Date post: 22-May-2020
Setup Office 365 Single Sign-on with Active Directory Federation Services

Muditha Jayath Chathuranga

The Cloud Journal
Muditha Jayath Chathuranga – www.thecloudjournal.net – [email protected]

Table of Contents

System Requirements
Planning
    AD FS Role
    AD FS Service Account
    Web Application Proxy
    AD FS Namespace
    Network
    DNS
Deployment
    Install AD FS
    Configure AD FS Role
        Generate the KDS Root Key
        Configuring the first AD FS Server of the AD FS Farm
    Install Web Application Proxy
    Configuring Web Application Proxy
        Pre-requisites
        Configure the first Web Application Proxy Server of the Web Application Proxy Farm
Configure Office 365
Disclaimer


System Requirements

To implement AD FS for Office 365 SSO, certain system requirements must be met. The following TechNet article discusses the system requirements in detail:

https://technet.microsoft.com/en-us/library/dn554247(v=ws.11).aspx

Planning

AD FS Role

The AD FS role must be deployed in your corporate LAN. It should not be directly exposed to authentication requests from the Internet. AD FS can store its configuration in a Windows Internal Database (WID) for deployments of up to 30 nodes and up to 100 relying party trusts. Exceeding either the number of nodes or the number of relying party trusts requires SQL Server for the AD FS database.

Since the uptime of AD FS plays a key role in users accessing Office 365, it is important that you deploy a minimum of 2 AD FS nodes for redundancy to eliminate a single point of failure.[1]

AD FS Service Account

You can use either a standard service account or a Group Managed Service Account. Before using a Group Managed Service Account for AD FS, it is recommended to generate the Key Distribution Services (KDS) Root Key 10 hours prior to deploying AD FS.

Web Application Proxy

AD FS no longer has an AD FS proxy role. Instead, AD FS uses the Web Application Proxy feature of the Remote Access server role to proxy all authentication requests from the Internet to the AD FS servers. As with the AD FS servers, it is important that you deploy a minimum of 2 Web Application Proxy nodes for redundancy to eliminate a single point of failure.[1]

AD FS Namespace

STS (Secure Token Service) and ADFS are two popular namespace prefixes that many organizations have chosen. The namespace you decide on must be the common name value in the SSL certificate you're going to use. Also, it should not conflict with any AD FS server host name in the AD FS farm.

Network

You should open the required firewall ports in your environment for AD FS to work properly. AD FS servers should be able to communicate with your Active Directory Domain Services using port 389, and they should accept incoming connections from clients on the LAN and from Web Application Proxy servers in the DMZ on port 443.

Also, the Web Application Proxy servers should be able to communicate with the AD FS servers using port 443, and they should accept requests coming from the Internet on port 443.


DNS

DNS queries from the intranet must resolve the AD FS namespace to the AD FS server, and DNS queries from the extranet must resolve the AD FS namespace to the Web Application Proxy server.

[1] This document covers setting up a single instance each of AD FS and WAP.
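A check for the name-resolution and firewall requirements of the Network and DNS sections, as an added PowerShell example (not from the original guide); the namespace, addresses and DC name are assumed placeholders.

```powershell
# Added example, not from the original guide. Run it on an intranet client, an
# AD FS server or a WAP server to check the Planning requirements from there.
# Assumed placeholder values; replace them with your own.
$AdfsNamespace    = 'sts.domain.tld'
$AdfsServerIp     = '10.0.1.10'      # AD FS server on the corporate LAN
$WapServerIp      = '192.0.2.10'     # Web Application Proxy address seen from the Internet
$DomainController = 'dc01.domain.tld'

# 1. Split-brain DNS: intranet queries must land on the AD FS server, extranet
#    queries on the WAP. A public answer pointing at the AD FS server itself
#    means the farm is exposed directly, which the AD FS Role section rules out.
$answers = (Resolve-DnsName -Name $AdfsNamespace -Type A -ErrorAction Stop |
            Where-Object { $_.IPAddress }).IPAddress
if     ($answers -contains $AdfsServerIp) { $view = 'intranet view (AD FS server)' }
elseif ($answers -contains $WapServerIp)  { $view = 'extranet view (Web Application Proxy)' }
else                                      { $view = 'UNEXPECTED target, check DNS' }
Write-Host "$AdfsNamespace resolves to $($answers -join ', ') : $view"

# 2. Port matrix from the Network section; only the rows for the role of the
#    host you run this on are meaningful. On a WAP the namespace resolves via
#    its hosts file entry to the AD FS server (see the WAP pre-requisites).
$checks = @(
    @{ From = 'AD FS server'; Target = $DomainController; Port = 389 }   # LDAP to AD DS
    @{ From = 'LAN client';   Target = $AdfsNamespace;    Port = 443 }   # HTTPS to AD FS
    @{ From = 'WAP server';   Target = $AdfsNamespace;    Port = 443 }   # HTTPS to AD FS
    @{ From = 'Internet';     Target = $AdfsNamespace;    Port = 443 }   # HTTPS to WAP
)
foreach ($c in $checks) {
    $r = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    Write-Host ('{0,-13} -> {1}:{2,-4} {3}' -f $c.From, $c.Target, $c.Port, $state)
}
```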

Deployment

Install AD FS

I will not go in depth about installing the AD FS role on the server.

1. Join servers to the domain

2. Install AD FS Role using Server Manager

Configure AD FS Role

Generate the KDS Root Key

Executing the command below on a DC adds a root key to the target DC, which the KDS service on that DC can use immediately. However, other DCs will not be able to use the root key until replication has completed.

Add-KdsRootKey -EffectiveImmediately

Tip:

For test environments with only one DC, you can create a KDS root key and set the start time in the past to avoid the interval wait for key generation.

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))


Configuring the first AD FS Server of the AD FS Farm

1. Once the AD FS role has been installed, click Configure the federation service on this server in Server Manager.

2. You will be presented with the Welcome screen. Select Create the first federation server in a federation server farm. Click Next to proceed forward.


3. Enter credentials of your domain admin account and click Next.

4. Click Import… to import the SSL certificate.


5. Enter the password for your SSL certificate.

6. Pick the Federation Service Name from the list that matches your AD FS namespace. Enter the Federation Service Display Name that you want to display at federation service landing pages. Click Next to proceed forward.


7. Here you can choose to create a new Group Managed Service Account or use an existing domain user account or Group Managed Service Account. Click Next to proceed forward.

8. Configure the database. If you’re using WID, proceed forward with default settings or specify the SQL Server details. Click Next to proceed forward.


9. Review your configuration. Click Next to proceed forward.

10. Configuration Wizard will then run a pre-requisite check. Click Configure to proceed forward.


11. Configuration Wizard will begin the installation. This will take a few minutes.

12. It will show you results. Click Close to exit from the configuration wizard.


13. From the Start menu, select AD FS Management to open the AD FS Management console.

14. After a successful installation, the AD FS Management console will look like the screenshot below.

Tip:

To verify that the service is functioning, open your web browser and enter the following URL. It should take you to an AD FS landing page, and if you attempt to authenticate, it should work.

https://<FQDN of your AD FS Farm>/adfs/ls/idpinitiatedsignon
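The wizard steps above and the Tip as a PowerShell script on the first AD FS server, an added example that is not from the original guide; the certificate path, namespace, display name and gMSA name are assumed placeholders. It also covers a case the wizard does not mention: on AD FS for Windows Server 2016 and later the IdP-initiated sign-on page the Tip points at is disabled by default.

```powershell
# Added example, not from the original guide. Assumed placeholder values.
$PfxPath     = 'C:\certs\sts.domain.tld.pfx'
$ServiceName = 'sts.domain.tld'          # must match the certificate common name
$DisplayName = 'Contoso Sign-In'
$GmsaName    = 'DOMAIN\gMSA-ADFS$'       # gMSA identifier, including the trailing $

# Step 7 (new gMSA) depends on an effective KDS root key, see "Generate the
# KDS Root Key". Get-KdsRootKey needs the AD DS RSAT tools on this server.
$kdsKey = Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) }
if (-not $kdsKey) { throw 'No effective KDS root key found; run Add-KdsRootKey on a DC first.' }

# Steps 4-5: import the SSL certificate into the local machine store.
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -Password (Read-Host -AsSecureString -Prompt 'PFX password') `
            -CertStoreLocation 'Cert:\LocalMachine\My'

# Steps 2-3 and 6-11: create the farm. The gMSA is created if it does not
# exist; omitting -SQLConnectionString selects WID, the wizard's default.
# -Credential is the domain admin account from step 3.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $ServiceName `
    -FederationServiceDisplayName $DisplayName `
    -GroupServiceAccountIdentifier $GmsaName `
    -Credential (Get-Credential -Message 'Domain admin for AD FS setup')

# Tip: the idpinitiatedsignon page is off by default on AD FS 2016+. The
# property does not exist on 2012 R2, where the page is always available.
$props = Get-AdfsProperties
if ($props.PSObject.Properties['EnableIdPInitiatedSignonPage'] -and
    -not $props.EnableIdPInitiatedSignonPage) {
    Write-Warning 'IdP-initiated sign-on page is disabled; to use the Tip, run:'
    Write-Warning '  Set-AdfsProperties -EnableIdPInitiatedSignonPage $true'
}

# Federation metadata is always published and is a safe functional check.
$metadataUrl = "https://$ServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
Write-Host "Federation metadata endpoint returned HTTP $($resp.StatusCode)"
```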


Install Web Application Proxy

I will not go in depth about installing the Web Application Proxy feature on the server.

1. Deploy Web Application Proxy servers in your DMZ

2. Do not join them to your domain.

3. Select Remote Access server role from the Server Manager

4. From features, select Web Application Proxy

Configuring Web Application Proxy

Pre-requisites

1. Since Web Application Proxy resides in your DMZ and is not a domain-joined server, it requires the credentials of a local administrator account on your AD FS server. This account is used for a couple of important tasks such as establishing the proxy trust, renewing proxy trust certificates, etc. Create a local administrator account using the Local Users and Groups MMC snap-in on your AD FS server.

2. Import the SSL certificate into the local computer store of the Web Application Proxy server. This is the same SSL certificate you imported above.

3. Add the IP address of the AD FS server to the hosts file of the Web Application Proxy server. The entry should point the FQDN of the AD FS namespace to the IP address of the AD FS server.

Configure the first Web Application Proxy Server of the Web Application Proxy Farm

1. Launch the Web Application Proxy configuration wizard from Server Manager.

2. Click Next to proceed forward.


3. Enter the FQDN of your AD FS farm as the Federation service name, together with the credentials of the local administrator account you created earlier on the AD FS server. Click Next to proceed forward.

4. Select the SSL certificate you imported earlier from the drop-down list. Click Next to proceed forward.


5. View the information in the confirmation screen. Click Next to proceed forward.

6. It will take a few minutes to configure the service.


7. If all goes well, you will see the message Web Application Proxy was configured successfully in the result section.

8. To verify the proxy service, open the Remote Access Management Console and select Operation Status. In the operation status screen, you should see that the AD FS Proxy service is working.
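The WAP pre-requisites 2 and 3 and wizard steps 1 to 8 as a PowerShell script on the non-domain-joined WAP server, an added example that is not from the original guide; the namespace, AD FS server IP and certificate path are assumed placeholders.

```powershell
# Added example, not from the original guide. Assumed placeholder values.
$ServiceName  = 'sts.domain.tld'
$AdfsServerIp = '10.0.1.10'              # AD FS server on the LAN, reachable from the DMZ on 443
$PfxPath      = 'C:\certs\sts.domain.tld.pfx'

# Pre-requisite 3: the namespace must resolve to the AD FS server from the WAP
# (not to the WAP's own public address), so add a hosts entry if missing.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$pattern   = '^\s*{0}\s+{1}(\s|$)' -f [regex]::Escape($AdfsServerIp), [regex]::Escape($ServiceName)
if (-not (Select-String -Path $hostsFile -Pattern $pattern -Quiet)) {
    Add-Content -Path $hostsFile -Value "$AdfsServerIp`t$ServiceName"
}

# Pre-requisite 2: import the same SSL certificate used on the AD FS server.
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -Password (Read-Host -AsSecureString -Prompt 'PFX password') `
            -CertStoreLocation 'Cert:\LocalMachine\My'

# Steps 3-7: establish the proxy trust. The credential prompted for here is
# the local administrator account created on the AD FS server in
# pre-requisite 1; it is only entered on the WAP, never stored in a script.
Install-WebApplicationProxy -FederationServiceName $ServiceName `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceTrustCredential (Get-Credential -Message 'Local admin on the AD FS server')

# Step 8: the PowerShell equivalent of the Operation Status screen.
Get-WebApplicationProxyHealth | Format-Table -AutoSize
```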


Configure Office 365

Once you've set up your AD FS environment, the next step is to enable federation on your Office 365 tenant. Run the following commands in a PowerShell session on a computer with the Azure Active Directory Module installed to enable federation on your Office 365 environment.

Connect-MsolService
Set-MsolADFSContext -Computer <FQDN of the AD FS server>
Convert-MsolDomainToFederated -DomainName domain.tld

Once you've enabled federation on your Office 365 tenant, whenever a user with a UPN suffix matching any domain you've federated tries to sign in, the Office 365 service will automatically redirect the user to the AD FS authentication landing page, which will then authenticate the user on behalf of Office 365.

I assume you have Azure Active Directory Connect already installed and synchronizing your Active Directory objects to Azure Active Directory.
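A verification to run after the three federation commands above, as an added PowerShell example that is not from the original guide; the domain name and AD FS server FQDN are assumed placeholders. Microsoft has since deprecated the MSOnline module in favour of Microsoft Graph PowerShell, but these are the cmdlets the guide uses.

```powershell
# Added example, not from the original guide. Assumed placeholder values.
$Domain     = 'domain.tld'
$AdfsServer = 'adfs01.domain.tld'

Connect-MsolService
Set-MsolADFSContext -Computer $AdfsServer

# 1. Authentication type: 'Managed' means Convert-MsolDomainToFederated did
#    not take effect; 'Federated' means sign-ins for this suffix go to AD FS.
$d = Get-MsolDomain -DomainName $Domain
Write-Host "$Domain authentication: $($d.Authentication)"

# 2. Compare the trust Office 365 holds with what the AD FS farm publishes.
#    A mismatched token-signing certificate or issuer URI breaks sign-in; a
#    certificate nobody in the team recognises is a changed trust and worth
#    investigating rather than just re-synchronising.
$fed = Get-MsolFederationProperty -DomainName $Domain
$fed | Select-Object Source, FederationServiceIdentifier,
                     @{ n = 'SigningCertThumbprint'; e = { $_.TokenSigningCertificate.Thumbprint } } |
    Format-Table -AutoSize

$adfsSide  = $fed | Where-Object { $_.Source -like 'ADFS*' }
$cloudSide = $fed | Where-Object { $_.Source -like 'Microsoft*' }
if ($adfsSide.TokenSigningCertificate.Thumbprint -ne $cloudSide.TokenSigningCertificate.Thumbprint) {
    Write-Warning 'Token-signing certificate differs between AD FS and Office 365.'
    Write-Warning "If the AD FS side is the expected one, run: Update-MsolFederatedDomain -DomainName $Domain"
}

# 3. Inventory of every federated domain in the tenant, so a domain that was
#    federated without anyone converting it stands out.
Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' } |
    Select-Object Name, Status, IsDefault | Format-Table -AutoSize
```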


Disclaimer

All opinions and views expressed here are my own and do not reflect those of my past and present employers or their clients or business partners.

All data and information provided in this document are for informational purposes only. The Cloud Journal or the author makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information in this document and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.

Microsoft, Windows, Windows Server, Microsoft Azure, Office 365, Exchange Server, Skype for Business Server, SharePoint Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Any other products not explicitly declared here are either registered trademarks or trademarks of their respective owners.

Setup Office 365 Single Sign-on with Active Directory Federation Services by Muditha Jayath Chathuranga is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Based on a work at https://www.thecloudjournal.net.
