Cannot connect to secured Azure Service Fabric Cluster via Powershell or Visual Studio

I too had a nightmare attempting to deploy a secure cluster, using much of the same documentation you too have tried to consume. After spending days getting my hands dirty I managed to finally get it working.

Here is my own helper and template: SecureCluster

The key things to watch are:

  • Make sure your client and cluster certificates are both in your key vault and referenced within your ARM template under the OSProfile of the VM scale set (I noticed in your example that you were adding the client admin certificate after modifying the ARM template):

```json
"osProfile": {
    "adminUsername": "[parameters('adminUsername')]",
    "adminPassword": "[parameters('adminPassword')]",
    "computernamePrefix": "[parameters('vmNodeType0Name')]",
    "secrets": [
        {
            "sourceVault": {
                "id": "[parameters('sourceVault')]"
            },
            "vaultCertificates": [
                {
                    "certificateStore": "My",
                    "certificateUrl": "[parameters('clusterCertificateUrl')]"
                },
                {
                    "certificateStore": "My",
                    "certificateUrl": "[parameters('adminCertificateUrl')]"
                }
            ]
        }
    ]
},
```

This will make sure all your certificates are installed onto each node within the cluster.

Next is to make sure that the Service Fabric extension within the scale set also has your certificate:

```json
"extensions": [
    {
        "name": "[concat(parameters('vmNodeType0Name'),'_ServiceFabricNode')]",
        "properties": {
            "type": "ServiceFabricNode",
            "autoUpgradeMinorVersion": false,
            "protectedSettings": {
                "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('supportLogStorageAccountName')),'2015-05-01-preview').key1]",
                "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('supportLogStorageAccountName')),'2015-05-01-preview').key2]"
            },
            "publisher": "Microsoft.Azure.ServiceFabric",
            "settings": {
                "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]",
                "nodeTypeRef": "[parameters('vmNodeType0Name')]",
                "dataPath": "D:\\SvcFab",
                "durabilityLevel": "Bronze",
                "certificate": {
                    "thumbprint": "[parameters('clusterCertificateThumbPrint')]",
                    "x509StoreName": "My"
                }
            },
            "typeHandlerVersion": "1.0"
        }
    },
```

Finally, under the Service Fabric resource section within the ARM template make sure you specify which certificates to use for node to node security and which is for client to node security.

```json
"certificate": {
    "thumbprint": "[parameters('clusterCertificateThumbPrint')]",
    "x509StoreName": "My"
},
"clientCertificateCommonNames": [],
"clientCertificateThumbprints": [
    {
        "CertificateThumbprint": "[parameters('adminCertificateThumbPrint')]",
        "IsAdmin": true
    }
],
```

You should then be able to securely connect to the cluster in the way you are attempting to. One thing I have found, though, is that the URL shouldn't be prefixed with "http" within the publish profile, and when you try to browse to the explorer you will need the URL to be https://[n]:19080/Explorer/index.html

Hopefully you will find this of some help.
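As an added illustration of the final step (this is not code from the answer above or from the SecureCluster template), the following PowerShell connects to the cluster with the admin client certificate that the `clientCertificateThumbprints` block authorizes, after first checking that the certificate is usable on the workstation; the endpoint and the two thumbprint values are placeholders standing in for the template's parameters.

```powershell
# Added example, not part of the original answer. Placeholder values below must be
# replaced with the real endpoint and the thumbprints used in the ARM parameters.
$ConnectionEndpoint = 'mycluster.westeurope.cloudapp.azure.com:19000'   # placeholder; no "https://" prefix
$ClusterCertThumb   = '<clusterCertificateThumbPrint>'                   # same value as the ARM parameter
$AdminCertThumb     = '<adminCertificateThumbPrint>'                     # same value as the ARM parameter

# The ARM "secrets" block installs certificates on the cluster nodes only; the client
# certificate must also be in the calling user's store, with its private key, on this machine.
$clientCert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $AdminCertThumb }
if (-not $clientCert) {
    throw "Admin client certificate $AdminCertThumb not found in Cert:\CurrentUser\My"
}
if (-not $clientCert.HasPrivateKey) {
    throw "Admin client certificate has no private key; import the .pfx rather than the .cer"
}
if ($clientCert.NotAfter -lt (Get-Date)) {
    throw "Admin client certificate expired on $($clientCert.NotAfter)"
}

# -ServerCertThumbprint pins the cluster certificate, so a cluster presenting any other
# certificate is rejected instead of being accepted silently.
Connect-ServiceFabricCluster -ConnectionEndpoint $ConnectionEndpoint `
    -X509Credential `
    -ServerCertThumbprint $ClusterCertThumb `
    -FindType FindByThumbprint `
    -FindValue $AdminCertThumb `
    -StoreLocation CurrentUser `
    -StoreName My

# Confirm the session works and that the cluster reports a health state.
Test-ServiceFabricClusterConnection
Get-ServiceFabricClusterHealth | Select-Object -Property AggregatedHealthState
```

A mismatch between `$ClusterCertThumb` and the certificate the nodes actually present fails the connection with a server-certificate validation error, which is the symptom to look for when the template's thumbprint parameter and the certificate in Key Vault have drifted apart.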