Category Archives: Windows Azure

Migrating AD FS 2.0 to AD FS 3.0 for Office365 Single Sign-On

I’ve been getting quite a few requests to write a BLOG post that details the process of migrating your legacy AD FS infrastructure to AD FS 3.0 (released with Windows Server 2012 R2). The step-by-step below details one method.

 

Migration Paths

There are a couple of different paths when migrating AD FS from version 2.0 to AD FS 3.0. The one that I am going to detail below is a parallel install: export the AD FS 2.0 configuration and import it into AD FS 3.0. There are other methods of completing this task, but I prefer this one because you can build the whole AD FS 3.0 solution, test it end to end, and then cut over to it by updating DNS. There is no user impact. Please visit this Microsoft site for all the supported methods. This method only works if AD FS 2.0 is in a farm configuration. If you are not in a farm configuration, you must do a manual migration. See the links below.

http://technet.microsoft.com/en-us/library/dn486815.aspx

http://technet.microsoft.com/en-us/library/dn486787.aspx

 

Assumptions

  1. Base build new AD FS 3.0 server with Windows Server 2012 R2
  2. Add server to the local domain
  3. Export SSL certificate on AD FS 2.0 server (with private key)
  4. AD FS service account and password that was used to deploy AD FS 2.0
  5. Directory Sync is running

 

Import SSL Certificate

 

***NOTE*** It’s very important to use the same SSL certificate that you used in your AD FS 2.0 deployment.

***NOTE*** Microsoft recommends that you go to the AD FS 2.0 server and export the SSL certificate (with private key) to be sure that it’s the same one.

 

I assume that you have already exported the SSL certificate; this is the procedure for importing it.

Open the Start Screen


Type MMC

 Click the MMC app


MMC opens


Click File

Click Add/Remove Snap-in

Select Certificates

Click Add>


Select Computer Account

Click Next


Select Local Computer

Click Finish


Click OK


Expand Certificates

Expand Personal

Right Click Certificates

Select Import


Select Local Machine

Click Next


Browse to the Exported Certificate

Click Next


Enter Password

Mark the key as exportable

Click Next


Place in the Personal certificate store

Click Next


Click Finish


Successful


 

 

Install AD FS Role on Windows Server 2012 R2

 

Login to the AD FS 3.0 Server

Open Server Manager

Click Local Server

Click Manage

Click Add Roles and Features

 

Click Next

 

Click Next

 

Click Next

 

Select Active Directory Federation Services

Click Next

 

Click Next

 

Click Next

 

Click Install

Installation starts

 

Install completed. Don’t close the wizard; continue to the next step.

 

 

Configure AD FS 3.0

 

Click Configure the federation service on this server

 

Select Create the first federation server in a federation farm

Click Next

 

Use an account with Domain Admin rights to perform the install. Please note that this is not the service account. That comes later in the setup.

Click Next

 

Select the certificate that we imported in the previous step. WARNING – This MUST be the same SSL certificate used in the AD FS 2.0 farm.

Enter the Federation Service Display Name. WARNING – This MUST match the AD FS 2.0 farm name.

Click Next

 

Specify the AD FS Service Account. WARNING – This has to be the same AD FS service account that is used in the AD FS 2.0 farm. No exceptions.

Enter Password

Click Next

 

Select the default (Windows Internal Database) – unless you want to use SQL, but don’t use the same database as the AD FS 2.0 farm.

Click Next

 

Click Next

 

Click Configure

 

Configuration started

 

Configuration Finished

 

If you navigate to AD FS Management, you will notice that the Relying Party Trusts do not yet include Office365.
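The three WARNINGs in the wizard (same federation service name, same SSL certificate, same service account) are easy to get wrong and only show up as broken sign-on later. This added script, not part of the original post, captures those facts on a server so you can run it once on the AD FS 2.0 server and once on the new AD FS 3.0 server and compare the two captures; the output path is an assumption.

```powershell
# Added example (not from the original post): record the federation service name, SSL
# certificate thumbprint and service account on this AD FS server so the AD FS 2.0 and
# AD FS 3.0 captures can be compared before the import and the DNS cutover.
param([string]$OutFile = "C:\adfs_identity_$env:COMPUTERNAME.xml")   # assumed path

# AD FS 2.0 ships its cmdlets as a PowerShell snap-in, AD FS 3.0 as a module.
if (Get-Module -ListAvailable -Name ADFS) { Import-Module ADFS }
else { Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop }

$props = Get-ADFSProperties
$svc   = Get-WmiObject Win32_Service -Filter "Name='adfssrv'"
# Service-Communications is the certificate AD FS presents for HTTPS on port 443.
$ssl   = Get-ADFSCertificate -CertificateType Service-Communications | Select-Object -First 1

$identity = New-Object PSObject -Property @{
    Computer           = $env:COMPUTERNAME
    FederationHostName = $props.HostName      # must match the AD FS 2.0 farm name
    DisplayName        = $props.DisplayName   # the display name entered in the wizard
    ServiceAccount     = $svc.StartName       # must be the same AD FS service account
    SslThumbprint      = $ssl.Thumbprint      # must be the same SSL certificate
}
# Export-Clixml works on the PowerShell 2.0 that an AD FS 2.0 server may still run.
$identity | Export-Clixml -Path $OutFile
$identity

# Compare the two captures (copy the AD FS 2.0 file to the new server first).
function Compare-AdfsIdentity([string]$OldFile, [string]$NewFile) {
    $old = Import-Clixml $OldFile
    $new = Import-Clixml $NewFile
    foreach ($k in 'FederationHostName', 'ServiceAccount', 'SslThumbprint') {
        $status = if ($old.$k -eq $new.$k) { 'OK' } else { 'MISMATCH' }
        "{0,-20} {1,-9} ADFS2.0={2}  ADFS3.0={3}" -f $k, $status, $old.$k, $new.$k
    }
}
# Example call: Compare-AdfsIdentity C:\adfs_identity_ADFS20.xml C:\adfs_identity_ADFS30.xml
```

Any MISMATCH line means the wizard should be re-run before you export and import the configuration.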

 

 

Export the AD FS 2.0 Configuration

 

Login to the AD FS 2.0 Server

Insert or mount the Windows Server 2012 R2 DVD into the server

Run PowerShell as Administrator

Navigate to \support\adfs on the Windows Server 2012 R2 DVD

Execute the Script

.\export-federationconfiguration.ps1 -Path C:\adfs_export

This will export the AD FS 2.0 configuration into a folder called adfs_export on the root of the C: drive.

Export completed

Copy the ADFS_Export folder to the Windows Server 2012 R2 AD FS server.

Import the AD FS Configuration to AD FS 3.0

Login to the AD FS 3.0 Server

Open PowerShell as an Administrator

Navigate to \support\adfs on the Windows Server 2012 R2 DVD

Execute the Import-FederationConfiguration.ps1 script with the -Path parameter pointing to the exported contents of the AD FS 2.0 configuration.

.\import-federationconfiguration.ps1 -Path C:\ADFS_Export

Import started

Note the warning that this will remove all existing claims provider trusts and relying party trusts on the target server, so make sure that you are on the right server.

Imported successfully

Verify the Import in AD FS Management

Testing Single Sign-On

 

From a PC connected to the domain, edit the hosts file and add an entry that points the AD FS 3.0 federation farm name at the IP address of the AD FS 3.0 server.

 

Navigate to the IdP-initiated sign-on page – https://sts.DOMAIN.com/adfs/ls/IdpInitiatedSignon.aspx. You can tell right away that this is the AD FS 3.0 server by the way the web page looks.

Test signing in

 

Once this is completed, then you can test logging into the Microsoft Office365 Portal.
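Before relying on the hosts-file test above, it is worth confirming that the host at the new server’s IP really presents the farm’s SSL certificate for the federation name, and that the page you reach is the AD FS 3.0 one rather than the 2.0 farm that internal DNS still points at. This added script, not part of the original post, does both from the test PC; the farm name, IP and thumbprint are placeholders you replace.

```powershell
# Added example (not from the original post): verify the new AD FS 3.0 server from the test PC.
param(
    [string]$FederationName     = 'sts.DOMAIN.com',                              # assumed
    [string]$NewServerIp        = '10.0.0.10',                                   # assumed
    [string]$ExpectedThumbprint = 'THUMBPRINT-OF-THE-AD-FS-2.0-SSL-CERTIFICATE'  # assumed
)

# TLS handshake straight to the new server's IP, sending the farm name as SNI, and
# return the thumbprint of whatever certificate it presents.
function Get-TlsCertThumbprint([string]$Ip, [string]$SniName) {
    $tcp = New-Object System.Net.Sockets.TcpClient($Ip, 443)
    try {
        # Accept any certificate during the handshake: we only want to inspect it here.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($SniName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $cert.Thumbprint
    } finally { $tcp.Close() }
}

$actual = Get-TlsCertThumbprint -Ip $NewServerIp -SniName $FederationName
if ($actual -ne $ExpectedThumbprint) {
    Write-Warning "$NewServerIp presented certificate $actual, expected $ExpectedThumbprint"
} else {
    "SSL certificate on $NewServerIp matches the AD FS 2.0 farm certificate"
}

# The hosts entry must now send the farm name to the new server, not to the 2.0 farm.
$resolved = [System.Net.Dns]::GetHostAddresses($FederationName) | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $NewServerIp) {
    Write-Warning "$FederationName resolves to $($resolved -join ', '), not $NewServerIp; check the hosts file"
}

# Fetch the IdP-initiated sign-on page. The AD FS 3.0 default theme references resources
# under /adfs/portal/, which the AD FS 2.0 ASP.NET pages do not use.
$url  = "https://$FederationName/adfs/ls/IdpInitiatedSignon.aspx"
$page = Invoke-WebRequest -Uri $url -UseBasicParsing
if ($page.StatusCode -eq 200 -and $page.Content -match '/adfs/portal/') {
    "Reached the AD FS 3.0 sign-on page at $url"
} else {
    Write-Warning "HTTP $($page.StatusCode) from $url does not look like the AD FS 3.0 sign-on page"
}
```

Invoke-WebRequest still validates the certificate chain normally, so a failure there is itself a useful signal that the PC does not trust the certificate the new farm is serving.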

 

Adding Redundancy and WAP Servers

Keep in mind that when you add more AD FS servers to the farm, or add the Web Application Proxy servers (AD FS proxy servers) to this new farm, you add them directly to the farm. There is no need to repeat the process above once the first AD FS 3.0 server is set up in the new farm. Also note that if you have not yet changed DNS to point at the new farm, you will most likely need hosts file entries on the new servers to make sure that you are joining the new farm, since internal DNS still points to the AD FS 2.0 farm.

 

Production Cut Over

When the AD FS 3.0 solution has been completed, update internal and external DNS to point at the new AD FS 3.0 farm.

 

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps Office365 MVP

Technical Consultant

Concepps Group


Setting up the Secondary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On

Now that we have the first AD FS server set up and federated with Office365, we can add more servers to the AD FS farm. This process can be repeated on one or many more servers, depending on the number of servers you need in the AD FS farm to support the load from your user base.

Assumptions:

  • Azure account is setup
  • Directory Sync is activated, setup and running
  • Valid SSL certificate is available (with private key)
  • VPN connection setup from Azure to your on-premise network
  • Primary AD FS server is setup (see previous post in this series)

 

Setting up the Virtual Machine in Windows Azure

 

Click New -> Compute -> Virtual Machine -> From Gallery

 

Select Windows Server 2012 R2 Datacenter

Click Next

 

Enter the Virtual Machine Name

Select the Tier

Select the Size

Click Next

 

Choose the Cloud Service that the first AD FS Server is installed in (setup earlier in the BLOG series)

Verify Subnet

Choose the Availability Set that was created when we provisioned the first AD FS server

Click Next

 

Click Next

Wait for the Virtual Machine to be provisioned and then continue

 

Connect to the Virtual Machine over RDP

 

Add the Virtual Machine to the Domain

 

Installing the AD FS 3.0 Role on the Virtual Machine and Importing the SSL Certificate

Please reference this BLOG post on how to install the AD FS 3.0 Role on the virtual machine and then import the SSL certificate

Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On

 

Adding the Secondary AD FS 3.0 Server to the AD FS Farm

 

Open Server Manager

Select AD FS

Click More where it says Configuration required for Active Directory Federation Servers at…

 

Click the Configure the federation service… action on the Post-Deployment Configuration

 

Select Add a federation server to a federation server farm

Click Next

 

Enter credentials for a user that has domain administrator permissions. This account is used to complete the install; it is not used as the AD FS service account.

Click Next

 

Specify the Primary Federation Server

Click Next

 

Select the SSL certificate that was imported earlier (the same certificate that was installed on the primary AD FS server)

*** Note *** Since I am using a multi-name certificate, the name of the certificate does not match my AD FS farm name. In production I always recommend that you use a single-name certificate to keep things simple. If that’s the case, then the certificate name should match the AD FS farm name, e.g. sts.domain.com.

Click Next

 

Select the AD FS service account (the same account that was used in the setup of the primary AD FS server in the farm)

Enter the password

Click Next

 

Click Next

 

When the prerequisite checks have completed

Click Configure

 

Success

 

We now have a two-node AD FS server farm set up in Windows Azure. Keep in mind that you have to continue to the next post to set up load balancing for the servers.

 

My BLOG Series

Deploying a Highly Available AD FS 3.0 Solution in Windows Azure for Single Sign-on with Office365

  1. Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
  2. Setting up the Secondary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
    1. Configure the AD FS Servers in an Internal Load-Balanced Set in Windows Azure for Office365 Single Sign-On
    2. Configure the AD FS Servers with Azure Load Balanced Set in Windows Azure for Office365 Single Sign-On
  3. Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications
  4. Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
  5. Setting up the Second Web Application Proxy Server (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
  6. Configure Endpoints and Test the Web Application Proxy Servers (Load-Balanced Set in Windows Azure) for Office365 Single Sign-On


Deploying a Highly Available AD FS 3.0 Solution in Windows Azure for Single Sign-on with Office365

With a larger push from companies to migrate to the cloud, I have been asked to put together a BLOG series on how to deploy a Single Sign-On solution for Office365 into Windows Azure.

The next series of posts are a step-by-step series on how to deploy a highly available AD FS 3.0 solution in Windows Azure for single sign-on with Office365. The posts detail the process of setting up Windows Azure for this purpose, deploying the servers, configuring AD FS 3.0, configuring the Web Application Proxies (AD FS proxy servers) and then making the whole thing load balanced.

There are a number of considerations that you need to make before deploying this solution. Please read and educate yourself using this TechNet article.

http://technet.microsoft.com/en-us/library/dn509537.aspx



Connecting to Office365 with PowerShell

The Microsoft Online Services Sign-In Assistant 7.0 is a prerequisite for installing the Microsoft Online Services Module for Windows PowerShell. Use the links below to download the installer.

Once you have the Microsoft Online Services Sign-In Assistant 7.0 installed, now you can install the PowerShell Module. Use the links below to install.

Once you have those two pieces installed, open the Windows Azure AD Module for PowerShell as an administrator.

Enter the following commands

$cred = Get-Credential

(Enter Credentials)

Connect-MsolService -credential $cred

 

If you are looking to connect to Exchange Online use the following process.

$Cred = Get-Credential

(Enter Credentials)

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Cred -Authentication Basic -AllowRedirection

Import-PSSession $Session

 

When completed, use the following command to close the connection to Exchange Online.

Remove-PSSession $Session
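Once Connect-MsolService works, the most useful thing to check after an AD FS migration is that what Office365 trusts for your federated domain (issuer, passive sign-on endpoint and token-signing certificate) still matches the farm that now answers for it. This added script, not part of the original post, does that comparison; it assumes the MSOnline module is installed on an AD FS 3.0 server, and the domain name is a placeholder.

```powershell
# Added example (not from the original post): compare the federation settings Office365
# holds for a domain with the local AD FS 3.0 farm. Run on an AD FS server that also
# has the Windows Azure AD Module installed.
param([string]$DomainName = 'DOMAIN.com')   # assumed placeholder

Import-Module ADFS
$cred = Get-Credential
Connect-MsolService -Credential $cred

$cloud = Get-MsolDomainFederationSettings -DomainName $DomainName

# Office365 returns the signing certificate as base64 DER; build an X509 object to get its thumbprint.
$bytes     = [Convert]::FromBase64String($cloud.SigningCertificate)
$cloudCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)

$localCert = Get-AdfsCertificate -CertificateType Token-Signing |
             Where-Object { $_.IsPrimary } | Select-Object -First 1
$props        = Get-AdfsProperties
$localPassive = "https://$($props.HostName)/adfs/ls/"

$checks = @(
    @{ Name = 'IssuerUri';              Cloud = $cloud.IssuerUri;       Local = $props.Identifier },
    @{ Name = 'PassiveLogOnUri';        Cloud = $cloud.PassiveLogOnUri; Local = $localPassive },
    @{ Name = 'TokenSigningThumbprint'; Cloud = $cloudCert.Thumbprint;  Local = $localCert.Thumbprint }
)
foreach ($c in $checks) {
    $status = if ($c.Cloud -eq $c.Local) { 'OK' } else { 'MISMATCH' }
    "{0,-24} {1,-9} Office365={2}  ADFS={3}" -f $c.Name, $status, $c.Cloud, $c.Local
}
# A thumbprint MISMATCH means Office365 will reject tokens signed by this farm until its
# federation settings are refreshed (Update-MsolFederatedDomain); a URI mismatch means
# Office365 is sending sign-on requests somewhere other than this farm.
```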

 
