June | 2011 | Malcolm Plested IT Blogs

2 Windows 2008 R2 servers are built and prepared to install ADFS 2.0
Internal ADFS server is joined to the domain
Proxy ADFS server is not joined to domain and located in perimeter network (aka DMZ)
Necessary firewall ports are open from the Internet to ADFS Proxy server (port 443)
Necessary firewall ports are open from ADFS Proxy server to internal ADFS server (port 443)
External DNS record has been implemented for ADFS (our example will use sts.domain.com)
Domain and Forest functional levels need to be at Windows Server 2003 before you can install ADFS

The following steps are used to prepare the environment:

Add UPN Suffix to AD and configure for each user
- domain.com was used for the UPN in this example
UPNs used for identity federation can only contain letters, numbers, periods, dashes and underscores.
Open AD Domains and Trusts tool
Right-click AD Domains and Trusts and click Properties
On the UPN suffixes tab, type the alternative UPN suffix for the forest and then click Add
Open user properties, navigate to Account Tab.
Select the external namespace UPN for the “User logon name”
Create service account for ADFS – this can be a regular Domain User, no special permissions needed.
Add internal ADFS server to AD forest
Download ADFS 2.0 (here). During the install process, the following Windows components will be automatically installed:
- Windows PowerShell
- .NET Framework 3.5 SP1
- Internet Information Services (IIS)
- Windows Identity Foundation
Download Microsoft Online Services Identity Federation Management Tool (64-bit)
Configure external DNS A record for ADFS Proxy (adfs.domain.com)

Installing and configure ADFS 2.0 on internal server:

Double-click AdfsSetup.exe (this is the ADFS 2.0 download)
Click Next on the Welcome Screen and Accept the License Agreement
On the Server Role Option screen, select Federation Server
Finish the rest of the wizard, this will install any necessary prerequisites
At the end of the wizard, uncheck box to Start the ADFS 2.0 Management Snap-in
Request and provision public certificate through Entrust
Bind certificate to IIS on port 443 (remove binding for port 80)
Configure ADFS utilizing ADFS 2.0 Management
Select ADFS 2.0 Federation Server Configuration Wizard
Select Create a new Federation Service
Select New Federation server farm (during the POC we did a Stand-alone configuration to prevent the need to add a container to the production AD for certificate sharing in the farm)
Select the public certificate and validate the Federation Service name. This will automatically fill in the name on the certificate Subject Name. (adfs.domain.com was the federation name)
Finish the Wizard
Run Office 365 Desktop Setup from the Office 365 portal. Unselect all tools (Outlook, Sharepoint, & Lync) to install the Microsoft Online Connector.
Install Identity Federation Management Tool (FederationConfig.msi, use default install parameters)
- The tool could be installed and run on a workstation, but the remote administration for the internal server needs to be activated and configured to trust the workstation.

Enable Identity Federation within Office 365 portal

Launch the Identity Federation Management Tool
Type $cred=Get-Credential and press Enter
- Note: It’s a really good idea to setup an admin account that is not part of the domain you are converting to SSO
Enter you Microsoft Online Services administrator logon and password and click ok
- Use the admin account the is NOT a member of the domain being converted
Type Set-MSOLContextcredential –msolAdminCredentials $cred and press enter
- This logs you into the Online Services
For a new domain – Type Add-MSOLFederatedDomain –domainname domain.com
For existing domain – Type Convert-MSOLDomainToFederated –domainname domain.com
Type Update-MSOLFederatedDomain –domainname domain.com
- This updates and activates the SSO
Exit the Federation Management Tool
Launch the ADFS Management console and check the Relying Party Trust to see if Microsoft Federation Gateway was added to the list.

Install ADFS 2.0 Proxy server

Export public certificate from ADFS internal server and copy to proxy server
Add a HOST file entry for adfs.domain.com to point to the internal ADFS server
Validate DNS resolution of adfs.domain.com resolves to external A record from an internet connected PC
Double-click AdfsSetup.exe (this is the ADFS 2.0 download)
Click Next on the Welcome Screen and Accept the License Agreement
On the Server Role Option screen, select Federation Server Proxy
Finish the rest of the wizard, this will install any necessary prerequisites
At the end of the wizard, uncheck box to Start the ADFS 2.0 Management Snap-in
Import certificate in IIS and bind certificate to Default Web Site (adfs.domain.com)
Configure ADFS proxy by selecting ADFS 2.0 Federation Server Proxy Configuration Wizard

Enter the federation namespace (ex. adfs.domain.com)
Click the Test connection button
Enter the service account credentials
- Make sure the service account has the SPN set correctly (details)
Finish the Wizard

Log into portal with UPN credentials. Note that once the UPN login is entered, the password field is grayed out and a link activates to log into the ADFS server

Notes / Links

To create a smart link (which reduces the number of redirects during login to Office 365) – Click here for details
Certificate Requirements for Federation Server Proxies – Click here for details
Name Resolution Requirements for Federation Server Proxies – Click here for details
Troubleshooting federation server proxy problems with AD FS 2.0 – Click here for details

	Richard C. Lambert on New OWA for iPhone and OWA for…
	michel jon on Exchange 2010/2007 to 2013 Mig…
	Tom Brown on PowerShell Script to List Acti…
	Victor Benz on Exporting and Importing site,…
	Mr WordPress on Hello world!

Malcolm Plested IT Blogs