Office 365 deployment choices Cutover, Staged, Hybrid What is AD FS (Active Directory Federation...

Date post: 03-Jan-2016
Upload: howard-briggs
Page 1: Office 365 deployment choices Cutover, Staged, Hybrid What is AD FS (Active Directory Federation Services) Attribute Stores, ADFS Configuration Database.
Page 2:

Unified Communications

Peter Wohlers

Office 365 hybrid with AD FS SSO

Senior System Consultant, Timengo

Page 3:

Agenda

• Office 365 deployment choices
  • Cutover, Staged, Hybrid
• What is AD FS (Active Directory Federation Services)
  • Attribute Stores, ADFS Configuration Database etc.
• Certificates – what to choose: Public, Internal, Wildcard, SAN
• SPN records – What type of SPN is needed for the ADFS service account
• DNS – Where to point the records
• WAAD (Windows Azure Active Directory Sync Tool)
• Demo

Page 4:

Office 365 deployment choices

• Cutover
  • For fast cutover migrations
  • No Exchange upgrades required on-premises
• Staged
  • No Exchange upgrades required on-premises
  • DirSync
• Hybrid deployment
  • Manage users on-premises and online
  • DirSync
  • Enable cross-premises calendaring
  • True move mailbox using MRS

Page 5:

AD FS Key Concepts

• ADFS is designed to provide SSO (Single Sign-On) with other security providers (Office 365, Windows Azure and many others, as long as they support OIO SAML).

• ADFS provides clients (internal or external to your network) with seamless SSO access to services, even when the user accounts and applications are located in completely different networks or organizations.

• Federation Service: functions as a security token service (STS) and routes authentication requests from external user accounts in partner organizations and from clients on the Internet.

• Federation Service Proxy: functions as a proxy for the Federation Service in a perimeter network. This component is optional in an ADFS deployment.

Page 6:

AD FS Key Concepts

• Attribute Stores
  • Directories or databases that store user accounts and their associated attribute values
• ADFS Configuration Database
  • Database that defines the set of parameters a Federation Service requires to identify partners
• Claims
  • Enable organizations to securely project digital identity and entitlement rights
• Claims Engine
  • The claims engine in ADFS is a rule-based engine dedicated to serving and processing claim requests
• Claims Pipeline
  • The claims pipeline in ADFS represents the path that claims must follow through the Federation Service before they can be issued
• Claim Rule Language
  • The ADFS claim rule language acts as the administrative building block for the behavior of incoming and outgoing claims

Page 7:

ADFS 2.0, 2.1 and 2.2

• ADFS 2.0
  • Has to be downloaded
  • RU 3 needs to be installed
• ADFS 2.1
  • Is now a role in Windows Server 2012
  • New PowerShell cmdlets to perform PowerShell-based deployment within your federated identity installations
• ADFS 2.2
  • Same as 2.1
  • Easy MFA (Multi-Factor Authentication)
  • 3rd party MFA also possible, e.g. SafeNet
  • No separate proxy server: uses Web Application Proxy

Page 8:

Identity types

• Cloud Identity
  • Separate credential from corporate credential
  • Authentication occurs via cloud directory service
  • Password stored in O365
• Federated identity
  • Same credential as corporate credential
  • Authentication occurs via on-premises AD
  • Password stored on-premises
  • Requires DirSync (WAAD)

Page 9:

Enterprise Perimeter Network

[Diagram: AD FS topology options. Panels: single server configuration; ADFS server farm and load-balancer; ADFS proxy server. Components shown: external user and ADFS Server Proxy in the perimeter network; internal user, ADFS Server(s) and Active Directory on the internal network.]

Page 10:

ADFS in Action

[Diagram: an internal client authenticates to a Federation Server backed by Active Directory and then accesses https://outlook.office365.com/owa/ad-fs.dk. Federation trust examples shown: A. Datum (account forest) to Trey Research (resource forest); Microsoft (users) to E-Company Store (resource); Contoso (users) to Office 365 (resource).]

Page 11:

Prerequisites

• A 64-bit computer (Win7, Win8, Server 2012) with WAAD PowerShell and the MOSSIA assistant
• Microsoft Online Services Sign-In Assistant (MOSSIA) 7.2 Beta, 64-bit, can be downloaded directly from Microsoft. The Beta version is the one currently shipping with the Office 365 DirSync tool (end of June 2013) and it is safe to use
• Windows Azure Active Directory PowerShell Module (WAAD), 64-bit, can be downloaded directly from Microsoft. WAAD requires MOSSIA.
• The latest versions of both components can also be obtained from the Office 365 Portal, but only after the domain is added via the portal UI
• Global Administrator credentials for an Office 365 account

Page 12:

Certificates – what to choose: Public, Internal, Wildcard, SAN

• Public certificate for Service Communication
  • single certificate
  • SAN certificate
  • Wildcard certificate
• Token Signing Certificate
  • AD FS 2.x by default creates a self-signed certificate for signing tokens.
• Token Decrypting Certificate
  • AD FS 2.x will by default use another self-signed certificate as the token decrypting/encrypting certificate, and as stated above
• Extend certificate expiry to 3 years
  • Set-AdfsProperties -CertificateDuration 1095
• Office 365 does not process automatic federation metadata updates
  • http://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc
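The two points above, the 3-year certificate lifetime and the fact that Office 365 will not pick up a rolled-over token-signing certificate by itself, as an added PowerShell check (example code, not from the presentation or the linked script). It assumes an AD FS 2.x farm member with the ADFS and MSOnline (WAAD) modules installed, uses "contoso.com" as a placeholder domain, and assumes Get-MsolFederationProperty returns one object per source, each exposing a TokenSigningCertificate.

```powershell
# Added example, not part of the presentation: checks the certificate
# lifetime the slide recommends and confirms Office 365 holds the same
# token-signing certificate as the farm, since Office 365 does not pull
# federation metadata on its own. Assumes an AD FS 2.x farm member with
# the ADFS and MSOnline (WAAD) modules; "contoso.com" is a placeholder.
Import-Module ADFS
Import-Module MSOnline

$FederatedDomain = "contoso.com"   # placeholder, replace with your federated domain

# 1. Lifetime of self-signed certs: default is 365 days, the slide recommends 1095.
$props = Get-AdfsProperties
if ($props.CertificateDuration -lt 1095) {
    Write-Warning ("CertificateDuration is {0} days, raising to 1095" -f $props.CertificateDuration)
    Set-AdfsProperties -CertificateDuration 1095
    # Only affects certificates generated by the next automatic rollover;
    # the certificates currently in use keep their existing NotAfter date.
}

# 2. Show what is in use now and when it expires.
foreach ($type in 'Token-Signing', 'Token-Decrypting', 'Service-Communications') {
    Get-AdfsCertificate -CertificateType $type |
        Select-Object CertificateType, IsPrimary,
            @{ n = 'Thumbprint'; e = { $_.Certificate.Thumbprint } },
            @{ n = 'NotAfter';   e = { $_.Certificate.NotAfter } }
}

# 3. Compare the primary token-signing thumbprint with the one Office 365
#    has on record. Assumption: Get-MsolFederationProperty returns one object
#    per source (the AD FS farm and Office 365), each with a
#    TokenSigningCertificate property; the cloud copy is selected by Source.
Connect-MsolService   # prompts for Global Administrator credentials
$adfsPrimary = (Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }).Certificate.Thumbprint
$cloud = Get-MsolFederationProperty -DomainName $FederatedDomain |
    Where-Object { $_.Source -notlike 'ADFS*' }

if ($cloud.TokenSigningCertificate.Thumbprint -ne $adfsPrimary) {
    Write-Warning "Office 365 has a different token-signing certificate; updating"
    # Pushes the farm's current signing certificate to Office 365. Without
    # this step federated sign-in fails after a self-signed cert rollover.
    Update-MsolFederatedDomain -DomainName $FederatedDomain
} else {
    "Office 365 token-signing certificate matches AD FS ($adfsPrimary)"
}
```

Run it after every rollover of the self-signed token-signing certificate, or schedule it, so the mismatch is caught before users are locked out.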

Page 13:

SPN records – What type of SPN is needed?

• To run the ADFS service a domain account is needed and nothing more
• ADFS only requires HOST SPN records for the ADFS service account. This is the same whether you use WID or SQL databases.
• How to create the SPN
  • setspn -s host/{your_Federation_Service_name} {domain_name}\{service_account}
• How to check the SPN
  • setspn -l {service_account}
• Will show this in the demo.
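A check that goes one step beyond setspn -l, as an added example that is not part of the presentation: it confirms the HOST SPN for the federation service name exists exactly once and sits on the ADFS service account, since a missing or duplicate SPN is what silently breaks Kerberos for the service. It assumes the ActiveDirectory PowerShell module and the placeholder names fs.contoso.com and svc_adfs.

```powershell
# Added example, not from the presentation: verify the HOST SPN for the
# federation service name is registered once, and on the AD FS service
# account. Assumes the ActiveDirectory module; the names below are placeholders.
Import-Module ActiveDirectory

function Test-AdfsHostSpn {
    param(
        [Parameter(Mandatory = $true)][string]$FederationServiceName,
        [Parameter(Mandatory = $true)][string]$ServiceAccount
    )
    $spn = "host/$FederationServiceName"
    # Search the directory for every object carrying this SPN, not just the
    # account we expect; duplicates on another object are the common mistake.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                    -Properties servicePrincipalName, sAMAccountName)
    $names = ($holders | ForEach-Object { $_.sAMAccountName }) -join ', '

    switch ($holders.Count) {
        0 {
            Write-Warning "$spn is not registered; run: setspn -s $spn $env:USERDOMAIN\$ServiceAccount"
            return $false
        }
        1 {
            if ($holders[0].sAMAccountName -eq $ServiceAccount) {
                "$spn is registered on $ServiceAccount"
                return $true
            }
            Write-Warning "$spn is registered on $names, not on $ServiceAccount"
            return $false
        }
        default {
            # The KDC cannot choose a key when two principals claim one SPN,
            # so Kerberos fails and clients fall back to NTLM or to errors.
            Write-Warning "Duplicate SPN $spn held by: $names"
            return $false
        }
    }
}

Test-AdfsHostSpn -FederationServiceName 'fs.contoso.com' -ServiceAccount 'svc_adfs'
```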

Page 14:

DNS – Where to point the records

• Users should always contact their “local” ADFS instance

• Internet users must resolve to the ADFS-P servers

• The ADFS-P’s must resolve to the FS servers

• Internal users must resolve to the ADFS servers

Page 15:

What does DirSync bring to the table?

• An application that synchronizes on-premises Active Directory objects with Office 365
• Provisions objects in Office 365 with the same email addresses as the objects in the on-premises environment
• Provides a unified Global Address List experience between on-premises and Office 365
• Objects hidden from the GAL on-premises are also hidden from the GAL in Office 365
• Enables coexistence for Exchange
• Works in both simple and hybrid deployment scenarios

Page 16:

Demo

Let's have a look

Page 17:

Evaluation

Create a text message on your phone and send it to 1919 with the content:

UC302 5 5 5 I liked it a lot

(Session Code, Peter Performance (1 to 5), Match of technical level (1 to 5), Relevance (1 to 5), Comments (optional))

Evaluation Scale: 1 = Very bad, 2 = Bad, 3 = Relevant, 4 = Good, 5 = Very Good!

Questions:
• Speaker Performance
• Relevance according to your work
• Match of technical level according to published level
• Comments

Page 18:

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.  Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.  MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Thank you
