Thursday, April 19, 2012

ADFS configuration for Office 365

Copy-pasted from blog - http://howdouc.blogspot.com/2011/04/active-directory-federation-services_11.html

 

Active Directory Federation Services (ADFS) 2.0 with Office 365: Part 2 – Configuring

In Part 1 of this post, we introduced ADFS 2.0 in relation to Office 365 and discussed environmental requirements in implement. Part 2 will actually cover the configuration and validation steps needed to implement ADFS 2.0 with Office 365. Note: this post is based on the Office 365 Beta for Enterprises.
Assumptions:
  • Domain has been added and verified in the Office 365 Admin portal
  • Directory Sync Tool is installed and configured
  • 2 Windows 2008 R2 servers are built and prepared to install ADFS 2.0
    • Internal ADFS server is joined to the domain
    • Proxy ADFS server is not joined to domain and located in perimeter network
  • Necessary firewall ports are open from the Internet to ADFS Proxy server (port 443)
  • Necessary firewall ports are open from ADFS Proxy server to internal ADFS server (port 443)
  • External DNS record has been implemented for ADFS (our example will use sts.UPNdomain.com)
The following steps are used to prepare the environment:
  1. Add UPN Suffix to AD and configure for each user (this is required if your AD is using a non-routable domain internally like .local or .priv)
    • UPNs used for identity federation can only contain letters, numbers, periods, dashes and underscores.
    • Open AD Domains and Trusts tool
    • Right-click AD Domains and Trusts and click Properties
    • On the UPN suffixes tab, type the alternative UPN suffix for the forest and then click Add
    • UPNSuffix
    • Repeat to add additional UPN suffixes
    • Open user properties, navigate to Account Tab.
    • Select the external namespace UPN for the “User logon name”
    • UPN-Account
  2. Create service account for ADFS – this can be a regular Domain User, no special permissions needed.
  3. Add internal ADFS server(s) to AD forest
  4. Download ADFS 2.0 RTW (HERE). During the install process, the following Windows components will be automatically installed:
    • Windows PowerShell
    • .NET Framework 3.5 SP1
    • Internet Information Services (IIS)
    • Windows Identity Foundation
  5. Download Microsoft Online Services Identity Federation Management Tool (32-bit or 64-bit)
  6. (Optional) Install and configure SQL Server 2005 or 2008 if your organization has more than 30,000 users who will use Office 365
  7. Configure external DNS A record for ADFS Proxy (ex. Sts.domain.com)
Now we are ready to install and configure ADFS 2.0 on internal server:
  1. Double-click AdfsSetup.exe (this is the ADFS 2.0 RTW download)
  2. Click Next on the Welcome Screen and Accept the License Agreement
  3. On the Server Role Option screen, select Federation Server
    • ADFS - Role select - ADFS Server - markup
  4. Finish the rest of the wizard, this will install any necessary prerequisites
  5. At the end of the wizard, uncheck box to Start the ADFS 2.0 Management Snap-in
    • ADFS - install - uncheck box - markup
  6. Request and provision public certificate through IIS
    • ADFS - IIS - cert request - markup
  7. Bind certificate to IIS on port 443
    • ADFS - IIS - bind - markup
  8. Configure ADFS utilizing ADFS 2.0 Management
    • ADFS - start management tool
  9. Select ADFS 2.0 Federation Server Configuration Wizard
    • ADFS - management - wizard start - markup
  10. Select Create a new Federation Service
  11. Select New Federation server farm (this is recommended even if you plan on installing only one server in case in the future you want to add another server)
    • ADFS - management - wizard - farm - markup
  12. Select the public certificate and validate the Federation Service name.  This will automatically fill in the name on the certificate Subject Name.  If a wildcard certificate is used, you must enter the name for the Federation Service.
    • ADFS - management - wizard - name - markup
  13. Enter in the service account credentials that were created earlier
    • ADFS - management - wizard - service account - markup
  14. Finish Wizard
  15. Run Office 365 Desktop Setup from portal
  16. Install Identity Federation Management Tool (FederationConfig.msi, use default install parameters)
  17. Enable Identity Federation within Office 365 portal for your domain
  18. Launch the Identity Federation Management Tool
  19. Type $cred=Get-Credential and press Enter
  20. Enter you Microsoft Online Services administrator logon and password and click ok
    • ADFS - Fed tool - creds - markup
  21. Type Set-MSOLContextcredential –msolAdminCredentials $cred –LogFile c:\logfile.log and press enter
  22. Type Add-MSOLFederatedDomain –domainname UPNdomain.com
  23. If prompted that the domain already exists as a standard domain, type Convert-MSOLDomainToFederated –domainname UPNdomain.com
  24. Type Update-MSOLFederatedDomain –domainname UPNdomain.com
  25. Verify Identity Federation Functionality
Install ADFS 2.0 Proxy server
  1. Export public certificate from ADFS internal server and copy to proxy server
  2. Validate DNS resolution of sts.UPNdomain.com resolves to internal ADFS server from ADFS Proxy Server (a HOST file can be used for this if needed)
  3. Validate DNS resolution of sts.UPNdomain.com resolves to external A record from an internet PC
  4. Double-click AdfsSetup.exe (this is the ADFS 2.0 RTW download)
  5. Click Next on the Welcome Screen and Accept the License Agreement
  6. On the Server Role Option screen, select Federation Server Proxy
    • ADFS - Role select - ADFS Proxy Server - markup
  7. Finish the rest of the wizard, this will install any necessary prerequisites
  8. At the end of the wizard, uncheck box to Start the ADFS 2.0 Management Snap-in
    • ADFS - install - uncheck box - markup
  9. Import certificate in IIS and bind certificate to Default Web Site
  10. Configure ADFS proxy by selecting ADFS 2.0 Federation Server Proxy Configuration Wizard
    • Enter the federation namespace (ex. Sts.UPNdomain.com)
    • Test connection
    • adfs - proxy - wiz - test conn - markup
    • Service account credentials
  11. Finish Wizard
  12. Log into portal with UPN credentials.  Note that once the UPN login is entered, the password field is grayed out and a link activates to log into the ADFS server
    • ADFS - portal - signin - markup
Hopefully this will help you navigate the ADFS waters in regards to Office 365 Beta. 

1 comment:

  1. You guys allow it to be quite simple for all your folks available.

    Cloud Migration

    ReplyDelete