Category Archives: Setup

Setting up the Second Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On

In the previous post, we created the first of two WAP servers. This post adds the second one. The build is identical, except that the new VM joins the cloud service and availability set you created for the first WAP server, so that the two can later be load balanced and are kept on separate fault domains.

Create the Virtual Machine

Click New

Select Compute -> Virtual Machine -> From Gallery

 

Select Windows Server 2012 R2

Click Next arrow

 

Enter a virtual machine name, tier, size, username and password

Click Next arrow

 

Select the cloud service you created when creating the first WAP server

Verify Virtual Network

Select an Availability Set that you created when creating the first WAP server

Click Next arrow

 

Click the complete checkmark

 

 

Let the process configure the virtual machine. Once completed, log into the server and continue with the next steps.

 

 

Configure the Primary DNS Suffix

 

Open Server Manager

Click the Computer Name

 

Click Change

 

Click More…

 

 

Enter your public domain as the Primary DNS suffix of this computer

Click OK

 

Click OK

Reboot

 

 

Install the Web Application Proxy Role

 

Open Server Manager

Click Manage

Click Add Roles and Features

 

Click Next

 

Click Next

 

Click Next

 

Select Remote Access

Click Next

 

Click Next

 

Click Next

 

Select Web Application Proxy

Click Next

 

Click Add Features

 

Click Next

 

Click Install

 

Installing

 

Click Close

 

Import the SSL Certificate

AD FS publishes its endpoints over HTTPS, so both the federation service and the WAP servers in front of it need a valid SSL certificate from a public CA whose subject or subject alternative name matches the federation service name (sts.yourdomain.com in this series); clients and Office 365 validate that name when they connect. I use GoDaddy because they are a one-stop shop for my domain needs; that is a personal choice, so use whichever CA you are comfortable with. For the purposes of this BLOG post I use a multi-name certificate, which I do NOT recommend for a production environment. First, a certificate with many names is harder to manage (not technically, but operationally). Second, I don't like sharing one certificate across services: it keeps the support teams at larger companies from stepping on each other, and if AD FS is lumped onto the Exchange certificate, AD FS is usually forgotten when the certificate comes up for renewal.

 

Open the Start Screen


Type MMC

 Click the MMC app


MMC opens


Click File

Click Add/Remove Snap-in

Select Certificates

Click Add>


Select Computer Account

Click Next


Select Local Computer

Click Finish


Click OK


Expand Certificates

Expand Personal

Right Click Certificates

Select Import


Select Local Machine

Click Next


Browse to the Exported Certificate

Click Next


Enter Password

Mark the key as exportable only if you will need to export it from this server again; on an internet-facing proxy a non-exportable private key is the safer default

Click Next


Place in the Personal certificate store

Click Next


Click Finish


Successful


 

 

Edit HOSTS File

The WAP servers must reach the AD FS farm by its federation service name, but they sit in a different network with no route to the AD FS servers' internal IP addresses. The simplest way to tell them where to go, without opening more firewall ports or standing up DNS in the DMZ, is a local HOSTS entry on each WAP server that maps the farm name to the public VIP of the cloud service that holds the AD FS servers.

 

Complete in Azure

Click Cloud Services

Click the Cloud Service for your AD FS Servers

Make note of the Public Virtual IP (VIP) Address

 

Complete on WAP Server

Right Click Notepad and Run as Administrator

Navigate to c:\windows\system32\drivers\etc

Switch view to All Files

Open HOSTS

Add a line that maps the AD FS farm name (the federation service name) to the public VIP of the AD FS cloud service, in the form IP address, whitespace, name

Click File -> Save

Close Notepad

 

Setup Azure ACLs to Allow the WAP Servers to Communicate with the AD FS Servers

Because the WAP servers are on a separate network from the AD FS servers, the Azure ACL on the AD FS endpoint must permit the WAP cloud service's public VIP before the proxy configuration below can succeed. Please review this BLOG post to complete that task.

Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications

 

Configure the Web Application Proxy Role

 

Open Server Manager

Click More… Configuration required for Web Application Proxy

Click Open the Web Application Proxy… under the Action column

 

Click Next

 

Enter the Federation Service Name

Enter Credentials for a local administrator on the AD FS servers

Click Next

 

Select the SSL certificate that you imported earlier

Click Next

 

Click Configure

Success

Click Close

 

At this point the second WAP server is functioning. All that remains is to add a port 443 endpoint for the WAP cloud service and load balance the two WAP servers.

Continue onto the next post in the series to finish the configuration.

 

My BLOG Series

Deploying a Highly Available AD FS 3.0 Solution in Windows Azure for Single Sign-on with Office365

  1. Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
  2. Setting up the Secondary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
    1. Configure the AD FS Servers in an Internal Load-Balanced Set in Windows Azure for Office365 Single Sign-On
    2. Configure the AD FS Servers with Azure Load Balanced Set in Windows Azure for Office365 Single Sign-On
  3. Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications
  4. Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
  5. Setting up the Second Web Application Proxy Server (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
  6. Configure Endpoints and Test the Web Application Proxy Servers (Load-Balanced Set in Windows Azure) for Office365 Single Sign-On

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps Office365 MVP

Technical Consultant

Concepps Group

Email Me Follow me on Twitter Connect with me on LinkedIN

Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On

Web Application Proxy (WAP) is the Windows Server 2012 R2 role that publishes AD FS to the internet; it replaces the federation server proxy role of AD FS 2.x. WAP servers belong in a DMZ network and are not domain-joined, so a compromised proxy does not hand over a domain computer account.

Create a New Cloud Service

Because we are going to load balance two or more virtual machines, we need a Cloud Service to put them in. Think of it as a container for a set of virtual machines that share one public VIP and to which endpoint ACLs are applied. You need one for the AD FS servers and a separate one for the Web Application Proxies (AD FS proxy servers), so that the two tiers have different VIPs and can be ACLed independently.

 

Click New

Select Compute -> Cloud Service -> Custom Create

 

Enter a URL or Name for the Cloud Service. This name must be unique across the .cloudapp.net name space.

Select your Region or Affinity Group

Click OK

 

Create the Virtual Machine

 

Click New

Select Compute -> Virtual Machine -> From Gallery

 

Select Windows Server 2012 R2

Click Next arrow

 

Enter a virtual machine name, tier, size, username and password

Click Next arrow

 

Select the cloud service you created above

Verify Virtual Network

Create an Availability Set

Click Next arrow

 

Click the complete checkmark

 

Let the process configure the virtual machine. Once completed, log into the server and continue with the next steps.

 

 

Configure the Primary DNS Suffix

 

Open Server Manager

Click the Computer Name

 

Click Change

 

Click More…

 

Enter your public domain as the Primary DNS suffix of this computer

Click OK

 

Click OK

Reboot

 

Install Web Application Proxy Role

 

Open Server Manager

Click Manage

Click Add Roles and Features

 

Click Next

 

Click Next

 

Click Next

 

Select Remote Access

Click Next

 

Click Next

 

Click Next

 

Select Web Application Proxy

Click Next

 

Click Add Features

 

Click Next

 

Click Install

 

Installing

 

Click Close

 

Import the SSL Certificate

AD FS publishes its endpoints over HTTPS, so both the federation service and the WAP servers in front of it need a valid SSL certificate from a public CA whose subject or subject alternative name matches the federation service name (sts.yourdomain.com in this series); clients and Office 365 validate that name when they connect. I use GoDaddy because they are a one-stop shop for my domain needs; that is a personal choice, so use whichever CA you are comfortable with. For the purposes of this BLOG post I use a multi-name certificate, which I do NOT recommend for a production environment. First, a certificate with many names is harder to manage (not technically, but operationally). Second, I don't like sharing one certificate across services: it keeps the support teams at larger companies from stepping on each other, and if AD FS is lumped onto the Exchange certificate, AD FS is usually forgotten when the certificate comes up for renewal.

 

Open the Start Screen


Type MMC

 Click the MMC app


MMC opens


Click File

Click Add/Remove Snap-in

Select Certificates

Click Add>


Select Computer Account

Click Next


Select Local Computer

Click Finish


Click OK


Expand Certificates

Expand Personal

Right Click Certificates

Select Import


Select Local Machine

Click Next


Browse to the Exported Certificate

Click Next


Enter Password

Mark the key as exportable only if you will need to export it from this server again; on an internet-facing proxy a non-exportable private key is the safer default

Click Next


Place in the Personal certificate store

Click Next


Click Finish


Successful


 

 

Edit HOSTS File

The WAP servers must reach the AD FS farm by its federation service name, but they sit in a different network with no route to the AD FS servers' internal IP addresses. The simplest way to tell them where to go, without opening more firewall ports or standing up DNS in the DMZ, is a local HOSTS entry on each WAP server that maps the farm name to the public VIP of the cloud service that holds the AD FS servers.

 

Complete in Azure

 

Click Cloud Services

Click the Cloud Service for your AD FS Servers

Make note of the Public Virtual IP (VIP) Address

 

Complete on WAP Server

 

Right Click Notepad and Run as Administrator

Navigate to c:\windows\system32\drivers\etc

Switch view to All Files

Open HOSTS

Add a line that maps the AD FS farm name (the federation service name) to the public VIP of the AD FS cloud service, in the form IP address, whitespace, name

Click File -> Save

Close Notepad

 

Setup Azure ACLs to Allow the WAP Servers to Communicate with the AD FS Servers

Because the WAP servers are on a separate network from the AD FS servers, the Azure ACL on the AD FS endpoint must permit the WAP cloud service's public VIP before the proxy configuration below can succeed. Please review this BLOG post to complete that task.

Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications

 

Configure the Web Application Proxy Role

 

Open Server Manager

Click More… Configuration required for Web Application Proxy

 

Click Open the Web Application Proxy… under the Action column

 

Click Next

 

Enter the Federation Service Name

Enter Credentials for a local administrator on the AD FS servers

Click Next

 

Select the SSL certificate that you imported earlier

Click Next

 

Click Configure

 

Setting up the WAP server

 

Success

Click Close

 

At this point the WAP server is functioning. To test it before touching public DNS, edit the HOSTS file on your local workstation so that the federation service name points at the external IP of the WAP cloud service, then browse to the sign-on page. Remove that HOSTS entry again when you are done.
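The click-through above, and the identical build for the second proxy in the post before it, reduce to a handful of cmdlets. The following PowerShell script is an added example, not code from either post: it carries out the same steps on a fresh Windows Server 2012 R2 VM in the DMZ cloud service and verifies each one before moving to the next, which is where a certificate that does not cover the farm name, a missing HOSTS entry or a missing Azure ACL rule shows up early. It differs from the wizard in one deliberate respect: the private key is imported as non-exportable. The DNS suffix, farm name, AD FS cloud service VIP and PFX path are placeholder assumptions.

```powershell
# Added example, not code from the original posts: the WAP build steps (DNS suffix, role
# install, certificate import, HOSTS entry, proxy configuration) as one idempotent script for a
# fresh Windows Server 2012 R2 VM. Every value below is a placeholder assumption; replace it.
$PublicDnsSuffix       = 'contoso.com'
$FederationServiceName = 'sts.contoso.com'      # AD FS farm name; must be on the certificate
$AdfsCloudServiceVip   = '203.0.113.10'         # public VIP of the AD FS cloud service
$PfxPath               = 'C:\certs\sts.contoso.com.pfx'

# 1. Primary DNS suffix (the 'More...' dialog in System Properties). Needs a reboot, so stop
#    here the first time through and re-run the script afterwards.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
if ((Get-ItemProperty -Path $tcpip).'NV Domain' -ne $PublicDnsSuffix) {
    Set-ItemProperty -Path $tcpip -Name 'Domain'    -Value $PublicDnsSuffix
    Set-ItemProperty -Path $tcpip -Name 'NV Domain' -Value $PublicDnsSuffix
    Write-Warning 'Primary DNS suffix changed. Reboot, then run this script again.'
    return
}

# 2. Web Application Proxy role (Remote Access -> Web Application Proxy in the wizard).
Install-WindowsFeature -Name Web-Application-Proxy -IncludeManagementTools | Out-Null

# 3. SSL certificate into the computer's Personal store. The private key is NOT marked
#    exportable: this machine is internet-facing and nothing else needs to pull the key from it.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
if ($cert.DnsNameList.Unicode -notcontains $FederationServiceName) {
    throw "Certificate $($cert.Thumbprint) does not cover $FederationServiceName"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); renew it before it breaks sign-in"
}

# 4. HOSTS entry: farm name -> AD FS cloud service VIP. Only added if no live entry exists.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern   = '^\s*[0-9A-Fa-f.:]+\s+' + [regex]::Escape($FederationServiceName) + '(\s|$)'
if (-not (Get-Content $hostsPath | Where-Object { $_ -match $pattern })) {
    Add-Content -Path $hostsPath -Value "$AdfsCloudServiceVip`t$FederationServiceName" -Encoding Ascii
}

# 5. Verify name resolution through the system resolver (which reads HOSTS) and TCP 443.
#    A failure here usually means the Azure ACL on the AD FS endpoint is missing the WAP VIP.
$resolved = [System.Net.Dns]::GetHostAddresses($FederationServiceName) | ForEach-Object IPAddressToString
if ($resolved -notcontains $AdfsCloudServiceVip) {
    throw "$FederationServiceName resolves to $resolved, expected $AdfsCloudServiceVip"
}
if (-not (Test-NetConnection -ComputerName $FederationServiceName -Port 443).TcpTestSucceeded) {
    throw "TCP 443 to $FederationServiceName failed; check the Azure ACL on the AD FS endpoint"
}

# 6. Establish the proxy trust (the Web Application Proxy Configuration Wizard). The credential
#    is a local administrator on the AD FS servers; it is used once and not stored on the proxy.
$adfsAdmin = Get-Credential -Message 'Local administrator on the AD FS servers'
Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
                            -CertificateThumbprint $cert.Thumbprint `
                            -FederationServiceTrustCredential $adfsAdmin

# 7. Confirm the proxy is registered against the expected farm before moving on.
$cfg = Get-WebApplicationProxyConfiguration
if ($cfg.ADFSUrl -notmatch [regex]::Escape($FederationServiceName)) {
    throw "Proxy is configured for $($cfg.ADFSUrl), not $FederationServiceName"
}
$cfg | Format-List *
```

Run it in an elevated PowerShell session on each WAP server. Because every step checks its own result, the same script serves for the second proxy, and re-running it on a server that is already configured does no harm up to the trust step.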

Continue on to the rest of the series where we will add a second WAP server and then load balance the two.

 


Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications

If you read the earlier posts in the series, you will have noted that there are two methods for load balancing the AD FS servers. Because I am in an all-Azure environment, I chose method 2, an Azure load-balanced set on port 443 for AD FS. This post details how to set up Azure ACLs on that endpoint so that only the DMZ network (the WAP cloud service) can reach the production network, and everything else is denied.

This post needs the cloud service for the WAP servers created, with at least one WAP server deployed into it, so that the cloud service has a Public Virtual IP to permit. That has to be done before the WAP servers can be added as proxies for the AD FS servers. There is no clean way to blog this, so you will have to jump back and forth between this post and Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On to complete the task.

Assumptions:

  • Azure account is setup
  • Directory Sync is activated, setup and running
  • VPN connection set up from Azure to your on-premises network
  • Primary and Secondary AD FS servers are setup (see previous posts in this series)
  • The cloud service for the WAP servers is created.

 

The first thing that you need to do is gather the Public Virtual IP for the WAP cloud service.


 

 

Change ACLs to allow WAP access

 

Navigate to the Primary AD FS Server

Select Endpoints

Select HTTPS (or whatever you called the endpoint for AD FS)

Click Manage ACL


 

You will notice that the ACL list is empty, which means the endpoint is open to the entire internet. We need to lock down the AD FS load-balanced set while still letting the WAP servers through. We are going to create two rules: one Permit and one Deny.

 

The first rule will grant access from the WAP servers to the AD FS servers

Enter a description of the rule

Select Permit

Enter the public VIP of the WAP cloud service in CIDR format, with /32 at the end so that the rule matches that single address only.


 

Now that we have granted port 443 access to the WAP servers, we need to deny everyone else. Keep in mind that this ACL governs external traffic to the public endpoint only; internal users on the domain network still reach the AD FS servers directly. The permitted address is the WAP cloud service VIP because Azure source-NATs the WAP servers' outbound traffic to it.

 

Enter a description of the rule

Select Deny

Enter 0.0.0.0/0

This matches all remaining traffic and denies it


 

Click the complete checkmark

Azure will update the rules. Make sure the Permit rule is listed above the Deny rule: rules are evaluated in order and the first match wins, so a Deny-all evaluated first would lock out the WAP servers as well. There is no need to repeat this on the other AD FS servers, because the ACL applies to the load-balanced endpoint that they share.


 

 


Configure the AD FS Servers with Azure Load Balanced Set in Windows Azure for Office365 Single Sign-On

 

Assumptions:

  • Azure account is setup
  • Directory Sync is activated, setup and running
  • VPN connection set up from Azure to your on-premises network
  • Primary and Secondary AD FS servers are setup (see previous posts in this series)
  • WAP servers are deployed on a different network than the AD FS servers. If you are unsure, see this BLOG post.

 

Reference this TechNet Article – http://msdn.microsoft.com/en-us/library/azure/dn655055.aspx

 

 

Creating the Load Balanced Set on the Primary ADFS Server

 

Open Azure Management Portal

Click Virtual Machines

Click the Primary AD FS Server

Click Endpoints Tab

 

Click Add (+)

Select Add a Stand-alone Endpoint

Click Next

 

Configure as follows:

Name – HTTPS

Protocol – TCP

Public Port – 443

Private Port – 443

 

Select Create a Load-Balanced Set

Click Next

 

Configure as follows:

Load-Balanced Set Name – ADFS_SSL

Probe Protocol – TCP

Probe Port – 443

Probe Interval – 15 (seconds)

Number of Probes – 2

 

Click the complete check mark

 

The load balanced set is created

 

 

Adding the Second ADFS Server to the Load Balanced Set

 

Click the Secondary AD FS Server

Click Endpoints Tab

 

Click Add (+)

Select Add an Endpoint to an Existing Load Balanced Set

Select ADFS_SSL or whatever you called it

Click Next

 

Enter Name – ADFS_SSL

Click the complete checkmark

 

The endpoint will be reconfigured to load balance across the two AD FS servers.

 

At this point AD FS is load balanced. If you have more than two AD FS servers, keep adding them to the load-balanced endpoint.
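The portal steps above and the two-rule ACL in Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications can both be scripted with the Azure (Service Management) PowerShell module. The script below is an added example, not from either post: it puts both AD FS servers behind one load-balanced 443 endpoint with a TCP probe, then locks that endpoint down to the WAP cloud service VIP with a Permit /32 followed by a Deny 0.0.0.0/0, and reads the ACL back to confirm the order. The service, VM and set names and the probe timeout are placeholder assumptions.

```powershell
# Added example, not code from the original posts. Azure Service Management (classic) PowerShell
# equivalent of two portal procedures: the load-balanced 443 endpoint, and the endpoint ACL that
# permits only the WAP cloud service VIP. Sign in first (Add-AzureAccount / Select-AzureSubscription).
# The service, VM and set names below are placeholder assumptions.
$AdfsService  = 'ConceppsADFS'                      # cloud service holding the AD FS VMs
$AdfsVMs      = 'ConceppsADFS01', 'ConceppsADFS02'
$WapService   = 'ConceppsWAP'                       # cloud service holding the WAP VMs
$WapVM        = 'ConceppsWAP01'                     # any VM in it; we only need the service VIP
$LbSetName    = 'ADFS_SSL'
$EndpointName = 'HTTPS'

# (a) Load-balanced endpoint on each AD FS VM: TCP 443 -> 443, TCP probe on 443 every 15 s.
#     The portal's "Number of Probes = 2" corresponds to a timeout of about two intervals.
foreach ($vm in $AdfsVMs) {
    Get-AzureVM -ServiceName $AdfsService -Name $vm |
        Add-AzureEndpoint -Name $EndpointName -Protocol tcp -LocalPort 443 -PublicPort 443 `
                          -LBSetName $LbSetName -ProbeProtocol tcp -ProbePort 443 `
                          -ProbeIntervalInSeconds 15 -ProbeTimeoutInSeconds 31 |
        Update-AzureVM | Out-Null
}

# (b) Restrict the endpoint to the WAP cloud service VIP. Azure source-NATs the proxies'
#     outbound traffic to that VIP, so a single /32 covers every WAP server in the service.
$wapVip = (Get-AzureVM -ServiceName $WapService -Name $WapVM | Get-AzureEndpoint | Select-Object -First 1).Vip
if (-not $wapVip) { throw "No VIP found for $WapService; deploy a WAP VM with an endpoint first" }

$acl = New-AzureAclConfig
# Rules are evaluated by ascending Order and the first match wins: Permit must come before Deny.
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet "$wapVip/32" -Order 100 -Description 'WAP cloud service VIP'
Set-AzureAclConfig -AddRule -ACL $acl -Action Deny   -RemoteSubnet '0.0.0.0/0'   -Order 200 -Description 'Deny all other internet sources'

# The ACL belongs to the shared load-balanced endpoint, so one call covers every VM in the set.
Set-AzureLoadBalancedEndpoint -ServiceName $AdfsService -LBSetName $LbSetName -ACL $acl | Out-Null

# Verify from each VM's point of view: exactly these two rules, Permit first.
foreach ($vm in $AdfsVMs) {
    Get-AzureVM -ServiceName $AdfsService -Name $vm |
        Get-AzureAclConfig -EndpointName $EndpointName |
        Format-Table Order, Action, RemoteSubnet, Description -AutoSize
}
```

After the ACL is in place, a port scan of the AD FS VIP from anywhere other than the WAP cloud service should show 443 filtered, while the WAP servers' own Test-NetConnection to the farm name on 443 still succeeds.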

 


Load Balance the AD FS Servers in Windows Azure for Office365 Single Sign-On

Azure has two methods of load balancing services out of the box. Your needs and your company's security requirements decide which one to use. I have detailed both methods in the two blog posts below. Be sure to read the Microsoft links for the details of each before deciding what is best for your company.

 

 

Method 1 – Azure Internal Load Balancing (ILB)

 

 

Azure Internal Load Balancing (ILB) provides load balancing between virtual machines that reside inside of a cloud service or a virtual network with a regional scope

 

Configure the AD FS Servers in an Internal Load-Balanced Set in Windows Azure for Office365 Single Sign-On

 

With this method you have one virtual network with separate address spaces for the internal (10.0.0.0) and DMZ (172.16.0.0) tiers. It works because Azure routes between the address spaces of the same virtual network by default, which also means the DMZ tier can reach the internal tier on any port unless something else restricts it.

 

 

Method 2 – Azure Load Balanced Set

 

 

Azure load balanced set is layer 4 load balancing across the virtual machines of a cloud service

 

Configure the AD FS Servers with Azure Load Balanced Set in Windows Azure for Office365 Single Sign-On

 

With this method you have two separate networks in Azure, and rely on public endpoints and HOSTS files for the WAP servers to reach the AD FS farm. This is the more secure way to implement the solution, since the only path between the networks is the load-balanced endpoint, and access to it is controlled with Azure ACLs.

 

 


Configure the AD FS Servers in an Internal Load-Balanced Set in Windows Azure for Office365 Single Sign-On

 

Assumptions:

  • Azure account is setup
  • Directory Sync is activated, setup and running
  • VPN connection set up from Azure to your on-premises network
  • Primary and Secondary AD FS servers are setup (see previous posts in this series)
  • WAP servers are deployed on the same network, different subnet as the ADFS Servers. If you are unsure, see this BLOG post.

 

Reference this TechNet Article – http://msdn.microsoft.com/en-us/library/azure/dn690125.aspx

 

Connect to Windows Azure with PowerShell

If you have never connected to Windows Azure with PowerShell, the article below walks through installing the tools and signing in.

http://azure.microsoft.com/en-us/documentation/articles/install-configure-powershell/#Install

 

Open the Start Screen

Right Click Windows Azure PowerShell and Run as administrator

 

Click Yes to the UAC

 

Type Add-AzureAccount

Press Enter

 

Enter the email address used to log in to your Azure account

Click Continue

 

Enter the email address and password used to log in to your Azure account

Click Continue

 

Azure authenticates your account and then takes you back to the PowerShell window.

 

 

Create the Internal Load-Balanced Set Instance

Before we can continue, we need to gather some information. It populates the variables in the PowerShell command that creates the ILB instance.

 

Cloud Service Name – This was created prior to creating the first AD FS 3.0 Virtual Machine and can be found in the Azure Management Portal under Cloud Services

Internal Load-Balanced Instance Name – This is a name that is used to reference the ILB Set

Subnet Name – This was created when Azure Networking was created and can be found in the Azure Management Portal under Networking

IP Address for the Internal Load-Balanced Instance – a static address in the chosen subnet; if omitted, Azure assigns one, but a fixed address is what you will put in DNS

 

Set the variables in PowerShell

# Cloud service holding the AD FS VMs, a name for the ILB instance, the VNet subnet, and the static VIP
$svc    = "ConceppsADFS"
$ilb    = "ConceppsADFS-ILB"
$subnet = "Subnet-1"
$IP     = "10.0.0.8"

Execute the command in PowerShell

Add-AzureInternalLoadBalancer -ServiceName $svc -InternalLoadBalancerName $ilb -SubnetName $subnet -StaticVNetIPAddress $IP

 

 

Add End Points to the Internal Load-Balanced Set

Below is a script that sets the variables, creates an endpoint on each AD FS server in the ILB set and updates the virtual machines with the configuration. The -DefaultProbe switch uses the endpoint's own port (TCP 443) as the health probe, so a server whose AD FS service stops answering on 443 is taken out of rotation.

$svc     = "ConceppsADFS"
$ilb     = "ConceppsADFS-ILB"
$prot    = "tcp"
$locport = 443
$pubport = 443

# Endpoint name and VM name for the first AD FS server
$epname = "ADFS01"
$vmname = "ConceppsADFS01"

Get-AzureVM -ServiceName $svc -Name $vmname | Add-AzureEndpoint -Name $epname -LBSetName "ADFS-SSL" -Protocol $prot -LocalPort $locport -PublicPort $pubport -DefaultProbe -InternalLoadBalancerName $ilb | Update-AzureVM

# Same endpoint for the second AD FS server; repeat for any further farm members
$epname = "ADFS02"
$vmname = "ConceppsADFS02"

Get-AzureVM -ServiceName $svc -Name $vmname | Add-AzureEndpoint -Name $epname -LBSetName "ADFS-SSL" -Protocol $prot -LocalPort $locport -PublicPort $pubport -DefaultProbe -InternalLoadBalancerName $ilb | Update-AzureVM

 

 

Add DNS Record

Now that the farm is configured and the servers are load balanced, we need to ensure that clients reach them through the virtual IP of the Internal Load-Balanced Set rather than an individual server.

In the steps above we created an Internal Load-Balanced Set with the IP 10.0.0.8. We now need to create an A record in internal DNS named sts (the federation service name) that points at that VIP. In my case sts.office365supportlab.com points at 10.0.0.8.

 

Testing AD FS Sign-On

Open IE

Browse to the URL – https://sts.domain.com/adfs/ls/IdpInitiatedSignon.aspx

Click Sign in

 

 

Testing Server High Availability

Shut down the AD FS servers one at a time and check that you can still sign in with each server offline. This tests the loss of one server in the ILB set.
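The manual failover test above is worth scripting so that it can be repeated after every change to the farm. The following PowerShell script is an added example, not from the original post: it checks that the farm name resolves to the ILB VIP, then stops each AD FS VM in turn (keeping it provisioned so that its IP and endpoints survive), confirms the sign-on page still answers through the ILB, and brings the node back before failing the next one. Names and addresses are the ones used above and are assumptions for your environment.

```powershell
# Added example, not code from the original post. Fails each AD FS node in turn behind the
# internal load balancer and checks the farm still answers on the ILB name. Run from a
# domain-joined machine with the Azure module signed in (Add-AzureAccount). Names and the
# address are the ones used in this post; adjust them for your farm.
$Service   = 'ConceppsADFS'
$AdfsVMs   = 'ConceppsADFS01', 'ConceppsADFS02'
$FarmName  = 'sts.office365supportlab.com'
$IlbIp     = '10.0.0.8'
$SignOnUrl = "https://$FarmName/adfs/ls/IdpInitiatedSignon.aspx"

function Test-AdfsFarm {
    # HTTP 200 with AD FS content counts as healthy; a timeout or 5xx counts as a failure.
    try {
        $r = Invoke-WebRequest -Uri $SignOnUrl -UseBasicParsing -TimeoutSec 15
        return ($r.StatusCode -eq 200 -and $r.Content -match 'adfs')
    } catch { return $false }
}

# 1. DNS must point at the ILB VIP, not at an individual node, or the test proves nothing.
$addrs = (Resolve-DnsName -Name $FarmName -Type A).IPAddress
if ($addrs -notcontains $IlbIp) { throw "$FarmName resolves to $addrs, expected ILB $IlbIp" }
if (-not (Test-AdfsFarm)) { throw 'Farm is not answering with all nodes up; fix that before failover testing' }

# 2. Take each node down in turn and confirm the ILB probe moves traffic to the survivor.
foreach ($vm in $AdfsVMs) {
    Write-Host "Stopping $vm ..."
    # -StayProvisioned keeps the VM's IP and endpoints, which is the failure mode being tested.
    Stop-AzureVM -ServiceName $Service -Name $vm -StayProvisioned -Force | Out-Null
    Start-Sleep -Seconds 45          # longer than probe interval x count, so the node is marked down
    $ok = Test-AdfsFarm
    Write-Host ("{0} down -> farm {1}" -f $vm, $(if ($ok) { 'OK' } else { 'FAILED' }))
    Start-AzureVM -ServiceName $Service -Name $vm | Out-Null
    # Wait until the node is back before failing the next one, otherwise both are down at once.
    do { Start-Sleep -Seconds 15 } until ((Get-AzureVM -ServiceName $Service -Name $vm).InstanceStatus -eq 'ReadyRole')
    if (-not $ok) { throw "Farm unavailable while $vm was down; check the ILB endpoint on the other node" }
}
Write-Host 'Failover test passed for every node.'
```

The 45-second pause is tied to the probe settings: with the default probe the load balancer needs a few missed probes before it stops sending traffic to a node, so a check made immediately after the stop can fail even on a correctly configured set.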

 

We are now setup with a highly available AD FS solution for all internal users. Continue on with the series to setup the Web Application Proxies (AD FS Proxy) so that the external users have access.


Migrating AD FS 2.0 to AD FS 3.0 for Office365 Single Sign-On

I have been getting quite a few requests for a BLOG post detailing the process of migrating a legacy AD FS infrastructure to AD FS 3.0 (released with Windows Server 2012 R2). The step-by-step below details one method.

 

Migration Paths

There are a couple of different paths for migrating from AD FS 2.0 to AD FS 3.0. The one detailed below is a parallel install: export the AD FS 2.0 configuration and import it into a new AD FS 3.0 farm. There are other ways to do this, but I prefer this one because you can build the whole AD FS 3.0 solution, test it end to end, and then cut over by updating DNS, with no user impact. Please see the Microsoft links below for all supported methods. This method only works if AD FS 2.0 is in a farm configuration; if it is not, you must do a manual migration (see the second link).

http://technet.microsoft.com/en-us/library/dn486815.aspx

http://technet.microsoft.com/en-us/library/dn486787.aspx

 

Assumptions

  1. Base build new AD FS 3.0 server with Windows Server 2012 R2
  2. Add server to the local domain
  3. Export SSL certificate on AD FS 2.0 server (with private key)
  4. AD FS service account and password that was used to deploy AD FS 2.0
  5. Directory Sync is running

 

Import SSL Certificate

 

***NOTE*** It’s very important to use the same SSL certificate as you used in your AD FS 2.0 deployment.

***NOTE*** Microsoft recommends that you go to the AD FS 2.0 server and export the SSL certificate (with private key) to be sure that it’s the same one

 

I assume that you have exported the SSL certificate and this is the procedure on how to import it.

Open the Start Screen


Type MMC

 Click the MMC app


MMC opens


Click File

Click Add/Remove Snap-in

Select Certificates

Click Add>


Select Computer Account

Click Next


Select Local Computer

Click Finish


Click OK


Expand Certificates

Expand Personal

Right Click Certificates

Select Import


Select Local Machine

Click Next


Browse to the Exported Certificate

Click Next


Enter Password

Mark the key as exportable

Click Next


Place in the Personal certificate store

Click Next


Click Finish


Successful


 

 

Install AD FS Role on Windows Server 2012 R2

 

Login to the AD FS 3.0 Server

Open Server Manager

Click Local Server

Click Manage

Click Add Roles and Features

 

Click Next

 

Click Next

 

Click Next

 

Select Active Directory Federation Services

Click Next

 

Click Next

 

Click Next

 

Click Install

Installation starts

 

Installation completed. Don't close the wizard; continue to the next step

 

 

Configure AD FS 3.0

 

Click Configure the federation service on this server

 

Select Create the first federation server in a federation farm

Click Next

 

Use an account with Domain Admin rights to perform the install. Note that this is not the AD FS service account; that comes later in the setup.

Click Next

 

Select the certificate that we imported in the previous step. WARNING – This MUST be the same SSL certificate used in the AD FS 2.0 farm

Enter the Federation Service Display Name. WARNING – This MUST match the AD FS 2.0 Farm Name

Click Next

 

Specify the AD FS Service Account. WARNING – This has to be the same AD FS Service account that is used in the AD FS 2.0 farm. No exceptions

Enter Password

Click Next

 

Select the default (Windows Internal Database), unless you want to use SQL Server; in that case do not point the new farm at the AD FS 2.0 farm's database.

Click Next

 

Click Next

 

Click Configure

 

Configuration started

 

Configuration Finished

 

If you open AD FS Management at this point, you will notice that the Relying Party Trusts list does not yet include Office 365. The export and import below bring it across.

 

 

Export the AD FS 2.0 Configuration

 

Login to the AD FS 2.0 Server

Insert or mount the Windows Server 2012 R2 DVD into the server

Run PowerShell as Administrator

Navigate to \support\adfs on the Windows Server 2012 R2 DVD

Execute the Script

.\export-federationconfiguration.ps1 -path C:\adfs_export

This exports the AD FS 2.0 configuration into a folder called adfs_export on the root of the C: drive.

Export completed

Copy the ADFS_Export folder to Windows Server 2012 R2 AD FS Server

Import the AD FS Configuration to AD FS 3.0

Login to the AD FS 3.0 Server

Open PowerShell as an Administrator

Navigate to \support\adfs on the Windows Server 2012 R2 DVD

Execute the Import-FederationConfiguration.ps1 script with the path parameter to the exported contents of the AD FS 2.0 configuration

.\import-federationconfiguration.ps1 -path C:\ADFS_Export

    

Import started

Note the warning that the import removes all existing claims provider trusts and relying party trusts on the target server, so make sure you are on the new AD FS 3.0 server and not on the AD FS 2.0 farm.

Imported successfully

Verify the Import in AD FS Management

Testing Single Sign-On

 

From a domain-joined PC, edit the HOSTS file so that the federation service name (sts.DOMAIN.com) resolves to the IP address of the new AD FS 3.0 server. Internal DNS still points at the AD FS 2.0 farm, so this is how you reach the new farm for testing.

 

Navigate to the IDP Initiated Sign-on page – https://sts.DOMAIN.com/adfs/ls/IdpInitiatedSignon.aspx . You can tell right away that this is the AD FS 3.0 server by the way the web page looks.

Test signing in

 

Once this is completed, then you can test logging into the Microsoft Office365 Portal.
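The post stresses that the SSL certificate must be the one from the AD FS 2.0 farm; the other thing that has to carry over for a transparent cutover is the token-signing certificate that Office 365 already trusts for the domain, which the export and import bring across with the rest of the configuration. Both can be checked from the outside before DNS is touched. The following PowerShell script is an added example, not from the original post: run it on the test PC whose HOSTS file points the farm name at the new AD FS 3.0 server, and it pulls the TLS certificate the server presents and the signing certificates advertised in its published federation metadata, then compares their thumbprints with values you capture on the AD FS 2.0 farm (Get-ADFSCertificate -CertificateType Token-Signing there, and the thumbprint of the SSL certificate you exported). The farm name and the two expected thumbprints are placeholders.

```powershell
# Added example, not code from the original post. Run on the test PC whose HOSTS file points
# the farm name at the new AD FS 3.0 server. Compares what that server presents (TLS cert and
# the signing certs in its federation metadata) with thumbprints captured on the AD FS 2.0 farm.
# All three values below are placeholder assumptions.
$FarmName              = 'sts.DOMAIN.com'
$ExpectedSslThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # SSL cert exported from the 2.0 farm
$ExpectedSigningThumb  = '89ABCDEF0123456789ABCDEF0123456789ABCDEF'   # Get-ADFSCertificate -CertificateType Token-Signing

function Get-RemoteTlsCertificate([string]$HostName, [int]$Port = 443) {
    # Opens a TLS session and returns the leaf certificate the server presents.
    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    try {
        # Accept any chain here: we want to read the certificate even if this PC does not trust it yet.
        $accept = { param($s, $c, $ch, $e) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $stream = $tcp.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList @($stream, $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally { $tcp.Close() }
}

function Get-MetadataSigningThumbprints([string]$HostName) {
    # Downloads the published federation metadata and returns the thumbprint of every
    # certificate it advertises for token signing.
    $md = New-Object System.Xml.XmlDocument
    $md.Load("https://$HostName/FederationMetadata/2007-06/FederationMetadata.xml")
    $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $md.NameTable
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $xpath = '//md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
    $md.SelectNodes($xpath, $ns) | ForEach-Object {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
        $cert.Import([Convert]::FromBase64String($_.InnerText.Trim()))
        $cert.Thumbprint
    } | Sort-Object -Unique
}

# 1. Show which address the HOSTS entry is sending us to.
$target = [System.Net.Dns]::GetHostAddresses($FarmName) | ForEach-Object IPAddressToString
Write-Host "$FarmName resolves to $target (should be the new AD FS 3.0 server)"

# 2. SSL certificate must be the one exported from the AD FS 2.0 farm.
$ssl = Get-RemoteTlsCertificate -HostName $FarmName
if ($ssl.Thumbprint -ne $ExpectedSslThumbprint) {
    throw "TLS certificate is $($ssl.Thumbprint) ($($ssl.Subject)); expected $ExpectedSslThumbprint"
}

# 3. Token-signing certificate must be one Office 365 already trusts for this domain.
$signing = Get-MetadataSigningThumbprints -HostName $FarmName
if ($signing -notcontains $ExpectedSigningThumb) {
    throw "New farm advertises signing cert(s) $($signing -join ', '); expected $ExpectedSigningThumb. Office 365 would reject its tokens after cutover."
}

# 4. The sign-on page itself must load (the visual check in the post, automated).
$page = Invoke-WebRequest -Uri "https://$FarmName/adfs/ls/IdpInitiatedSignon.aspx" -UseBasicParsing
if ($page.StatusCode -ne 200) { throw "IdpInitiatedSignon returned HTTP $($page.StatusCode)" }
Write-Host 'SSL and token-signing certificates match the AD FS 2.0 farm; safe to cut DNS over.'
```

Run the same script again after the DNS change, from a PC without the HOSTS entry, and it confirms that the public name now lands on the new farm with the same certificates.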

 

Adding Redundancy and WAP Servers

Keep in mind that when you add more AD FS servers to the farm, or add the Web Application Proxy servers (AD FS proxy servers), you add them directly to the new farm; there is no need to repeat the export and import once the first AD FS 3.0 server is in place. Also note that if DNS has not yet been changed to point at the new farm, you will most likely need HOSTS entries on the new servers so that they join the new farm rather than the old one, because internal DNS still resolves the farm name to AD FS 2.0.

 

Production Cut Over

When the AD FS 3.0 solution is complete and tested, update internal and external DNS to point the federation service name at the new AD FS 3.0 farm, and remove the HOSTS entries that were used for testing.

 
