ADFS (Active Directory Federation Services) – What is it?
Complete setup details for federated identity access from on-premise AD to Office 365. – Video
The following is how to connect your on-premise Active Directory server / ADFS server to Microsoft’s Office 365. Office 365 is still currently in Beta and will only allow a maximum of 25 users to access its services – not sure when it is actually going to be released.
Assumptions:
- 2 Windows 2008 R2 servers are built and prepared to install ADFS 2.0
- Internal ADFS server is joined to the domain
- Proxy ADFS server is not joined to domain and located in perimeter network (aka DMZ)
- Necessary firewall ports are open from the Internet to ADFS Proxy server (port 443)
- Necessary firewall ports are open from ADFS Proxy server to internal ADFS server (port 443)
- External DNS record has been implemented for ADFS (our example will use sts.domain.com)
- Domain and Forest functional levels need to be at Windows Server 2003 before you can install ADFS
The following steps are used to prepare the environment:
- Add UPN suffix to AD and configure it for each user
  - domain.com was used for the UPN in this example
  - UPNs used for identity federation can only contain letters, numbers, periods, dashes and underscores.
  - Open the AD Domains and Trusts tool
  - Right-click AD Domains and Trusts and click Properties
  - On the UPN Suffixes tab, type the alternative UPN suffix for the forest and then click Add
  - Open the user’s properties and navigate to the Account tab.
  - Select the external namespace UPN for the “User logon name”
- Create service account for ADFS – this can be a regular Domain User, no special permissions needed.
- Add internal ADFS server to AD forest
- Download ADFS 2.0 (here). During the install process, the following Windows components will be installed automatically:
  - Windows PowerShell
  - .NET Framework 3.5 SP1
  - Internet Information Services (IIS)
  - Windows Identity Foundation
- Download Microsoft Online Services Identity Federation Management Tool (64-bit)
- Configure external DNS A record for ADFS Proxy (adfs.domain.com)
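The UPN preparation steps above can be done in bulk rather than per user. The script below is an added example (not from the original post): it adds the alternative UPN suffix to the forest and sets each user’s UPN to that suffix, refusing any logon name that breaks the character rule for federated UPNs. It assumes the Active Directory PowerShell module (RSAT on Windows Server 2008 R2); domain.com and the OU path are placeholders for your own values.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory module;
# $Suffix and $SearchBase are placeholders for your own environment.
Import-Module ActiveDirectory

$Suffix     = 'domain.com'                     # placeholder external UPN namespace
$SearchBase = 'OU=Users,DC=corp,DC=local'      # placeholder OU holding the users to convert

# Step 1: add the alternative UPN suffix to the forest (the Domains and Trusts GUI step)
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $Suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $Suffix}
    Write-Output "Added UPN suffix $Suffix to the forest"
}

# Step 2: set each user's logon name to <prefix>@<suffix>.
# Federated UPNs may only contain letters, numbers, periods, dashes and underscores,
# so any logon name outside that set is reported and left untouched.
$AllowedPrefix = '^[A-Za-z0-9._-]+$'

Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName |
    ForEach-Object {
        $prefix = $_.SamAccountName
        if ($prefix -notmatch $AllowedPrefix) {
            Write-Warning "$($_.DistinguishedName): logon name '$prefix' has characters not allowed in a federated UPN; fix it by hand"
            return   # skip this user and continue with the next one
        }
        $newUpn = "$prefix@$Suffix"
        if ($_.UserPrincipalName -ne $newUpn) {
            Set-ADUser -Identity $_ -UserPrincipalName $newUpn
            Write-Output "Set UPN for $($_.SamAccountName) to $newUpn"
        }
    }
```

Run it from an account with rights to modify the forest (for the suffix) and the users in the OU; the warnings list exactly the accounts that would fail federation later, which is cheaper to find now than after the domain is converted.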
Installing and configure ADFS 2.0 on internal server:
- Double-click AdfsSetup.exe (this is the ADFS 2.0 download)
- Click Next on the Welcome Screen and Accept the License Agreement
- On the Server Role Option screen, select Federation Server
- Finish the rest of the wizard, this will install any necessary prerequisites
- At the end of the wizard, uncheck box to Start the ADFS 2.0 Management Snap-in
- Request and provision public certificate through Entrust
- Bind certificate to IIS on port 443 (remove binding for port 80)
- Configure ADFS utilizing ADFS 2.0 Management
- Select ADFS 2.0 Federation Server Configuration Wizard
- Select Create a new Federation Service
- Select New Federation server farm (during the POC we did a Stand-alone configuration to prevent the need to add a container to the production AD for certificate sharing in the farm)
- Select the public certificate and validate the Federation Service name. This will automatically fill in the name on the certificate Subject Name. (adfs.domain.com was the federation name)
- Finish the Wizard
- Run Office 365 Desktop Setup from the Office 365 portal. Unselect all tools (Outlook, Sharepoint, & Lync) to install the Microsoft Online Connector.
- Install Identity Federation Management Tool (FederationConfig.msi, use default install parameters)
- The tool could be installed and run on a workstation, but the remote administration for the internal server needs to be activated and configured to trust the workstation.
Enable Identity Federation within Office 365 portal
- Launch the Identity Federation Management Tool
- Type $cred=Get-Credential and press Enter
  - Note: it’s a really good idea to set up an admin account that is not part of the domain you are converting to SSO
- Enter your Microsoft Online Services administrator logon and password and click OK
  - Use the admin account that is NOT a member of the domain being converted
- Type Set-MSOLContextCredential -MsolAdminCredentials $cred and press Enter
  - This logs you into the Online Services
- For a new domain, type Add-MSOLFederatedDomain -DomainName domain.com
- For an existing domain, type Convert-MSOLDomainToFederated -DomainName domain.com
- Type Update-MSOLFederatedDomain -DomainName domain.com
  - This updates and activates the SSO
- Exit the Federation Management Tool
- Launch the ADFS Management console and check the Relying Party Trust to see if Microsoft Federation Gateway was added to the list.
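The portal steps above, as one script. This is an added example, not the post’s own procedure: it uses the same Identity Federation Management Tool cmdlets, adds a guard that the admin credential is not in the domain being converted (once the domain is federated, sign-in for that domain goes through ADFS, which is exactly what is being changed), and finishes with the Relying Party Trust check via the ADFS 2.0 PowerShell snap-in instead of the console. $Domain and $IsNewDomain are placeholders; run it on the internal ADFS server.

```powershell
# Added example, not from the original post. Run in the Identity Federation Management
# Tool shell on the internal ADFS server. $Domain and $IsNewDomain are placeholders.
$Domain      = 'domain.com'
$IsNewDomain = $false    # $true = Add-MSOLFederatedDomain, $false = Convert-MSOLDomainToFederated

$cred = Get-Credential   # Microsoft Online Services administrator

# Guard: the admin account must NOT belong to the domain being converted.
$adminDomain = ($cred.UserName -split '@')[-1]
if ($adminDomain -ieq $Domain) {
    throw "Admin account '$($cred.UserName)' is in $Domain; use an administrator outside the domain being converted."
}

Set-MSOLContextCredential -MsolAdminCredentials $cred

if ($IsNewDomain) {
    Add-MSOLFederatedDomain -DomainName $Domain
} else {
    Convert-MSOLDomainToFederated -DomainName $Domain
}
Update-MSOLFederatedDomain -DomainName $Domain

# Verify: the Microsoft Federation Gateway relying party trust should now exist.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
$rpt = Get-ADFSRelyingPartyTrust | Where-Object { $_.Name -like '*Federation Gateway*' }
if ($rpt) {
    Write-Output "Relying Party Trust present: $($rpt.Name) (enabled: $($rpt.Enabled))"
} else {
    Write-Warning 'Microsoft Federation Gateway relying party trust not found; federation did not complete'
}
```

Keep the admin credential out of the domain in a second way too: the $cred object lives only for this session, so do not write it to disk or a transcript.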
Install ADFS 2.0 Proxy server
- Export public certificate from ADFS internal server and copy to proxy server
- Add a hosts file entry for adfs.domain.com that points to the internal ADFS server
- Validate DNS resolution of adfs.domain.com resolves to external A record from an internet connected PC
- Double-click AdfsSetup.exe (this is the ADFS 2.0 download)
- Click Next on the Welcome Screen and Accept the License Agreement
- On the Server Role Option screen, select Federation Server Proxy
- Finish the rest of the wizard, this will install any necessary prerequisites
- At the end of the wizard, uncheck box to Start the ADFS 2.0 Management Snap-in
- Import certificate in IIS and bind certificate to Default Web Site (adfs.domain.com)
- Configure ADFS proxy by selecting ADFS 2.0 Federation Server Proxy Configuration Wizard
- Enter the federation namespace (ex. adfs.domain.com)
- Click the Test connection button
- Enter the service account credentials
- Make sure the service account has the SPN set correctly (details)
- Finish the Wizard
- Log into the portal with UPN credentials. Note that once the UPN login is entered, the password field is grayed out and a link activates to log into the ADFS server
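Most proxy wizard failures come down to the three prerequisites listed above: the hosts entry, port 443 to the internal server, and the service account SPN. The following pre-flight check is an added example, not part of the original post. The first part runs on the proxy server (not domain-joined) and reports the hosts entry, whether 443 to the internal federation server is open, and which certificate the internal server presents; the SPN part runs on the internal ADFS server, where setspn.exe can reach the domain. adfs.domain.com and the service account name are placeholders.

```powershell
# Added example, not from the original post. $FederationName and $ServiceAccount are placeholders.
$FederationName = 'adfs.domain.com'
$ServiceAccount = 'CORP\svc-adfs'     # placeholder ADFS service account

# --- Run on the ADFS proxy server ---

# 1. The hosts entry must send the federation name to the INTERNAL server,
#    not back to the proxy's own public address.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsLine = Get-Content $hostsPath |
    Where-Object { $_ -match "^\s*\d+\.\d+\.\d+\.\d+\s+$([regex]::Escape($FederationName))(\s|$)" }
if ($hostsLine) { Write-Output "hosts entry: $hostsLine" }
else            { Write-Warning "No hosts entry for $FederationName on the proxy" }

# 2. TCP 443 from the proxy to the internal federation server must be open.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($FederationName, 443)
    Write-Output "TCP 443 to $($FederationName): open"

    # 3. Read the certificate the internal server presents. The callback accepts any
    #    certificate only so it can be inspected here; the name check is done explicitly below.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($FederationName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Output "Certificate subject: $($cert.Subject), expires $($cert.NotAfter)"
    if ($cert.Subject -notmatch [regex]::Escape("CN=$FederationName")) {
        Write-Warning "Certificate CN does not match $FederationName; the proxy trust will fail"
    }
    $ssl.Close()
} catch {
    Write-Warning "Cannot complete TLS to $($FederationName):443 - $($_.Exception.Message)"
} finally {
    $client.Close()
}

# --- Run on the internal (domain-joined) ADFS server ---

# 4. ADFS 2.0 needs the HOST/<federation name> SPN on the service account; a missing
#    or duplicate SPN is a common reason the proxy wizard cannot authenticate.
$spnQuery = & setspn.exe -Q "HOST/$FederationName" 2>&1
Write-Output ($spnQuery -join "`n")
if ($spnQuery -match 'No such SPN found') {
    Write-Warning "SPN HOST/$FederationName is not registered; register it with: setspn -S HOST/$FederationName $ServiceAccount"
}
```

setspn -S (rather than -A) refuses to add the SPN if it already exists on another account, which is what you want: a duplicate SPN silently breaks Kerberos for both accounts.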
Notes / Links
- To create a smart link (which reduces the number of redirects during login to Office 365) – Click here for details
- Certificate Requirements for Federation Server Proxies – Click here for details
- Name Resolution Requirements for Federation Server Proxies – Click here for details
- Troubleshooting federation server proxy problems with AD FS 2.0 – Click here for details