In the first part of the article series, we created a new Windows Azure lab, and installed and configured a new domain controller and Exchange server. We also created additional Windows 2012 Azure servers for ADFS, ADFS Proxy and Directory Synchronization (DirSync). ADFS (Krisadfs.cloudapp.net) and DirSync (krisdirsync.cloudapp.net) are joined to the Windows domain ‘checkwhatsin.com’. ADFS Proxy (krisadfsproxy.cloudapp.net) is not joined to the domain, since it is designed to be placed in the DMZ.
In this part of the article series, we will perform the activities shown below to configure single sign-on (SSO). With SSO, users in your organization can use their corporate credentials to access the Office 365 service offerings, removing the burden of managing multiple logon identities and passwords. Without SSO, an Office 365 user would have to maintain separate user names and passwords.
I. Installation and configuration of ADFS server
II. Installation and configuration of ADFS proxy server
Installation and configuration of ADFS server
Active Directory Federation Services (AD FS) is a server role in Windows Server that provides web single sign-on (SSO) technologies to authenticate a user to multiple web applications over the life of a single online session. At the outset, we need to create a service account before configuring AD FS.
1. Log in to Krisadc.cloudapp.net with the domain admin credentials
2. Using Active Directory Users and Computers, create a new service account for the ADFS federation server and set its password to never expire
Account name: svr-federation
3. Open DNS Manager and create a new ‘A’ record pointing to the internal IP address of the ADFS server.
4. Log in to the ADFS server Krisadfs.cloudapp.net with domain credentials
5. The ADFS server needs a certificate from a third-party CA. Since we already have a wildcard certificate configured on the Exchange server, we can simply export it from the Exchange server and import it into the ADFS server
Export the wildcard certificate with its private key from the Exchange 2013 server and copy it to the root (C:\) directory of the server krisadfs.cloudapp.net
6. Start PowerShell on the server krisadfs.cloudapp.net and execute the command given below. Type the certificate password that was used to export the certificate. The command imports the certificate into the local computer's Personal certificate store
certutil.exe -f -importpfx c:\checkwhatsin.pfx
7. Installing the Active Directory Federation Server role is as simple as running a PowerShell command. Execute the PowerShell cmdlet below to install the ADFS server role
8. The ADFS server needs to be configured once it is installed. Start Server Manager, click on the amber symbol and then click on ‘Run the AD FS management snap-in’ to configure it.
9. This opens the AD FS snap-in. Click on “AD FS Federation Server Configuration Wizard” to start the configuration wizard.
10. To create a new federation service, select ‘Create a new Federation Service’ on the Welcome page and click on ‘Next’
11. Select ‘New Federation Server Farm’ on the Deployment Type page and click on ‘Next’
12. On the Federation Service Name page, select the SSL certificate ‘Checkwhatsin’, provide the federation service name ‘sts.checkwhatsin.com’ and click on ‘Next’
13. Enter the ADFS service account ‘checkwhatsin\svr-federation’ and its password on the ‘Specify Service Account’ page and click on ‘Next’
14. Verify the details on the Summary page and click on ‘Next’ to start the installation
15. Wait for the installation to complete, make sure that every component configuration has finished, and click on ‘Close’ to finish the installation.
16. To validate the installation, open the link below in Internet Explorer and make sure you get the page shown in the image below
With this we have created and configured the ADFS server and it is ready to use.
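The steps above can be scripted and, more importantly, verified before and after the wizard. The script below is an added example and is not code from the original article or from Microsoft; the article does not show its install cmdlet, so the feature name ADFS-Federation, the service name adfssrv and the standard federation metadata URL are this example's assumptions (they match Windows Server 2012 / AD FS 2.1 as far as I know). It imports the wildcard PFX into the same LocalMachine\My store that certutil -importpfx targets, checks that the certificate has a private key, chains to a trusted root, covers sts.checkwhatsin.com and is not about to expire, installs the role, and provides a post-wizard check that the federation service is running and serving its metadata.

```powershell
# Added example, not code from the original article. Prepares the AD FS 2.1
# federation server role on Windows Server 2012 and validates the result.
# Assumptions (not stated on the page): PFX path and federation name as in the
# article; PKI and ServerManager modules of Windows Server 2012; feature name
# ADFS-Federation; service name adfssrv; the standard federation metadata URL.

$PfxPath        = 'C:\checkwhatsin.pfx'
$FederationName = 'sts.checkwhatsin.com'

function Test-CertCoversName {
    # $true if the certificate's CN or any SAN DNS entry covers $DnsName, honouring
    # single-label wildcard semantics (*.checkwhatsin.com covers sts.checkwhatsin.com
    # but not a.b.checkwhatsin.com).
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$DnsName
    )
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() yields e.g. "DNS Name=*.checkwhatsin.com, DNS Name=checkwhatsin.com"
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() }
    }
    foreach ($n in $names) {
        $pattern = '^' + ([regex]::Escape($n) -replace '\\\*', '[^.]+') + '$'
        if ($DnsName -imatch $pattern) { return $true }
    }
    return $false
}

function Initialize-AdfsServer {
    # 1. Import the wildcard certificate into LocalMachine\My. The PFX password is
    #    prompted for as a SecureString, never hard-coded in the script.
    $pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

    # 2. Checks worth doing before starting the configuration wizard.
    if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key; AD FS cannot use it.' }
    if (-not $cert.Verify())      { throw 'Certificate does not chain to a root trusted on this server.' }
    if (-not (Test-CertCoversName -Cert $cert -DnsName $FederationName)) {
        throw "Certificate does not cover the federation service name $FederationName."
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate expires $($cert.NotAfter); an expired STS certificate takes SSO down."
    }

    # 3. Install the federation server role (assumed feature name, see lead-in).
    Import-Module ServerManager
    $install = Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools
    if (-not $install.Success) { throw "ADFS-Federation installation failed with exit code $($install.ExitCode)." }
    return $cert.Thumbprint
}

function Test-FederationService {
    # 4. Run after the AD FS Federation Server Configuration Wizard has finished:
    #    the service must be running and the metadata endpoint served over HTTPS.
    param([string]$Name)
    $svc = Get-Service -Name adfssrv
    if ($svc.Status -ne 'Running') { throw "AD FS service is $($svc.Status), expected Running." }
    $uri  = "https://$Name/FederationMetadata/2007-06/FederationMetadata.xml"
    $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing
    if ($resp.StatusCode -ne 200) { throw "Metadata endpoint returned HTTP $($resp.StatusCode)." }
    $entityId = [regex]::Match($resp.Content, 'entityID="([^"]+)"').Groups[1].Value
    if (-not $entityId) { throw 'Metadata has no entityID; the federation service is not configured.' }
    return $entityId
}

# Usage: run Initialize-AdfsServer, complete the wizard (steps 8-15 of the article),
# then run Test-FederationService -Name $FederationName and expect the entityID
# of the new federation service back.
```

Invoke-WebRequest performs full certificate validation, so a failing chain or a name mismatch on the STS certificate surfaces here rather than at the first Office 365 sign-in.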
Installation and configuration of ADFS proxy server
The AD FS 2.0 Proxy is a service that brokers connections between external users and the internal AD FS 2.0 server. It acts as a reverse proxy and typically resides in your organization’s perimeter network (DMZ). Since Krisadfsproxy.cloudapp.net is not a domain-joined computer, it cannot resolve hosts on the internal network, so we need to create a hosts-file entry to resolve the internal ADFS server.
1. Log in to Krisadfsproxy.cloudapp.net using the local admin credentials
2. Create a manual hosts-file entry pointing to the AD FS server
Open the ‘hosts’ file with Notepad from the path C:\Windows\System32\drivers\etc\. Add a new entry mapping the name sts.checkwhatsin.com to the ADFS server's IP address
3. The ADFS proxy server also needs a certificate from a third-party CA. Since we already have a wildcard certificate on the Exchange server, we just need to export it and configure it on the ADFS proxy server
Export the wildcard certificate with its private key from the Exchange 2013 server and copy it to the root (C:\) directory of the server krisadfsproxy.cloudapp.net
4. Start PowerShell on the server krisadfsproxy.cloudapp.net and execute the command below. Type the certificate password that was used to export the certificate. The command imports the certificate into the local computer's Personal certificate store
certutil.exe -f -importpfx c:\checkwhatsin.pfx
5. Configure the imported certificate in Internet Information Services (IIS) Manager
a. Start IIS Manager from the Control Panel, select ‘Default Web Site’ and select ‘Bindings’ in the Actions pane
b. Click on ‘Add’ to add a new site binding. Make sure to select the type “https” and the SSL certificate “Checkwhatsin”, and click on “OK”.
c. Click on “Close” to finish the IIS configuration
6. Install the ADFS proxy role using the PowerShell cmdlet below
7. After the ADFS Proxy is installed, it needs to be configured. Start ‘Server Manager’, click on the amber symbol and select ‘Run the AD FS Federation Server Proxy Configuration’
8. On the Welcome page of the ‘AD FS Federation Server Proxy Configuration Wizard’, click on ‘Next’
9. Specify sts.checkwhatsin.com as the federation server name and click ‘Test Connection’; the status should report that the connection succeeded. Click on ‘Next’ to continue
10. Enter the ADFS service account credentials in the Windows Security pop-up and click on ‘OK’ to continue.
11. Verify the settings on the ‘Ready to Apply’ page and click on ‘Next’ to start the configuration
12. Verify that the ‘Configuration Results’ page reports successful completion and click on ‘Close’
13. Since the ADFS proxy server is the Internet-facing server and the ADFS server is configured with sts.checkwhatsin.com as its federation service name, we need to create a CNAME record in public DNS for sts.checkwhatsin.com pointing to the ADFS proxy server ‘Krisadfsproxy.cloudapp.net’.
Below is the reference screenshot from the GoDaddy DNS console.
With this we have created and configured the ADFS and ADFS Proxy servers, and made all the necessary configuration changes to deploy SSO.
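The proxy build relies on one name, sts.checkwhatsin.com, resolving two different ways: to the internal federation server from the proxy itself (hosts file, step 2) and to the proxy from the Internet (public CNAME, step 13). The script below is an added example, not code from the original article or from Microsoft, that automates the hosts-file entry, the IIS HTTPS binding and the role install, and then verifies both views of the name, since getting them crossed is the usual cause of a proxy that forwards to itself or of external clients hitting the internal STS. The internal ADFS IP address, the public resolver, the feature name ADFS-Proxy and the WebAdministration, ServerManager and DnsClient modules of Windows Server 2012 are this example's assumptions; the wildcard certificate is assumed to be already imported into LocalMachine\My by step 4.

```powershell
# Added example, not code from the original article. Prepares the non-domain-joined
# AD FS proxy on Windows Server 2012 and verifies the split name resolution the
# article relies on. Assumptions (not stated on the page): internal ADFS IP
# placeholder, public resolver, feature name ADFS-Proxy, the WebAdministration,
# ServerManager and DnsClient modules, and the wildcard certificate already
# present in LocalMachine\My.

$FederationName  = 'sts.checkwhatsin.com'
$InternalAdfsIp  = '10.0.0.10'                  # PLACEHOLDER: internal IP of krisadfs.cloudapp.net
$ProxyPublicName = 'krisadfsproxy.cloudapp.net'
$PublicResolver  = '8.8.8.8'                    # assumption: any resolver outside the lab
$HostsFile       = "$env:SystemRoot\System32\drivers\etc\hosts"

function Add-HostsEntry {
    # 1. Hosts-file entry (what the article does in Notepad), written only once.
    param([string]$Ip, [string]$Name)
    $pattern = '^\s*\S+\s+' + [regex]::Escape($Name) + '\s*$'
    if (-not (Select-String -Path $HostsFile -Pattern $pattern -Quiet)) {
        Add-Content -Path $HostsFile -Value "$Ip`t$Name" -Encoding Ascii
    }
    Clear-DnsClientCache
}

function Set-ProxyHttpsBinding {
    # 2. HTTPS binding on the Default Web Site with the wildcard certificate
    #    (what the 'Bindings' dialog in IIS Manager does).
    Import-Module WebAdministration
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.HasPrivateKey -and $_.Subject -match '^CN=\*\.checkwhatsin\.com' } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'Wildcard certificate for checkwhatsin.com not found in LocalMachine\My.' }
    if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
        New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
    }
    if (Test-Path IIS:\SslBindings\0.0.0.0!443) { Remove-Item IIS:\SslBindings\0.0.0.0!443 }
    $cert | New-Item IIS:\SslBindings\0.0.0.0!443 | Out-Null
    return $cert.Thumbprint
}

function Install-AdfsProxyRole {
    # 3. Install the proxy role (assumed feature name, see lead-in).
    Import-Module ServerManager
    $r = Install-WindowsFeature -Name ADFS-Proxy -IncludeManagementTools
    if (-not $r.Success) { throw "ADFS-Proxy installation failed with exit code $($r.ExitCode)." }
}

function Test-SplitResolution {
    # 4. Local resolution must hit the internal server; the public CNAME must
    #    point at the proxy.
    $local = [System.Net.Dns]::GetHostAddresses($FederationName) | ForEach-Object { $_.IPAddressToString }
    if ($local -notcontains $InternalAdfsIp) {
        throw "On the proxy, $FederationName resolves to $($local -join ', '), expected $InternalAdfsIp."
    }
    $public = Resolve-DnsName -Name $FederationName -Type CNAME -Server $PublicResolver -ErrorAction Stop |
              Where-Object { $_.Type -eq 'CNAME' }
    if (-not $public -or $public.NameHost -ne $ProxyPublicName) {
        throw "Public DNS does not map $FederationName to $ProxyPublicName (got: $($public.NameHost))."
    }
    return $true
}

Add-HostsEntry -Ip $InternalAdfsIp -Name $FederationName
Set-ProxyHttpsBinding
Install-AdfsProxyRole
# Complete the AD FS Federation Server Proxy Configuration Wizard (steps 7-12) and
# create the public CNAME (step 13), then run:
Test-SplitResolution
```

The hosts-file entry is unmanaged state on a DMZ host, so keep it in the build documentation for the proxy: if the internal federation server's IP changes, the proxy keeps forwarding to the old address and only Test-SplitResolution (or a failed external sign-in) reveals it.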
In the next part of the article, we will be completing the configuration of SSO and Directory Sync between Office 365 and on-premises exchange server.