploy-CAM.ps1
    .\Deploy-CAM.ps1 -updateSPCredential

While the script is running you will be asked to enter the new credentials for the Service Principal. Passing the -updateSPCredential switch ensures that the Cloud Access Manager service is updated as well as the key vault. This script will automatically update the Service Principal key and also deploy a new Cloud Access Connector.
- You will need to re-create all the connectors required in your infrastructure and update DNS for the switch over to be complete. Subsequent connector deployments do not need the -updateSPCredential switch to be passed as it only needs to be run once.
- Once the switch over has been completed successfully you should delete the old Service Principal key and old connectors.
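A check that fits around the procedure above, as an added example (not part of the original page or of the Deploy-CAM.ps1 script): it classifies the client secrets on an app registration by expiry, so the key can be rotated before the one-year lifetime runs out and an old key left attached after the switch over is noticed. The function name, the 30-day warning window and the sample objects are assumptions; the commented live call assumes Az.Resources 5.x or later, where credential objects expose EndDateTime, and uses a placeholder application name.

```powershell
# Added example: classify app-registration client secrets by expiry.
function Get-SecretExpiryStatus {
    [CmdletBinding()]
    param(
        # Objects carrying KeyId, DisplayName and EndDateTime properties.
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $Credential,
        [int] $WarnDays = 30,   # assumed warning window, adjust to your rotation policy
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    process {
        foreach ($c in $Credential) {
            $end = ([datetime] $c.EndDateTime).ToUniversalTime()
            $daysLeft = [math]::Floor(($end - $Now).TotalDays)
            if ($end -le $Now) { $status = 'Expired' }
            elseif ($daysLeft -lt $WarnDays) { $status = 'ExpiringSoon' }
            else { $status = 'OK' }
            [pscustomobject]@{
                KeyId = $c.KeyId; Description = $c.DisplayName
                EndDateTime = $end; DaysLeft = $daysLeft; Status = $status
            }
        }
    }
}

# Constructed sample input (placeholder key IDs), shaped like credential objects.
$utcNow = (Get-Date).ToUniversalTime()
$sample = @(
    [pscustomobject]@{ KeyId = '00000000-0000-0000-0000-000000000001'
                       DisplayName = 'generated at deployment'; EndDateTime = $utcNow.AddDays(-3) }
    [pscustomobject]@{ KeyId = '00000000-0000-0000-0000-000000000002'
                       DisplayName = 'previous rotation'; EndDateTime = $utcNow.AddDays(12) }
    [pscustomobject]@{ KeyId = '00000000-0000-0000-0000-000000000003'
                       DisplayName = 'new client secret'; EndDateTime = $utcNow.AddDays(364) }
)
$report = $sample | Get-SecretExpiryStatus -Now $utcNow
$report | Format-Table KeyId, Description, DaysLeft, Status

# More than one unexpired key after the switch over means an old key is still attached.
$valid = @($report | Where-Object Status -ne 'Expired')
if ($valid.Count -gt 1) {
    Write-Warning "$($valid.Count) unexpired keys present; delete the old key once the switch over is complete."
}

# Live use (assumption: Az.Resources 5.x+, signed in with Connect-AzAccount;
# 'CAM-myrg' is a placeholder for CAM-(rgname)):
# $app = Get-AzADApplication -DisplayName 'CAM-myrg'
# Get-AzADAppCredential -ApplicationId $app.AppId | Get-SecretExpiryStatus
```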