This blog post will detail the steps to set up Server 2012 R2 ADFS 3.0 for use with Office 365. Many things have changed in ADFS 3.0 compared to 2.0. The biggest one is that 3.0 no longer requires IIS; the new ADFS is built on the HTTP.sys components it needs and serves its endpoints itself. Another big change is that Server 2012 R2 includes a new role that acts as the proxy for ADFS, called Web Application Proxy. The third big thing is the ability to easily customize the ADFS login page using PowerShell.
My primary UPN domain is already set up for DirSync with Password Sync, so instead of converting that domain, I decided to go out and get another domain name. I searched for a bit and came up with TheCloudAdvocate.com, which was not owned. I bought the domain, added it to my Tenant and set up a user with the @thecloudadvocate.com UPN. DirSync did its thing and I licensed the user.
So here are the steps, I did this all via my lab and servers that are fully hosted on Windows Azure!
Setting up ADFS 3.0 (Server 2012 R2) For Office 365
Install ADFS
Add Server 2012 R2 to the Domain
Select ADFS Role click Next
Click Next
Click Next
Click Restart the destination server automatically if required and accept the popup and then click Install
Wait for completion and reboot
If no reboot is required, select the caution sign next to the flag at the top of Server Manager and select ‘Configure the federation service on this server’. If you didn’t close the original setup page, you can select the same link from there.
Click Next
I kept the default creds I was logged in with (my account is a member of the Domain Admin Group) click Next
Select the Public Certificate (it needs to have been imported to the server previously), then give a Service Display Name and click Next
Create a normal domain user account in AD, then select that account and enter its password, and click Next (you can also use a Managed Service Account; read more here: http://technet.microsoft.com/en-us/library/hh831782.aspx)
Select the database type. Since this is my test lab and a small environment, I went with a WID database; here is some information on choosing between WID and SQL: http://technet.microsoft.com/en-us/library/ee913581.aspx. Click Next
Review the settings, you can click on view script to see the script to automate additional server installs
Click Next
Verify prerequisites completed successfully and click Configure
Wait for completion
Once completed you can click Close
To test, go to https://adfs.thecloudadvocate.com/adfs/ls/IdpInitiatedSignon.aspx (obviously change adfs.thecloudadvocate.com to your URL)
You should also ensure that the site is added to the Local Intranet Sites in Internet Explorer
I add *.domain.com for this, which enables automatic sign-in for domain-joined machines when they are on the internal network. Best practice would be to configure a GPO to push this setting to all domain machines.
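The wizard steps above, as a PowerShell script (an added example, not the post's own script or the one the wizard's "View script" button produces). It installs the role, creates the first farm node with a WID database, verifies that the federation service answers, and adds the *.thecloudadvocate.com intranet-zone entry for the current user. The certificate subject match, the service account name THECLOUDADVOCATE\svc_adfs and the display name are assumptions; adjust them to your environment.

```powershell
# Added example, not the original post's script.
# Assumes: server is domain joined, the public cert is already in LocalMachine\My,
# a domain user svc_adfs exists, and you run this as a Domain Admin.

# 1. Install the role; no IIS is needed with ADFS 3.0.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 2. Pick the public certificate (assumed subject contains the domain name).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match 'thecloudadvocate\.com' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Public certificate not found in LocalMachine\My' }

# 3. Service account (a gMSA can be used instead via -GroupServiceAccountIdentifier).
$svc = Get-Credential -Message 'ADFS service account' -UserName 'THECLOUDADVOCATE\svc_adfs'

# 4. Create the farm. Omitting -SQLConnectionString gives a WID database, as in the post.
Install-AdfsFarm `
    -CertificateThumbprint        $cert.Thumbprint `
    -FederationServiceName        'adfs.thecloudadvocate.com' `
    -FederationServiceDisplayName 'The Cloud Advocate' `
    -ServiceAccountCredential     $svc

# 5. Verify: service running, properties set, federation metadata served (expect 200).
Get-Service adfssrv | Select-Object Name, Status
Get-AdfsProperties | Select-Object HostName, Identifier
$meta = 'https://adfs.thecloudadvocate.com/FederationMetadata/2007-06/FederationMetadata.xml'
(Invoke-WebRequest -Uri $meta -UseBasicParsing).StatusCode

# 6. Local Intranet zone (zone 1) for *.thecloudadvocate.com over https, current user only.
#    Fleet-wide, use the "Site to Zone Assignment List" GPO setting instead.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\thecloudadvocate.com'
New-Item -Path $zone -Force | Out-Null
New-ItemProperty -Path $zone -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null
```

Additional farm nodes join with Add-AdfsFarmNode -PrimaryComputerName pointing at this server, using the same certificate thumbprint and service account. Keep the metadata check (step 5) in your runbook: it is the quickest way to confirm the service name, certificate binding and token-signing certificate are what Office 365 will see.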
Install Web Application Proxy (WAP)
Do not join the WAP Server 2012 R2 machine to the domain; it should sit in your DMZ as a workgroup member. You cannot, and should not, run WAP on the internal federation server itself.
WAP is part of the Remote Access Role; select that and click Next
Click Next
Click Next
Click on Web Application Proxy and a popup will appear and then click on Add Features
Click Next
Review the settings, select Restart if needed and click Install
Wait for completion
Select the ‘Open the Web Application Proxy Wizard’
Click Next
Ensure you have entered the internal ADFS server into the HOSTS file located in the c:\windows\system32\drivers\etc directory, pointing to its internal IP
Ensure you have imported the Public Certificate to the WAP server, then give the Service Name and the credentials of an admin account on the internal ADFS server (used once to establish the trust and not saved), and click Next
Select the Imported Cert and click Next
Copy the script if wanted to automate the install and then click Configure
Wait for the Proxy Config to complete
Click Close; the Remote Access Management Console will automatically start
Select Publish on the right side
Click Next
Select Pass-through and click Next
Enter the Name and External URL, select the External certificate and click Next (note: the backend server URL should automatically match the External URL)
Review the information and click Publish
Click Close
Test from an external machine and go to https://adfs.thecloudadvocate.com/adfs/ls/IdpInitiatedSignon.aspx
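The same proxy setup in PowerShell, as an added example (not the post's own script): hosts-file pinning of the internal ADFS server, role install, proxy trust, and a pass-through publishing rule for the /adfs/ path. The internal IP 10.0.0.10 is a placeholder, and the certificate subject match is an assumption.

```powershell
# Added example, not the original post's script.
# Run on the workgroup DMZ server as a local administrator; assumes the public
# cert is already imported into LocalMachine\My.

# 1. Name resolution: the proxy must reach the INTERNAL ADFS server by the
#    federation service name, so pin it in the hosts file, not via public DNS.
$internalAdfsIp = '10.0.0.10'   # placeholder, use your internal ADFS address
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hosts -Pattern 'adfs\.thecloudadvocate\.com' -Quiet)) {
    Add-Content -Path $hosts -Value "$internalAdfsIp`tadfs.thecloudadvocate.com"
}

# 2. Install the role (it lives under Remote Access).
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# 3. Certificate plus a one-time internal ADFS admin credential that establishes
#    the proxy trust; it is not stored on the proxy afterwards.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match 'thecloudadvocate\.com' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Public certificate not found in LocalMachine\My' }
$trust = Get-Credential -Message 'Admin on the internal ADFS server'

Install-WebApplicationProxy `
    -FederationServiceName            'adfs.thecloudadvocate.com' `
    -CertificateThumbprint            $cert.Thumbprint `
    -FederationServiceTrustCredential $trust

# 4. Publish ADFS as a pass-through application; external and backend URLs match.
Add-WebApplicationProxyApplication `
    -Name                          'ADFS' `
    -ExternalPreauthentication     PassThrough `
    -ExternalUrl                   'https://adfs.thecloudadvocate.com/adfs/' `
    -BackendServerUrl              'https://adfs.thecloudadvocate.com/adfs/' `
    -ExternalCertificateThumbprint $cert.Thumbprint

# 5. Verify what is published, then test sign-on from an external machine.
Get-WebApplicationProxyApplication | Format-Table Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication
```

Pass-through means the proxy does no pre-authentication of its own; ADFS behind it does all of it, so the only traffic the DMZ host needs is inbound TCP 443 from the internet and outbound TCP 443 to the internal ADFS server. The hosts entry is what keeps the proxy from resolving its own public name and looping back to itself.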
Configure Federation for your Domain
Do this all on your primary internal ADFS server
You will need to install the Windows Azure Active Directory cmdlets, http://technet.microsoft.com/library/jj151815.aspx (several prerequisites are required)
Set up the Federation trust for your domain, http://technet.microsoft.com/en-us/library/jj205461.aspx
Once completed you should be able to log in, with your on-premises credentials, to http://portal.microsoftonline.com
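The federation trust step, as an added example (not the post's own commands): from the primary ADFS server, converting the already-verified domain thecloudadvocate.com from Managed to Federated with the Windows Azure AD (MSOnline) module, and then checking that the tenant and ADFS agree on the trust. It assumes the module and its Sign-In Assistant prerequisite are installed.

```powershell
# Added example, not the original post's script. Run on the primary ADFS server.
Import-Module MSOnline

# 1. Sign in as a tenant global admin. Use a cloud-only (.onmicrosoft.com) account,
#    not a user in the domain being federated, so you are never locked out of the
#    tenant if the federation service is down.
$tenantAdmin = Get-Credential -Message 'Office 365 global admin (cloud-only account)'
Connect-MsolService -Credential $tenantAdmin

# 2. Point the MSOnline cmdlets at this ADFS server.
Set-MsolADFSContext -Computer $env:COMPUTERNAME

# 3. Confirm the domain is Verified and still Managed before converting.
Get-MsolDomain -DomainName 'thecloudadvocate.com' | Select-Object Name, Status, Authentication

# 4. Convert Managed -> Federated. This creates the Office 365 relying party trust
#    on ADFS and registers the token-signing certificate with the tenant.
Convert-MsolDomainToFederated -DomainName 'thecloudadvocate.com'

# 5. Verify both sides: issuer URI, passive sign-on URI and signing certificate
#    should match between the ADFS and Office 365 rows of this output.
Get-MsolFederationProperty -DomainName 'thecloudadvocate.com' |
    Select-Object Source, FederationServiceIdentifier, PassiveLogOnUri, TokenSigningCertificate

# 6. The relying party trust the conversion added on ADFS.
Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform' |
    Select-Object Name, Identifier, Enabled
```

Re-run Get-MsolFederationProperty whenever the ADFS token-signing certificate rolls over: if the certificate shown for the Office 365 source no longer matches the ADFS source, sign-ins will fail until you run Update-MsolFederatedDomain to push the new certificate to the tenant.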
Next up, you may want to customize your ADFS 3.0 login page; check out this: http://technet.microsoft.com/en-us/library/dn280950.aspx
After customization, below is what my ADFS Login looks like:
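The PowerShell-based customization ADFS 3.0 introduced, as an added example (not the exact commands the post used): clone the default web theme, give it a logo, make it active and set the company name and sign-in description. The theme name and the logo path C:\adfs\logo.png are assumptions.

```powershell
# Added example, not the original post's script. Run on the primary ADFS server.

# 1. Never edit the built-in "default" theme; clone it so you can roll back.
New-AdfsWebTheme -Name 'cloudadvocate' -SourceName default

# 2. Replace the logo in the clone (assumed path; keep the image small, it is
#    served on every sign-in page).
Set-AdfsWebTheme -TargetName 'cloudadvocate' -Logo @{ path = 'C:\adfs\logo.png' }

# 3. Make the clone the active theme and set the global text shown to users.
Set-AdfsWebConfig -ActiveThemeName 'cloudadvocate'
Set-AdfsGlobalWebContent `
    -CompanyName 'The Cloud Advocate' `
    -SignInPageDescriptionText '<p>Sign in with your on-premises account.</p>'

# 4. Confirm which theme is live; to roll back, set ActiveThemeName back to default.
Get-AdfsWebConfig | Select-Object ActiveThemeName
Get-AdfsGlobalWebContent | Select-Object CompanyName, SignInPageDescriptionText
```

Changes take effect on the next page load with no service restart, and the same commands run on any farm node because the web configuration is stored in the configuration database.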