Setting up ADFS with Office 365

ADFS (Active Directory Federation Services) – What is it?
Complete setup details for federated identity access from on-premises AD to Office 365. – Video
The following describes how to connect your on-premises Active Directory server / ADFS server to Microsoft's Office 365. Office 365 is currently still in beta and will only allow a maximum of 25 users to access its services – not sure when it is actually going to be released.
Assumptions:
  • 2 Windows 2008 R2 servers are built and prepared to install ADFS 2.0
  • Internal ADFS server is joined to the domain
  • Proxy ADFS server is not joined to domain and located in perimeter network (aka DMZ)
  • Necessary firewall ports are open from the Internet to ADFS Proxy server (port 443)
  • Necessary firewall ports are open from ADFS Proxy server to internal ADFS server (port 443)
  • External DNS record has been implemented for ADFS (our example will use sts.domain.com)
  • Domain and Forest functional levels need to be at Windows Server 2003 before you can install ADFS

The following steps are used to prepare the environment:

  • Add a UPN suffix to AD and configure it for each user
    • domain.com was used for the UPN suffix in this example
    • UPNs used for identity federation can only contain letters, numbers, periods, dashes and underscores.
    • Open the AD Domains and Trusts tool
    • Right-click AD Domains and Trusts and click Properties
    • On the UPN Suffixes tab, type the alternative UPN suffix for the forest and then click Add
    • Open the user's properties and navigate to the Account tab
    • Select the external namespace UPN for the “User logon name”
  • Create a service account for ADFS – this can be a regular domain user; no special permissions are needed.
  • Add internal ADFS server to AD forest
  • Download ADFS 2.0 (here). During the install process, the following Windows components will be automatically installed:
    • Windows PowerShell
    • .NET Framework 3.5 SP1
    • Internet Information Services (IIS)
    • Windows Identity Foundation
  • Download Microsoft Online Services Identity Federation Management Tool (64-bit)
  • Configure external DNS A record for ADFS Proxy (adfs.domain.com)
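The following PowerShell script is an added example, not part of the original post: it checks the preparation steps above (functional level, registered UPN suffix, and per-user UPNs against the allowed character set) before you start the ADFS install. It assumes a domain-joined server with the ActiveDirectory module available, and $UpnSuffix is a placeholder for the suffix you registered.

```powershell
# Added example (not part of the original post): pre-flight checks for the
# preparation steps above. Run on a domain-joined server with the
# ActiveDirectory module (RSAT on Windows Server 2008 R2).
# $UpnSuffix is an assumption; replace it with the suffix you registered.
Import-Module ActiveDirectory

$UpnSuffix = 'domain.com'

# 1. Forest and domain functional levels must be at least Windows Server 2003.
$forest = Get-ADForest
$domain = Get-ADDomain
"Forest mode: $($forest.ForestMode)   Domain mode: $($domain.DomainMode)"
if ("$($forest.ForestMode)" -eq 'Windows2000Forest' -or "$($domain.DomainMode)" -eq 'Windows2000Domain') {
    Write-Warning 'Functional level is below Windows Server 2003; raise it before installing ADFS 2.0.'
}

# 2. The alternative UPN suffix must be registered on the forest
#    (AD Domains and Trusts > Properties > UPN Suffixes).
if ($forest.UPNSuffixes -notcontains $UpnSuffix) {
    Write-Warning "UPN suffix '$UpnSuffix' is not registered on the forest."
}

# 3. Every enabled user should carry the federated suffix, and the part before
#    the @ may contain only letters, numbers, periods, dashes and underscores.
$problems = foreach ($u in (Get-ADUser -Filter 'Enabled -eq $true')) {
    $upn = $u.UserPrincipalName
    $reason = $null
    if (-not $upn)                                            { $reason = 'no UPN set' }
    elseif ($upn -notlike "*@$UpnSuffix")                     { $reason = 'UPN suffix is not the federated suffix' }
    elseif ($upn.Split('@')[0] -notmatch '^[A-Za-z0-9._-]+$') { $reason = 'UPN contains characters Office 365 rejects' }
    if ($reason) {
        New-Object PSObject -Property @{ User = $u.SamAccountName; UPN = $upn; Problem = $reason }
    }
}
if ($problems) { $problems | Format-Table User, UPN, Problem -AutoSize }
else           { 'All enabled users have a federation-ready UPN.' }
```

Users listed with a problem will fail federated sign-in, so fix their UPNs (Account tab, as described above) before converting the domain.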

Installing and configuring ADFS 2.0 on the internal server:

  • Double-click AdfsSetup.exe (this is the ADFS 2.0 download)
  • Click Next on the Welcome Screen and Accept the License Agreement
  • On the Server Role Option screen, select Federation Server
  • Finish the rest of the wizard; this installs any necessary prerequisites
  • At the end of the wizard, uncheck the box to Start the ADFS 2.0 Management Snap-in
  • Request and provision public certificate through Entrust
  • Bind certificate to IIS on port 443 (remove binding for port 80)
  • Configure ADFS utilizing ADFS 2.0 Management
  • Select ADFS 2.0 Federation Server Configuration Wizard
  • Select Create a new Federation Service
  • Select New Federation server farm (during the POC we did a Stand-alone configuration to prevent the need to add a container to the production AD for certificate sharing in the farm)
  • Select the public certificate and validate the Federation Service name. The name is filled in automatically from the certificate's Subject Name. (adfs.domain.com was the federation name)
  • Finish the Wizard
  • Run Office 365 Desktop Setup from the Office 365 portal. Unselect all tools (Outlook, SharePoint, & Lync) so that only the Microsoft Online Connector is installed.
  • Install the Identity Federation Management Tool (FederationConfig.msi, use the default install parameters)
    • The tool can also be installed and run on a workstation, but remote administration of the internal server must be enabled and configured to trust that workstation.

Enable Identity Federation within Office 365 portal

  • Launch the Identity Federation Management Tool
  • Type $cred = Get-Credential and press Enter
    • Note: It's a really good idea to set up an admin account that is not part of the domain you are converting to SSO
  • Enter your Microsoft Online Services administrator logon and password and click OK
    • Use the admin account that is NOT a member of the domain being converted
  • Type Set-MSOLContextCredential –msolAdminCredentials $cred and press Enter
    • This logs you into the Online Services
  • For a new domain – type Add-MSOLFederatedDomain –domainname domain.com
  • For an existing domain – type Convert-MSOLDomainToFederated –domainname domain.com
  • Type Update-MSOLFederatedDomain –domainname domain.com
    • This updates and activates the SSO
  • Exit the Federation Management Tool
  • Launch the ADFS Management console and check the Relying Party Trust to see if Microsoft Federation Gateway was added to the list.

Install the ADFS 2.0 proxy server

  • Export the public certificate from the internal ADFS server and copy it to the proxy server
  • Add a HOSTS file entry for adfs.domain.com that points to the internal ADFS server
  • From an Internet-connected PC, validate that adfs.domain.com resolves to the external A record
  • Double-click AdfsSetup.exe (this is the ADFS 2.0 download)
  • Click Next on the Welcome Screen and Accept the License Agreement
  • On the Server Role Option screen, select Federation Server Proxy
  • Finish the rest of the wizard; this installs any necessary prerequisites
  • At the end of the wizard, uncheck the box to Start the ADFS 2.0 Management Snap-in
  • Import certificate in IIS and bind certificate to Default Web Site (adfs.domain.com)
  • Configure ADFS proxy by selecting ADFS 2.0 Federation Server Proxy Configuration Wizard
    • Enter the federation namespace (ex. adfs.domain.com)
    • Click the Test connection button
    • Enter the service account credentials
      • Make sure the service account has the SPN set correctly (details)
    • Finish the Wizard
  • Log into the portal with UPN credentials. Note that once the UPN is entered, the password field is grayed out and a link activates to log in via the ADFS server
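As an added example, not from the original post, the script below verifies the three things the proxy wizard's Test connection step depends on: that the federation name resolves as intended, that port 443 presents a certificate for that name, and that the service account carries the HOST SPN. It assumes it is run from the internal, domain-joined ADFS server (so setspn.exe works); $FederationName and $ServiceAccount are placeholders.

```powershell
# Added example (not part of the original post): checks for the proxy
# prerequisites above. Run from the internal, domain-joined ADFS server.
# $FederationName and $ServiceAccount are assumptions; adjust them.
$FederationName = 'adfs.domain.com'
$ServiceAccount = 'DOMAIN\svc-adfs'   # assumed name of the ADFS service account

# 1. Name resolution. On the proxy this should be the internal ADFS server
#    (via the HOSTS entry); from the Internet it should be the external A record.
$addrs = [System.Net.Dns]::GetHostAddresses($FederationName) | ForEach-Object { $_.IPAddressToString }
"$FederationName resolves to: $($addrs -join ', ')"

# 2. Port 443 must answer and present a certificate whose subject matches the
#    federation service name and that chains to a trusted root.
$client = New-Object System.Net.Sockets.TcpClient
$client.Connect($FederationName, 443)
$acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]  # we inspect the cert ourselves below
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($FederationName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"Certificate subject: $($cert.Subject)   expires: $($cert.NotAfter)   chain trusted: $($cert.Verify())"
if ($cert.Subject -notmatch [regex]::Escape("CN=$FederationName")) {
    Write-Warning "Certificate subject does not match $FederationName; re-check the IIS 443 binding."
}
$ssl.Dispose(); $client.Close()

# 3. The service account must hold the HOST/<federation name> SPN.
$spns = & setspn.exe -L $ServiceAccount
$wanted = "^\s*HOST/$([regex]::Escape($FederationName))\s*$"
if (-not ($spns -match $wanted)) {
    Write-Warning "HOST/$FederationName is not registered on $ServiceAccount; register it with: setspn -S HOST/$FederationName $ServiceAccount"
} else {
    "SPN HOST/$FederationName is registered on $ServiceAccount."
}
```

Run the same script on the proxy with step 3 removed to confirm the HOSTS entry sends it to the internal server rather than back out to the public A record.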

Notes / Links

  • To create a smart link (which reduces the number of redirects during login to Office 365) – Click here for details
  • Certificate Requirements for Federation Server Proxies – Click here for details
  • Name Resolution Requirements for Federation Server Proxies – Click here for details
  • Troubleshooting federation server proxy problems with AD FS 2.0 – Click here for details

2 comments on “Setting up ADFS with Office 365”

  1. Just a question here.

    We have 2 DCs running Server 2003 (not R2) and we are moving to Office 365.

    Can ADFS run on a Server 2008 R2 server within our domain (Native 2003 functional level)?

    Or do we need to go to 2008 first?

  2. Hi, sorry for the late response, but as long as the forest functional level is Windows Server 2003, you will be able to run ADFS on a Server 2008 R2 box.
    I hope it goes well for you. Once again, sorry for the late response.
