Category Archives: Office 365 News

Setting up the Secondary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On

Now that we have the first AD FS server set up and are federated with Office365, we can add more servers to the AD FS farm. This process can be repeated on as many servers as you need in the AD FS farm to support the load from your user base.

Assumptions:

  • Azure account is set up
  • Directory Sync is activated, set up and running
  • Valid SSL certificate is available (with private key)
  • VPN connection is set up from Azure to your on-premise network
  • Primary AD FS server is set up (see previous post in this series)

 

Setting up the Virtual Machine in Windows Azure

 

Click New -> Compute -> Virtual Machine -> From Gallery

 

Select Windows Server 2012 R2 Datacenter

Click Next

 

Enter the Virtual Machine Name

Select the Tier

Select the Size

Click Next

 

Choose the Cloud Service that the first AD FS Server is installed in (setup earlier in the BLOG series)

Verify Subnet

Choose the Availability Set that was created when we provisioned the first AD FS server

Click Next

 

Click Next

Wait for the Virtual Machine to be provisioned and then continue

 

Connect to the Virtual Machine over RDP

 

Add the Virtual Machine to the Domain

 

Installing the AD FS 3.0 Role on the Virtual Machine and Importing the SSL Certificate

Please reference this BLOG post on how to install the AD FS 3.0 Role on the virtual machine and then import the SSL certificate

Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On

 

Adding the Secondary AD FS 3.0 Server to the AD FS Farm

 

Open Server Manager

Select AD FS

Click More where it says Configuration required for Active Directory Federation Servers at…

 

Click the Configure the federation service… action on the Post-Deployment Configuration

 

Select Add a federation server to a federation server farm

Click Next

 

Enter credentials for a user that has domain administrator permissions. This account is used only to complete the install; it is not used as the AD FS service account

Click Next

 

Specify the Primary Federation Server

Click Next

 

Select the SSL certificate that was imported earlier (the same certificate that was installed on the primary AD FS server)

*** Note *** Since I am using a multi-name certificate, the name of the certificate does not match my AD FS farm name. In production I always recommend that you use a single-name certificate to keep things simple. If that’s the case then the certificate name should match the AD FS farm name e.g. sts.domain.com

Click Next

 

Select the AD FS service account (the same account that was used in the setup of the primary AD FS server in the farm)

Enter the password

Click Next

 

Click Next

 

When the pre-requisites are completed

Click Configure

 

Success

 

We now have a two-node AD FS server farm set up in Windows Azure. Keep in mind that you have to continue to the next post to set up load balancing for the servers.
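The same join, done from PowerShell instead of the Server Manager wizard, as an added example that is not part of the original post: it first confirms that the certificate imported on this node is the one the primary server is using, then calls Add-AdfsFarmNode. Server and farm names are placeholders, and reading the primary's certificate over Invoke-Command assumes WinRM is enabled between the two VMs.

```powershell
# Added example (not from the original post): join this server to the existing
# AD FS farm from PowerShell, checking first that the SSL certificate imported
# here is the same one the primary server uses. Names are placeholders.
$PrimaryServer = 'adfs01.domain_name.com'   # primary federation server (placeholder)
$FarmName      = 'sts.domain_name.com'      # federation service name (placeholder)

# Domain admin is used only for the install; the service account is the farm's account
$installCred = Get-Credential -Message 'Domain administrator (install only)'
$serviceCred = Get-Credential -Message 'AD FS service account (same as primary)'

# Thumbprint of the service-communications (SSL) certificate on the primary server
$primaryThumb = Invoke-Command -ComputerName $PrimaryServer -Credential $installCred -ScriptBlock {
    (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
}

# The same certificate must already be in Local Computer\Personal, with its private key
$local = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $primaryThumb }
if (-not $local) {
    throw "Certificate $primaryThumb from $PrimaryServer is not in the local machine store; import it first."
}
if (-not $local.HasPrivateKey) {
    throw "Certificate $primaryThumb was imported without its private key."
}

# Same as Add Roles and Features -> Active Directory Federation Services in the post
Install-WindowsFeature ADFS-Federation -IncludeManagementTools | Out-Null

# The wizard's three inputs: primary server, SSL certificate, service account
Add-AdfsFarmNode -PrimaryComputerName $PrimaryServer `
                 -CertificateThumbprint $primaryThumb `
                 -ServiceAccountCredential $serviceCred `
                 -Credential $installCred

# Confirm the node picked up the farm's federation service name
$props = Get-AdfsProperties
if ($props.HostName -ne $FarmName) {
    Write-Warning "Farm name on this node is $($props.HostName), expected $FarmName"
}
```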

 

My BLOG Series

Deploying a Highly Available AD FS 3.0 Solution in Windows Azure for Single Sign-on with Office365

  1. Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
  2. Setting up the Secondary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
    1. Configure the AD FS Servers in an Internal Load-Balanced Set in Windows Azure for Office365 Single Sign-On
    2. Configure the AD FS Servers with Azure Load Balanced Set in Windows Azure for Office365 Single Sign-On
  3. Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications
  4. Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
  5. Setting up the Second Web Application Proxy Server (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
  6. Configure Endpoints and Test the Web Application Proxy Servers (Load-Balanced Set in Windows Azure) for Office365 Single Sign-On

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps Office365 MVP

Technical Consultant

Concepps Group

Email Me Follow me on Twitter Connect with me on LinkedIN

Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On

This BLOG post covers setting up the primary AD FS 3.0 server on a Windows Server 2012 R2 virtual machine in Windows Azure.

Assumptions:

  • Azure account is set up
  • Directory Sync is activated, set up and running
  • Valid SSL certificate is available (with private key)
  • VPN connection is set up from Azure to your on-premise network

 

Create a New Cloud Service

Because we are going to load balance one or more virtual machines, we need to create a Cloud Service to put them in. Think of it as a bucket to hold your virtual machines. You will require one for the AD FS Servers and one for the Web Application Proxies (AD FS Proxy Servers)

 

Click New

Select Compute -> Cloud Service -> Custom Create

 

Enter a URL or Name for the Cloud Service. This name must be unique across the .cloudapp.net name space.

Select your Region or Affinity Group

Click OK

 

 

Create the Virtual Machine in Windows Azure

 

Click New

Select Compute -> Virtual Machine -> From Gallery

 

Choose Windows Server 2012 R2 Datacenter

Click Next

 

Enter Virtual Machine Name

Select Server Tier

Select Server Size

Click Next

 

Select the AD FS Cloud Service that was created earlier. This is very important.

Verify Subnet

From the drop-down, select Create an availability set

Enter a name for the availability set

***Note*** This does not load balance the servers; it just places the VMs so that the members of the set land in different fault domains, and if a rack of servers goes down the outage isn’t extended to all the servers in the set.

Click Next

 

Click Next

Once the VM is provisioned go to the next step

 

Add the Server to the Domain

Since the AD FS servers need to authenticate against Active Directory, they need to be added to the local domain. Add the server to the local domain

 

Install the Windows Azure Active Directory Module for Windows PowerShell

Use this BLOG post to install the Windows Azure Active Directory Module for PowerShell and the required Microsoft Online Services Sign-In Assistant 7.0

Connecting to Office365 with PowerShell

 

Install the AD FS Role

 

Open Server Manager

Click Add roles and features

 

Click Next

 

Select Role-based or feature-based installation

Click Next

 

Make sure that the AD FS Server is listed as the server to install to

Click Next

 

Select Active Directory Federation Services

Click Next

 

Leave defaults

Click Next

 

Click Next

 

Click Install

 

Wait for the install to complete

 

Import the SSL Certificate

AD FS uses a certificate to secure the connection from AD FS to Office365. For this reason, we need a valid SSL certificate. I chose to use GoDaddy, as I find they are a one stop shop for all my domain needs. It’s a personal choice, so use whoever you feel comfortable with. For the purposes of this BLOG post, I will use a multi-name certificate; I DON’T recommend this for a production environment. A couple of reasons: I like to keep things simple, and if we have multiple names on the certificate it starts to get complicated (not technically, but in the management of the certificate). Secondly, I don’t like to share certificates across services. This cuts down on the cross contamination from the support teams at larger companies. If you lump the AD FS services in with the Exchange certificate, AD FS usually gets left in the dust and forgotten about when it comes time to renew.

 

Open the Start Screen


Type MMC

 Click the MMC app


MMC opens


Click File

Click Add/Remove Snap-in

Select Certificates

Click Add>


Select Computer Account

Click Next


Select Local Computer

Click Finish


Click OK


Expand Certificates

Expand Personal

Right Click Certificates

Select Import


Select Local Machine

Click Next


Browse to the Exported Certificate

Click Next


Enter Password

Mark the key as exportable

Click Next


Place in the Personal certificate store

Click Next


Click Finish


Successful


 

 

Setup and Configure AD FS 3.0

 

Open Server Manager

Select AD FS

Click More where it says Configuration required for Active Directory Federation Servers at…

 

Click the Configure the federation service… action on the Post-Deployment Configuration

 

Select Create the first federation server in a federation server farm

Click Next

 

Enter credentials for a user that has domain administrator permissions. This account is used only to complete the install; it is not used as the AD FS service account

Click Next

 

Select the SSL certificate that you imported

Select the Federation Service Name

Enter the Federation Service Display Name

*** Note *** Since I am using a multi-name certificate, these three values don’t match for me. In production I always recommend that you use a single-name certificate to keep things simple. If that’s the case then the three values should all match e.g. sts.domain.com

Click Next

 

Enter the AD FS Service Account Name and Password

***Note*** This can be a managed service account or a domain user account designated for AD FS. If you use a domain user account, it does not need any special permissions. The install will give it the permissions required.

Click Next

 

Select Windows Internal Database or the location of a SQL Server Database. The choice is yours, but for most companies the Windows Internal Database works just fine.

Click Next

 

Click Next

 

Wait for the Pre-requisite checks to be completed

Click Configure

 

Successful
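The certificate import and the first-node configuration above, done from PowerShell, as an added example that is not part of the original post: it imports the PFX into Local Computer\Personal, checks that the certificate's subject or SAN covers the federation service name (the point of the note above), and then runs Install-AdfsFarm. The PFX path, farm name and display name are placeholders; Windows Internal Database is used because no SQL connection string is passed.

```powershell
# Added example (not from the original post): import the SSL certificate, check that
# its names match the federation service name as the post's note recommends, and
# create the first node of the farm with Install-AdfsFarm instead of the wizard.
$PfxPath     = 'C:\certs\sts.pfx'        # exported certificate with private key (placeholder)
$FarmName    = 'sts.domain_name.com'     # federation service name (placeholder)
$DisplayName = 'Domain Name Sign-In'     # shown on the sign-in page (placeholder)

$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$installCred = Get-Credential -Message 'Domain administrator (install only)'
$serviceCred = Get-Credential -Message 'AD FS service account'

# Equivalent of the MMC import into Local Computer\Personal. -Exportable mirrors the
# post's wizard step; drop it if the other farm nodes will import the same PFX file.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
                              -Password $pfxPassword -Exportable

# Collect the names the certificate is valid for: subject CN plus any DNS SAN entries
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($san) {
    # Format($false) yields "DNS Name=a.example.com, DNS Name=b.example.com"
    $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1] })
}
$names = $names | ForEach-Object { $_.Trim().ToLowerInvariant() }

if ($names -notcontains $FarmName.ToLowerInvariant()) {
    throw "Certificate names ($($names -join ', ')) do not include the farm name $FarmName"
}
if (-not $cert.HasPrivateKey) { throw 'Private key missing; re-export the PFX with the key' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter)" }

# Same as Add Roles and Features -> Active Directory Federation Services in the post
Install-WindowsFeature ADFS-Federation -IncludeManagementTools | Out-Null

# First federation server in a new farm; no -SQLConnectionString means Windows Internal Database
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $FarmName `
                 -FederationServiceDisplayName $DisplayName `
                 -ServiceAccountCredential $serviceCred `
                 -Credential $installCred
```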

 

 

Federate with Office365

 

Open the Desktop on the AD FS server

Find Windows Azure Active Directory Module for Windows PowerShell


Right Click and Run As Administrator

Set the credential variable

  • $cred = Get-Credential

Enter a Global Administrator account from Office 365.


Connect to Microsoft Online Services with the credential variable set previously

  • Connect-MsolService -Credential $cred

 

Set the MSOL ADFS Context server, to the ADFS server (optional if you are on the AD FS server)

  • Set-MsolADFSContext -Computer adfs_servername.domain_name.com

 

Convert the domain to a federated domain

  • Convert-MsolDomainToFederated -DomainName domain_name.com

 

Successful Federation

  • Successfully updated 'domain_name.com' domain

 

Verify federation

  • Get-MsolFederationProperty -DomainName domain_name.com
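The federation steps above wrapped in one script, as an added example that is not part of the original post: it skips the conversion when the domain is already federated and then compares the settings Office 365 recorded with what the AD FS server reports, which is the check Get-MsolFederationProperty exists for. Domain and server names are the post's placeholders; the Source values and the TokenSigningCertificate property on the Get-MsolFederationProperty output are assumed from the cmdlet's tabular output.

```powershell
# Added example (not from the original post): run the post's federation cmdlets in
# order, then verify that Office 365 and the AD FS server agree on the trust settings.
# Placeholder names as in the post.
$Domain     = 'domain_name.com'
$AdfsServer = 'adfs_servername.domain_name.com'

$cred = Get-Credential -Message 'Office 365 Global Administrator'
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer $AdfsServer

# Convert only a managed domain; re-running Convert on a federated domain fails
$dom = Get-MsolDomain -DomainName $Domain
if ($dom.Authentication -eq 'Managed') {
    Convert-MsolDomainToFederated -DomainName $Domain
} else {
    Write-Host "$Domain is already $($dom.Authentication); skipping conversion"
}

# One row comes from the AD FS server, one from Office 365 (Source values assumed)
$props = Get-MsolFederationProperty -DomainName $Domain
$adfs  = $props | Where-Object { $_.Source -like 'ADFS*' }
$cloud = $props | Where-Object { $_.Source -like '*Office 365*' }

# Values that must match on both sides for sign-in to work and tokens to validate
$checks = @{
    'PassiveLogOnUri'         = @($adfs.PassiveLogOnUri, $cloud.PassiveLogOnUri)
    'IssuerUri'               = @($adfs.IssuerUri, $cloud.IssuerUri)
    'TokenSigningCertificate' = @($adfs.TokenSigningCertificate.Thumbprint,
                                  $cloud.TokenSigningCertificate.Thumbprint)
}

$ok = $true
foreach ($name in $checks.Keys) {
    $a, $c = $checks[$name]
    if ($a -ne $c) {
        $ok = $false
        Write-Warning "$name differs: AD FS='$a' Office 365='$c'"
    }
}

if ($ok) {
    Write-Host "Federation settings for $Domain are consistent between AD FS and Office 365"
} else {
    # A mismatch (for example after a token-signing certificate rollover) is fixed by re-pushing
    Write-Warning "Run Update-MsolFederatedDomain -DomainName $Domain to push the AD FS settings to Office 365"
}
```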

 

This concludes the setup of the first AD FS server and federation with Office365. Please continue through the rest of the series to complete the setup for the rest of the servers.

 

 


Deploying a Highly Available AD FS 3.0 Solution in Windows Azure for Single Sign-on with Office365

With a larger push from companies to migrate to the cloud, I have been asked to put together a BLOG series on how to deploy a Single Sign-On solution for Office365 into Windows Azure.

The next series of posts are a step-by-step series on how to deploy a highly available AD FS 3.0 solution in Windows Azure for single sign-on with Office365. The posts detail the process of setting up Windows Azure for this purpose, deploying the servers, configuring AD FS 3.0, configuring the Web Application Proxies (AD FS proxy servers) and then making the whole thing load balanced.

There are a number of considerations that you need to make before deploying this solution. Please read and educate yourself using this TechNet article.

http://technet.microsoft.com/en-us/library/dn509537.aspx

My BLOG Series

Deploying a Highly Available AD FS 3.0 Solution in Windows Azure for Single Sign-on with Office365

  1. Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
  2. Setting up the Secondary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
    1. Configure the AD FS Servers in an Internal Load-Balanced Set in Windows Azure for Office365 Single Sign-On
    2. Configure the AD FS Servers with Azure Load Balanced Set in Windows Azure for Office365 Single Sign-On
  3. Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications
  4. Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
  5. Setting up the Second Web Application Proxy Server (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
  6. Configure Endpoints and Test the Web Application Proxy Servers (Load-Balanced Set in Windows Azure) for Office365 Single Sign-On


How Office 365 Saves me Time and my Marriage

Working full time (at HP), caring for a family (including 3 kids under 5 years old) and running my own side business; I don’t have the time to manage my own IT. That doesn’t mean that I have to settle for sub par email, no IM and no collaboration tool. Office 365 affords me the freedom to have enterprise class services on a shoe string budget. I am a company of one, but that doesn’t mean I don’t require enterprise class services. Since I am the whole company, my requirements are more than a normal person.

My favorite Office 365 feature is Exchange Online. I need to stay on top of my email and without Office 365 I don’t think that I would be able to do that. I can access my email from everywhere and have one mailbox that is always up to date no matter what device I choose to access it from. A typical day for me includes checking and replying to my emails from Outlook, smartphone, OWA and tablet. I can be in my Office, meeting a client for coffee or relaxing in bed and I am always up to date.

Being a user of Office 365 and a Microsoft Partner, I can speak from experience when I speak nothing but good words about Office 365. The many clients that I consult for love Office 365 as it’s a great balance of services provided and money spent.


 

Microsoft Community Contributor Badge


 

I was recently notified that I received the Microsoft Community Contributor badge from Microsoft for all my help and posts on the Office 365 User Community Forum. This is a really nice acknowledgement of the time and efforts that I put towards promoting and helping people with Office 365.

 

Dear Community, 

Congratulations! We are pleased to inform you that your contributions to Microsoft online technical communities have been recognized with the Microsoft Community Contributor badge. 

This recognition is reserved for participants who made notable contributions in Microsoft online communities such as MSDN, TechNet and Microsoft Answers. The value of these online resources is greatly enhanced by participants like you who voluntarily contribute your time and energy to improve the online community experience for others.

 


Directory Sync 64bit now Available

Previously there was no option but to install the 32-bit version; Microsoft has now released the 64-bit version.


 

 

The following section is a repost from this site…

http://community.office365.com/en-us/w/sso/555.aspx


The 64-bit version of the directory synchronization tool is now available. The 64-bit version now uses Forefront Identity Manager 2010 as the underlying synchronization engine.

To download the 64-bit version of the directory synchronization tool from the Office 365 portal:

In the header, click Admin.

On the Admin page, in the left pane, click Users.

At the top of the Users page, click the link next to Active Directory synchronization.

Under step 4, select Windows 64-bit version, and then click Download.

To run the 64-bit version of the directory synchronization tool, you must have the following software installed:

The 64-bit edition of the Windows Server 2008 or Windows Server 2008 R2 Standard or Enterprise operating systems.

The 64-bit version of the directory synchronization tool shares exact functional parity with the existing 32-bit software. Therefore, refer to the existing directory synchronization documentation for all other deployment and configuration information.

Upgrading from 32-bit directory synchronization tool

Although the functionality of the 64-bit version of the directory synchronization tool is identical to the 32-bit version, the underlying SQL schema is different. For this reason, you cannot perform a standard upgrade. To upgrade your 32-bit installation of the directory synchronization tool, you must first uninstall it, and then install the 64-bit tool on a new computer.

Although the 32-bit instance of the directory synchronization tool is removed, the overall state of the objects in your on-premises and cloud directories, respectively, is preserved. When you install and configure your 64-bit instance of the directory synchronization tool, it finds and matches objects in the cloud with on-premises objects. However, the 64-bit instance of the tool will not find and match objects in the cloud if on-premises object deletions occurred when the 32-bit instance of the directory synchronization tool was offline.

Therefore, you must minimize changes to your on-premises objects during the upgrade to the 64-bit instance of the directory synchronization tool.

On the computer on which the Directory Synchronization tool is installed, open the Control Panel, select Add and Remove Programs, and then uninstall the Directory Synchronization tool.

Note:
If a synchronization session is in progress, a warning message appears when you try to remove the Directory Synchronization tool. If you receive this warning, wait until synchronization is complete, and then repeat this step.

Install the 64-bit version of the Directory Synchronization tool installation file on another computer. To do this, sign in to the Office 365 portal, click Admin in the header, click Users under Management in the left pane, click Set up in the Users pane, select Windows 64-bit version, and then click the Download button for step 4: Install and configure the Directory Synchronization tool.

On the last page of the installation program, select Start Configuration Wizard now, and then click Finish.
The Microsoft Online Services Directory Configuration Wizard starts.

 

 
