Migrating AD FS 2.0 to AD FS 3.0 for Office365 Single Sign-On

I’ve been getting quite a few requests to write a blog post that details the process of migrating a legacy AD FS infrastructure to AD FS 3.0 (the version released with Windows Server 2012 R2). The step-by-step below details one method.

 

Migration Paths

There are a couple of different paths when migrating from AD FS 2.0 to AD FS 3.0. The one I detail below is a parallel install: export the AD FS 2.0 configuration and import it into a new AD FS 3.0 farm. There are other supported methods, but I prefer this one because you can build the whole AD FS 3.0 solution, test it end to end and then cut over by updating DNS. There is no user impact, and rollback is simply pointing DNS back at the 2.0 farm. Please visit these Microsoft pages for all the supported methods.

http://technet.microsoft.com/en-us/library/dn486815.aspx

http://technet.microsoft.com/en-us/library/dn486787.aspx

 

Assumptions

  1. Base build new AD FS 3.0 server with Windows Server 2012 R2
  2. Add server to the local domain
  3. Export SSL certificate on AD FS 2.0 server (with private key)
  4. AD FS service account and password that was used to deploy AD FS 2.0
  5. Directory Sync is running

 

Import SSL Certificate

 

***NOTE*** It’s very important to use the same SSL certificate as you used in your AD FS 2.0 deployment. The federation service name is taken from the certificate subject, and Office 365 identifies your federation service by that name, so it must not change.

***NOTE*** Microsoft recommends that you go to the AD FS 2.0 server and export the SSL certificate (with private key) so that you are sure it is the same one.

 

I assume that you have exported the SSL certificate as a password-protected PFX. This is the procedure for importing it on the new server. Once the import succeeds, delete the PFX from the server and keep the original in a secure location; the file contains the private key for your federation service.

Open the Start Screen


Type MMC

 Click the MMC app


MMC opens


Click File

Click Add/Remove Snap-in

Select Certificates

Click Add>


Select Computer Account

Click Next


Select Local Computer

Click Finish


Click OK


Expand Certificates

Expand Personal

Right Click Certificates

Select Import


Select Local Machine

Click Next


Browse to the Exported Certificate

Click Next


Enter the PFX password

Mark the key as exportable only if you will need to export the certificate from this server again. You still have the original PFX for the other farm members and the WAP servers, so leaving this unchecked keeps the private key from being pulled off this box

Click Next


Place in the Personal certificate store

Click Next


Click Finish


Successful


 

 

Install AD FS Role on Windows Server 2012 R2

 

Login to the AD FS 3.0 Server

Open Server Manager

Click Local Server

Click Manage

Click Add Roles and Features

 

Click Next

 

Click Next

 

Click Next

 

Select Active Directory Federation Services

Click Next

 

Click Next

 

Click Next

 

Click Install

Installation starts

 

Install completed. Don’t close and continue to the next step

 

 

Configure AD FS 3.0

 

Click Configure the federation service on this server

 

Select Create the first federation server in a federation farm

Click Next

 

Use an account with Domain Admin rights to perform the install. Please note that this is not the service account. That comes later in the setup.

Click Next

 

Select the certificate that we imported in the previous step. WARNING – This MUST be the same SSL certificate used in the AD FS 2.0 farm

Check that the Federation Service Name (taken from the certificate subject, e.g. sts.domain.com) matches the AD FS 2.0 farm name exactly. WARNING – Office 365 identifies your federation service by this name, so a different name breaks the trust. The Federation Service Display Name is only what users see on the sign-in page; use the same value as the AD FS 2.0 farm to avoid confusion

Click Next

 

Specify the AD FS Service Account. WARNING – This has to be the same AD FS service account that is used in the AD FS 2.0 farm, no exceptions. The service principal name for the federation service (HOST/sts.domain.com) is registered on that account, and Windows integrated authentication from domain-joined clients fails if the new farm runs under an account that does not hold it

Enter Password

Click Next

 

Select the default (Windows Internal Database) unless you want to use SQL Server, but do not point the new farm at the AD FS 2.0 farm’s database; the 3.0 farm needs its own. The configuration is brought across by the export/import scripts in the next section, not by sharing a database.

Click Next

 

Click Next

 

Click Configure

 

Configuration started

 

Configuration Finished

 

If you navigate to AD FS Management, you will notice that the Relying Party Trusts do not yet include Office 365. That is expected; the import in the next section brings it across.

 

 

Export the AD FS 2.0 Configuration

 

Login to the AD FS 2.0 server. This must be the primary federation server of the 2.0 farm (with WID, the one that holds the writable configuration database), since the export script reads the configuration from it.

Insert or mount the Windows Server 2012 R2 DVD into the server

Run PowerShell as Administrator

Navigate to \support\adfs on the Windows Server 2012 R2 DVD

Execute the script

.\Export-FederationConfiguration.ps1 -Path C:\ADFS_Export

This exports the AD FS 2.0 configuration (service settings, claims provider trusts, relying party trusts, attribute stores and the claim rules attached to them) into a folder called ADFS_Export on the root of the C: drive. Treat that folder as sensitive: it holds your federation configuration and, depending on the setup, certificate material, so copy it over a trusted channel and delete it when the migration is done.

Export completed

Copy the ADFS_Export folder to Windows Server 2012 R2 AD FS Server

Import the AD FS Configuration to AD FS 3.0

Login to the AD FS 3.0 Server

Open PowerShell as an Administrator

Navigate to \support\adfs on the Windows Server 2012 R2 DVD

Execute the Import-FederationConfiguration.ps1 script with the -Path parameter pointing at the exported AD FS 2.0 configuration

.\Import-FederationConfiguration.ps1 -Path C:\ADFS_Export

    

Import started

Note the warning that the import removes all existing claims provider trusts and relying party trusts on the target server before adding the imported ones. Make sure you are on the new AD FS 3.0 primary server and not on the 2.0 farm.

Imported successfully

Verify the Import in AD FS Management

Testing Single Sign-On

 

From a PC connected to the domain, edit the hosts file (C:\Windows\System32\drivers\etc\hosts) and add an entry that maps the federation service name (e.g. sts.DOMAIN.com) to the IP address of the AD FS 3.0 server. Internal DNS still points at the 2.0 farm, so this entry is what sends your test traffic to the new farm.

 

Navigate to the IDP Initiated Sign-on page – https://sts.DOMAIN.com/adfs/ls/IdpInitiatedSignon.aspx . You can tell right away that this is the AD FS 3.0 server by the way the web page looks.

Test signing in

 

Once this is completed, then you can test logging into the Microsoft Office365 Portal.

 

Adding Redundancy and WAP Servers

Keep in mind that when you add more AD FS servers to the farm, or add the Web Application Proxy servers (the AD FS proxy role in Windows Server 2012 R2) to this new farm, you add them directly to the farm. There is no need to repeat the export/import once the first AD FS 3.0 server is set up. Also note that while DNS still points at the AD FS 2.0 farm, you will most likely need hosts file entries on the new servers so that they join the new farm and not the old one.

 

Production Cut Over

When the AD FS 3.0 farm is built and tested, update internal and external DNS to point at the new farm (and remove any hosts file entries you used for testing). Keep the AD FS 2.0 farm running until you have confirmed sign-in from inside and outside the network; rolling back is then just a matter of reverting DNS. Decommission the old farm only after that. Before you switch, confirm that the new farm issues tokens signed with the token-signing certificate Office 365 trusts; if the two farms ended up with different certificates, run Update-MsolFederatedDomain against the new farm as part of the cutover.
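The script below is an added example written for this post; it is not part of the original post and not one of Microsoft’s migration scripts. It runs on the new AD FS 3.0 primary server after the import, with the hosts file entry in place and Connect-MsolService already done, and checks the four things that most often break a cutover: the federation service name and identifier, the presence of the Office 365 relying party trust, the token-signing certificate Office 365 holds, and the metadata served over HTTPS. The names sts.domain.com and domain.com are assumptions; substitute your own.

```powershell
# Added example (not from the original post or Microsoft's migration scripts).
# Run on the new AD FS 3.0 primary server after the import, with the hosts file
# entry in place and Connect-MsolService already done. Names below are assumptions.
Import-Module ADFS
Import-Module MSOnline

$FederationServiceName = 'sts.domain.com'   # assumed: your AD FS farm name
$FederatedDomain       = 'domain.com'       # assumed: the federated Office 365 domain
$problems = @()

# 1. The new farm must answer to exactly the name the AD FS 2.0 farm used, and
#    Office 365 identifies the issuer by the URI derived from that name.
$props = Get-AdfsProperties
if ($props.HostName -ne $FederationServiceName) {
    $problems += "Federation service name is '$($props.HostName)', expected '$FederationServiceName'"
}
$expectedIdentifier = "http://$FederationServiceName/adfs/services/trust"
if ($props.Identifier.AbsoluteUri.TrimEnd('/') -ne $expectedIdentifier) {
    $problems += "Federation service identifier is '$($props.Identifier)', expected '$expectedIdentifier'"
}

# 2. The import must have brought the Office 365 relying party trust across.
$rp = Get-AdfsRelyingPartyTrust | Where-Object { $_.Name -like '*Office 365*' }
if (-not $rp) {
    $problems += 'No Office 365 relying party trust on this server; re-run Import-FederationConfiguration.ps1'
}

# 3. Tokens from the new farm are only accepted if they are signed with the
#    certificate Office 365 currently holds for the domain.
$localSigning = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary } | Select-Object -ExpandProperty Thumbprint
$cloudSide = Get-MsolFederationProperty -DomainName $FederatedDomain |
    Where-Object { $_.Source -like 'Microsoft Office 365*' }
$cloudSigning = $cloudSide.TokenSigningCertificate.Thumbprint
if ($localSigning -ne $cloudSigning) {
    $problems += "Token-signing certificate differs (AD FS: $localSigning, Office 365: $cloudSigning); " +
                 "run Update-MsolFederatedDomain -DomainName $FederatedDomain against this farm as part of the cutover"
}

# 4. The HTTPS endpoint must be reachable under the service name and publish the
#    right identifier. With a hosts entry this reaches the 3.0 server even though
#    DNS still points at the AD FS 2.0 farm.
$resolved = [System.Net.Dns]::GetHostAddresses($FederationServiceName) |
    ForEach-Object { $_.IPAddressToString }
Write-Host "$FederationServiceName resolves here to: $($resolved -join ', ')"
$metadataUrl = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    [xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
    $entityId = $metadata.EntityDescriptor.entityID.TrimEnd('/')
    if ($entityId -ne $expectedIdentifier) {
        $problems += "Federation metadata entityID '$entityId' does not match '$expectedIdentifier'"
    }
} catch {
    $problems += "Could not retrieve $metadataUrl : $($_.Exception.Message)"
}

if ($problems.Count -eq 0) {
    Write-Host 'All pre-cutover checks passed; repoint internal and external DNS.' -ForegroundColor Green
} else {
    Write-Warning ("Do not cut over yet:`n - " + ($problems -join "`n - "))
}
```

Step 3 is the one that catches people: the two farms can end up with different token-signing certificates (typically when AutoCertificateRollover generates self-signed ones), and Office 365 rejects tokens signed by a certificate it has not been told about. If the script flags it, run Update-MsolFederatedDomain against the new farm at the moment you switch DNS, not days before, because once Office 365 holds the new certificate the old farm’s tokens are no longer accepted.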

 

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps Office365 MVP

Technical Consultant

Concepps Group

Email Me Follow me on Twitter Connect with me on LinkedIN

 

 

Configure the AD FS Servers in an Internal Load-Balanced Set in Windows Azure for Office365 Single Sign-On

Now that we have our two AD FS 3.0 servers set up in the same cloud service and joined to one AD FS farm, we need to load balance them. Azure has a load balancer built into the platform; we just have to configure it.

 

Assumptions:

  • Azure account is setup
  • Directory Sync is activated, setup and running
  • VPN connection setup from Azure to your on-premise network
  • Primary and Secondary AD FS servers are setup (see previous posts in this series)

 

Reference this TechNet Article – http://msdn.microsoft.com/en-us/library/azure/dn690125.aspx

 

Connect to Windows Azure with PowerShell

If you are unsure how to or have never connected to Windows Azure with PowerShell, please reference the article below. This will guide you to install the tools and connect with PowerShell

http://azure.microsoft.com/en-us/documentation/articles/install-configure-powershell/#Install

 

Open the Start Screen

Right Click Windows Azure PowerShell and Run as administrator

 

Click Yes to the UAC

 

Type Add-AzureAccount

Press Enter

 

Enter the email address used to log in to your Azure account

Click Continue

 

Enter the email address and password used to log in to your Azure account

Click Continue

 

Azure authenticates your account and then takes you back to the PowerShell window.

 

 

Create the Internal Load-Balanced Set Instance

Before we can continue, we need to gather some information. This information is used to set variables in the PowerShell command that will be used to create the ILB instance

 

Cloud Service Name – This was created prior to creating the first AD FS 3.0 Virtual Machine and can be found in the Azure Management Portal under Cloud Services

Internal Load-Balanced Instance Name – This is a name that is used to reference the ILB Set

Subnet Name – This was created when Azure Networking was created and can be found in the Azure Management Portal under Networking

IP Address for the Internal Load-Balanced Instance – This can be set or automatically generated

 

Set the variables in PowerShell

$svc="ConceppsADFS"

$ilb="ConceppsADFS-ILB"

$subnet="Subnet-1"

$IP="10.0.0.8"

 

Execute the command in PowerShell

Add-AzureInternalLoadBalancer -ServiceName $svc -InternalLoadBalancerName $ilb -SubnetName $subnet -StaticVNetIPAddress $IP

 

 

Add End Points to the Internal Load-Balanced Set

Below is a script that sets the variables, creates the end points and updates the virtual machines with the configuration. Both servers go into the same load-balanced set (ADFS-SSL) on the ILB; -DefaultProbe gives the set a plain TCP probe on the local port (443).

$svc="ConceppsADFS"

$ilb="ConceppsADFS-ILB"

$prot="tcp"

$locport=443

$pubport=443

# Endpoint name -> virtual machine name; one endpoint per AD FS node in the set

$nodes=@{"ADFS01"="ConceppsADFS01";"ADFS02"="ConceppsADFS02"}

foreach ($epname in $nodes.Keys) {

    $vmname=$nodes[$epname]

    Get-AzureVM -ServiceName $svc -Name $vmname | Add-AzureEndpoint -Name $epname -LBSetName "ADFS-SSL" -Protocol $prot -LocalPort $locport -PublicPort $pubport -DefaultProbe -InternalLoadBalancerName $ilb | Update-AzureVM

}

 

 

Add DNS Record

Now that we have our farm configured and the servers are load balanced, we need to ensure that the clients can get to them using the virtual IP of the Internal Load-Balanced Set.

In the steps above we created an Internal Load-Balanced set with the IP of 10.0.0.8. We now need to create an A record in the internal DNS, with a name of STS that points to the VIP. In my case sts.office365supportlab.com points at 10.0.0.8

 

Testing AD FS Sign-On

Open IE

Browse to the URL – https://sts.domain.com/adfs/ls/IdpInitiatedSignon.aspx

Click Sign in

 

 

Testing Server High Availability

Shutdown the AD FS Servers one at a time and check that you can still access AD FS with each server offline. This will test the failure of losing one of the servers in the ILB set.
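The script below is an added example and not part of the original post. The endpoints created earlier use -DefaultProbe, which is a TCP probe: a node stays in rotation as long as port 443 accepts a connection, even if the federation service behind it is unhealthy. This replaces it with an HTTP probe against /adfs/probe, so the shutdown test above also covers the case where the server is up but AD FS is not. It assumes the classic Azure PowerShell module with Add-AzureAccount already run, the cloud service and set names used in this post, that the VM names resolve from the machine running the script (over the VPN), and AD FS on Windows Server 2012 R2 with the August 2014 update rollup installed, which is what adds the /adfs/probe endpoint (it answers over HTTP on port 80).

```powershell
# Added example (not from the original post). Switches the ADFS-SSL load-balanced
# set from a TCP probe to an HTTP health probe. Assumes the classic Azure module,
# the names used in this post and that /adfs/probe exists on the AD FS nodes.
$svc   = 'ConceppsADFS'
$lbset = 'ADFS-SSL'
$nodes = @{ 'ADFS01' = 'ConceppsADFS01'; 'ADFS02' = 'ConceppsADFS02' }  # endpoint -> VM

# Check each node answers the probe before the ILB is told to depend on it; a node
# that fails here would simply be taken out of rotation once the probe is in place.
$unhealthy = @()
foreach ($epname in $nodes.Keys) {
    $vmname = $nodes[$epname]
    try {
        $status = (Invoke-WebRequest -Uri "http://$vmname/adfs/probe" -UseBasicParsing -TimeoutSec 10).StatusCode
    } catch {
        $status = $_.Exception.Message
    }
    if ($status -ne 200) { $unhealthy += "$vmname ($status)" }
}
if ($unhealthy.Count -gt 0) {
    throw "Nodes not returning 200 from /adfs/probe: $($unhealthy -join ', '). Fix them (or install the update that adds the endpoint) before changing the probe."
}

# One call updates every endpoint in the set. Probe every 15 s; a node is marked
# down after the 31 s timeout, which keeps failover detection well under a minute.
Set-AzureLoadBalancedEndpoint -ServiceName $svc -LBSetName $lbset `
    -Protocol tcp -LocalPort 443 -PublicPort 443 `
    -ProbeProtocolHTTP -ProbePath '/adfs/probe' -ProbePort 80 `
    -ProbeIntervalInSeconds 15 -ProbeTimeoutInSeconds 31

# Confirm what the platform now has on each endpoint.
foreach ($epname in $nodes.Keys) {
    Get-AzureVM -ServiceName $svc -Name $nodes[$epname] |
        Get-AzureEndpoint -Name $epname |
        Select-Object Name, LBSetName, ProbeProtocol, ProbePath, ProbePort
}
```

After the change, repeat the availability test with a variation: instead of shutting a VM down, stop the Active Directory Federation Services service on one node. The node should drop out of rotation within the probe timeout and sign-in should keep working through the other one.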

 

We are now setup with a highly available AD FS solution for all internal users. Continue on with the series to setup the Web Application Proxies (AD FS Proxy) so that the external users have access.

 

My BLOG Series

  1. Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
  2. Setting up the Secondary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
  3. Configure the AD FS Servers in an Internal Load-Balanced Set in Windows Azure for Office365 Single Sign-On
  4. Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On – To be released soon
  5. Setting up the Second Web Application Proxy Server (AD FS Proxy) in Windows Azure for Office365 Single Sign-On – To be released soon
  6. Configure the Web Application Proxy Servers in a Load-Balanced Set in Windows Azure for Office365 Single Sign-On – To be released soon

 


Setting up the Secondary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On

Now that the first AD FS server is set up and federated with Office 365, we can add more servers to the AD FS farm. Repeat this process on as many additional servers as you need in the farm to support the load from your user base.

Assumptions:

  • Azure account is setup
  • Directory Sync is activated, setup and running
  • Valid SSL certificate is available (with private key)
  • VPN connection setup from Azure to your on-premise network
  • Primary AD FS server is setup (see previous post in this series)

 

Setting up the Virtual Machine in Windows Azure

 

Click New -> Compute -> Virtual Machine -> From Gallery

 

Select Windows Server 2012 R2 Datacenter

Click Next

 

Enter the Virtual Machine Name

Select the Tier

Select the Size

Click Next

 

Choose the Cloud Service that the first AD FS Server is installed in (setup earlier in the BLOG series)

Verify Subnet

Choose the Availability Set that was created when we provisioned the first AD FS server

Click Next

 

Click Next

Wait for the Virtual Machine to be provisioned and then continue

 

Connect to the Virtual Machine over RDP

 

Add the Virtual Machine to the Domain

 

Installing the AD FS 3.0 Role on the Virtual Machine and Importing the SSL Certificate

Please reference this BLOG post on how to install the AD FS 3.0 Role on the virtual machine and then import the SSL certificate

Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On

 

Adding the Secondary AD FS 3.0 Server to the AD FS Farm

 

Open Server Manger

Select AD FS

Click More where it says Configuration required for Active Directory Federation Servers at…

 

Click the Configure the federation service… action on the Post-Deployment Configuration

 

Select Add a federation server to a federation server farm

Click Next

 

Enter credentials for a user that has domain administrator permissions. This is used to complete the install, it’s not used as the AD FS service account

Click Next

 

Specify the Primary Federation Server

Click Next

 

Select the SSL certificate that was imported earlier (the same certificate that was installed on the primary AD FS server)

*** Note *** Since I am using a multi-name certificate the name of the certificate does not match my AD FS farm name. In production I always recommend that you use a single name certificate to keep things simple. If that’s the case then the certificate name should match the AD FS farm name e.g. sts.domain.com

Click Next

 

Select the AD FS service account (the same account that was used in the setup of the primary AD FS server in the farm)

Enter the password

Click Next

 

Click Next

 

When the pre-requisites are completed

Click Configure

 

Success

 

We now have a two node AD FS server farm setup in Windows Azure. Keep in mind that you have to continue to the next post to setup load balancing for the servers.

 


 


Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On

This BLOG post covers setting up the primary AD FS 3.0 server on a Windows Server 2012 R2 virtual machine in Windows Azure.

Assumptions:

  • Azure account is setup
  • Directory Sync is activated, setup and running
  • Valid SSL certificate is available (with private key)
  • VPN connection setup from Azure to your on-premise network

 

Create a New Cloud Service

Because we are going to load balance one or more virtual machines, we need to create a Cloud Service to put them in. Think of it as a bucket that holds your virtual machines. You will require one for the AD FS servers and one for the Web Application Proxies (AD FS proxy servers).

 

Click New

Select Compute -> Cloud Service -> Custom Create

 

Enter a URL or Name for the Cloud Service. This name must be unique across the .cloudapp.net name space.

Select your Region or Affinity Group

Click OK

 

 

Create the Virtual Machine in Windows Azure

 

Click New

Select Compute -> Virtual Machine -> From Gallery

 

Choose Windows Server 2012 R2 Datacenter

Click Next

 

Enter Virtual Machine Name

Select Server Tier

Select Server Size

Click Next

 

Select the AD FS Cloud Service that was created earlier. This is very important.

Verify Subnet

Drop down to Create an availability set

Enter name for the availability set

***Note*** An availability set does not load balance the servers. It only places the VMs in different fault domains (and update domains) so that a rack failure or a platform update does not take every member of the set down at once.

Click Next

 

Click Next

Once the VM is provisioned go to the next step

 

Add the Server to the Domain

Since the AD FS servers need to authenticate users against Active Directory, they must be members of the local domain. Add the server to the local domain.

 

Install the Windows Azure Active Directory Module for Windows PowerShell

Use this BLOG post to install the Windows Azure Active Directory Module for PowerShell and the required Microsoft Online Services Sign-In Assistant 7.0

Connecting to Office365 with PowerShell

 

Install the AD FS Role

 

Open Server Manager

Click Add roles and features

 

Click Next

 

Select Role-based or feature-based installation

Click Next

 

Make sure that the AD FS Server is listed as the server to install to

Click Next

 

Select Active Directory Federation Services

Click Next

 

Leave defaults

Click Next

 

Click Next

 

Click Install

 

Wait for the install to complete

 

Import the SSL Certificate

AD FS publishes its endpoints over HTTPS, and both the sign-in redirects from Office 365 and the WS-Trust calls it makes go to the federation service name, so we need a valid SSL certificate for that name from a CA that clients and Office 365 trust. I chose GoDaddy, as I find they are a one-stop shop for all my domain needs. It’s a personal choice, so use whoever you feel comfortable with. For the purposes of this blog post I will use a multi-name certificate; I DON’T recommend this for a production environment. A couple of reasons: I like to keep things simple, and with multiple names on one certificate things get complicated (not technically, but in managing the certificate). Secondly, I don’t like to share certificates across services. This cuts down on cross-contamination between support teams at larger companies. If you lump the AD FS service in with the Exchange certificate, AD FS usually gets left in the dust and forgotten about when it comes time to renew.

 

Open the Start Screen


Type MMC

 Click the MMC app


MMC opens


Click File

Click Add/Remove Snap-in

Select Certificates

Click Add>


Select Computer Account

Click Next


Select Local Computer

Click Finish


Click OK


Expand Certificates

Expand Personal

Right Click Certificates

Select Import


Select Local Machine

Click Next


Browse to the Exported Certificate

Click Next


Enter the PFX password

Mark the key as exportable only if you will need to export the certificate from this server again. You still have the original PFX for the other farm members and the WAP servers, so leaving this unchecked keeps the private key from being pulled off this box

Click Next


Place in the Personal certificate store

Click Next


Click Finish


Successful


 

 

Setup and Configure AD FS 3.0

 

Open Server Manger

Select AD FS

Click More where it says Configuration required for Active Directory Federation Servers at…

 

Click the Configure the federation service… action on the Post-Deployment Configuration

 

Select Create the first federation server in a federation server farm

Click Next

 

Enter credentials for a user that has domain administrator permissions. This is used to complete the install, it’s not used as the AD FS service account

Click Next

 

Select the SSL certificate that you imported

Select the Federation Service Name

Enter the Federation Service Display Name

*** Note *** Since I am using a multi-name certificate these three values don’t match for me. In production I always recommend that you use a single name certificate to keep things simple. If that’s the case then the three values below should all match e.g. sts.domain.com

Click Next

 

Enter the AD FS Service Account Name and Password

***Note*** This can be a group Managed Service Account (gMSA, which requires the KDS root key to exist in the domain) or a domain user account designated for AD FS. If you use a domain user account, it does not need any special permissions; the configuration wizard grants what it needs and registers the service principal name on it.

Click Next

 

Select Windows Internal Database or the location of a SQL Server Database. The choice is yours, but for most companies the Windows Internal Database works just fine

Click Next

 

Click Next

 

Wait for the Pre-requisite checks to be completed

Click Configure

 

Successful

 

 

Federate with Office365

 

Open the Desktop on the AD FS server

Find Windows Azure Active Directory Module for Windows PowerShell


Right Click and Run As Administrator

Set the credential variable

$cred=Get-Credential

Enter a Global Administrator account from Office 365.


Connect to Microsoft Online Services with the credential variable set previously

  • Connect-MsolService -Credential $cred

 

Set the MSOL AD FS context server to the AD FS server (optional if you are on the AD FS server)

  • Set-MsolADFSContext -Computer adfs_servername.domain_name.com

 

Convert the domain to a federated domain

  • Convert-MsolDomainToFederated -DomainName domain_name.com

 

Successful federation

  • Successfully updated 'domain_name.com' domain

 

Verify federation

  • Get-MsolFederationProperty -DomainName domain_name.com
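The script below is an added example, not part of the original post. It wraps the commands above with the checks I would want before running Convert-MsolDomainToFederated, because the conversion takes effect immediately for every user in the domain: it refuses to proceed if the admin account you are using lives in the domain being federated (a sure way to lock yourself out of the tenant if AD FS misbehaves), if the domain is not verified or is already federated, or if the federation service name does not resolve or is not covered by the SSL certificate bound to AD FS. It assumes it runs on the AD FS server with the Windows Azure AD Module installed; domain_name.com is the post’s placeholder.

```powershell
# Added example (not from the original post). Preflight checks before converting
# an Office 365 domain to federated, then the conversion and a verification.
# Assumes this runs on the AD FS server (ADFS module present) with the Windows
# Azure AD Module installed; domain_name.com is the post's placeholder.
Import-Module ADFS
Import-Module MSOnline

$DomainName = 'domain_name.com'   # placeholder: the verified domain you are federating

$cred = Get-Credential -Message 'Office 365 Global Administrator'
Connect-MsolService -Credential $cred
# Set-MsolADFSContext -Computer adfs_servername.domain_name.com   # only when not on the AD FS server

$problems = @()

# Once the domain is federated, every account in it signs in through AD FS. If the
# admin you are using lives in that domain and AD FS misbehaves, you are locked out
# of the tenant, so use an account in another domain (e.g. the .onmicrosoft.com one).
if ($cred.UserName -like "*@$DomainName") {
    $problems += "Use a Global Administrator outside $DomainName to run the conversion"
}

# The domain has to be verified in the tenant and still Managed.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -ne 'Verified') {
    $problems += "$DomainName is '$($domain.Status)' in the tenant, not Verified"
}
if ($domain.Authentication -ne 'Managed') {
    $problems += "$DomainName is already '$($domain.Authentication)'"
}

# Office 365 will redirect users to the federation service name, so that name must
# resolve and must be covered by the SSL certificate bound to AD FS (exact or wildcard).
$adfs = Get-AdfsProperties
try {
    $null = [System.Net.Dns]::GetHostAddresses($adfs.HostName)
} catch {
    $problems += "Federation service name $($adfs.HostName) does not resolve from this server"
}
$sslHash = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash
$sslCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $sslHash }
$covered = @($sslCert.DnsNameList.Unicode) | Where-Object { $adfs.HostName -like $_ }
if (-not $covered) {
    $problems += "SSL certificate $sslHash does not cover $($adfs.HostName) (names: $($sslCert.DnsNameList.Unicode -join ', '))"
}
if ($sslCert.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "SSL certificate expires on $($sslCert.NotAfter); renew before federating"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    return
}

# All checks passed: convert and verify. Add -SupportMultipleDomain here if you will
# ever federate more than one domain with this farm; it cannot be added later without
# converting the domain back to managed and federating it again.
Convert-MsolDomainToFederated -DomainName $DomainName
$after = Get-MsolDomain -DomainName $DomainName
if ($after.Authentication -ne 'Federated') {
    throw "$DomainName still reports '$($after.Authentication)' after conversion"
}
Get-MsolFederationProperty -DomainName $DomainName |
    Select-Object Source, FederationServiceIdentifier, PassiveLogOnUri,
        @{ n = 'TokenSigningThumbprint'; e = { $_.TokenSigningCertificate.Thumbprint } } |
    Format-Table -AutoSize
```

The final table should show two rows, one from the AD FS server and one from Microsoft Office 365, with the same federation service identifier, the same passive logon URI and the same token-signing thumbprint. If they differ, Office 365 has stale data for the domain and Update-MsolFederatedDomain -DomainName domain_name.com brings it back in line.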

 

This concludes the setup of the first AD FS server and federation with Office365. Please continue through the rest of the series to complete the setup for the rest of the servers.

 

 


 


Deploying a Highly Available AD FS 3.0 Solution in Windows Azure for Single Sign-on with Office365

With a larger push from companies to migrate to the cloud, I have been asked to put together a BLOG series on how to deploy a Single Sign-On solution for Office365 into Windows Azure.

The next series of posts are a step-by-step series on how to deploy a highly available AD FS 3.0 solution in Windows Azure for single sign-on with Office365. The posts detail the process of setting up Windows Azure for this purpose, deploying the servers, configuring AD FS 3.0, configuring the Web Application Proxies (AD FS proxy servers) and then making the whole thing load balanced.

There are a number of considerations that you need to make before deploying this solution. Please read and educate yourself using this TechNet article.

http://technet.microsoft.com/en-us/library/dn509537.aspx

My BLOG Series

  1. Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
  2. Setting up the Secondary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
  3. Configure the AD FS Servers in an Internal Load-Balanced Set in Windows Azure for Office365 Single Sign-On
  4. Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On – To be released soon
  5. Setting up the Second Web Application Proxy Server (AD FS Proxy) in Windows Azure for Office365 Single Sign-On – To be released soon
  6. Configure the Web Application Proxy Servers in a Load-Balanced Set in Windows Azure for Office365 Single Sign-On – To be released soon

 


Connecting to Office365 with PowerShell

The Microsoft Online Services Sign-In Assistant 7.0 is a prerequisite for installing the Microsoft Online Services Module for Windows PowerShell. Use the links below to download the installer.

Once the Microsoft Online Services Sign-In Assistant 7.0 is installed, you can install the PowerShell module. Use the links below to install it.

 
