Setting up ADFS with Office 365

ADFS (Active Directory Federation Services) – What is it?
Complete setup details for federated identity access from on-premises AD to Office 365 – Video
The following is how to connect your on-premises Active Directory server / ADFS server to Microsoft's Office 365. Office 365 is currently still in beta and only allows a maximum of 25 users to access its services; it is not clear when it is actually going to be released.
Assumptions:
  • Two Windows Server 2008 R2 servers are built and prepared for the ADFS 2.0 install
  • The internal ADFS server is joined to the domain
  • The proxy ADFS server is not joined to the domain and is located in the perimeter network (aka DMZ)
  • The necessary firewall ports are open from the Internet to the ADFS proxy server (port 443)
  • The necessary firewall ports are open from the ADFS proxy server to the internal ADFS server (port 443)
  • An external DNS record has been created for ADFS (our example will use sts.domain.com)
  • Domain and forest functional levels need to be at Windows Server 2003 before you can install ADFS

The following steps are used to prepare the environment:

  • Add UPN Suffix to AD and configure for each user
    • domain.com was used for the UPN in this example
  • UPNs used for identity federation can only contain letters, numbers, periods, dashes and underscores.
  • Open the Active Directory Domains and Trusts tool
  • Right-click Active Directory Domains and Trusts and click Properties
  • On the UPN suffixes tab, type the alternative UPN suffix for the forest and then click Add
  • Open user properties, navigate to Account Tab.
  • Select the external namespace UPN for the “User logon name”
  • Create service account for ADFS – this can be a regular Domain User, no special permissions needed.
  • Add internal ADFS server to AD forest
  • Download ADFS 2.0 (here). During the install process, the following Windows components will be automatically installed:
    • Windows PowerShell
    • .NET Framework 3.5 SP1
    • Internet Information Services (IIS)
    • Windows Identity Foundation
  • Download Microsoft Online Services Identity Federation Management Tool (64-bit)
  • Configure external DNS A record for ADFS Proxy (adfs.domain.com)
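The preparation steps above (functional level check, UPN suffix, per-user UPN with the allowed-character rule) as one script. This is an added example, not code from the original post; it assumes the Active Directory PowerShell module, domain.com as the public UPN suffix, and a constructed OU named OU=Federated that holds the users to convert.

```powershell
# Added example, not from the original post: prepares the forest for federation
# as in the steps above. Assumes the Active Directory PowerShell module,
# domain.com as the public UPN suffix, and a constructed OU holding the users.
Import-Module ActiveDirectory

$UpnSuffix  = "domain.com"
$SearchBase = "OU=Federated,DC=domain,DC=com"   # constructed example OU

# Functional levels must be at Windows Server 2003 before ADFS 2.0 can be installed.
$forest = Get-ADForest
$domain = Get-ADDomain
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest -or
    $domain.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain) {
    throw "Raise the domain and forest functional levels to Windows Server 2003 first"
}

# Add the alternative UPN suffix to the forest (same as the UPN suffixes tab).
if ($forest.UPNSuffixes -notcontains $UpnSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $UpnSuffix }
}

# Federated UPNs may contain only letters, numbers, periods, dashes and underscores,
# so users whose logon name breaks that rule are reported instead of changed.
$allowed = '^[A-Za-z0-9._-]+$'
$report  = @()
foreach ($u in Get-ADUser -Filter * -SearchBase $SearchBase) {
    $name = $u.SamAccountName
    if ($name -notmatch $allowed) {
        $report += "$name : invalid characters for a federated UPN, skipped"
        continue
    }
    $newUpn = "$name@$UpnSuffix"
    if ($u.UserPrincipalName -ne $newUpn) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
        $report += "$name : UPN set to $newUpn"
    }
}
$report
```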

Installing and configuring ADFS 2.0 on the internal server:

  • Double-click AdfsSetup.exe (this is the ADFS 2.0 download)
  • Click Next on the Welcome Screen and Accept the License Agreement
  • On the Server Role Option screen, select Federation Server
  • Finish the rest of the wizard; this installs any necessary prerequisites
  • At the end of the wizard, uncheck the box to start the ADFS 2.0 Management snap-in
  • Request and provision public certificate through Entrust
  • Bind certificate to IIS on port 443 (remove binding for port 80)
  • Configure ADFS utilizing ADFS 2.0 Management
  • Select ADFS 2.0 Federation Server Configuration Wizard
  • Select Create a new Federation Service
  • Select New Federation server farm (during the POC we did a Stand-alone configuration to prevent the need to add a container to the production AD for certificate sharing in the farm)
  • Select the public certificate and validate the Federation Service name, which is filled in automatically from the certificate's Subject Name (adfs.domain.com was the federation name)
  • Finish the Wizard
  • Run Office 365 Desktop Setup from the Office 365 portal. Unselect all tools (Outlook, SharePoint, & Lync) to install only the Microsoft Online Connector.
  • Install Identity Federation Management Tool (FederationConfig.msi, use default install parameters)
    • The tool could be installed and run on a workstation, but the remote administration for the internal server needs to be activated and configured to trust the workstation.

Enable Identity Federation within Office 365 portal

  • Launch the Identity Federation Management Tool
  • Type $cred = Get-Credential and press Enter
    • Note: It's a really good idea to set up an admin account that is not part of the domain you are converting to SSO
  • Enter your Microsoft Online Services administrator logon and password and click OK
    • Use the admin account that is NOT a member of the domain being converted
  • Type Set-MSOLContextCredential -msolAdminCredentials $cred and press Enter
    • This logs you into the Online Services
  • For a new domain – Type Add-MSOLFederatedDomain -domainname domain.com
  • For an existing domain – Type Convert-MSOLDomainToFederated -domainname domain.com
  • Type Update-MSOLFederatedDomain -domainname domain.com
    • This updates and activates the SSO
  • Exit the Federation Management Tool
  • Launch the ADFS Management console and check the Relying Party Trust to see if Microsoft Federation Gateway was added to the list.
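The federation cmdlets above as a single script that ends with the relying party trust check from the last step. This is an added example, not code from the original post; it assumes the cmdlets named on the page are available in the Identity Federation Management Tool shell, that it runs on the internal federation server where the ADFS 2.0 PowerShell snap-in is installed, and domain.com as the domain being federated.

```powershell
# Added example, not from the original post: the federation cmdlets above as one
# script with a check of the result. Assumes it runs in the Identity Federation
# Management Tool shell on the internal federation server (ADFS 2.0 snap-in present)
# and domain.com as the domain being federated.
param(
    [string]$DomainName = "domain.com",
    [switch]$ExistingDomain    # set this when the domain is already in Office 365
)

# Sign in with an Office 365 admin that is NOT in the domain being converted:
# after conversion, users of that domain can only log on through ADFS, so a
# cloud-only admin is what keeps you able to repair or undo the change.
$cred = Get-Credential
Set-MsolContextCredential -MsolAdminCredentials $cred

if ($ExistingDomain) {
    Convert-MsolDomainToFederated -DomainName $DomainName
} else {
    Add-MsolFederatedDomain -DomainName $DomainName
}
# Pushes the federation settings (endpoint and signing certificate) to Office 365
Update-MsolFederatedDomain -DomainName $DomainName

# Confirm on the ADFS side that the Microsoft Federation Gateway relying party
# trust now exists and is enabled, which is what the management console shows.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
$rp = Get-ADFSRelyingPartyTrust | Where-Object { $_.Name -like "*Federation Gateway*" }
if (-not $rp)         { throw "Relying party trust for Microsoft Federation Gateway was not created" }
if (-not $rp.Enabled) { throw "Relying party trust '$($rp.Name)' exists but is disabled" }
"Domain $DomainName federated; relying party identifiers: $($rp.Identifier -join ', ')"
```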

Install ADFS 2.0 Proxy server

  • Export public certificate from ADFS internal server and copy to proxy server
  • Add a hosts file entry for adfs.domain.com that points to the internal ADFS server
  • Validate from an Internet-connected PC that adfs.domain.com resolves to the external A record
  • Double-click AdfsSetup.exe (this is the ADFS 2.0 download)
  • Click Next on the Welcome Screen and Accept the License Agreement
  • On the Server Role Option screen, select Federation Server Proxy
  • Finish the rest of the wizard; this installs any necessary prerequisites
  • At the end of the wizard, uncheck the box to start the ADFS 2.0 Management snap-in
  • Import certificate in IIS and bind certificate to Default Web Site (adfs.domain.com)
  • Configure ADFS proxy by selecting ADFS 2.0 Federation Server Proxy Configuration Wizard
    • Enter the federation namespace (ex. adfs.domain.com)
    • Click the Test connection button
    • Enter the service account credentials
      • Make sure the service account has the SPN set correctly (details)
    • Finish the Wizard
  • Log into the portal with UPN credentials. Note that once the UPN is entered, the password field is grayed out and a link activates to log in via the ADFS server
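A pre-flight check for the proxy prerequisites listed above (hosts entry, port 443 to the internal server, certificate binding, service account SPN). This is an added example, not code from the original post; it assumes adfs.domain.com as the federation name, 10.0.0.10 as a constructed internal ADFS address, and svc-adfs as a constructed service account name.

```powershell
# Added example, not from the original post: checks the proxy prerequisites
# listed above. Assumes adfs.domain.com as the federation name, 10.0.0.10 as a
# constructed internal ADFS address, and svc-adfs as a constructed service account.
$FederationName = "adfs.domain.com"
$InternalAdfsIp = "10.0.0.10"     # constructed example address
$ServiceAccount = "svc-adfs"      # constructed example name
$problems = @()

# 1. On the proxy the hosts file must win over public DNS: adfs.domain.com has to
#    resolve to the internal federation server here, while an Internet-connected PC
#    must see the external A record (that half is checked from such a PC, not here).
$resolved = [System.Net.Dns]::GetHostAddresses($FederationName) |
    ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $InternalAdfsIp) {
    $problems += "$FederationName resolves to $($resolved -join ',') on the proxy, expected $InternalAdfsIp (check the hosts entry)"
}

# 2. TCP 443 from the proxy to the internal federation server must be open.
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($InternalAdfsIp, 443) }
catch   { $problems += "Port 443 to $InternalAdfsIp is blocked: $($_.Exception.Message)" }
finally { $tcp.Close() }

# 3. The public certificate must be bound to port 443 (the IIS binding on the proxy).
if (-not ((netsh http show sslcert) -match ':443\b')) {
    $problems += "No SSL certificate bound to port 443; bind the imported certificate in IIS"
}

# 4. The ADFS service account needs the HOST/<federation name> SPN. The proxy is
#    not domain-joined, so this part only runs on a domain member with setspn.exe.
if ((Get-Command setspn.exe -ErrorAction SilentlyContinue) -and $env:USERDOMAIN -ne $env:COMPUTERNAME) {
    if (-not ((setspn -L $ServiceAccount) -match "HOST/$([regex]::Escape($FederationName))")) {
        $problems += "HOST/$FederationName SPN is missing on $ServiceAccount"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { "All proxy checks passed" }
```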

Notes / Links

  • To create a smart link (which reduces the number of redirects during login to Office 365)
  • Certificate Requirements for Federation Server Proxies
  • Name Resolution Requirements for Federation Server Proxies
  • Troubleshooting federation server proxy problems with AD FS 2.0