Step by Step ADFS
Hussain Shakir
LinkedIn: https://www.linkedin.com/in/mrhussain
Twitter: https://twitter.com/hshakir_ms
Blog: http://mstechguru.blogspot.com/
Table of Contents
About Author ........................................................................................................................................................ 2
Product Overview ................................................................................................................................................. 3
Role description .................................................................................................................................................... 3
ADFS in Azure Test Lab Requirements ............................................................................................................... 4
Prerequisite ........................................................................................................................................................... 4
Prepare the Base Servers ...................................................................................................................................... 4
AD FS Server ......................................................................................................................................................... 4
AD FS Proxy Server ............................................................................................................................................... 4
Directory Sync Server ........................................................................................................................................... 5
Prepare Active Directory ...................................................................................................................................... 5
Add UPN Suffix ..................................................................................................................................................... 5
Clean up Active Directory .................................................................................................................................... 5
Create the SSL Certificate Request (CSR) ............................................................................................................ 6
Fulfill the Certificate Signing Request (CSR) ...................................................................................................... 11
Complete the Certificate Request (CSR) ............................................................................................................. 11
Assign the Completed SSL Certificate ................................................................................................................ 15
Configure Local AD FS Federation Server .......................................................................................................... 18
Configure Federation Trust with Office 365 .......................................................................................................25
Synchronizing your directory with Office 365 ...................................................................................................27
Requirements for running the Directory Sync tool ...........................................................................................27
It must be joined to Active Directory .................................................................................................................27
It must run Windows PowerShell ...................................................................................................................... 28
To add an alternative UPN suffix ....................................................................................................................... 29
Match On-Premise UPN with Office 365 UPN ................................................................................................. 29
Monitoring and Testing Directory Sync ............................................................................................................ 39
About Author
Shakir is IT Consultant with over 13 years of extensive experience working with Microsoft
Technologies AD, Exchange, O365, Windows Azure, PowerShell, Skype for Business, SQL,
SharePoint and Microsoft public clouds, and providing solutions to different local & international
Enterprise customers.
Shakir has been involved in Infrastructure Designing and Implementation, Virtualization, and
Disaster Recovery. Extensive hands-on experience in Core Server Infrastructure, Cloud Computing,
Virtualization/ Management and Information Protection. Analysis and Support of Microsoft
Windows Server based Client / Server network, AD, Messaging, Skype for Business, SQL Always ON,
Virtualization and System Center Infrastructure Products. Shakir has various industry certifications:
MCT, MCTS, MCITP, MCSA, MCSE: Messaging, MCPS, MCSE: Cloud Platform and Infrastructure
and also providing trainings on Microsoft Based Technologies.
Product Overview
Active Directory Federation Services (AD FS) simplifies access to systems and applications using a claims-
based access (CBA) authorization mechanism to maintain application security. AD FS supports Web single-
sign-on (SSO) technologies that help information technology (IT) organizations collaborate across
organizational boundaries. AD FS 2.0 is a downloadable Windows Server 2008 update that is the successor
to AD FS 1.0, which was first delivered in Windows Server 2003 R2, and AD FS 1.1, which was made available
as a server role in Windows Server 2008 and Windows Server 2008 R2. Previous versions of AD FS are referred
to collectively as AD FS 1.x.
Role description
AD FS provides simplified, secured identity federation and Web single sign-on (SSO) capabilities for end
users who want to access applications within an AD FS-secured enterprise, in federation partner
organizations, or in the cloud.
In Windows Server® 2012 R2, AD FS includes a federation service role service that acts as an identity provider
(authenticates users to provide security tokens to applications that trust AD FS) or as a federation provider
(consumes tokens from other identity providers and then provides security tokens to applications that trust
AD FS).
ADFS in Azure Test Lab Requirements
Prerequisite Azure Subscription for Creating Virtual Machines
Public Certificate
Public IP Address on ADFS
Public IP Address on ADFS Proxy
Four physical/virtual Server’s required for this Lab, (ADFS, ADFS Proxy, DC, DirSync)
Virtual Machines can be setup Azure cloud as per this guide.
Prepare the Base Servers
AD FS Server
Base build the AD FS server with Windows Server 2012
Setup a connection to the internal network
Add the server to the local domain
Update the server with all Windows Updates
AD FS Proxy Server
Base Build the AD FS Proxy server with Windows Server 2012
Setup a connection to the DMZ network (verify connectivity to the AD FS server on port 443)
DO NOT add the server to the local domain
Update the server with all Windows Updates
Directory Sync Server
Base build the Directory Synchronization server with Windows Server 2012
Setup a connection to the internal network
Add the server to the local domain
Update the server with all Windows Updates
Prepare Active Directory
Add UPN Suffix
If you are using and internal domain name that doesn’t match the domain that you want to federate with
Office 365 you will have to add a custom UPN suffix that matches that external name space. If you need to
add the UPN suffix, please follow these instructions, http://support.microsoft.com/kb/243629
Example
Internal Domain Name – yourdomain.local
Desired Federated Domain – contoso.com
Clean up Active Directory
This makes sense for so many reasons, but the most for Directory Sync. I generally make an OU for all the
Office 365 Services; then create more OUs within that one for all the user accounts, services accounts, groups,
servers and computers. This will allow us to filter on user accounts and groups when we enable Directory
Synchronization with Office 365. The less number of objects that you sync with Office 365 is better. If you
have thousands of objects replicating, that don’t need to be, things will get messy really quick. Keep it clean
and neat. This will prevent mistakes and keep you head ache free.
Setting up AD FS requires the use of a third party SSL certificate. In a production situation, I would
recommend that a single name SSL certificate. Wildcard and multi-name certificates will work, but I like to
keep things simple and use a standard SSL certificate in a production situation. Make sure that the common
name matches what you plan to call the AD FS server farm. Microsoft best practices recommends that you
use the host name, STS (secure token service). In the example below, I have used the value sts.domain.com.
Create the SSL Certificate Request (CSR)
1. Open Server Manager
2. Click Tools
3. Click Internet Information Services (IIS) Manager
4. Select the local server
5. Select Server Certificates
6. Click Open Feature (actions pane)
7. Click Create Certificate Request
8. Fill out the certificate request properties. Make sure that the common name matches what you
plan to call the AD FS server farm. Microsoft best practices recommends that you use the host
name STS (secure token service). In the example below, I have used the
value sts.domain.com.
9. lick Next
10. Leave the Cryptographic service provider at the default
11. Change the Bit Length to 2048
12. Click Next
Fulfill the Certificate Signing Request (CSR)
We need to take the CSR generated in the last step to a third party SSL certificate provider. I
choose to use GoDaddy. Here are GoDaddy’s instructions to fulfill the CSR at their site
– Requesting a Standard or Wildcard SSL Certificate. Once the certificate is issued, download the
completed CSR to the AD FS server.
Complete the Certificate Request (CSR)
1. Open Server Manager
2. Click Tools
3. Click Internet Information Services (IIS) Manager
4. Select the local server
5. Select Server Certificates
6. Click Open Feature (actions pane)
7. Click Complete Certificate Request
8. Select the path to the complete CSR file that you competed and downloaded from the third party certificate provider
9. Enter the friendly name for the certificate
10. Select Personal as the certificate store
11. Click OK
12. The certificate will be added
***Note*** The certificate shown below is a multi-name SSL certificate for my lab environment.
When your certificate is added, it should show sts.domain.com, which matches the request.
Assign the Completed SSL Certificate
Now that we have the third party certificate completed on the server, we need to assign and
bind it to the default website (HTTPS port 443).
1. Expand the local server
2. Expand Sites
3. Select Default Web Site
4. Click Bindings (actions pane)
5. Click Add
6. Change the type to HTTPS
7. Select your certificate from the drop down menu.
***Note*** The certificate shown below is a multi-name SSL certificate for my lab environment. When you select your certificate, it should show sts.domain.com, which matches the competed certificate.
8. Click OK
9. Click Close
10. Close IIS Manager
Now that we have the required software installed and the certificate in place, we can finally configure the AD FS role and federate with Microsoft.
Configure Local AD FS Federation Server
Open Server Manager
1. Open Server Manager
2. Click Tools
3. Click AD FS Management
4. Click AD FS Federation Server Configuration Wizard
5. Create a new Federation Service
6. New Federation Server Farm – Choose this option all the time, even if you only plan on deploying one server. If you choose Stand-alone federation server, then you won’t
be able to add more servers.
7. Click Next
8. SSL Certificate – This should be pre-populated. If it isn’t, go back and assign/bind the third party certificate to the default web site
9. Federation Service Name – This should match the SSL certificate name
*** NOTE *** Since I am using a multi-name certificate in a lab environment, my SSL
certificate name and Federation Service name don’t match. This is not recommended for
production environments. Use best practices always; a single name certificate.
10. Click Next
11. Enter the AD FS service account name and password
12. Click Next
13. Click Next
14. All green check marks mean everything is setup correctly
15. Click Close
Configure Federation Trust with Office 365
Now that we have our side of the federation setup, we can complete the federation with Office 365
Open the Desktop on the AD FS server
Download Windows Azure Active Directory Module for Windows PowerShell
Right Click and Run As Administrator
Set the credential variable
o $cred=Get-Credential
Enter a Global Administrator account from Office 365. I have a dedicated tenant
(@domain.onmicrosoft.com) service account setup for AD FS and Directory
Synchronization.
Connect to Microsoft Online Services with the credential variable set previously
o Connect-MsolService –Credential $cred
Set the MSOL ADFS Context server, to the ADFS server
o Set-MsolADFSContext –Computer adfs_servername.domain_name.com
Convert the domain to a federated domain
o Convert-MsolDomainToFederated –DomainName domain_name.com
Successful Federation
o Successfully updated ‘domain_name.com‘ domain.
Verify federation
o Get-MsolFederationProperty –DomainName domain_name.com
This completes the setup for federation to Office 365. Keep in mind that before you can
successfully use single sign-on with Office 365, you will need to setup and configure Directory
Synchronization. After Directory Synchronization is setup, you will have to license the synchronized
user in Office 365. This will provision the services for the user. If they want to access Office 365
from outside the internal network, the AD FS Proxy server needs to be setup and configured.
First we need to setup ADFS & SSO than we will configure DirSync server with O365.
Synchronizing your directory with Office 365
All customers of Azure Active Directory and Office 365 have a default object limit of 50,000 objects
(users, mail-enabled contacts, and groups) by default.
This limit determines how many objects you can create in your tenant.
Objects can be created using DirSync, Powershell or the GRAPH API.
When you verify your first domain, this object limit is automatically increased to 300,000 objects.
Requirements for running the Directory Sync tool
The directory synchronization computer must meet the following requirements:
It must run Windows Server as operating system. The following versions of the Windows Server operating system are supported:
64-bit edition of Windows Server 2008 Datacenter
64-bit edition of Windows Server 2008 R2 Standard or Enterprise, Windows Server 2008
R2 Datacenter
64-bit edition of Windows Server 2012 Standard or Datacenter
64-bit edition of Windows Server 2012 R2 Standard or Datacenter
It must be joined to Active Directory
The computer must be joined to the Active Directory forest that you plan to synchronize.
It must run the Microsoft .NET Framework 3.5 SP1 and the Microsoft .NET Framework 4.0. If you are running Windows Server 2008, the .NET Framework will already be installed; if not, you can download it from the following locations:
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4.0
It must run Windows PowerShell
If you are running Windows Server 2003, you need to download Windows PowerShell. If you are
running Windows Server 2008, you need to enable Windows PowerShell.
Hardware Requirements for DirSync: -
To set up directory synchronization, you must designate one computer as your directory
synchronization computer, and then install the Directory Sync tool on that computer.
Number of objects in Active Directory CPU Memory Hard drive size
Fewer than 10,000 1.6 GHz 4 GB 70 GB
10,000–50,000 1.6 GHz 4 GB 70 GB
50,000–100,000
Requires full SQL Server
1.6 GHz 16 GB 100 GB
100,000–300,000
Requires full SQL Server
1.6 GHz 32 GB 300 GB
300,000–600,000 1.6 GHz 32 GB 450 GB
Requires full SQL Server
More than 600,000
Requires full SQL Server
1.6 GHz 32 GB 500 GB
UPN Requirement: -
Your Active Directory environment must be properly configured in order for your users to sign-in to
Microsoft online services. In particular, the userPrincipalName (UPN) attribute, also known as a user
logon name, must be set up correctly for each user in a specific way. The UserPrincipalName attribute
must use a publically routable domain. If you are not currently using a publically routable domain, you
will need to update your users UserPrincipalNames. To do this, add an alternative UPN suffix in your
on-premises Active Directory.
To add an alternative UPN suffix
Click Start, Administrative Tools, and then click Active Directory Domains and Trusts.
Log on to one your organization’s Active Directory domain controllers
In the console tree, right-click Active Directory Domains and Trusts and then click Properties.
Select the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add.
Repeat step 3 to add additional alternative UPN suffixes.
Match On-Premise UPN with Office 365 UPN
If you have not yet set up Active Directory synchronization, you can skip this task and continue
with the next section.
If you have already set up Active Directory synchronization, the user’s UPN for Office 365 may
not match the user’s on-premises UPN defined in Active Directory. This can occur when a user
was assigned a license before the domain was verified.
To remedy this issue, use Windows PowerShell to update users’ UPNs to ensure that their Office
365 UPN matches their corporate user name and domain.
The first thing we want to do is tell our Office 365 tenant that we are going to setup directory
synchronization. This can take some time, so best do this step first.
1. Log into Microsoft Online Portal
2. Select the Users and Groups button within the Office 365 admin center.
On the right-hand page select Active Directory Synchronization set up
4. Select Activate under Step 3, Activate Active Directory Synchronization. Please note that
this can take up to 24 hours to complete.
5. Once Active Directory Synchronization has been activated, you will see the task change to
activated
At this point we can go ahead and install the DirSync tool. From a member server in your on-
premise domain, open up a browser a log into your Office 365 tenant.
7. Repeat steps 1 -3 to get back to the Active Directory Synchronization page.
8. Select download against option 4, Install and Configure the Directory Sync Tool, this will
downloaddirsync.exe onto your local machine.
9. Once downloaded, run dirsync.exe (NOTE: You must have .NET Framework 3.51 and .NET
Framework 4.0 installed on the computer in order to run this tool) If you see an error message at
this point then you can install .NET 3.51 from the Administrative Tools > Server Manager >
Features > Add Features.
10. Select .Net Framework 3.5.1 Features and follow the installation instructions.
11. You may at this point need to check that you have also installed all security updates to .Net
Framework 3.5.1.
12. .NET Framework 4.0 can be downloaded from here.
13. Once you have the right version of .NET Framework, go ahead and install dirsync.exe. At
theWelcome screen click Next
14. Accept the EULA
15. Select the Installation Folder you wish to install the binaries into. The installation will begin.
16. When the installation is complete click Next
17. Check the Start Configuration Wizard now and click Finish
18. On the DirSync tool Configuration wizard welcome screen click Next
19. Provide credentials of an account with administrative permissions for your online tenant. These
credentials will be saved and used to synchronize changes from your organization’s on-premise
Active Directory with Windows Azure Active Directory.
Important: When you change the password for this account, you must run this wizard again to
change the password used by the DirSync tool. Click Next
20. Provide the credentials for an account with administrative permissions on your organizations
Active Directory. These credentials will be used to set the permission for the DirSync tool, which
will sync changes in your organization’s Active Directory with Windows Azure Active Directory.
These credentials are not saved.
21. The Hybrid Deployment page, if used, provides a unified email experience for you Office 365
and on-premise environment. A Hybrid deployment boasts features such as unified GAL, off-
boarding and others. A full list of these can be found here.
This requires an Exchange 2010 server on-premise, as we don’t have one for this setup, this is
greyed out.
22. Password Synchronization. The Sync’ing of password from on-premise to cloud allows users
to access Office 365 with the same password as the one they use for on-premise resources. If
you require this then select Enable Password Sync, and click Next.
23. The DirSync tool will now configure your settings.
24. Select Synchronize your directories now and click Finish.
25. The configuration wizard presents you with a link to see how you can verify your directory
has been synchronized. Click OK.
Monitoring and Testing Directory Sync
Once you have the dirsync tool installed we will need to test that it works correctly. There are a
couple of ways you can test and monitor dirsync, ideally what we want to do is test both forced &
automatic updates.
To monitor our changes, we can use the Synchronization Service Manager tool, which ships
with DirSync.
Navigate to the following directory on the member server you installed the dirsync tool C:\Program
Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell
Double-click miisclient
To summarize, in the top frame you have a list of when DirSync ran, the bottom left frame gives
you finer detail of the changes, for example the number of changes, add, deletes, etc.
To test a forced sync, navigate to you on-premise Active Directory and make a simple change
on an account that you have on both platforms. In this example I’ve updated the Job Title details
on the accountEdward Tester.
Then log onto the member server where the dirsync tool is installed.
Navigate to the following directory. C:\Program Files\Windows Azure Active Directory
Sync and runDirSyncConfigShell.psc1
Type Start-OnlineCoexistenceSync. Press Enter. This will force a sync between you on-
premise Active Directory and Windows Azure Directory Services.
If you now open up the Sync Service Manager and you will see the update going through.
If you click and navigate further you can see the finer detail of the updated object, in this
instance the object field we are attempting to sync.
You can now check your user object in Office 365, the change has been replicated.
The default sync between Office 365 and on premise Active Directory is 3 hours. This can be
changed to whatever suits your companies need. This previous article on changing the default
Office 365 DirSync Schedule outline the steps for this.