Azure Service Fabric Explorer returns always 403

Question

I just deployed an secured Service Fabric Cluster (EncryptAndSign) with a LoadBalancer to an Azure Subscription. Deployment took some time but it worked as expected. Also I can connect to the cluster via PowerShell:

$connectionEndpoint = ("{0}.{1}.cloudapp.azure.com:19000" -f 
   "mycluster", "somewhere")

Connect-serviceFabricCluster -ConnectionEndpoint $connectionEndpoint `
  -KeepAliveIntervalInSec 10 `
  -X509Credential `
  -ServerCertThumbprint "..." `
  -FindType FindByThumbprint `
  -FindValue $clusterCertificate.Thumbprint  `
  -StoreLocation CurrentUser -StoreName My

It is also possible for me to deploy an application to the Cluster via Port 19000 using VisualStudio. Within in the Azure Portal everything looks good, no warning, no errors.

Unforunately I am not able to connect via Port 19080 to the Explorer. As I try to connect via the LoadBalancer I receive a Connection-Timeout. So established a RDP-Connection to one of the Nodes in the Cluster and tried to access the Explorer locally via

localhost:19080/Explorer

But here I receive a Http-Error 403 (Forbidden) which might be the reason for the Connection timeout via Load-Balancer (as the probe is always receiving 403). Accroding to the Azure Documentation:

"If you attempt to connect to Service Fabric Explorer on a secure cluster, your browser will ask you to present a certificate in order to gain access."

Well, I was not prompted to present any certificate. Did I miss something? Is there anything special to configure? Thanks in advance.

Answer 1

Okay, this one was not that tricky - but you have to know it and I did not read it anywhere yet. As long as you do not configure any Andmin Client Certificate all your request to the Explorer (:19080/Explorer) end up with an 403 as described above.

You can add an Thumbprint of an Admin Client Certificate in the Portal:

And it should (untested) also work with the following setting in your ARM Template:

{
  "type": "Microsoft.ServiceFabric/clusters",
  ...
  "properties": {
    ...
    "ClientCertificateThumbprints": [
      {
        "CertificateThumbprint": "THUMBPRINT_HERE",
        "IsAdmin": true
      }
    ],
  ...
  }
}

As you can see, it should be possible (also untested) to specify multiple certificates in this array.

Be sure that you generate and use a SHA1 fingerprint hash. A SHA256 fingerprint can be input through the Azure Portal, but will result in HTTP 403 responses without warnings as to what the problem is.