Setting up the Secondary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On

Now that we have the first AD FS server set up and federated with Office365, we can add more servers to the AD FS farm. This process can be repeated on as many servers as you need in the AD FS farm to support the load from your user base.

Assumptions:

  • Azure account is set up
  • Directory Sync is activated, set up and running
  • Valid SSL certificate is available (with private key)
  • VPN connection is set up from Azure to your on-premises network
  • Primary AD FS server is set up (see the previous post in this series)

Setting up the Virtual Machine in Windows Azure

Click New -> Compute -> Virtual Machine -> From Gallery

Select Windows Server 2012 R2 Datacenter

Click Next

Enter the Virtual Machine Name

Select the Tier

Select the Size

Click Next

Choose the Cloud Service that the first AD FS Server is installed in (set up earlier in the BLOG series)

Verify Subnet

Choose the Availability Set that was created when we provisioned the first AD FS server

Click Next

Click Next

Wait for the Virtual Machine to be provisioned and then continue

Connect to the Virtual Machine over RDP

Add the Virtual Machine to the Domain

Installing the AD FS 3.0 Role on the Virtual Machine and Importing the SSL Certificate

Please refer to this BLOG post for how to install the AD FS 3.0 Role on the virtual machine and then import the SSL certificate:

Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On

Adding the Secondary AD FS 3.0 Server to the AD FS Farm

Open Server Manager

Select AD FS

Click More where it says Configuration required for Active Directory Federation Servers at…

Click the Configure the federation service… action under Post-Deployment Configuration

Select Add a federation server to a federation server farm

Click Next

Enter credentials for a user that has domain administrator permissions. This account is used only to complete the install; it is not used as the AD FS service account

Click Next

Specify the Primary Federation Server

Click Next

Select the SSL certificate that was imported earlier (the same certificate that was installed on the primary AD FS server)

*** Note *** Since I am using a multi-name certificate, the name of the certificate does not match my AD FS farm name. In production I always recommend that you use a single-name certificate to keep things simple. In that case the certificate name should match the AD FS farm name, e.g. sts.domain.com

Click Next

Select the AD FS service account (the same account that was used in the setup of the primary AD FS server in the farm)

Enter the password

Click Next

Click Next

When the prerequisite checks have completed

Click Configure

Success

We now have a two-node AD FS server farm set up in Windows Azure. Keep in mind that you have to continue to the next post to set up load balancing for the servers.
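The wizard steps above can also be run from PowerShell on the new server, which is handy when you are adding several nodes. The following is an added example and is not code from the original post; it assumes the ADFS module that ships with the AD FS role on Windows Server 2012 R2, and the primary server name adfs01.corp.example.com, farm name sts.domain.com and service account CORP\svc_adfs are placeholders for your own values.

```powershell
# Added example (not from the original post): PowerShell equivalent of the
# "Add a federation server to a federation server farm" wizard on AD FS 3.0.
Import-Module ADFS

$primary     = 'adfs01.corp.example.com'   # placeholder: primary AD FS server in the farm
$farmName    = 'sts.domain.com'            # placeholder: farm name used on the primary
$serviceAcct = 'CORP\svc_adfs'             # placeholder: same service account as the primary

# Find the SSL certificate imported earlier. With a multi-name (SAN) certificate the
# Subject may not equal the farm name, so match on the DNS name list (exposed by the
# Cert: provider in PowerShell 4.0) and require a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $farmName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $farmName in LocalMachine\My" }

# Two different credentials, as in the wizard: a domain admin used only to run the
# join, and the AD FS service account the service will run as afterwards.
$installCred = Get-Credential -Message 'Domain admin account (used only for setup)'
$serviceCred = Get-Credential -UserName $serviceAcct -Message 'AD FS service account password'

Add-AdfsFarmNode -PrimaryComputerName $primary `
                 -CertificateThumbprint $cert.Thumbprint `
                 -ServiceAccountCredential $serviceCred `
                 -Credential $installCred

# Verify the node joined as a secondary and has synced configuration from the primary.
$sync = Get-AdfsSyncProperties
$sync | Format-List Role, PrimaryComputerName, LastSyncStatus, LastSyncTime
if ($sync.Role -ne 'SecondaryComputer') { throw "Expected SecondaryComputer, got $($sync.Role)" }
```

Run the script in an elevated PowerShell session on the secondary server after the AD FS role is installed and the certificate is imported.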

My BLOG Series

Deploying a Highly Available AD FS 3.0 Solution in Windows Azure for Single Sign-on with Office365

  1. Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
  2. Setting up the Secondary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
    1. Configure the AD FS Servers in an Internal Load-Balanced Set in Windows Azure for Office365 Single Sign-On
    2. Configure the AD FS Servers with Azure Load Balanced Set in Windows Azure for Office365 Single Sign-On
  3. Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications
  4. Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
  5. Setting up the Second Web Application Proxy Server (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
  6. Configure Endpoints and Test the Web Application Proxy Servers (Load-Balanced Set in Windows Azure) for Office365 Single Sign-On

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps Office365 MVP

Technical Consultant

Concepps Group


2 thoughts on “Setting up the Secondary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On”

  1. DRN

    I have set up a secondary ADFS server but am having issues with “linking” it to a WAP.

    The error message “An error occurred when attempting to establish a trust relationship with the federation service. Error: Unauthorized. Verify that the service account has administrative access on the target Federation Server.” appears.

    The account and password used are correct. Is it possible to link or connect a WAP to a secondary ADFS server?

    1. Kelsey Epps (Post author)

      Sounds like there is a DNS or firewall issue. Run some testing to narrow down the issue. Use telnet and try to connect to the hostname, NLB hostname, host IP and NLB host IP, all over 443. If you can make a connection then the firewall is open; if you cannot, then the firewall is the issue.

