Tagged: ADFS

Office 365 – Manage identity federation by using ADFS 2.0

Configure Directory Synchronisation

Directory synchronisation must be activated within the Office 365 portal; the activation can take 24 hours to complete.

Directory Synchronisation requires:

  • A domain joined computer.
  • Enterprise administrator credentials (it uses these to create a user object in the forest root domain).
  • Global administrative rights within the Office 365 online environment.
  • Computer hardware depends on no. of objects within ADDS but as a rough guide
    • 1.6Ghz CPU
    • minimum of 4GB RAM up to 32GB RAM
    • minimum 70GB hard disk space up to 500GB hard disk space

See this post for more details on deployment and configuration of directory sync.

Configuring and Managing Identity federation using ADFS 2.0

Single sign -on requirements using AD FS 2.0

  • Single Active Directory forest
  • AD FS 2.0
  • Latest client operating system and service packs
  • Public SSL certificate
  • PowerShell 2.0

Relying party trust between federation servers and Office 365 is required the relying trust acts as a secure channel where authentication tokens can pass.

The AD FS 2.0 install wizard will check for and install all the prerequisites with the exception of Microsoft .NET Framework 3.5 SP1 on Microsoft Windows Server 2008.

The federation server(s) requires a public SSL certificate for server authentication purposes. If federation proxies are also implemented then this public certificate should also be installed on them too. The federation servers also require a x.509 token-signing certificate which by default is a self signed certificate created by AD FS and will be sufficient in most scenarios.

It goes without saying but DNS resolution and TCP/IP are fundamental to the operations of AD FS.

Network Load Balancing (NLB) is recommended too to provide fault tolerance at the federation servers and federation proxies.

AD FS Installation

See this post for more details on deployment and configuration of ADFS 2.0.

Implementing single sign-on and two-factor authentication

Office 365 can utilise two-factor authentication but requires single sign-on be implemented first.

Microsoft recommends either using SecurID or using Forefront UAG and it supported two-factor authentication providers.

Two-factor authentication is only supported by Lync, SharePoint and OWA and the computer being used must be joined to a domain.

Advertisements

Office 365 – Lab 2 ADDS and AD FS 2.0

Lab 2

Prerequisites

  • Office 365 trial
    • Directory Synchronisation enabled within Office portal
    • Public domain name
    • Applicable DNS records configured
  • SSL certificate signed by a public authority
  • Active Directory domain controller
  • Windows 7 client
  • Windows Server client (x 3) – in a production environment you should have 5
    • AD FS 2.0
    • AD FS 2.0 Proxy
    • Directory Sync Server
  • Enterprise Administrator credentials
  • Global administrator credentials with Office 365
  • Delegated write access to the Program Data container within ADDS (not required if you’re installing AD FS 2.0 using domain admin credentials)

Purpose

The purpose of this lab is to simulate the implementation of true single sign-on with Office 365 using an Active Directory domain. This domain will be deployed with an internal sub domain of the company’s public domain name. See here on how to build an ADDS domain with a internal sub domain.

Lab Setup

Domain Controller

The domain controller should be built as per the guide here.

DirSync Server

The directory sync server should be built as per the guide here.

Federation Server

Install Windows Server 2008 R2, assign a static IP address, give the computer a suitable name.

Computer Name: ADFS01

IP Address 192.168.0.248/24 Gateway 192.168.0.1 Primary DNS should be the IP address your DNS server is listening on. The IP Address 192.168.0.246 has been bound to the network adapter for dedicated use by Federation services.

ipconfig_fed

Join the computer to the domain.

Prerequisite Federation Server configuration

  • Create a internal DNS record for your federation server farm e.g. sts.domain.com
  • Create a service account for ADFS.
  • Install IIS 7.5 with defaults selected.
  • Generate a CSR for your public domain and install the certificate.

Create DNS record for Federation

Create a DNS record on the internal DNS. You’ll need to create a new zone for the public DNS zone e.g.

DNS1

I’ve used sts as the host name for my Federation Server. If you also have public records for Exchange and Lync online etc. you’ll need to replicate those here.

ADFS Service Account

Create a normal domain user account to run the Federation Service.

ADFSSRV1

ADFSSRV2

Install IIS

Using server manager or Windows PowerShell install IIS using the defaults. The screenshots below are verification IIS is installed.

IIS1

ServerManager1

Install SSL Certificate

Generate a CSR for the public DNS name e.g sts.domain.name; obviously there will be content between the BEGIN and END certificate request.

Cert1

Send the certificate to a certificate authority, once complete download the certificate and install it within IIS.

Cert2

Install ADFS

First things first download the ADFS 2.0 installer from the Microsoft download center.

ADFSInstall1

Run the installer and follow the install wizard.

Select Federation server

Federation1

The installer will install the prerequisites if they haven’t already been installed.

Federation2

When the installer is complete you’ll be prompted to run the configuration wizard.

Federation3

Click finish then click the hyperlink below to follow the wizard.

Federation4

Select the certificate SSL certificate installed earlier.

Federation5

Select the user account you created earlier for the Federation service account.

Federation6

When the installation and configuration is complete you’ll see lots of green ticks.

Federation7

Install update rollup 1 for ADFS and reboot.

ADFSInstall2

Optionally add another Federation server and configure network load balancing using Microsoft NLB or something similar. In my lab environment I didn’t but you can find more info here.

Verify ADFS is functioning by browsing to https://sts.domain.name/FederationMetadata/2007-06/FederationMetadata.xml

ADFSInstall2Verify

Federation Proxy Server

Install Windows Server 2008 R2, assign a static IP address, give the computer a suitable name.

Computer Name: ADFSP01

IP Address 192.168.0.99/24 (ideally this would be in the DMZ but in my lab I didn’t have the equipment available). The DNS servers assigned to this computer should be the public DNS servers provided by your ISP.

IPConfig_fedproxy

Do not join this computer to the domain.

Prerequisite Federation Proxy Server configuration

  • Configure the hosts file to point to the internal federation server.
  • Configure an external DNS record to point to the public address of your federation proxy.
  • Install IIS as per the installation on the Federation Server and import the  same SSL certificate; export the original to pfx first.

Configure DNS hosts file

Configure the local hosts to resolve sts.domain.name to the internal Federation server.

ADFSProxyDNS1

Create a external DNS record

Configure a public DNS record for the sts.domain.name which points to your Federation proxy; remember to point it to the public IP Address of the Federation proxy not the private 192.168. address.

ADFSProxyDNS2

Install IIS and SSL certificate

IIS should be installed as per the same process as the Federation server. To install the SSL certificate first export the certificate from the Federation server, ensure the export file type is a pfx file; remember the private key.

Install the pfx using the certificates MMC console ensuring you select the computer account.

Cert3

Cert4

Install ADFS

Copy the ADFSSetup.exe you downloaded for the Federation server installation to the Federation proxy.

Run setup and follow the install wizard.

Select Federation server proxy

FederationProxy1

Once the installation is complete click finish and update ADFS 2.0 to update rollup 1.

FederationProxy2

Configure the Federation server proxy using the configuration wizard.

Enter the Federation server when prompted and click test; if the connection is successful you’ll be prompted to enter credentials to establish a trust, use either the built-in administrator or the ADFS service account user.

FederationProxy3

FederationProxy4

To verify the Federation server proxy has been installed correctly look for event 198 in the ADFS 2.0 Eventing log.

ADFSProxyEventLog

Install the Windows Azure PowerShell modules on the Federation server; more info here.

Once the Azure modules are installed configure a trust between ADFS and Windows Azure AD using the following commands:

Provide the Office 365 credentials

$Cred = Get-Credential – this prompts you for your Office 365 credentials

Msol1

Connect to Office 365

Connect-MsolService -Credential $Cred – Connect to Office 365 using the credentials specified above

Msol2

Convert an existing domain or add a new one

Convert-MsolDomainToFederated -DomainName [domain name] – Converts a existing domain to a federated domain.

Msol5

If the above command is successful a message similar to the one below will appear.

Msol6

Verify Single sign-on

browse to http://login.microsoftonline.com

Enter your username Active Directory UPN e.g. username@domain.name.

VerifySSO1

When you tab to the password field Microsoft Azure will attempt to contact your Federation server e.g.

VerifySSO

If your Federation or Federation proxy URL is not in your intranet trusted sites then you’ll be prompted for authentication. If you’re using a non-domain joined computer then you’ll be prompted for your credentials by the Federation server e.g. image below.

VerifySSO2

I also verified SSO using my mobile phones ActiveSync client.

Phone2

I disconnected the network from the Federation proxy server and my mobile was unable to send emails, reconnecting the network allowed emails to be sent.

FederationProxy5

Email I attempted to send whilst the Federation proxy was offline

Phone3

Post Installation considerations

The token signing certificate expires every 12 months; this is a self signed certificate used by the Federation server to sign all authentication tokens it issues. When the certificate expires on the Federation server you will need to update the trust with Azure. More info here.

The Directory sync server synchronises all Active Directory accounts. If you want to only allow specific users access to cloud services then you need to customise the incoming claim. See here.