Setup Office 365 Single Sign-on with Active Directory Federation Services
Muditha Jayath Chathuranga
The Cloud Journal
Muditha Jayath Chathuranga – www.thecloudjournal.net – [email protected]
Table of Contents
System Requirements
Planning
  AD FS Role
  AD FS Service Account
  Web Application Proxy
  AD FS Namespace
  Network
  DNS
Deployment
  Install AD FS
  Configure AD FS Role
    Generate the KDS Root Key
    Configuring the first AD FS Server of the AD FS Farm
  Install Web Application Proxy
  Configuring Web Application Proxy
    Pre-requisites
    Configure the first Web Application Proxy Server of the Web Application Proxy Farm
Configure Office 365
Disclaimer
System Requirements
To implement AD FS for Office 365 SSO, certain system requirements must be met. The following TechNet article discusses the system requirements in detail:
https://technet.microsoft.com/en-us/library/dn554247(v=ws.11).aspx
Planning
AD FS Role
The AD FS role must be deployed in your corporate LAN. It should not be directly exposed to authentication requests from the Internet. AD FS can store its configuration in a Windows Internal Database (WID) for deployments of up to 30 nodes and up to 100 relying party trusts. Exceeding either the number of nodes or the number of relying party trusts requires SQL Server for the AD FS database.
Since the uptime of AD FS plays a key role in users accessing Office 365, it is important that you deploy a minimum of 2 AD FS nodes for redundancy to eliminate a single point of failure.[1]
AD FS Service Account
You can use either a standard service account or a Group Managed Service Account. Before using a Group Managed Service Account for AD FS, it is recommended to generate the Key Distribution Services (KDS) Root Key 10 hours prior to deploying AD FS.
Web Application Proxy
AD FS no longer has a dedicated AD FS proxy role. Instead, AD FS uses the Web Application Proxy feature of the Remote Access server role to proxy all authentication requests from the Internet to the AD FS servers. As with the AD FS servers, it is important that you deploy a minimum of 2 Web Application Proxy nodes for redundancy to eliminate a single point of failure.[1]
AD FS Namespace
STS (Security Token Service) and ADFS are two popular namespace prefixes that many organizations have chosen. The namespace you decide on must be the common name (CN) value in the SSL certificate you are going to use. Also, it should not conflict with any AD FS server host name in the AD FS farm.
Network
You must open the required firewall ports in your environment for AD FS to work properly. The AD FS servers must be able to communicate with your Active Directory Domain Services on port 389, and they must accept incoming connections on port 443 from clients on the LAN and from the Web Application Proxy servers in the DMZ.
Likewise, the Web Application Proxy servers must be able to communicate with the AD FS servers on port 443, and they must accept requests coming from the Internet on port 443.
DNS
DNS queries from the intranet must resolve the AD FS namespace to the AD FS server, and DNS queries from the extranet must resolve the AD FS namespace to the Web Application Proxy server.
[1] This document describes setting up a single instance each of AD FS and WAP.
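The planning rules above (namespace, firewall ports and split DNS) can be checked before deployment. The PowerShell below is an added example, not part of the original guide; the host names, addresses and the certificate store location are assumptions.

```powershell
# Added example, not from the original guide. Run on the AD FS server (or a LAN client)
# before deployment. All host names and addresses below are assumed values.
$AdfsNamespace    = 'sts.contoso.com'           # assumed AD FS namespace (must be the certificate CN)
$AdfsServer       = 'adfs01.corp.contoso.com'   # assumed AD FS server host name
$AdfsServerLanIp  = '10.0.0.10'                 # assumed LAN address of the AD FS server
$DomainController = 'dc01.corp.contoso.com'     # assumed domain controller

# Namespace rule: it must not be one of the AD FS farm's own host names
if ($AdfsNamespace -ieq $AdfsServer) { throw 'The AD FS namespace must not equal an AD FS server host name' }

# Firewall rules from the Network section: AD FS -> AD DS on 389, clients/WAP -> AD FS on 443
$portChecks = @(
    @{ Path = 'AD FS  -> AD DS (LDAP)';  Target = $DomainController; Port = 389 }
    @{ Path = 'Client -> AD FS (HTTPS)'; Target = $AdfsServer;       Port = 443 }
)
foreach ($check in $portChecks) {
    $tcp   = Test-NetConnection -ComputerName $check.Target -Port $check.Port -WarningAction SilentlyContinue
    $state = if ($tcp.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED' }
    '{0,-26} {1}:{2,-4} {3}' -f $check.Path, $check.Target, $check.Port, $state
}

# DNS rule: from the intranet the namespace must resolve to the AD FS server, not to the WAP
$answers  = Resolve-DnsName -Name $AdfsNamespace -Type A -ErrorAction Stop
$resolved = @($answers | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
if ($resolved -contains $AdfsServerLanIp) {
    "DNS OK: $AdfsNamespace -> $AdfsServerLanIp (AD FS server)"
} else {
    "DNS PROBLEM: $AdfsNamespace -> $($resolved -join ', '); expected $AdfsServerLanIp from the intranet"
}

# Certificate rule: the namespace must be the subject CN of the SSL certificate you will import
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$AdfsNamespace" -or $_.Subject -like "CN=$AdfsNamespace,*" }
if ($cert) { "Certificate OK: $($cert.Thumbprint) expires $($cert.NotAfter)" }
else       { "No certificate with CN=$AdfsNamespace in LocalMachine\My (import it before configuring AD FS)" }
```

Run the same script from the DMZ (with the WAP server's address in place of the AD FS server's) to confirm the extranet view of DNS, where the namespace must resolve to the Web Application Proxy instead.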
Deployment
Install AD FS
I will not be going in depth about installing the AD FS role on the server.
1. Join servers to the domain
2. Install AD FS Role using Server Manager
Configure AD FS Role
Generate the KDS Root Key
Executing the command below on a DC adds a root key that the KDS service on that DC can use immediately. However, other DCs will not be able to use the root key until replication has completed.
Add-KdsRootKey -EffectiveImmediately
Tip:
For test environments with only one DC, you can create a KDS root key with a start time in the past to avoid the 10-hour wait for key generation.
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
Configuring the first AD FS Server of the AD FS Farm
1. Once the AD FS Role has been installed, click Configure the federation service on this server in Server Manager.
2. You will be presented with the Welcome screen. Select Create the first federation server in a federation server farm. Click Next to proceed forward.
3. Enter credentials of your domain admin account and click Next.
4. Click Import… to import the SSL certificate.
5. Enter the password for your SSL certificate.
6. Pick the Federation Service Name from the list that matches your AD FS namespace. Enter the Federation Service Display Name that you want to display at federation service landing pages. Click Next to proceed forward.
7. Here you can choose to create a new Group Managed Service Account or use an existing domain user account or Group Managed Service Account. Click Next to proceed forward.
8. Configure the database. If you’re using WID, proceed forward with default settings or specify the SQL Server details. Click Next to proceed forward.
9. Review your configuration. Click Next to proceed forward.
10. The configuration wizard will then run a pre-requisite check. Click Configure to proceed forward.
11. The configuration wizard will begin the installation. This will take a few minutes.
12. It will show you the results. Click Close to exit the configuration wizard.
13. From the Start menu, select AD FS Management to open the AD FS management console.
14. The AD FS Management console will look like the screenshot below after a successful installation.
Tip:
To verify that the service is functioning, open your web browser and enter the following URL. It should take you to an AD FS landing page, and if you attempt to authenticate, it should work.
https://<FQDN of your AD FS Farm>/adfs/ls/idpinitiatedsignon
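Steps 1 to 12 above can also be run non-interactively with the AD FS module's Install-AdfsFarm cmdlet, which takes the same inputs as the wizard; the PowerShell below is an added example, not from the original guide, and the namespace, display name and gMSA name are assumptions. It ends with the landing-page check from the Tip.

```powershell
# Added example, not from the original guide: first federation server in a new farm with WID.
# Run elevated on the AD FS server. Names below are assumed values.
Import-Module ADFS

$FederationServiceName = 'sts.contoso.com'      # assumed AD FS namespace (wizard step 6, must match the certificate CN)
$DisplayName           = 'Contoso Corporation'  # assumed display name shown on the landing pages (step 6)
$GmsaIdentifier        = 'CORP\svc-adfs$'       # assumed gMSA (step 7); requires the KDS root key from above

# Step 3: the wizard prompts for a domain admin account
$domainAdmin = Get-Credential -Message 'Domain administrator account'

# Steps 4-5: pick the already-imported SSL certificate by subject instead of pasting a thumbprint
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.Subject -eq "CN=$FederationServiceName" -or $_.Subject -like "CN=$FederationServiceName,*") } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$FederationServiceName in LocalMachine\My" }

# Step 8 defaults to WID, so no database parameters are passed
$result = Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                           -FederationServiceName $FederationServiceName `
                           -FederationServiceDisplayName $DisplayName `
                           -GroupServiceAccountIdentifier $GmsaIdentifier `
                           -Credential $domainAdmin
"Install-AdfsFarm status: $($result.Status)"   # Success on a clean run; $result.Message explains a failure

# Tip above: the IdP-initiated sign-on page must answer over HTTPS on the namespace.
# Note: on AD FS in Windows Server 2016 and later this page is off by default;
# Set-AdfsProperties -EnableIdpInitiatedSignonPage $true turns it on.
$signOnUrl = "https://$FederationServiceName/adfs/ls/idpinitiatedsignon"
$response  = Invoke-WebRequest -Uri $signOnUrl -UseBasicParsing
if ($response.StatusCode -eq 200) { "AD FS landing page is reachable at $signOnUrl" }

# The farm should report the namespace as its host name
"Farm host name: $((Get-AdfsProperties).HostName)"
```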
Install Web Application Proxy
I will not be going in depth about installing the Web Application Proxy feature on the server.
1. Deploy Web Application Proxy servers in your DMZ
2. Do not join them to your domain.
3. Select Remote Access server role from the Server Manager
4. From features, select Web Application Proxy
Configuring Web Application Proxy
Pre-requisites
1. Since the Web Application Proxy resides in your DMZ and is not a domain-joined server, it requires the credentials of a local administrator account on your AD FS server. This account is used for a couple of important tasks such as establishing the proxy trust, renewing proxy trust certificates, etc. Create a local administrator account using the Local Users and Groups MMC snap-in on your AD FS server.
2. Import the SSL certificate into the local computer store of the Web Application Proxy server. This is the same SSL certificate you imported above.
3. Add the IP address of the AD FS server to the hosts file of the Web Application Proxy server. The entry should point the FQDN of the AD FS namespace to the IP address of the AD FS server.
Configure the first Web Application Proxy Server of the Web Application Proxy Farm
1. Launch the Web Application Proxy configuration wizard from Server Manager.
2. Click Next to proceed forward.
3. Enter the FQDN of your AD FS farm as the Federation service name, together with the credentials of the local administrator account you created earlier on the AD FS server. Click Next to proceed forward.
4. Select the SSL certificate you imported earlier from the drop-down list. Click Next to proceed forward.
5. View the information in the confirmation screen. Click Next to proceed forward.
6. It will take a few minutes to configure the service.
7. If all goes well, you will see the message Web Application Proxy was configured successfully in the result section.
8. To verify the proxy service, open the Remote Access Management Console and select Operation Status. In the operation status screen, you should see that the AD FS Proxy service is working.
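The three pre-requisites and the wizard steps 1 to 8 above have PowerShell equivalents on the WAP server (Import-PfxCertificate, a hosts entry, and Install-WebApplicationProxy). The script below is an added example, not from the original guide; the PFX path, namespace, AD FS address and account name are assumptions.

```powershell
# Added example, not from the original guide. Run elevated on the non-domain-joined WAP server.
$FederationServiceName = 'sts.contoso.com'   # assumed AD FS namespace (same as on the AD FS server)
$AdfsServerIp          = '10.0.0.10'         # assumed LAN address of the AD FS server
$PfxPath               = 'C:\certs\sts.pfx'  # assumed path to the same SSL certificate imported on AD FS

# Pre-requisite 2: import the SSL certificate (with its private key) into the local computer store
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# Pre-requisite 3: hosts entry so the namespace resolves to the AD FS server, not back to this proxy
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hostsFile -Pattern ([regex]::Escape($FederationServiceName)) -Quiet)) {
    Add-Content -Path $hostsFile -Value "$AdfsServerIp`t$FederationServiceName"
}

# Network section: WAP -> AD FS on 443 must be open before the proxy trust can be established
$tcp = Test-NetConnection -ComputerName $FederationServiceName -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { throw "Cannot reach $FederationServiceName on port 443 from this WAP server" }

# Pre-requisite 1 / wizard step 3: the local administrator account created on the AD FS server
$trustCred = Get-Credential -Message 'Local administrator on the AD FS server (assumed name: ADFS01\wapadmin)'

# Wizard steps 1-7: establish the proxy trust with the AD FS farm
Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
                            -FederationServiceTrustCredential $trustCred `
                            -CertificateThumbprint $cert.Thumbprint

# Wizard step 8: confirm the AD FS proxy is configured and healthy
Get-WebApplicationProxyConfiguration | Select-Object ADFSUrl
Get-WebApplicationProxyHealth
```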
Configure Office 365
Once you have set up your AD FS environment, the next step is to enable federation on your Office 365 tenant. Run the following commands in a PowerShell session on a computer with the Azure Active Directory Module installed to enable federation on your Office 365 environment.
Connect-MsolService
Set-MsolADFSContext -Computer <FQDN of the AD FS server>
Convert-MsolDomainToFederated -DomainName domain.tld
Once you have enabled federation on your Office 365 tenant, whenever a user with a UPN suffix matching any domain you have federated tries to sign in, the Office 365 service will automatically redirect the user to the AD FS authentication landing page, which then authenticates the user on behalf of Office 365.
I assume you have Azure Active Directory Connect already installed and synchronizing your Active
Directory objects to Azure Active Directory.
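After Convert-MsolDomainToFederated, the redirect described above only works if the tenant holds the farm's sign-on URLs and current token-signing certificate. The check below is an added example, not from the original guide; it assumes the same MSOnline session as the commands above and uses the page's domain.tld placeholder.

```powershell
# Added example, not from the original guide. Run in the session where Connect-MsolService
# and Set-MsolADFSContext were already executed. domain.tld is the placeholder from the guide.
$DomainName = 'domain.tld'

# The domain must now be federated rather than managed
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -ne 'Federated') { throw "$DomainName is still $($domain.Authentication), not Federated" }

# Where Office 365 sends sign-ins for this domain; PassiveLogOnUri must point at the AD FS namespace
$fed = Get-MsolDomainFederationSettings -DomainName $DomainName
$fed | Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri

# The token-signing certificate the tenant trusts. After a certificate rollover on the farm it must
# match (Get-AdfsCertificate -CertificateType Token-Signing) on the AD FS server, or sign-ins fail.
$bytes    = [byte[]][Convert]::FromBase64String($fed.SigningCertificate)
$o365Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
"Tenant trusts token-signing certificate $($o365Cert.Thumbprint), valid until $($o365Cert.NotAfter)"
```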
Disclaimer
All opinions and views expressed here are my own and do not reflect those of my past and present employers or their clients or business partners.
All data and information provided on this document are for informational purposes only. The Cloud
Journal or the author makes no representations as to accuracy, completeness, currentness, suitability, or
validity of any information on this document and will not be liable for any errors, omissions, or delays in
this information or any losses, injuries, or damages arising from its display or use. All information is
provided on an as-is basis.
Microsoft, Windows, Windows Server, Microsoft Azure, Office 365, Exchange Server, Skype for Business Server, SharePoint Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Any other products that haven't explicitly declared here are either registered trademarks or trademarks of their respective owners.
Setup Office 365 Single Sign-on with Active Directory Federation Services by Muditha Jayath Chathuranga is licensed under a Creative Commons
Attribution-ShareAlike 4.0 International License.
Based on a work at https://www.thecloudjournal.net.