When discussing and reviewing Office 365 with customers, I wanted to have a series of posts to illustrate the steps involved when deploying Office 365. In the burgeoning drafts folder ADFS was at the top, so that got finished first!
The act of deploying and configuring ADFS 2012 R2 for Office 365 will be broken down into three separate blog posts
Install ADFS (this post)
Install ADFS Proxy
Leverage ADFS with Office 365
Identity, Identity, Identity
The IT security landscape keeps evolving. One of the recent changes is a move away from ACLs on files in the NTFS file system to an access control system that is based on claims. Claims based authentication is an industry standard security protocol to authenticate users. This is the underlying WS-* standards that describe the usage of Security Assertion Mark-up Language (SAML) tokens. Claims based auth requires these tokens, and by extension an entity that can issue the token. This is the Secure Token Service (STS). The STS server can be based on Active Directory Federation Services (ADFS) or other platforms that provide this service.
ADFS lights up one of the three options for Office 365 identity management, which is option #3 in the below list:
Cloud Identity – users are created, and managed, in Windows Azure Active Directory (WAAD). No connection to any other directory. This is the simplest model as there is no integration to any other directory. Each user has an account created in the cloud which does not synchronise anywhere else. Note that you will still typically need additional on-premises credentials to gain access to a local workstation and local resources.
Directory Synchronisation – Users are created and managed in the on-premises directory and get synchronised up to Office 365 so they can access Office 365 resources. Typically this means running the DirSync appliance, or in some cases FIM with the Windows Azure Active Directory Connector. The newer builds of DirSync allow for the user’s password hash to be synchronised up to Office 365. Note this does not say clear text password. This allows user’s to logon to Office 365 using the same credentials as on-premises with no additional infrastructure.
Federated Identity – Federation relies on directory synchronisation so that WAAD is populated. When the authentication request is presented to Office 365, the service will then contact the on-premises ADFS infrastructure so that AD is responsible for authenticating the request.
ADFS is the primary choice for customers who want to use federated identities with Office 365. In addition to this there are a variety of qualified third party identity providers that can be connected with Office 365 to provide the necessary plumbing for federation. The shortcut URL aka.ms/SSOProviders links to the ‘Works With Office 365’ Identity program, and lists the identity providers that have been qualified with Office 365. Please read the notes on the TechNet page with regards to the testing and support aspects of these services.
Some customers will use these services as they do not wish to invest in a fault tolerant and geographically dispersed ADFS implementation. The availability of ADFS is a key discussion point when discussing federation. For whatever reason if the ADFS infrastructure is unavailable, then Office 365 cannot complete the authentication process and thus users cannot get access to Office 365.
In addition since DirSync now replicates the user’s hashed password to WAAD, some customers now use DirSync to provide Same Sign On / Single Sign On (SSO). DirSync version 1.0.6385.12, which was released in May 2013, and latter builds provide the ability to synchronise passwords. DirSync can be downloaded here, and the TechNet Wiki has details on the release history. When running the configuration wizard with this release you will get the shiny “Password Synchronization” window:
This is worthwhile to mention as there is still a perception that ADFS is a hard requirement to get SSO. That is soooooooooooo Q1 2013!
Anyway, I digress let’s get back to ADFS…..
We shall look at installing ADFS 2012 R2 since there are numerous compelling features in this release!
What’s New And Improved In ADFS 2012 R2
The quick answer is a lot! Some examples include:
IIS dependency removed
Single server installation option removed and now have single farm install (recommended to install a farm always in prior release anyway)
Separate ADFS proxy role removed. ADFS proxy now based off Web Application Proxy (WAP), and is used to publish the ADFS server to the Internet. WAP can publish many other applications, not just ADFS.
ADFS extranet lockout – ADDS account lockout protection on the ADFS proxy
Access control based on network location to control user authentication to ADFS
There are many others, but check here for them since we are focussing on Office 365 usage for ADFS.
Note that you will not see me call this release ADFS 3.0. Its full and proper name is ADFS 2012 R2. for reference here are the older versions and what some folks call them:
|ADFS 1.0||Released with Windows 2003 R2. Built into OS.|
|ADFS 1.1||Released with Windows 2008 and 2008 R2. Built into OS.|
|ADFS 2.0||Released After Windows 2008 / 2008 R2. Separate download from here.|
|ADFS 2.1||Windows 2012|
|ADFS 3.0||Windows 2012 R2|
Planning And Prerequisites, And Other Fun Details
The prerequisites are listed on TechNet. Of course before jumping into the install the installation needs to be planned.
ADFS Role Planning
The ADFS role should be deployed within the corporate network, and not in the DMZ. The ADFS proxy role is intended to be installed into the DMZ.
The default topology for Active Directory Federation Services (AD FS) is a federation server farm, using the Windows Internal Database (WID), that consists of up to five federation servers hosting your organization’s Federation Service. In this topology, AD FS uses WID as the store for the AD FS configuration database for all federation servers that are joined to that farm. The farm replicates and maintains the Federation Service data in the configuration database across each server in the farm.
Since the availability of Office 365 relies upon the availability of ADFS when the domain is federated there is a strong recommendation to have at least two ADFS servers with a redundant ADFS proxy infrastructure.
Please review the design guidance on TechNet.
ADFS Service Account
We can now use a standard service account or a Group Managed Service Account in ADFS 2012 R2.
In this case since the KDS root key was not configured, lets leverage a standard service account.
The installation process should set the required Service Principal Names (SPN) on the account.
Select what name you are to use to access ADFS. Typically this is along the lines of:
Note that this is the namespace for the ADFS service. Since we will be using Kerberos to access ADFS internally, there must be a Service Principle Name (SPN) registered for this name. This will be associated to the service account, and since SPNs operate in the “Highlander – there can be only one!” mode you do not want to duplicate the SPN on the ADFS server by naming the computer the same as the ADFS namespace.
You also want to discuss what display name should be chosen, as this will be visible to users.
Since ADFS leverages SSL, we need to have a SSL certificate. You could try three options, but only one will work:
Certificate issued from internal PKI
Certificate from 3rd party public CA
Office 365 needs to see a valid Service Communication Certificate on your ADFS infrastructure, so you are going to have to buy a certificate from a public CA. Office 365 will not trust a service communication certificate that is either self-signed or from your internal CA, which results in tears. We can use self-signed certificates for the Token Decrypting and Token Signing Certificate. These are separate from the service communication cert.
Please follow the documentation from your chosen CA to request, install and complete the certificate. The steps required vary from vendor to vendor and also over time. Make sure you are not missing any updated intermediate certificates! How would you know? Follow their process!!
For the purposes of this post we shall deploy the initial ADFS server, and in the future add another ADFS server for redundancy.
Installing ADFS On Windows Server 2012 R2
After starting up server manager’s add roles and features wizard, select Active Directory Federation Services, then click next.
We don’t need to add any additional features. Remember that the IIS dependency was removed in ADFS 2012 R2.
Clicking next takes us to the ADFS splash screen. Note that it helpfully tells us that the specific ADFS proxy role has been removed in Windows 2012 R2 and how to go about installing it. Shame I missed that the very first time I ran this, and could not find the old school ADFS Proxy role…
Clicking next will then install the necessary bits.
Bits are being shuffled around…
Shuffling has been completed, and the installation is complete. You can launch the ADFS configuration wizard from here, or alternatively if this window is closed it can be launched from server manager.
Before starting the ADFS configuration wizard I already installed my 3rd party certificate and tested that is was correctly installed.
Additionally a service account called ADFS-Service was also pre-created.
The wizard also states that you must have access to Domain Admin (DA) credentials!
Note that you are only given an option to either make a new ADFS farm or add this box to an existing farm. This saves the painful issue from older ADFS builds, where ADFS was not installed into a farm you were then unable to easily the add the second ADFS server for redundancy.
Provide your domain admin credentials.
We need to select the SSL certificate that we will use and also provide the ADFS name we selected in the design process.
In this case the name is adfs.tailspintoys.ca — note that there is no concept of an InternalURL or ExternalURL for the ADFS namespace. Clients will use the same name on the intranet and internet to locate ADFS. Thus split DNS will make life simple!
Provide your chosen display name, and click next.
As mentioned earlier it is possible to use a GMSA as the ADFS service account. GMSA will automatically update the service account’s credentials and administrators will also be oblivious as to its password.
In this case a standard service account was used.
Select the database configuration as per the design.
The Tailspintoys corporation will use WID.
Review the options, and when happy pull the trigger!
For reference the PowerShell script is shown here:
# Windows PowerShell script for AD FS Deployment
# Get the credential used for the federation service account
$serviceAccountCredential = Get-Credential -Message “Enter the credential for the Federation Service Account.”
-FederationServiceDisplayName:”Tailspintoys STS” `
The ADFS pre-requisite checks are done, and we can proceed to the configuration:
One coffee later, we have a shiny new ADFS server – whoo!!
We are not quite done yet, and there a couple of additional things to do!
DNS A Record
We must create the DNS record for the ADFS instance. This maps to the ADFS namespace that we previously planned. Create this A record in your internal DNS infrastructure.
Once the DNS record has been created an propagated ensure that it resolves correctly.
One thing to mention here, if you create a CNAME and point that to the server hosting ADFS chances are that you will run into a never ending authentication prompt situation.
In the below example the ADFS namespace is called adfs.tailspintoys.ca and a CNAME was used to direct traffic to the ADFS server called tail-ca-sts.tailspintoys.ca. This will likely cause the client to obtain a Kerberos ticket for the incorrect name.
The easiest way to stop this is to use a regular A record, like so:
There is also an option contained in KB 911149 that some folks have mentioned.
This topic covers additional steps to configure AD FS after you install the first federation server, including:
For more information about how to deploy AD FS, see How to deploy AD FS in Windows Server 2012 R2.
Verify Federation Service Metadata
Open Internet Explorer and navigate to your ADFS server’s federation metadata URL.
This will be something like the below, just change the FQDN to match your environment.
The result should show this:
Verify ADFS Sign-In Page
Browse to the ADFS sign-in page and test that you are able to authenticate.
The URL will be similar to the below, again change the FQDN to match your organisation’s.
You should see the below, and be prompted to sign in:
Depending upon how IE is configured you will either be prompted to provide credentials or be automatically signed-in.
If you want to have users be automatically signed-in then configure your browser settings to trust the federation server role by adding your federation service name (for example, https://adfs.tailspintoys.ca) to the browser’s local intranet zone. This will enable seamless sign-in using Windows Integrated Authentication.
Once we are happy that the ADFS instance is functioning appropriately we can then move onto installing the ADFS proxy role.
This will be covered in a separate post, to prevent this one getting too long!