
This blog post details the steps to set up ADFS 3.0 on Server 2012 R2 for use with Office 365. A lot has changed in ADFS 3.0 compared to 2.0. The biggest change is that 3.0 no longer requires IIS: the federation service now listens on HTTP.sys (the same kernel HTTP stack IIS uses) and ships with the web components it needs. Another big change is that Server 2012 R2 includes a new role, Web Application Proxy, which takes over the job of the old ADFS proxy. The third big change is that the sign-in page can be customized easily with PowerShell.

Setting up ADFS 3.0

My primary UPN domain is already set up for DirSync with Password Sync, so instead of converting that domain I decided to go out and get another domain name. After some searching I came up with TheCloudAdvocate.com, which was not yet taken. I bought the domain, added it to my tenant and set up a user with the @thecloudadvocate.com UPN. DirSync did its thing and I licensed the user.

So here are the steps. I did all of this in my lab, on servers fully hosted on Windows Azure!

Setting up ADFS 3.0 (Server 2012 R2) For Office 365

Install ADFS

1. Join the Server 2012 R2 machine to the domain.

2. In Server Manager, Add Roles and Features, select the Active Directory Federation Services role and click Next.

3. Click Next through the Features page and the AD FS information page.

4. Tick 'Restart the destination server automatically if required', accept the pop-up, then click Install.

5. Wait for completion and reboot.

6. If the server did not reboot, click the caution sign next to the flag at the top of Server Manager and select 'Configure the federation service on this server'. If you did not close the original setup page, the same link is available there.

7. On the welcome page of the configuration wizard, click Next.

8. On the credentials page, keep the account you are logged in with (it must be a member of the Domain Admins group) and click Next.

9. Select the public certificate (it has to be imported into the computer's personal certificate store, with its private key, beforehand), then enter a Federation Service Display Name and click Next.

10. Create a normal domain user account in AD, select it and enter its password, then click Next. You can also use a Managed Service Account, which is the better choice because AD rotates its password for you and there is no static secret to expire or leak; read more here: http://technet.microsoft.com/en-us/library/hh831782.aspx

11. Select the database type. Since this is my test lab and a small environment I went with the Windows Internal Database (WID). WID is limited to a small farm and does not support SAML artifact resolution or token replay detection; SQL Server does. Here is some information on choosing between WID and SQL: http://technet.microsoft.com/en-us/library/ee913581.aspx. Click Next.

12. Review the settings. 'View script' shows the PowerShell the wizard is about to run; keep it to automate installs of additional federation servers. Click Next.

13. Verify that the prerequisite checks completed successfully and click Configure.

14. Wait for completion, then click Close.

To test, go to https://adfs.thecloudadvocate.com/adfs/ls/IdpInitiatedSignon.aspx (obviously change adfs.thecloudadvocate.com to your own federation service name). The name has to resolve to the ADFS server from wherever you test, so an internal DNS A record or a hosts entry is needed first.

You should also ensure that the site is added to the Local Intranet zone in Internet Explorer. I do a *.domain.com for this, and it enables automatic sign-in (Windows Integrated Authentication) for domain-joined machines when they are on the internal network. Best practice is to push this out with a GPO (the Site to Zone Assignment List policy) to all domain machines. Bear in mind that everything in the Local Intranet zone gets silent credential hand-off, so a wildcard extends that trust to every host under the domain; listing just the federation service host name keeps it to the ADFS server.
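As an added example, not from the original post, the following PowerShell does what the wizard steps above do: installs the role, creates the first server of a WID farm, checks the two endpoints that matter, and adds the Local Intranet zone entry for one host rather than a wildcard. The gMSA name, the certificate subject match and the PFX-free assumption that the certificate is already in the machine store are assumptions for this example; the federation service name is the post's.

```powershell
# Added example (not from the original post): PowerShell equivalent of the
# ADFS 3.0 role install, farm configuration and smoke test described above,
# run on the domain-joined Server 2012 R2 machine. The gMSA name and the
# certificate subject match are assumptions; the federation service name is
# the post's.
#Requires -RunAsAdministrator

$fsName    = 'adfs.thecloudadvocate.com'   # federation service name (public DNS name)
$fsDisplay = 'The Cloud Advocate'           # shown on the sign-in page
$gmsaName  = 'svc-adfs'                     # assumed gMSA name
$domainNB  = (Get-ADDomain).NetBIOSName

# 1. The role. ADFS 3.0 listens through HTTP.sys, so no IIS role is pulled in.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 2. Service account. A group Managed Service Account beats a regular user
#    account: AD rotates its password, so there is no static secret to leak
#    or to expire. Add-KdsRootKey is a one-time forest operation; backdating
#    the effective time is a lab shortcut that skips the replication wait.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName $fsName `
        -ServicePrincipalNames "host/$fsName" `
        -PrincipalsAllowedToRetrieveManagedPassword "$env:COMPUTERNAME`$"
}

# 3. The certificate must already be in LocalMachine\My with its private key;
#    the wizard only offers what is there. This matches on the subject CN; a
#    certificate that carries the name only in its SAN needs a different filter.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$fsName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $fsName with a private key in LocalMachine\My" }

# 4. First server of the farm. Leaving out -SQLConnectionString selects WID,
#    as the post does; pass a connection string to use SQL Server instead.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $fsName `
    -FederationServiceDisplayName $fsDisplay `
    -GroupServiceAccountIdentifier "$domainNB\$gmsaName`$"

# 5. Smoke test. $fsName must resolve to this server (internal DNS A record or
#    a hosts entry on the machine you test from). The metadata document is what
#    Office 365 and the proxy consume; the sign-on page is the visual check.
$meta   = Invoke-WebRequest -UseBasicParsing -Uri "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
$signOn = Invoke-WebRequest -UseBasicParsing -Uri "https://$fsName/adfs/ls/IdpInitiatedSignon.aspx"
"Metadata HTTP $($meta.StatusCode), IdP-initiated sign-on page HTTP $($signOn.StatusCode)"
Get-AdfsCertificate -CertificateType Token-Signing |
    Format-Table Thumbprint, IsPrimary, @{n='NotAfter'; e={ $_.Certificate.NotAfter }}

# 6. Client side (run as the user on a domain-joined client): put only the
#    federation service host into the Local Intranet zone (zone value 1).
#    A wildcard *.thecloudadvocate.com would let every host under that name
#    trigger silent Windows Integrated Authentication; keep the scope narrow.
#    Fleet-wide, the GPO "Site to Zone Assignment List" does the same thing.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\thecloudadvocate.com\adfs'
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null
```

Steps 1 to 5 run on the ADFS server; step 6 is a client-side setting and is shown here only because the post's Local Intranet advice is part of the same procedure. Keep the token-signing thumbprint that step 5 prints: it is what you will compare against the tenant after the federation trust is created.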

Install Web Application Proxy (WAP)

Do not join the WAP server to the domain: it belongs in your DMZ as a workgroup member. WAP cannot be installed on the internal federation server, and should not be, since its whole point is to keep the internal server off the Internet edge. The only traffic that needs to be allowed is TCP 443 from the Internet to the WAP server and TCP 443 from the WAP server to the internal ADFS server.

1. WAP is part of the Remote Access role; select that role and click Next.

2. Click Next through the Features page and the Remote Access information page.

3. Select Web Application Proxy; when the pop-up appears click Add Features, then click Next.

4. Review the settings, tick Restart if needed, and click Install. Wait for completion.

5. Select 'Open the Web Application Proxy Wizard' and click Next.

6. Before going further, make sure the federation service name resolves from the WAP server to the internal ADFS IP. A workgroup host in the DMZ has no internal DNS, so add an entry for the internal ADFS server to the HOSTS file in C:\Windows\System32\drivers\etc pointing at the internal IP.

7. Import the public certificate (with its private key) into the WAP server's computer store. Enter the Federation service name and the credentials of an account that is a local administrator on the internal ADFS server. Those credentials are used once, to establish the proxy trust, and are not saved. Click Next.

8. Select the imported certificate and click Next.

9. Copy the script if you want to automate further proxy installs, then click Configure.

10. Wait for the proxy configuration to complete and click Close. The Remote Access Management Console starts automatically.

11. In the console, select Publish on the right side.

12. Click Next, select Pass-through as the preauthentication method and click Next. Pass-through is correct here because ADFS itself is the component doing the authentication.

13. Enter the Name and the External URL, select the external certificate and click Next. Note that the Backend server URL is filled in automatically to match the External URL, which is what you want.

14. Review the information, click Publish, then Close.

Test from an external machine and go to https://adfs.thecloudadvocate.com/adfs/ls/IdpInitiatedSignon.aspx
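As an added example, not from the original post, here is the same proxy configuration done from PowerShell on the workgroup server in the DMZ. The internal ADFS address and the PFX path are assumptions for this example; the hostname is the post's. The `Install-WebApplicationProxy` call is what the proxy wizard runs, and the `Add-WebApplicationProxyApplication` call mirrors the Publish step.

```powershell
# Added example (not from the original post): PowerShell equivalent of the
# Web Application Proxy steps above, run on the workgroup server in the DMZ.
# The internal ADFS IP and the PFX path are assumptions; the hostname is the post's.
#Requires -RunAsAdministrator

$fsName    = 'adfs.thecloudadvocate.com'
$adfsIntIP = '10.0.0.5'                 # assumed internal address of the ADFS server
$pfxPath   = 'C:\certs\adfs.pfx'        # assumed export of the public cert with private key

# 1. A workgroup host in the DMZ has no internal DNS, so pin the federation
#    service name to the internal ADFS address. Externally the same name
#    resolves to the proxy's public address, which is the whole trick.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hostsFile -Pattern ([regex]::Escape($fsName)) -Quiet)) {
    Add-Content -Path $hostsFile -Value "$adfsIntIP`t$fsName"
}
if (-not (Test-NetConnection -ComputerName $fsName -Port 443 -InformationLevel Quiet)) {
    throw "Cannot reach $fsName on 443 from the proxy; check the hosts entry and the DMZ firewall"
}

# 2. Same public certificate as the internal server: the proxy terminates TLS
#    for the public name and re-encrypts to the backend.
$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
$cert   = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd |
    Where-Object HasPrivateKey | Select-Object -First 1

# 3. Role install (WAP lives under Remote Access) and the proxy trust. The
#    credential must be a local administrator on the internal ADFS server; it
#    is used once to issue the proxy trust certificate and is not stored.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
$trustCred = Get-Credential -Message 'Admin on the internal ADFS server (used once, not saved)'
Install-WebApplicationProxy -FederationServiceName $fsName `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceTrustCredential $trustCred

# 4. The Publish step from the console: pass-through, because ADFS is the
#    component that authenticates, with the backend URL equal to the external one.
Add-WebApplicationProxyApplication -Name 'ADFS' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl "https://$fsName/" `
    -BackendServerUrl "https://$fsName/" `
    -ExternalCertificateThumbprint $cert.Thumbprint

# 5. What the proxy now knows. The real test still has to come from a machine
#    outside the network, as the post says: from this box the hosts entry would
#    send a browser straight to the backend, bypassing the proxy.
Get-WebApplicationProxyConfiguration | Format-List
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication
```

The check in step 1 is worth keeping: if the DMZ firewall does not allow TCP 443 from the proxy to the internal ADFS server, `Install-WebApplicationProxy` fails while creating the trust, and the error is less obvious than a failed port test.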

Configure Federation for your Domain

Do all of this on your primary internal ADFS server.

You will need to install the Windows Azure Active Directory Module for Windows PowerShell (the MSOnline cmdlets), http://technet.microsoft.com/library/jj151815.aspx (several prerequisites are required).

Set up the federation trust for your domain, http://technet.microsoft.com/en-us/library/jj205461.aspx. The domain must already be verified in the tenant, and the users who will federate need UPNs in that domain, which is why a separate domain was used above.

Once completed you should be able to log in with your on-premises credentials at http://portal.microsoftonline.com. From this point on, Office 365 trusts whatever your ADFS token-signing certificate signs, for every user in the domain, so the ADFS servers deserve the same protection as domain controllers.
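As an added example, not from the original post, the following is the federation setup behind the two TechNet links above, run on the primary internal ADFS server with the MSOnline module installed, followed by the check that both sides agree on the trust. The domain name is the post's; the convert-in-place path is an assumption based on the post syncing users into a domain that is already verified in the tenant.

```powershell
# Added example (not from the original post): the federation steps behind the
# two TechNet links above, run on the primary internal ADFS server with the
# MSOnline (Windows Azure AD) module installed. The domain is the post's; the
# convert-in-place path is assumed because the post syncs users into an
# already verified domain.
Import-Module MSOnline
Connect-MsolService                               # prompts for a tenant Global Administrator

$domain = 'thecloudadvocate.com'
Set-MsolAdfsContext -Computer $env:COMPUTERNAME   # lets the cmdlets read this farm's configuration

$d = Get-MsolDomain -DomainName $domain
if ($d.Status -ne 'Verified') {
    throw "$domain is not verified in the tenant; federation needs a verified domain"
}

if ($d.Authentication -eq 'Federated') {
    "$domain is already federated"
} else {
    # Existing, verified, managed domain -> convert in place. New-MsolFederatedDomain
    # is the alternative for a domain that is not yet in the tenant. From here on,
    # Azure AD trusts this farm's token-signing certificate for everyone in the domain.
    Convert-MsolDomainToFederated -DomainName $domain
}

# Compare what the two sides hold. Issuer URI, passive sign-in URL and the
# token-signing certificate must match, otherwise sign-in breaks after the
# redirect. After ADFS auto-rolls its token-signing certificate, run
#   Update-MsolFederatedDomain -DomainName $domain
# to push the new certificate to Azure AD.
Get-MsolFederationProperty -DomainName $domain |
    Format-Table Source, FederationServiceIdentifier, PassiveLogOnUri,
        @{n='TokenSigningThumbprint'; e={ $_.TokenSigningCertificate.Thumbprint }}
```

`Get-MsolFederationProperty` returns one row for the ADFS server and one for the tenant; the thumbprint in both rows should be the primary token-signing thumbprint that `Get-AdfsCertificate -CertificateType Token-Signing` shows on the farm.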

Next, you may want to customize the ADFS 3.0 sign-in page. It is done entirely from PowerShell; check out this: http://technet.microsoft.com/en-us/library/dn280950.aspx

After customization, this is what my ADFS sign-in page looks like:

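As an added example, not from the original post, this is the PowerShell-only branding the linked article covers, run on the internal ADFS server. The theme name, image paths and text are assumptions for this example.

```powershell
# Added example (not from the original post): PowerShell-only branding of the
# ADFS 3.0 sign-in page, run on the internal ADFS server. Theme name, image
# paths and text are assumptions.
$theme = 'TheCloudAdvocate'

# Start from a copy of the built-in theme rather than editing 'default' in place,
# so the stock look is always there to switch back to.
if (-not (Get-AdfsWebTheme -Name $theme -ErrorAction SilentlyContinue)) {
    New-AdfsWebTheme -Name $theme -SourceName default
}
Set-AdfsWebTheme -TargetName $theme `
    -Logo @{ Path = 'C:\branding\logo.png' } `
    -Illustration @{ Path = 'C:\branding\illustration.jpg' }

# Text is global web content, not part of the theme.
Set-AdfsGlobalWebContent -CompanyName 'The Cloud Advocate' `
    -SignInPageDescriptionText 'Sign in with your on-premises account.'

# Activate the theme and confirm which one is live.
Set-AdfsWebConfig -ActiveThemeName $theme
Get-AdfsWebConfig | Select-Object ActiveThemeName
```

The change is visible on the IdP-initiated sign-on page immediately; no service restart is needed. The same cmdlets apply to every server in the farm because the web configuration lives in the shared configuration database.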

GO Broncos! Win the Super Bowl! :)