Active Directory Federation Services (ADFS) 2.0 with Office 365: Part 2 – Configuring

In Part 1 of this post, we introduced ADFS 2.0 in relation to Office 365 and discussed environmental requirements in implement. Part 2 will actually cover the configuration and validation steps needed to implement ADFS 2.0 with Office 365. Note: this post is based on the Office 365 Beta for Enterprises.

Assumptions:

• Domain has been added and verified in the Office 365 Admin portal
• Directory Sync Tool is installed and configured
• 2 Windows 2008 R2 servers are built and prepared to install ADFS 2.0
  • Internal ADFS server is joined to the domain
  • Proxy ADFS server is not joined to domain and located in perimeter network
• Necessary firewall ports are open from the Internet to ADFS Proxy server (port 443)
• Necessary firewall ports are open from ADFS Proxy server to internal ADFS server (port 443)
• External DNS record has been implemented for ADFS (our example will use sts.UPNdomain.com)

The following steps are used to prepare the environment:

1. Add UPN Suffix to AD and configure for each user (this is required if your AD is using a non-routable domain internally like .local or .priv)
   • UPNs used for identity federation can only contain letters, numbers, periods, dashes and underscores.
   • Open AD Domains and Trusts tool
   • Right-click AD Domains and Trusts and click Properties
   • On the UPN suffixes tab, type the alternative UPN suffix for the forest and then click Add
   • 
   • Repeat to add additional UPN suffixes
   • Open user properties, navigate to Account Tab.
   • Select the external namespace UPN for the “User logon name”
   • 
2. Create service account for ADFS – this can be a regular Domain User, no special permissions needed.
3. Add internal ADFS server(s) to AD forest
4. Download ADFS 2.0 RTW (HERE). During the install process, the following Windows components will be automatically installed:
   • Windows PowerShell
   • .NET Framework 3.5 SP1
   • Internet Information Services (IIS)
   • Windows Identity Foundation
5. Download Microsoft Online Services Identity Federation Management Tool (32-bit or 64-bit)
6. (Optional) Install and configure SQL Server 2005 or 2008 if your organization has more than 30,000 users who will use Office 365
7. Configure external DNS A record for ADFS Proxy (ex. Sts.domain.com)

Now we are ready to install and configure ADFS 2.0 on internal server:

1. Double-click AdfsSetup.exe (this is the ADFS 2.0 RTW download)
2. Click Next on the Welcome Screen and Accept the License Agreement
3. On the Server Role Option screen, select Federation Server
   • 
4. Finish the rest of the wizard, this will install any necessary prerequisites
5. At the end of the wizard, uncheck box to Start the ADFS 2.0 Management Snap-in
   • 
6. Request and provision public certificate through IIS
   • 
7. Bind certificate to IIS on port 443
   • 
8. Configure ADFS utilizing ADFS 2.0 Management
   • 
9. Select ADFS 2.0 Federation Server Configuration Wizard
   • 
10. Select Create a new Federation Service
11. Select New Federation server farm (this is recommended even if you plan on installing only one server in case in the future you want to add another server)
    • 
12. Select the public certificate and validate the Federation Service name.  This will automatically fill in the name on the certificate Subject Name.  If a wildcard certificate is used, you must enter the name for the Federation Service.
    • 
13. Enter in the service account credentials that were created earlier
    • 
14. Finish Wizard
15. Run Office 365 Desktop Setup from portal
16. Install Identity Federation Management Tool (FederationConfig.msi, use default install parameters)
17. Enable Identity Federation within Office 365 portal for your domain
18. Launch the Identity Federation Management Tool
19. Type $cred=Get-Credential and press Enter
20. Enter you Microsoft Online Services administrator logon and password and click ok
    • 
21. Type Set-MSOLContextcredential –msolAdminCredentials $cred –LogFile c:\logfile.log and press enter
22. Type Add-MSOLFederatedDomain –domainname UPNdomain.com
23. If prompted that the domain already exists as a standard domain, type Convert-MSOLDomainToFederated –domainname UPNdomain.com
24. Type Update-MSOLFederatedDomain –domainname UPNdomain.com
25. Verify Identity Federation Functionality

Install ADFS 2.0 Proxy server

1. Export public certificate from ADFS internal server and copy to proxy server
2. Validate DNS resolution of sts.UPNdomain.com resolves to internal ADFS server from ADFS Proxy Server (a HOST file can be used for this if needed)
3. Validate DNS resolution of sts.UPNdomain.com resolves to external A record from an internet PC
4. Double-click AdfsSetup.exe (this is the ADFS 2.0 RTW download)
5. Click Next on the Welcome Screen and Accept the License Agreement
6. On the Server Role Option screen, select Federation Server Proxy
   • 
7. Finish the rest of the wizard, this will install any necessary prerequisites
8. At the end of the wizard, uncheck box to Start the ADFS 2.0 Management Snap-in
   • 
9. Import certificate in IIS and bind certificate to Default Web Site
10. Configure ADFS proxy by selecting ADFS 2.0 Federation Server Proxy Configuration Wizard
    • Enter the federation namespace (ex. Sts.UPNdomain.com)
    • Test connection
    • 
    • Service account credentials
11. Finish Wizard
12. Log into portal with UPN credentials.  Note that once the UPN login is entered, the password field is grayed out and a link activates to log into the ADFS server
    • 

 

Hopefully this will help you navigate the ADFS waters in regards to Office 365 Beta.