Category Archives: Get to know the NEW Office 365

Making AD FS Highly Available for the NEW Office 365

Since we configured AD FS in a farm configuration, making the solution highly available is relatively straightforward. We essentially add another server to the farm, then load balance through hardware or software. This will be a two-part post; the first part will cover adding another server to the AD FS farm and the second part will detail how to load balance those servers.

 

Prepare the Server for AD FS

 

We are going to jump between a few of my other posts, to prepare the server. Sorry, but I am too lazy to re-write the content.

  1. Domain join the new AD FS server
  2. Use the post Prepare the Local AD FS Server, and complete the following sections
    1. Install AD FS Server Role
    2. Install Sign-in Assistant
    3. Install the Windows Azure Active Directory Module for Windows PowerShell
  3. Follow the instructions and import and assign the certificate on the new AD FS server

This will get us to the point where we can add the AD FS server to the existing AD FS farm.

 

Method 1 – Adding a Server to an AD FS farm with the AD FS Configuration Wizard

 

  1. Login to the server that you just prepared for AD FS, with an administrative account
  2. Open Server Manager
  3. Click Tools
  4. Click AD FS Management
  5. Click AD FS Federation Server Configuration Wizard

  6. Walk through the wizard and the second server is added.

 

Method 2 – Adding a Server to an AD FS Farm from the Command Prompt

 

  1. Login to the server that you just prepared for AD FS, with an administrative account
  2. Get the thumbprint from the certificate that you imported on the AD FS server. The thumbprint is shown on the certificate itself.

  3. Open a Command Window as an Administrator
  4. Change the directory to the path where AD FS 2.0 was installed.
    1. Windows Server 2008 C:\Program Files\Active Directory Federation Services 2.0
    2. Windows Server 2012 C:\Windows\ADFS
  5. Add the server with FsConfig.exe

FsConfig.exe JoinFarm /PrimaryComputerName PRIMARY AD FS SERVER /ServiceAccount DOMAIN\SERVICE ACCOUNT /ServiceAccountPassword PASSWORD /CertThumbprint "ff eb 43 bb 8b f9 34 56 4b 45 ec 6f 53 bb 99 7f bf 48 7e"

Now we have the second AD FS server added to the AD FS farm.
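The thumbprint lookup and the join from Method 2 can also be scripted. The following PowerShell is an added example, not from the original post: it picks the certificate for the farm name out of the local machine store, refuses one that is expired or has no private key, and formats the thumbprint the way the FsConfig.exe line above expects. The function names and the FS01 primary server are assumptions; the FsConfig.exe switches and the install path are the ones shown above.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell 3.0+
# session on the new AD FS server, after the certificate has been imported.

function Get-FarmCertificate {
    param([Parameter(Mandatory = $true)][string]$FederationServiceName)

    $now = Get-Date
    $candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        # Names the certificate is valid for: SAN entries plus the subject CN.
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $names += $cert.GetNameInfo('SimpleName', $false)
        # -like lets a wildcard name such as *.domain.com match the farm name.
        $nameMatches = @($names | Where-Object { $_ -and ($FederationServiceName -like $_) }).Count -gt 0
        $nameMatches -and $cert.HasPrivateKey -and
            ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    })

    if ($candidates.Count -eq 0) {
        throw "No valid certificate with a private key matches $FederationServiceName."
    }
    if ($candidates.Count -gt 1) {
        throw "More than one certificate matches $FederationServiceName; choose the thumbprint by hand."
    }
    $candidates[0]
}

function Format-Thumbprint {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    # Keep hex digits only. This also drops the invisible character that is
    # often picked up when the value is copied out of the certificate dialog.
    $hex = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToLower()
    # Put a space between bytes, matching the quoted form used above.
    $hex -replace '(..)(?!$)', '$1 '
}

$FarmName      = 'sts.office365supportlab.com'  # farm name used in this post
$PrimaryServer = 'FS01'                         # assumption: the first farm member

$cert  = Get-FarmCertificate -FederationServiceName $FarmName
$thumb = Format-Thumbprint -Thumbprint $cert.Thumbprint
'{0}  expires {1:yyyy-MM-dd}  [{2}]' -f $cert.Subject, $cert.NotAfter, $thumb

# Prompt for the service account so the password is not written into a script
# or left in the console history. FsConfig.exe still receives it as an argument.
$svc      = Get-Credential -Message 'AD FS service account (DOMAIN\account)'
$password = $svc.GetNetworkCredential().Password

Set-Location 'C:\Windows\ADFS'   # Windows Server 2012 path from step 4
& .\FsConfig.exe JoinFarm /PrimaryComputerName $PrimaryServer `
    /ServiceAccount $svc.UserName `
    /ServiceAccountPassword $password `
    /CertThumbprint $thumb

# Do not keep the clear-text password around in the session.
Remove-Variable password, svc
```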

 

 

Network Load Balance the AD FS Servers in the Farm

Now that we have two servers in the AD FS farm, we still have to load balance them. In an enterprise production environment, I always recommend that you use a hardware-based load balancing solution. In non-production environments and small to medium organizations, you can use Windows Network Load Balancing. Regardless of the load balancing solution, you need to make sure that you are load balancing TCP 443 to the AD FS farm name.

NLB Cluster Name – sts.office365supportlab.com

Nodes –

FS01.office365supportlab.com

FS02.office365supportlab.com

 

If you need help configuring Windows NLB, please use Configuring Windows NLB for AD FS 2.0.

 

DNS Configuration

Since we are now using network load balancing, we need to make sure that the A record for sts.office365supportlab.com is updated with the IP address that you assigned as the VIP to the NLB cluster.

Type  Name                           IP
A     sts.office365supportlab.com    10.0.0.20
A     fs01.office365supportlab.com   10.0.0.14
A     fs02.office365supportlab.com   10.0.0.17
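Once the records are in place, the result can be checked from a domain-joined client. The following PowerShell is an added example, not from the original post: it confirms that the farm name resolves only to the VIP, then connects to each node directly on TCP 443 while asking for the farm name and compares the SSL certificates the nodes present. The function names are assumptions; the host names and addresses are the lab values from the table above.

```powershell
# Added example (not from the original post). Names and addresses are the lab
# values from the table above; the function names are made up for this sketch.
$FarmName    = 'sts.office365supportlab.com'
$ExpectedVip = '10.0.0.20'
$Nodes       = 'fs01.office365supportlab.com', 'fs02.office365supportlab.com'

function Test-FarmDns {
    param([string]$Name, [string]$ExpectedAddress)
    try {
        $addresses = @([System.Net.Dns]::GetHostAddresses($Name) |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        $addresses = @()   # name did not resolve
    }
    New-Object PSObject -Property @{
        Name     = $Name
        Resolved = $addresses -join ', '
        # Exactly one address, and it must be the VIP rather than a node address.
        Ok       = ($addresses.Count -eq 1) -and ($addresses[0] -eq $ExpectedAddress)
    }
}

function Get-NodeCertificate {
    param([string]$Node, [string]$ServerName, [int]$Port = 443)
    $result = New-Object PSObject -Property @{
        Node = $Node; Thumbprint = $null; NotAfter = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Node, $Port)
        $stream = $client.GetStream()
        # Accept whatever is presented: this call inspects the certificate,
        # it does not decide whether to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAll
        # Connect to the node itself, but ask for the farm name as a client would.
        $ssl.AuthenticateAsClient($ServerName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $result.Thumbprint = $cert.Thumbprint
        $result.NotAfter   = $cert.NotAfter
        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    $result
}

function Test-AdfsFarm {
    param([string]$FarmName, [string]$ExpectedVip, [string[]]$Nodes)
    $dns    = Test-FarmDns -Name $FarmName -ExpectedAddress $ExpectedVip
    $certs  = @($Nodes | ForEach-Object { Get-NodeCertificate -Node $_ -ServerName $FarmName })
    $failed = @($certs | Where-Object { $_.Error })
    $thumbprints = @($certs | Where-Object { $_.Thumbprint } |
        ForEach-Object { $_.Thumbprint } | Select-Object -Unique)
    New-Object PSObject -Property @{
        DnsOk            = $dns.Ok
        Resolved         = $dns.Resolved
        AllNodesAnswered = ($failed.Count -eq 0)
        # Every node behind the VIP has to present the same SSL certificate.
        SameCertificate  = ($failed.Count -eq 0) -and ($thumbprints.Count -eq 1)
        Nodes            = $certs
    }
}

$report = Test-AdfsFarm -FarmName $FarmName -ExpectedVip $ExpectedVip -Nodes $Nodes
$report | Format-List DnsOk, Resolved, AllNodesAnswered, SameCertificate
$report.Nodes | Format-Table Node, Thumbprint, NotAfter, Error -AutoSize
```

A node that answers with a different thumbprint, or an expiry date earlier than its peer, will fail sign-ins only for the share of traffic the load balancer sends to it, which is why the check goes to each node rather than to the VIP.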

 

Getting to know the NEW Office 365

  1. Does Microsoft have FREE training for the NEW Office 365?
  2. Signing up for the NEW Office 365
  3. Adding and Verifying a Domain for the NEW Office 365
  4. Creating Cloud Users for the NEW Office 365
  5. Configuring Desktops for the NEW Office 365
  6. Exchange 2003 Cutover Migration to the NEW Office 365
  7. Exchange 2007 Cutover Migration to the NEW Office 365
  8. Setting up AD FS and Enabling Single Sign-On to the NEW Office 365
  9. Setting up AD FS Proxy Servers for Single Sign-On to the NEW Office 365
  10. Setting up Directory Synchronization with the NEW Office 365
  11. Activating and Licensing a Synchronized User in the NEW Office 365
  12. Testing Single Sign-on to the NEW Office 365
  13. Making the Single Sign-On Solution Highly Available
  14. Exchange Hybrid Deployment with the NEW Office 365

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps

Office 365 MVP


 

Testing Single Sign-on to the NEW Office 365

Now that we have AD FS set up and Directory Sync up and running, we can test single sign-on to Office 365. Let’s clear up one misconception about single sign-on. Most people think that single sign-on implies that they sign on once and never get prompted for credentials again. This is wrong. What single sign-on allows us to do is use a single account (username and password) to authenticate to multiple services. In our case, our user name and password from local AD will allow us to access services in Office 365.

In order to complete our testing, we need to test single sign-on from the internal network and from the internet. This post assumes that you have activated and licensed the synchronized user in Office 365. If you haven’t, please use this BLOG post to do that.

 

Testing from Internal

Before we test single sign-on, we need to take some additional steps.

  1. Make sure that the client computer is domain joined

     

  2. Make sure that the user is logging into the computer with domain credentials

     

  3. Verify name resolution to the internal AD FS server farm. This can be done by simply pinging the AD FS server farm name. If the name does not resolve, please verify that the correct DNS entries are added to the private DNS servers.

     

  4. Add the internal AD FS server farm address to the Local Intranet zone. If this is not done, the users will be prompted for credentials from the AD FS server. Adding the AD FS server farm address to the Local Intranet zone allows IE to pass your credentials to the webpage added to the zone.
    1. Open Internet Explorer
    2. Open Internet Options
    3. Click Security
    4. Click Local Intranet
    5. Click Sites
    6. Click Advanced
    7. Enter the address to your internal AD FS server farm (https://sts.domain.com)
    8. Click Add
    9. Click Close
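Step 4 can also be applied and reviewed from PowerShell. The following is an added example, not from the original post. Because Internet Explorer passes the logged-on user's credentials automatically to any site in the Local Intranet zone, the first function maps only the exact HTTPS host, and the second lists everything the current user has mapped to that zone so that broad entries stand out. The function names are assumptions, and domain.com and sts are the placeholder names from step 7; the registry path is the per-user ZoneMap that Internet Explorer reads.

```powershell
# Added example (not from the original post). Per-user site-to-zone mapping;
# zone number 1 is Local intranet.
$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Add-AdfsIntranetSite {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,     # e.g. domain.com
        [Parameter(Mandatory = $true)][string]$HostLabel   # e.g. sts
    )
    # Key layout is Domains\<domain>\<host>; the value name is the protocol.
    $key = Join-Path (Join-Path $ZoneMap $Domain) $HostLabel
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Map https only, and only for this one host, not for the whole domain.
    New-ItemProperty -Path $key -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-IntranetZoneMapping {
    if (-not (Test-Path $ZoneMap)) { return }
    Get-ChildItem -Path $ZoneMap -Recurse | ForEach-Object {
        $key = $_
        # Path below ...\Domains\, for example domain.com\sts
        $site = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
        foreach ($protocol in $key.GetValueNames()) {
            if ($key.GetValue($protocol) -eq 1) {
                $parts = $site.Split('\')
                [array]::Reverse($parts)
                New-Object PSObject -Property @{
                    Site     = ($parts -join '.')
                    Protocol = $protocol
                    # Broad: any protocol other than https ('*' or http), or an
                    # entry that covers a whole domain instead of one host.
                    Broad    = ($protocol -ne 'https') -or ($site -notmatch '\\')
                }
            }
        }
    }
}

Add-AdfsIntranetSite -Domain 'domain.com' -HostLabel 'sts'
Get-IntranetZoneMapping | Sort-Object Site | Format-Table Site, Protocol, Broad -AutoSize
```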

       

Verify AD FS with the Microsoft Office 365 Portal Site

  1. Open Internet Explorer

     

  2. Navigate to the Office 365 Portal Site

     

  3. Enter your user account in UPN format (username@domain.com)

     

  4. As soon as you tab to the password field, Office 365 will check to see if your domain is enabled for single sign-on. If it is, you’ll be redirected to your local AD FS farm for authentication. Since we added this site to our local intranet zone, the local credentials are passed to the webpage and authentication should be seamless to the user.

     

  5. Once authentication happens, you are redirected to the Microsoft Office 365 portal site and logged in as the user.

     

 

 

Testing from External

Before we can test the client logon there is some information that we should verify.

  1. Make sure that the user knows their domain credentials

     

  2. Verify name resolution to the external AD FS Proxy server. This can be done by simply pinging the AD FS server farm name. If the name does not resolve, please verify that the correct DNS entries are added to the public DNS servers.

     

Verify AD FS with the Microsoft Office 365 Portal Site

  1. Open Internet Explorer

     

  2. Navigate to the Office 365 Portal Site

     

  3. Enter your user account in UPN format (username@domain.com)

     

    As soon as you tab to the password field, Office 365 will check to see if your domain is enabled for single sign-on. If it is, you’ll be redirected to your AD FS Proxy Server for authentication.

     

     

  4. Enter your User ID in UPN format (userid@domain.com)

     

  5. Enter your password

     

  6. Click Sign In

     

  7. The user is authenticated and then redirected back to the Office 365 Portal Site.

 

Testing External Connection while Connected to the Internal Network

When testing AD FS, you are usually on the inside of the network and won’t have access to an outside connection. Microsoft has a tool that allows for an external test to be run while providing some more troubleshooting information.

  1. Open Internet Explorer

     

  2.  

  3. Click Office 365 tab

     

  4. Click Office 365 Single Sign-On Test

     

  5. Click Next

     

  6. Enter your user account and password

     

  7. Check that you understand the acknowledgement

     

  8. Enter the verification information

     

  9. Click Perform Test

     

  10. The test starts

     

  11. When the test is complete, you will get some detailed information on the process. My test passed, but had some warnings. After viewing the warnings, I can dismiss them.

 


Activating and Licensing a Synchronized User in the NEW Office 365

In the last step we set up directory synchronization, which will allow us to synchronize our local Active Directory users to our Office 365 tenant account. Now that we have the users in our tenant account, we need to license them. Licensing them is what activates and provisions their services (Exchange, Lync, SharePoint and Office).

One thing that we notice in our Office 365 Admin Center is that the users are categorized as to where their account is. You’ll notice ‘In cloud’ and ‘Synced with Active Directory’.

As we saw in this blog post, when you create cloud users, you can assign them a license at that time. Since Directory Synchronization creates the users for us, we have to go back and license the users. You can activate and license one or many users at the same time. This can also be done via script through PowerShell; but that’s not covered in this post.

 

  1.  

  2. Find the user or users that you wish to activate

     

  3. Select the user or users

     

  4. Click Activate Synced User

     

  5. Select the user location

     

  6. Select the license and services you want to assign to the user (based on license type)

     

  7. Click Next

     

  8. Choose if you want the results to be emailed

     

  9. Click Activate

     

  10. Click Finish

     

One thing to note is that there is no password assigned to the user. This is because the password is kept and authenticated on-premises through AD FS.

 


Setting up Directory Synchronization with the NEW Office 365

Now that we have the AD FS and the AD FS Proxy Servers set up, we need to set up Directory Synchronization. Directory Sync gives you the ability to synchronize (one way, to the cloud) your local Active Directory (or a portion of it) to your Office 365 account. This is a critical piece of the single sign-on solution for Office 365 as it works together with AD FS. Directory Sync is installed as a single server and cannot be made highly available.

We have AD FS setup already and we have base built the Directory Sync server with Windows Server 2012. The server has a static IP address and is domain joined.

Activate Directory Synchronization

Before we can setup and use the Directory Sync software, we need to activate it in the Office 365 Admin Center

  1. Open Internet Explorer

     

  2.  

  3. Click Users and Groups

     

  4. Click the Activate link next to Active Directory® synchronization

This process can take up to 24 hours.

 

Install Directory Sync Software

We need to download and install the Directory Sync software from the Office 365 Admin Center. This is a 64-bit installer.

  1. Login to the Directory Sync Server with an Administrator account

     

  2. Open Internet Explorer

     

  3.  

  4. Click Users and Groups

     

  5. Click the Set up link next to Active Directory® synchronization

     

  6. Skip down to step 4 and click download

     

  7. Navigate to the downloaded file (dirsync.exe) and open it

     

  8. Click Next

     

  9. Accept the License Agreement

     

  10. Click Next

     

  11. Choose an install location

     

  12. Click Next

     

  13. Installing – This process takes a while, so be patient.

     

  14. Install complete, click Next

     

  15. Uncheck Start Configuration Wizard now

     

  16. Click Finish

     

  17. REBOOT the Directory Sync server before running the Configuration Wizard

 

Configure Directory Sync

Picking up from the last setup, we can now configure Directory Sync.

  1. Login to the Directory Sync Server with an Administrator account

     

  2. Open the Configuration Wizard from the Desktop shortcut

     

  3. Run the Wizard while logged in with an Administrator account.

     

  4. Click Next

     

  5. Enter a cloud account (@domain.onmicrosoft.com) that has Global Administrator role assigned in Office 365.

     

    ***Note*** I create an unlicensed service account in Office 365 for AD FS and Directory Sync. Assign these accounts Global Administrator role and set the passwords to not expire. This will prevent issues if the password changes or the

     

  6. Click Next

     

  7. Enter an Enterprise Administrator account

     

    *** Note*** Running the Wizard needs Enterprise Administrator credentials. Once the Wizard has completed, the credentials will not be used again.

     

  8. Click Next

     

  9. Enable Exchange Hybrid Deployment

     

    ***Note*** If Directory Sync detects that you have at least one Exchange 2010 SP1 or newer server in your Active Directory, you will be prompted to Enable Exchange Hybrid Deployment.

     

  10. Click Next

     

  11. The wizard will start the configuring process

     

  12. When completed, click Next

     

  13. Uncheck Synchronize now (if you plan to implement OU filtering)

     

    ***Note*** If you want to filter the OUs that get synchronized to Office 365, then follow this BLOG post, Directory Synchronization – Filtering OUs to Synchronize to Office 365. Do not start the synchronization until you have set up OU filtering. This will prevent cleanup in Office 365.

     

    If you don’t want to do OU filtering, then leave this option checked.

     

  14. Click Finish

     

 

Force Synchronization to Office 365

 

Since we stopped the initial sync job in the last step, we need to manually start the first sync job. This is done automatically, if you give Directory Sync more time, or we can force it with PowerShell.

  1. Login to the Directory Sync Server with an Administrator account

     

  2. Open DirSyncConfigShell.psc1 (C:\Program Files\Microsoft Online Directory Sync\)

     

    ***Note*** I create a shortcut to this file on my desktop

     

  3. Type Start-OnlineCoexistenceSync

     

  4. Press enter to execute the command

Successful synchronization can be confirmed in the Application Log on the Directory Sync server.

You can also verify that the users are now shown in the Office 365 Admin Center. You will notice that the users’ status is now ‘Synced with Ac’, rather than ‘In cloud’.

 

Now that we have Federation and Directory Sync set up, we can test single sign-on with Office 365.

 


Part 3 – AD FS Proxy Server Setup

Now that all the required software is installed on the server, we can verify name resolution for the AD FS Server and the AD FS Proxy Server. After that is completed, then we configure the local AD FS Proxy Server.

 

Verify Name Resolution

Since the AD FS Proxy server is not domain joined, it will not have access to the domain-based DNS. We need to add some entries to the local hosts file so that the AD FS Proxy Server can resolve the internal IP for sts.domain.com and the AD FS Server.

Domain Based Name Resolution

  1. Login to your Domain Controller

     

  2. Open DNS Management Console

     

  3. Verify A records for the following servers
  • AD FS Server
  • AD FS Proxy Server
  • sts.domain.com (Internal IP)

 

Internet Based Name Resolution

  • Login to your Public DNS Management Console

     

  • Verify and/or add an A record for the following
    • sts.domain.com (Internet IP)

AD FS Proxy Server Name Resolution

  1. Login to the AD FS Proxy Server with an Administrator Account

     

  2. Open the Start view

     

  3. Type Notepad

     

  4. Right Click Notepad

     

  5. Run as Administrator

     

  6. Click File

     

  7. Click Open

     

  8. Change to All Files

     

  9. Open the hosts file (c:\windows\system32\drivers\etc\hosts)

     

  10. Enter IP and Host name for the AD FS Server and for sts.domain.com

     

  11. Click File

     

  12. Click Save

 

Configure Local AD FS Proxy Server

 

  1. Login to the AD FS Proxy Server with an Administrator Account

     

  2. Open Server Manager

     

  3. Click Tools

     

  4. Click AD FS Federation Server Proxy Configuration Wizard

     

  5. Click Next

     

  6. Verify the Federation Service Name

     

  7. Click Test Connection

     

    This is the message you should see if the firewall is configured properly

     

  8. Click OK

     

  9. Click Next

     

  10. Enter the AD FS Service account information

     

  11. Click OK

     

  12. Click Next

     

    All green checks means a successful configuration

     

  13. Click Close

 

Now that our AD FS server and AD FS Proxy server are set up, we need to set up Directory Synchronization.


Part 2 – Export, Import and Assign the Third Party Certificate

Just like the AD FS server, we need a third party certificate on the AD FS Proxy server. The AD FS Proxy server will need to have the same SSL certificate as we used on the AD FS server. The best way to do this is to export the certificate from the AD FS server and then import it on the AD FS Proxy server. Once it’s on the AD FS Proxy server, we can assign it to the default website, the same way we did on the AD FS server.

 

Export the AD FS Certificate from the AD FS Server

  1. Login to the AD FS server with an Administrator account

     

  2. Open the Start Screen

     

  3. Type MMC

     

  4. Open the MMC

     

  5. MMC opens

     

  6. Click File

     

  7. Click Add/Remove Snap-in

     

  8. Select Certificates

     

  9. Click Add>

     

  10. Select Computer Account

     

  11. Click Next

     

  12. Select Local Computer

     

  13. Click Finish

     

  14. Click OK

     

  15. Expand Certificates

     

  16. Expand Personal

     

  17. Select Certificates

 

***Note*** The certificate shown below is a multi-name SSL certificate for my lab environment. Your certificate should show sts.domain.com.

  1. Right Click the third party certificate

     

  2. Select All Tasks

     

  3. Select Export

     

  4. Click Next

     

  5. Yes, Export the Private Key

     

  6. Click Next

     

  7. Export in Personal Information Exchange – PKCS #12 (.PFX)

     

  8. Select Include all certificates in the certification path if possible

     

  9. Select Export all extended properties

     

  10. Click Next

     

  11. Select Password

     

  12. Enter password

     

  13. Confirm password

     

  14. Click Next

     

  15. Enter a path to save the exported certificate

     

  16. Click Next

     

  17. Click Finish

     

  18. Successful

     

  19. Copy the exported certificate to the AD FS Proxy Server

 

Import the AD FS Certificate to the AD FS Proxy Server

 

  1. Login to the AD FS Proxy server with an Administrator account

     

  2. Open the Start Screen

     

  3. Type MMC

     

  4. Open the MMC

     

  5. MMC opens

     

  6. Click File

     

  7. Click Add/Remove Snap-in

     

  8. Select Certificates

     

  9. Click Add>

     

  10. Select Computer Account

     

  11. Click Next

     

  12. Select Local Computer

     

  13. Click Finish

     

  14. Click OK

     

  15. Expand Certificates

     

  16. Expand Personal

     

  17. Right Click Certificates

     

  18. Select Import

     

     

  19. Select Local Machine

     

  20. Click Next

     

  21. Browse to the Exported Certificate

     

  22. Click Next

     

  23. Enter Password

     

  24. Mark the key as exportable

     

  25. Click Next

     

  26. Place in the Personal certificate store

     

  27. Click Next

     

  28. Click Finish

     

  29. Successful

 

Assign the Imported Certificate

 

Now that we have the third party certificate imported on the server, we need to assign and bind it to the default website (HTTPS port 443).

  1. Open Server Manager

     

  2. Click Tools

     

  3. Click Internet Information Services (IIS) Manager

     

  4. Expand the local server

     

  5. Expand Sites

     

  6. Select Default Web Site

     

  7. Click Bindings (actions pane)

     

  8. Click Add

     

  9. Change the type to HTTPS

     

  10. Select your certificate from the drop down menu.

     

    ***Note*** The certificate shown below is a multi-name SSL certificate for my lab environment. When you select your certificate, it should show sts.domain.com, which matches the completed certificate.

     

  11. Click OK

     

  12. Click Close

     

  13. Close IIS Manager

Now that our certificates are taken care of, we can continue to the last step; completing the AD FS Proxy server setup.

 


Part 1 – Prepare the Local AD FS Proxy Server

Since the AD FS Proxy server is in the DMZ, do not domain join the server. It functions just fine without being domain joined, and joining it would needlessly open firewall ports from the DMZ to the internal network.

 

Set the External Domain

Since the server is not domain joined and is technically a web server, it’s recommended that you set the internal domain name.

  1. Login to the AD FS server with the AD FS service account

     

  2. Open Server Manager

     

  3. Click Local Server

     

  4. Click the Computer Name

     

  5. Click Change

     

  6. Click More

     

  7. Enter the External domain name

     

  8. Click OK

     

  9. Click OK

     

  10. Reboot

 

Install AD FS Proxy Server Role

  1. Login to the AD FS server with the AD FS service account

     

  2. Open Server Manager

     

  3. Click Manage

     

  4. Click Add Roles and Features

     

  5. Click Next

     

  6. Select Role-based or feature-based installation

     

  7. Click Next

     

  8. Select the local server

     

  9. Click Next

     

  10. Select Active Directory Federation Services

     

  11. Click Add Features, this will install the required features for AD FS

     

  12. Click Next

     

  13. Select .NET Framework 3.5 Features

     

  14. Click Next

     

  15. Click Next

     

  16. Leave default selections for the Web Server Role (IIS)

     

  17. Click Next

     

  18. Click Next

     

  19. Uncheck Federation Service (selected by default)

     

  20. Select Federation Service Proxy

     

  21. Click Next

     

     

  22. Click Install

     

  23. Install begins. You can close this window or leave it open to view the progress

     

    Installation completed

     

  24. Click Close

 

Install Sign-in Assistant

  1. Open Internet Explorer

     

  2.  

  3. Click Download Software

     

  4. Click Desktop Setup

     

  5. Click Set up to start the Desktop Applications install

     

  6. Click Run

     

  7. Desktop Assistant is downloaded

     

  8. Click Run

     

  9. Sign in with a Global Administrator account for Office 365.

     

    I create a shared service account for use with AD FS and Directory Sync. This account does not need a license assigned and should be a tenant account (@domain.onmicrosoft.com). Assign the account the Global Administrator role. Use this BLOG post for setting up the user.

     

     

  10. Desktop Applications setup starts

     

  11. Uncheck (if checked) Microsoft Outlook, Microsoft SharePoint and Microsoft Lync

     

  12. Click Continue

     

  13. Click Run

     

  14. Click I Accept

     

  15. Installing Microsoft Online Sign-In Assistant

     

  16. Click Finish

 

Install the Windows Azure Active Directory Module for Windows PowerShell

 

  1.  

  2. Click Users and Groups

     

  3. Click Set up link beside Single Sign-On

     

  4. Choose Windows 64-bit Version

     

  5. Click Download

     

  6. Click Run

     

  7. Click Next

     

  8. Accept the License Agreement

     

  9. Click Next

     

  10. Choose an install path

     

  11. Click Next

     

  12. Click Install

     

  13. Click Finish

 

This completes setting up all the pre-required software for the AD FS Proxy server.

 
