Lab
DC1 – Domain controller for techshizz.local
ADFS – Will run the Federation Services Role
ADFSProxy – Will run the Federation Services Proxy role
Client1 – Will act as a testing machine for SSO
Part 1 - Preparing for ADFS
Create a certificate request on the ADFS server via the IIS console and submit it to a third-party Certificate Authority. Then we install the certificate in IIS, export it, install it on the ADFS server and copy it to the DC and the ADFSProxy server. Finally we create a DNS record.
When I set this up in a real world environment, the O365 world was hosting the email so it was not an on-premises or hybrid environment. I’ve learned that if this is the case only a standard SSL certificate is needed. If your environment has an on-premises or hybrid Exchange then you may need a UCC certificate to cover the autodiscover and mail CNAME addresses like mail.domain.com and autodiscover.domain.com. My steps below are for an Office 365 hosted email environment, but I have noted the steps for creating a custom certificate via the MMC snap-in should you need to try it that way.
When creating the certificate request in IIS configure as follows:
If you need to add the additional Subject Alternative Names to the certificate request, configure the request like this from the MMC Certificates snap-in.
- Provide a certificate Friendly name
- Add the Common Name (CN) for the ADFS server, like CN=fs.techshizz.com (other guides use the prefix sts (Secure Token Signing) like this: sts.techshizz.com, but it really does not matter).
- Add an Alternative name (select DNS):
  - mail.techshizz.com
  - autodiscover.techshizz.com
  - techshizz.com
- Select “Server Authentication” as the cert type
- Change the Key Type to “Exchange”
- Change the Key Size to 2048
- Make the Private Key Exportable
- Continue and export the file. Leave the format as Base64.
- Locate the txt file, copy its contents and submit the request to the CA. You should receive the certificate from the CA in a zip file.
- Extract the certificate and import it into the MMC
- Export the certificate and then copy it to the DC and ADFSProxy
- In your public DNS, add an A record for “fs” like fs.techshizz.com and point it to your public IP address.
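The MMC wizard steps above can also be scripted, and scripting makes it easy to check the issued certificate before it is copied to the DC and ADFSProxy. The following is an added example, not part of the original post: it writes a certreq INF file with the same settings the list describes (CN=fs.techshizz.com, the three extra DNS names, 2048-bit exportable "Exchange" key, Server Authentication EKU), generates the Base64 request, and after the CA's certificate has been accepted verifies the SANs, key size, EKU and expiry. The file paths under C:\Temp and the function name Test-AdfsCertificate are assumptions.

```powershell
# Added example (not the post's own commands). KeySpec = 1 is the "Exchange"
# key type from the MMC wizard; KeyUsage 0xA0 = digital signature + key encipherment.
$InfPath = "C:\Temp\fs-request.inf"   # assumed paths
$ReqPath = "C:\Temp\fs-request.req"   # Base64 PKCS#10 request to submit to the CA
$CerPath = "C:\Temp\fs-issued.cer"    # certificate returned by the CA (assumed name)

# Single-quoted here-string so "$Windows NT$" is not expanded by PowerShell.
$Inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=fs.techshizz.com"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
HashAlgorithm = sha256
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=fs.techshizz.com&"
_continue_ = "dns=mail.techshizz.com&"
_continue_ = "dns=autodiscover.techshizz.com&"
_continue_ = "dns=techshizz.com"
'@

Set-Content -Path $InfPath -Value $Inf -Encoding ASCII
certreq -new $InfPath $ReqPath          # creates the pending request + private key in LocalMachine
# Submit $ReqPath to the CA. When the issued certificate arrives, bind it to the key:
# certreq -accept $CerPath

# Verify the certificate that will be exported to the other servers.
function Test-AdfsCertificate {
    param(
        [string]$CommonName = "fs.techshizz.com",
        [string[]]$RequiredSans = @("fs.techshizz.com", "mail.techshizz.com",
                                    "autodiscover.techshizz.com", "techshizz.com")
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$CommonName" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for CN=$CommonName in LocalMachine\My" }

    $sans    = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $missing = @($RequiredSans | Where-Object { $sans -notcontains $_ })
    $rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        KeySize       = $rsa.KeySize
        ServerAuthEku = ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
        NotAfter      = $cert.NotAfter
        MissingSans   = $missing
        Ok            = ($missing.Count -eq 0 -and $rsa.KeySize -ge 2048 -and
                         $cert.NotAfter -gt (Get-Date) -and
                         $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
    }
}

# Usage after certreq -accept: Test-AdfsCertificate | Format-List
```

Only export the certificate once `Ok` is `True`; a missing SAN or a short key is far easier to fix before the certificate has been copied to three servers and bound in IIS.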
Installing ADFS
First we create an A record on the internal DNS server. Next we install ADFS from server manager. Import the certificate and assign it to the https binding.
- Create a CNAME record on the Domain Controller. This is so that the ADFS server can be resolved internally (create fs.techshizz.com and point it to your ADFS.techshizz.com).
- On the ADFS server-to-be: Install the Federation Services Role from server manager. IIS will be installed too.
- Import the certificate we copied over in the last section.
- Open IIS, go to the default website and add a HTTPS binding. Select the certificate that was imported.
- Open the ADFS management console and Create a new “Federated Service”.(Stand-Alone). Click through and complete the wizard.
Installing the ADFS Proxy
In this section we install the FS roles on the FS server and the FSProxy server.
- On the ADFSProxy server: Install the Federation Services Proxy Role from server manager. IIS will be installed too.
- Import the certificate we copied over in the last section.
- Open IIS, go to the default website and add a HTTPS binding. Select the certificate that was imported.
- Open the ADFS management console and test the connection to the ADFS server. Enter your credentials and finish the wizard.
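The ADFS server and the ADFSProxy go through the same "import the certificate, add an HTTPS binding, select the certificate" steps, so one script serves both sections above. This is an added example and not the post's own commands: it creates the internal CNAME on the DC, installs the role by name (ADFS-Federation for the federation server, ADFS-Proxy for the proxy), imports the exported PFX into the machine store, binds it to port 443 on the Default Web Site, and reads back the thumbprint IIS will present. The PFX path, the password prompt, an internal techshizz.com DNS zone on DC1 and the function names are assumptions.

```powershell
# Added example (not from the original post). Run on the relevant server as an administrator.
Import-Module WebAdministration   # exposes IIS:\ once the IIS role is installed

# 1) Internal name resolution, run on DC1 (assumes DC1 hosts a techshizz.com zone).
function Add-InternalFsRecord {
    Add-DnsServerResourceRecordCName -ZoneName "techshizz.com" -Name "fs" -HostNameAlias "adfs.techshizz.local"
}

# 2) Role install: the federation server gets ADFS-Federation, the proxy gets ADFS-Proxy.
#    Both pull IIS in as a dependency, which is why the binding step follows.
function Install-FsRole {
    param([ValidateSet("Adfs", "Proxy")][string]$Role)
    $feature = if ($Role -eq "Adfs") { "ADFS-Federation" } else { "ADFS-Proxy" }
    Install-WindowsFeature -Name $feature -IncludeManagementTools
}

# 3) Import the PFX exported in the previous section and bind it to HTTPS on the Default Web Site.
function Set-FsHttpsBinding {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][System.Security.SecureString]$PfxPassword
    )
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
                                  -Password $PfxPassword -Exportable

    if (-not (Get-WebBinding -Name "Default Web Site" -Protocol https -Port 443)) {
        New-WebBinding -Name "Default Web Site" -Protocol https -Port 443
    }
    # IIS:\SslBindings maps <ip>!<port> to a certificate; 0.0.0.0 means all addresses.
    $bindingPath = "IIS:\SslBindings\0.0.0.0!443"
    if (Test-Path $bindingPath) { Remove-Item $bindingPath }
    Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" | New-Item -Path $bindingPath | Out-Null
    return $cert.Thumbprint
}

# 4) What IIS will actually present; compare with the thumbprint returned by Set-FsHttpsBinding.
function Get-FsBoundThumbprint {
    (Get-Item "IIS:\SslBindings\0.0.0.0!443").Thumbprint
}

# Usage on the ADFS server:
#   Install-FsRole -Role Adfs
#   $t = Set-FsHttpsBinding -PfxPath "C:\Temp\fs.techshizz.com.pfx" -PfxPassword (Read-Host -AsSecureString "PFX password")
#   Get-FsBoundThumbprint -eq $t      # expect True
# Usage on the ADFSProxy: the same, with -Role Proxy.
```

Because the proxy's wizard "tests the connection" to the federation server over HTTPS, a mismatch between the thumbprint on the two servers is the first thing to check when that test fails.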
Adding and Verifying Domains
In this section we install the Online Services Sign-in assistant and the Azure PowerShell module on the DC. We then associate the local domain with our Office 365 domain, and then convert it to be a federated domain.
Before you begin, create a 2nd Global Admin in Office 365 like “[email protected]”. Make sure you create it on the OnMicrosoft domain, and NOT the domain you are going to synchronize – you’ll need it in this part.
Also, this first step would normally be done as part of the Azure AD Connect part, but if you try to run the readiness checks after the domain has been converted it just fails miserably.
- Log into O365 Admin Panel > Services > Directory Synchronization: Follow the instructions to enable the sync. This wizard will do all the checks on the domain to ensure it is fit for synchronization. This can be done from any domain-joined machine. Do NOT enable sync at this point; just quit once you have ensured the domain is tidy.
- On the ADFS: Install the Online Services Sign-in assistant
- On the ADFS: Install the Azure Active Directory PowerShell Module
- Log into Office 365 Admin Panel, go to domains and “Add a Domain” Follow instructions to verify.
- You’ll need to log into your Public DNS and configure a TXT record for verification.
- Open the Azure Active Directory PS module and run the following commands:
- Connect-MsolService – Then enter the secondary O365 tenant credentials we created above. This is because you’ll get an error if you try to run the next commands while you’re logged in as an account that will be synced.
- Get-MsolDomain – You should see the domain we just added
- Set-MsolAdfsContext -Computer ADFS.techshizz.local – This command associates the ADFS server with the O365 domain. YOU MUST ENTER THE FQDN OF THE LOCAL ADFS SERVER NOT THE EXTERNAL DNS ADDRESS.
- For this part I had to log out and log back in on the Enterprise Admin account: Convert-MsolDomainToFederated -DomainName techshizz.local – This converts the domain to be federated.
- Get-MsolFederationProperty -DomainName techshizz.local – The output here should confirm the domain has been converted successfully.
- Log into the O365 Admin Center > Domains > Select Domain > Click “View DNS Settings”. You should see that Single Sign on is Enabled.
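The conversion is a one-way change to how every user in the domain authenticates, so it is worth checking the domain's state before converting and confirming afterwards that what Office 365 stored matches what the ADFS server reports. The following is an added example and not the post's own command list: it wraps the cmdlets above with those checks. The post says the conversion itself had to be run under the Enterprise Admin account, so sign in accordingly before calling Convert-DomainWithChecks. The property names (Status, Authentication, Source, TokenSigningCertificate, PassiveClientSignInUrl) are from the MSOnline cmdlet output as I know it, and the function names are assumptions.

```powershell
# Added example, not from the original post. Requires the Azure AD (MSOnline) module.
Import-Module MSOnline
Connect-MsolService   # sign in as described in the post

# Refuse to convert unless the domain is verified and not already federated.
function Test-DomainReadyForFederation {
    param([Parameter(Mandatory)][string]$DomainName)
    $d = Get-MsolDomain -DomainName $DomainName
    if ($d.Status -ne "Verified") {
        throw "$DomainName is '$($d.Status)'; add the verification TXT record first"
    }
    if ($d.Authentication -eq "Federated") {
        Write-Warning "$DomainName is already federated; skipping conversion"
        return $false
    }
    return $true
}

# Associate the local ADFS server (internal FQDN, as the post stresses), convert,
# then compare the ADFS side with what Office 365 recorded.
function Convert-DomainWithChecks {
    param(
        [string]$DomainName = "techshizz.local",     # domain as written in the post
        [string]$AdfsServer = "ADFS.techshizz.local"  # internal FQDN of the federation server
    )
    Set-MsolAdfsContext -Computer $AdfsServer
    if (Test-DomainReadyForFederation -DomainName $DomainName) {
        Convert-MsolDomainToFederated -DomainName $DomainName
    }

    # Get-MsolFederationProperty returns one object per side ("ADFS Server" / "Microsoft Office 365").
    $props    = Get-MsolFederationProperty -DomainName $DomainName
    $fromAdfs = $props | Where-Object { $_.Source -like "ADFS*" }
    $fromO365 = $props | Where-Object { $_.Source -like "*Office 365*" }

    $consistent = ($fromAdfs.TokenSigningCertificate.Thumbprint -eq $fromO365.TokenSigningCertificate.Thumbprint) -and
                  ($fromAdfs.PassiveClientSignInUrl -eq $fromO365.PassiveClientSignInUrl)

    [pscustomobject]@{
        Domain                = $DomainName
        AdfsSigningThumbprint = $fromAdfs.TokenSigningCertificate.Thumbprint
        O365SigningThumbprint = $fromO365.TokenSigningCertificate.Thumbprint
        PassiveSignInUrl      = $fromO365.PassiveClientSignInUrl
        Consistent            = $consistent
    }
}

# Usage: Convert-DomainWithChecks | Format-List
```

`Consistent` being `False` after a conversion usually means the token-signing certificate on the ADFS server has changed since the federation data was pushed; Office 365 will then reject tokens until the federation properties are updated.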
Activating Azure AD Connect
- On the ADFS machine, download and run the Active Directory Synchronization tool (Azure AD Connect). Follow the wizard. Do not use the Express Install, as this will skip the Azure ADFS part.
- To start the Sync Manually you can run this PowerShell command:
- Start-OnlineCoexistanceSync
- Assign Licences to the newly added users in AD. REMEMBER to set the service location for these users before assigning a licence.
- Before SSO works, you need to add your domain into the “Intranet Trusted Sites” list in the client browsers. NOTE: SSO needs Internet Explorer to work correctly. This is because Firefox, Google Chrome, and Safari don’t support Extended Protection for Authentication; the recommended option is to install and use Internet Explorer 10 or later. https://support.office.com/en-us/article/Office-365-single-sign-on-with-third-party-browsers-4a6085c7-7227-4ea7-b202-a5aa65af00e4?ui=en-US&rs=en-US&ad=US
- Finally I got an error/warning at the end of Azure AD Connect that needs addressing.
To do this you need to log on to the ADFS server and make sure the Active Directory PowerShell Module is installed and the CMI tools.
Once that's done you need to run these PowerShell commands:
Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1";
$aadAdminCred = Get-Credential;
Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [connector account name] -AzureADCredentials $aadAdminCred;
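The "Intranet Trusted Sites" step above is the one most often missed on Client1, because the zone assignment lives in the registry rather than in anything ADFS installs. The following is an added example and not from the original post: it writes the per-user ZoneMap entry that puts https://fs.techshizz.com in the Local intranet zone (zone id 1), which is what lets Internet Explorer send integrated Windows authentication to the federation server, and reads it back so the setting can be checked. In a domain the same values are normally pushed by Group Policy (Site to Zone Assignment List); the per-user key is used here because it is easy to verify on a test machine. The function names are assumptions.

```powershell
# Added example (not from the original post). Run in the user's session on Client1.
# Zone ids used by the ZoneMap: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted.
$ZoneMapRoot = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

# Split fs.techshizz.com into the registrable domain (techshizz.com) and the host label (fs),
# which is how the ZoneMap nests its keys: Domains\techshizz.com\fs.
function Get-ZoneMapKeyPath {
    param([Parameter(Mandatory)][string]$HostName)
    $parts  = $HostName.ToLower().Split('.')
    if ($parts.Length -lt 2) { throw "Expected a fully qualified host name, got '$HostName'" }
    $domain = $parts[-2..-1] -join '.'
    if ($parts.Length -gt 2) {
        $sub = $parts[0..($parts.Length - 3)] -join '.'
        return "$ZoneMapRoot\$domain\$sub"
    }
    return "$ZoneMapRoot\$domain"
}

# Put the HTTPS URL of the host in the given zone (default: Local intranet).
function Add-IntranetZoneSite {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [ValidateSet(1, 2)][int]$Zone = 1
    )
    $key = Get-ZoneMapKeyPath -HostName $HostName
    New-Item -Path $key -Force | Out-Null
    # The value name is the URL scheme; only https is mapped so that a plain-http
    # name for the same host never inherits intranet-zone credentials.
    New-ItemProperty -Path $key -Name "https" -Value $Zone -PropertyType DWord -Force | Out-Null
}

# Read the assignment back; returns $null when the host has no mapping.
function Get-IntranetZoneSite {
    param([Parameter(Mandatory)][string]$HostName)
    $key = Get-ZoneMapKeyPath -HostName $HostName
    if (-not (Test-Path $key)) { return $null }
    $v = Get-ItemProperty -Path $key -Name "https" -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    [pscustomobject]@{ Host = $HostName; Scheme = "https"; ZoneId = $v.https }
}

# Usage:
#   Add-IntranetZoneSite -HostName "fs.techshizz.com"
#   Get-IntranetZoneSite -HostName "fs.techshizz.com"    # expect ZoneId 1
```

Keep the mapping to the federation hostname only; adding the whole techshizz.com domain to the intranet zone would extend automatic credential submission to every host under it.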