Setup AD Federation Services with Office 365

ADFS

I have been meaning to post this up for some time now but just have not got around to it. With the new version of Office 365 going live, and the fact that we are now seeing quite a few organizations adopting Microsoft Cloud Services with SSO, I thought this would be an ideal time to post this up.

At the moment, if you require Single Sign-On with Office 365 the only way of doing this is by using Active Directory Federation Services, although in the near future Microsoft will be announcing other ways for you to do this without the requirement for AD FS. I will cover that at a later date ;)

If you activate Active Directory Federation Services within your Office 365 Tenancy it is recommended that you keep at least 1 account using your tenancy.onmicrosoft.com domain, so that if your AD FS Service should fail you still have the ability to authenticate and sign in to your tenancy.

So, make sure that you have verified your private domain in your Office 365 Tenancy and then set up a sub-domain which will act as your AD FS accessible domain. The sub-domain that will be published for AD FS does not really have to be in the same domain you are using within Office 365, so if you have long wait times for DNS changes you may wish to use a domain whose DNS management you control.

  • Create a new A Record for adfs.domain.tld in internal DNS pointing to the Internal IP of the NLB Cluster or of the single ADFS Server
  • Create a new A Record for adfs.domain.tld in public DNS pointing to the Public IP that you have assigned for ADFS Traffic.

Ensure the Firewall Rule points to the Internal IP of the NLB Cluster Address of your ADFS Server, or of the Proxy Server if you have chosen to use an AD FS Proxy.

Install Microsoft Online Services Tools

Add UPN Suffix to Active Directory & Configure User

UPNs used for identity federation can only contain letters, numbers, periods, dashes and underscores.

  • Open AD Domains and Trusts tool
  • Right-click AD Domains and Trusts and click Properties
  • On the UPN suffixes tab, type the alternative UPN suffix for the forest and then click Add
  • Open user properties, navigate to Account Tab.
  • Select the external namespace UPN for the “User logon name”
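The same suffix and user changes can be scripted so that every new logon name is checked against the characters federation accepts before it is written to the account. This is an added example and not part of the original post; it assumes the ActiveDirectory module (RSAT) is installed and that you have rights to change forest settings and user accounts, and 'domain.tld' and the OU path are placeholders for your own values.

```powershell
# Added example (not from the original post): add a routable UPN suffix to the
# forest and move the users in one OU onto it, validating each new UPN against
# the characters Office 365 federation accepts (letters, numbers, periods,
# dashes and underscores). 'domain.tld' and the OU are placeholders.
Import-Module ActiveDirectory

$NewSuffix = 'domain.tld'                 # placeholder: your verified public domain
$Scope     = 'OU=Users,DC=corp,DC=local'  # placeholder: OU holding the users to federate

# Local part may only use the characters federation allows; suffix must be a DNS name.
$UpnPattern = '^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$'

function Test-FederationUpn {
    param([Parameter(Mandatory)][string]$Upn)
    return $Upn -match $UpnPattern
}

# 1. Register the suffix at forest level (same effect as the AD Domains and Trusts dialog).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $NewSuffix }
    Write-Host "Added UPN suffix $NewSuffix to forest $($forest.Name)"
}

# 2. Rewrite each user's UPN to sAMAccountName@<suffix>, skipping anything that
#    would not survive federation rather than silently creating a broken logon name.
$report = foreach ($user in Get-ADUser -SearchBase $Scope -Filter * -Properties UserPrincipalName) {
    $newUpn = '{0}@{1}' -f $user.SamAccountName, $NewSuffix
    if (-not (Test-FederationUpn $newUpn)) {
        [pscustomobject]@{ User = $user.SamAccountName; Old = $user.UserPrincipalName; New = $newUpn; Result = 'SKIPPED: invalid characters' }
        continue
    }
    if ($user.UserPrincipalName -ne $newUpn) {
        Set-ADUser -Identity $user -UserPrincipalName $newUpn
    }
    [pscustomobject]@{ User = $user.SamAccountName; Old = $user.UserPrincipalName; New = $newUpn; Result = 'OK' }
}
$report | Format-Table -AutoSize
```

Run it once against a test OU first; the report shows the old and new UPN for every account so you can confirm the change before the next Directory Sync picks it up.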

Simple Topology (diagram: ADFS_Drawing): for HA please add multiple AD FS / Proxy Servers and use a Network Load Balancer (NLB).

Note: for Site DR you can add a READ-ONLY ADFS Server within your Secondary Data Center.

Install AD FS Primary Server

Note: You will only need to generate a new CSR for a Public CA Certificate if you don't already have a certificate with your AD FS Federation Domain added as a Subject Alternative Name.

  • Download AD FS 2.0 from: https://www.microsoft.com/en-us/download/details.aspx?id=10909
  • The AD FS Installation will install the AD FS Pre-Reqs (Windows PowerShell, .NET Framework 3.5 SP1, Internet Information Services (IIS) & Windows Identity Foundation).
  • Generate SSL Certificate for adfs.domain.tld
  • Submit Request to Public CA (GoDaddy)
  • Import CA Response to complete certificate request
  • Export Certificate & Private Key for Backup & Other Servers
  • Launch AD FS Management Snap-In
  • Launch AD FS 2.0 Configuration Wizard
  • Create a New Federation Service
  • Select Single Server or Farm
  • Enter Federation Server Name
  • Service Account Credentials
  • Launch Active Directory Users and Computers
  • Create a New AD Account to be used as AD FS Service Account (General User, No Special Permissions)
  • Complete ADFS Installation

Add Secondary Server to ADFS Farm (Ignore if you're using a standalone server)

  • Import SSL Certificate *PFX* into Local Certificate Store
  • Download AD FS 2.0 from: https://www.microsoft.com/en-us/download/details.aspx?id=10909
  • Launch AD FS Snap-In once installation of ADFS is complete
  • Launch AD FS 2.0 Configuration Wizard
  • Connect to Existing Farm
  • Type in Server Address of Primary ADFS Server
  • Type in Service Account Details for ADFS
  • Complete ADFS Configuration

Add an AD FS Proxy Server

  • Import SSL Certificate *PFX* into Local Certificate Store
  • Download AD FS 2.0 from: https://www.microsoft.com/en-us/download/details.aspx?id=10909
  • Select Federation Server Proxy
  • Launch AD FS Snap-In once installation of ADFS is complete
  • Launch AD FS 2.0 Configuration Wizard
  • Enter Federation Service Name (Test Connection)
  • Type in the Service Account Details for AD FS
  • Complete AD FS Configuration

Install Required Hotfix for Multiple Domains

Download Hotfix KB2607496 from https://support.microsoft.com/kb/2607496. (If you see the error HR=8004789A in the source code of the page when signing into Online Services, then you will know that this Hotfix is required.)

Publish AD FS using ISA/TMG

  • ISA/TMG- Add a new Firewall Policy, choose the Publish Web Sites Task.
  • Name the Rule, I call mine ADFS, click Next
  • Accept Defaults, Click Next on the following 3 screens
  • You should be on the Internal Publishing Rule Wizard Page, you need to type in the internal site name for your ADFS system, for example adfs.company.com. Then if applicable, check the box below and type in a resolvable name or IP address in the bottom section. Click Next.
  • For Path use /* and check the box for Forward the Original Host Header, click Next.
  • For Public Name Details, use adfs.company.com (or whatever you use for your ADFS system name), click Next.
  • Click the drop down box and use the web listener you set up for Exchange in the previous sections. Click Next.
  • Authentication Delegation, Choose No Delegation but client may authenticate directly. Click Next.
  • Ensure the rule applies to All Users in the User Sets dialog box, click Next.
  • Click Finish.
  • Right click your new ADFS rule and choose Configure HTTP. On the General Tab, you will uncheck both the Verify Normalization and Block high bit characters boxes in the URL protection section.
  • Right Click your ADFS rule, choose Properties and select the To Tab. Check the Forward the original host header box (if it isn't checked, it should be, but this is a step people normally miss in the publishing wizard.) click apply.
  • Select the Link Translation Tab, Uncheck the Apply Link translation to this rule. Click Apply, then OK.
  • Go back into properties and choose Test Rule, you should get a successful test.

Verify ADFS is working correctly (these should show various XML information):

  • https://adfs.domain.tld/adfs/fs/federationserverservice.asmx
  • https://adfs.domain.tld/adfs/services/trust/mex
  • https://adfs.domain.tld/FederationMetadata/2007-06/FederationMetadata.xml
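Opening the three URLs in a browser only tells you that something answered. The script below, an added example that is not part of the original post, fetches each endpoint the way Office 365 will and then reads the federation metadata itself, checking that the entityID belongs to your federation host and that the token-signing certificate is not expired or about to expire. 'adfs.domain.tld' is a placeholder for your federation service name.

```powershell
# Added example (not from the original post): confirm the three AD FS endpoints
# answer over HTTPS, then parse the federation metadata the way Office 365 will
# consume it. 'adfs.domain.tld' is a placeholder for your federation service name.
$FederationHost = 'adfs.domain.tld'

$Endpoints = @(
    "https://$FederationHost/adfs/fs/federationserverservice.asmx",
    "https://$FederationHost/adfs/services/trust/mex",
    "https://$FederationHost/FederationMetadata/2007-06/FederationMetadata.xml"
)

# 1. Every endpoint must return HTTP 200 with an XML body; a certificate or
#    publishing-rule problem shows up here as a TLS error or a 4xx/5xx status.
foreach ($url in $Endpoints) {
    try {
        $resp  = Invoke-WebRequest -Uri $url -UseBasicParsing
        $isXml = $resp.Content.TrimStart().StartsWith('<')
        $tag   = if ($isXml) { 'OK  ' } else { 'WARN' }
        Write-Host ("{0} {1} status={2} xml={3}" -f $tag, $url, $resp.StatusCode, $isXml)
    } catch {
        Write-Warning ("FAIL {0}: {1}" -f $url, $_.Exception.Message)
    }
}

# 2. Inspect the metadata document: the entityID must be issued for this host, and
#    the token-signing certificate must be valid, otherwise Update-MsolFederatedDomain
#    will publish the wrong issuer or an expiring certificate to Office 365.
[xml]$metadata = (Invoke-WebRequest -Uri $Endpoints[2] -UseBasicParsing).Content
$entityId = $metadata.EntityDescriptor.entityID
if (([uri]$entityId).Host -ne $FederationHost) {
    Write-Warning "entityID '$entityId' does not match federation host $FederationHost"
} else {
    Write-Host "entityID: $entityId"
}

# The same signing certificate is listed under several role descriptors; report each thumbprint once.
$signingNodes = $metadata.SelectNodes(
    "//*[local-name()='KeyDescriptor' and @use='signing']//*[local-name()='X509Certificate']")
$certs = foreach ($node in $signingNodes) {
    $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
}
foreach ($cert in ($certs | Sort-Object -Property Thumbprint -Unique)) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $state = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt 30) { 'EXPIRES SOON' } else { 'OK' }
    Write-Host ("Token-signing cert {0} thumbprint={1} notAfter={2:yyyy-MM-dd} ({3})" -f `
        $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $state)
}
```

Run it from a machine outside your network as well as inside: the external run goes through the ISA/TMG rule and the proxy, so a failure there with a pass inside points at the publishing rule rather than AD FS.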

Convert Existing Office 365 Domain to Federated Domain & Update Meta Data

  • Launch MOSM Powershell Console
  • Type: $Cred = Get-Credential (then type in your admin credentials for Office 365, e.g. administrator@tenancy.onmicrosoft.com)
  • Type: $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection
  • Type: Import-PSSession $Session
  • Type: Import-Module MSOnline
  • Type: Connect-MsolService -Credential $Cred
  • Run: Convert-MSOLDomainToFederated -DomainName domain.com -SupportMultipleDomain
  • Run: Update-MSOLFederatedDomain -DomainName domain.com
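Because converting a domain to federated makes every user on that domain depend on AD FS, it is worth wrapping the two cmdlets in a couple of checks. The script below is an added example and not part of the original post: it refuses to convert unless a Global Administrator still exists on the .onmicrosoft.com domain (the fall-back account mentioned at the top), confirms the domain is verified and not already federated, and finishes by comparing the settings AD FS holds with what Office 365 has recorded. It assumes the MSOnline module, an existing Connect-MsolService session, and that it runs on the primary AD FS server; 'domain.com' is a placeholder.

```powershell
# Added example (not from the original post): convert a verified Office 365 domain
# to federated only after checking the tenant keeps a cloud-only Global Administrator
# on the .onmicrosoft.com domain, then compare the AD FS and Office 365 views of the
# federation settings. Assumes Connect-MsolService has already been run.
Import-Module MSOnline
$Domain = 'domain.com'   # placeholder: the verified domain to federate

# 1. Fall-back check: at least one Global Administrator must remain on *.onmicrosoft.com,
#    otherwise an AD FS outage locks every admin out of the tenancy.
$adminRole   = Get-MsolRole -RoleName 'Company Administrator'   # MSOnline's name for Global Administrator
$cloudAdmins = Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId |
    Where-Object { $_.EmailAddress -like '*.onmicrosoft.com' }
if (-not $cloudAdmins) {
    throw "No Global Administrator on the .onmicrosoft.com domain; create one before federating $Domain."
}
Write-Host ("Cloud-only admins present: {0}" -f (($cloudAdmins | ForEach-Object EmailAddress) -join ', '))

# 2. The domain must be verified and still managed (not already federated).
$dom = Get-MsolDomain -DomainName $Domain
if ($dom.Status -ne 'Verified') {
    throw "$Domain is not verified in the tenant (status: $($dom.Status))"
}
if ($dom.Authentication -eq 'Federated') {
    Write-Host "$Domain is already federated; skipping conversion"
} else {
    # -SupportMultipleDomain is required when more than one domain will be
    # federated through the same AD FS farm (see the KB2607496 hotfix above).
    Convert-MsolDomainToFederated -DomainName $Domain -SupportMultipleDomain
}

# 3. Push the current AD FS metadata (token-signing cert, endpoints) to Office 365.
Update-MsolFederatedDomain -DomainName $Domain -SupportMultipleDomain

# 4. Compare the AD FS-side and Office 365-side settings; a difference between the
#    two rows means a stale certificate or a wrong endpoint was published.
Get-MsolFederationProperty -DomainName $Domain |
    Format-List Source, FederationServiceIdentifier, TokenSigningCertificate, PassiveLogOnUri
```

Get-MsolFederationProperty returns one object sourced from AD FS and one from Office 365; the TokenSigningCertificate and PassiveLogOnUri values should match exactly, and re-running Update-MsolFederatedDomain is the fix when they do not (for example after a token-signing certificate rollover).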

Verify SSO works with User Accounts for Federation Services

If you have made the changes to your users' UPNs before a scheduled Directory Sync has taken place, then wait for the sync to complete before testing SSO, or force a Directory Sync by logging on to your DirSync Server, navigating to C:\Program Files\Microsoft Online Directory Sync and launching the configuration shell by typing in .\DirSyncConfigShell.psc1

Once the configuration shell has launched, type in the following command: Start-OnlineCoexistenceSync

When the Directory Sync has completed, log on to the Microsoft Online Portal and ensure that the user account ID has now changed from the .onmicrosoft.com account to the federated domain, then log on to portal.microsoftonline.com with a federated user to test Single Sign On (SSO).
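Checking accounts one at a time in the portal does not scale, so the added example below (not part of the original post) reports every user that is not yet in a state where AD FS sign-in can work: accounts still carrying the .onmicrosoft.com UPN, and accounts on the federated domain that have no ImmutableId (meaning they were not sourced from Directory Sync, so the token AD FS issues cannot be matched to them). It also asks the Office 365 home realm discovery endpoint what namespace type it has recorded for a test user. It assumes an open Connect-MsolService session; 'domain.com' and the test user are placeholders.

```powershell
# Added example (not from the original post): after Directory Sync has run, list the
# users that cannot sign in through AD FS yet, and confirm Office 365 now treats the
# domain as federated. 'domain.com' and the test user are placeholders.
Import-Module MSOnline
$FederatedDomain = 'domain.com'
$TestUser        = "someone@$FederatedDomain"

$users = Get-MsolUser -All

# Users still carrying the tenancy .onmicrosoft.com UPN: DirSync has not moved them yet.
$stillCloudUpn = $users | Where-Object { $_.UserPrincipalName -like '*.onmicrosoft.com' }

# Users on the federated domain with no ImmutableId: not sourced from DirSync, so there
# is no objectGUID for AD FS's token to match against and sign-in will fail.
$noImmutableId = $users | Where-Object {
    $_.UserPrincipalName -like "*@$FederatedDomain" -and [string]::IsNullOrEmpty($_.ImmutableId)
}

Write-Host ("{0} user(s) still on the .onmicrosoft.com UPN"     -f @($stillCloudUpn).Count)
Write-Host ("{0} user(s) on {1} without an ImmutableId" -f @($noImmutableId).Count, $FederatedDomain)
@($stillCloudUpn) + @($noImmutableId) |
    Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime |
    Format-Table -AutoSize

# Home realm discovery: once the domain is federated, Office 365 answers 'Federated'
# and returns the AD FS sign-in URL it will redirect users to.
$realm = Invoke-RestMethod -Uri "https://login.microsoftonline.com/GetUserRealm.srf?login=$TestUser&xml=1"
Write-Host ("Realm for {0}: {1} (AuthURL: {2})" -f $TestUser, $realm.RealmInfo.NameSpaceType, $realm.RealmInfo.AuthURL)
```

If NameSpaceType still comes back as Managed, the Convert-MsolDomainToFederated step has not taken effect for that domain; if it is Federated but the AuthURL host is not your AD FS name, the wrong metadata was published and Update-MsolFederatedDomain needs re-running.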

Note: You can test SSO services using Microsoft RCA - https://www.testexchangeconnectivity.com/

Cheers,

James.