My latest project for my current employer was to integrate office 365 for all pupils for single sign-on using active directory.
So, in this guide i will go through step by step configuration of Active Directory Federation Services (ADFS) for use with Office 365.
Configure Office 365
The first thing we need is the domain name setting up on 365, log into your Office 365 account and go into the Domains area. Click Add a domain link to add your domain.
- Enter the domain that you want to Federate and click the Check Domain button.
- You will then be asked to confirm the domain details.
- Next step
- Finally you be given instructions on how to create a TXT record in your Internet DNS. The TXT record is Microsoft’s way of verifying that you own the domain and creating this record does not impact any existing services. After you create the TXT record in DNS you must return to the Office 365 Administraton site and verify the domain by clicking the Verify button.
Once added and verified continue on.
You can go back into domains and check the DNS records.
Install & Setup AD FS
Now you have your domain added and has been verified, we can move on to installing AD FS onto your local Active Directory.
(this example i’m setting up: student.********academy.com)
For this you must have as a minimum:
- Your Active Directory Domain must be in Windows 2003 mixed or native mode.
- You must have a Windows Server 2008 or Windows Server 2008 R2 to install AD FS on.
Download AD FS 2.0 from: HERE
- Once downloaded launch the install program, click Next.
- Accept the license (Read 1st) then click Next.
- Select Federation Server and click Next.
- The wizard will automatically install all required prerequisites.
- Click Next to begin the installation.
Start Installation
Select Federation Server
Prerequisites
Finish
Certificate for ADFS
In this example, we’ll request a certificate from a public certification authority. Unless you already have a certificate infrastructure deployed, it’s probably best to purchase a certificate instead of generating your own. Trust us on this one, just spend the money on a certificate, it will save you a lot of time.
- On the server you just installed ADFS, open IIS Manager and click on Server Certificates.
Open IIS and Certificates
- Then click on Create Certificate Request…
- Window will pop up, simply fill in your details for the certificate.
- Click Next.
Certificate Details
The important field is the Common Name field. You could use a wildcard *.domainname.com. In most cases (where you want external users on the Internet to be able to authenticate) domainname.com must be your external domain name.
- Choose a Bit Length of at least 2048 then click Next.
Choose 2056 or more
- Finally, specify save path and a file name for the certificate, click Finish.
Now to import the new certificate.
- While still in IIS click on Complete Certificate Request…
- Click on the … and choose the newly created certificate.
- Enter the friendly name. This example server name .domain certificate was used, so the friendly name will be apollo.********high.lancs.sch.uk If you used a different name, such as 365.domainname.com or adfs.domainname.com, you’d enter that name here as well.
Certificate Import
Last to do with the certificate will be to bind it to the Default Web Site.
- Still in IIS select the Default Web Site.
- Under the Actions menu, click Bindings…
- Click Add.
- Select https for the type.
- Now select the certificate just imported.
- Click OK.
Binding
Configure AD FS
With the certificate installed and bound to the default web site, we can finish off the AD FS configuration.
- Open AD FS 2.0 Management.
The first time the snap-in is run, AD FS 2.0 will detect that the federation server has not been configured and will prompt you to launch the AD FS 2.0 Federation Server Configuration Wizard.
- Click the AD FS 2.0 Federation Server Configuration Wizard link in the center pane to start the wizard.
- Select Create a new Federation Service.
- Next
- Choose Stand-alone federation Server, or New federation server farm. If you choose the stand-alone you wont have the option to install a second AD FS server. If you think you might want a second AD FS server some point down the road for redundancy then choose the Farm install, only can have a farm with only a single server.
- On the Federation Service name, choose the certificate to use. This example the name must be specified, apollo.********high.lancs.sch.uk. Users will connect to this so it must be resolvable via DNS both internally and externally.
- Next
- Input a user account with appropriate AD permissions.
- Have a look over the summary then click next to begin the configuration.
Sign In Assistent
- Download the x64 msi from: http://g.microsoftonline.com/0BX20en/571
- Run the msi and follow the install instructions.
Powershell Module
You will need to install the Azure AD PowerShell module.
- Windows Azure Active Directory Module for Windows PowerShell (64-bit version)
- Download and run the program, follow the installation wizard.
Federated domain
- Now with the AD PowerShell module installed go to the Start>Programs>Microsoft Online Services
- Right click and Run as administrator
- Now run the following cmdlet:
$msolcred=Get-Credential
This cmdlet prompts you for credentials. Type in your Office 365 administration username and password.
Connect-MsolService –Credential $msolcred
Type the following, replacing domainname.com with thename of your domain then hit enter.
Convert-MsolDomainToFederated –DomainName domainname.com
If successful, you should see the message.
Successfully updated ‘domainname.com’ domain.
- Done
Microsoft Office 365 Federation Metadata Update Automation Installation Tool
“This tool can be used to automate the update of the Microsoft Office 365 federation metadata regularly to ensure that changes in the case of the token signing certificate configured in Active Directory Federation Services 2.0 are replicated to the identity platform automatically”
- Download that from Here
- Once downloaded place it in an accessible location.
- Open the AD PowerShell module PowerShell, go to the Start>Programs>Microsoft Online Services
- Right click and Run as administrator
- You will need to elevate the permissions to run the ps1 PowerShell script file.
- type and run:
Set-ExecutionPolicy unrestricted
Type Y and press enter when prompted.
- Now navigate to the folder you saved the PowerShell script to (My case root of c:\ drive)
cd /
Now to run the script type:
./O365-Fed-MetaData-Update-Task-Installation.ps1
- Follow the on screen steps.
- If it asks for your MSOL credentials thats your Office 365 admin email username and password.
Enable SSO For Office365
- Log into your office 365 admin console at portal.microsoftonline.com.
- Click on users and groups.
- Click on Set up Active Directory Synchronization.
Highly recommend you go through the first step to make sure you are aware of what requirements are needed.
Prepare for directory synchronization
- Now on step 3, Click Activate.
- Step 4, Download the Windows Azure Active Directory Sync Tool Configuration Wizard.
- Run DirSync.exe.
- Click Next on the welcome screen.
- and install as prompted.
- Tick the Box Start Configuration Wizard Now.
When the configuration wizard appears, click Next on the welcome screen
- Enter your Office 365 admin username and password.
- Then enter a username and password of a domain admin.
- Enable password sync tick the box, then Next.
Done
The first thing you’ll probably need to do is create an account in your local Active Directory (without a mailbox if you have Exchange). You’ll need to make sure the account’s UPN suffix is the same as the Office365 @domainname.com.
If your Internal Active Directory Namespace is something like domain.local, or anything other than domain.com, you’ll probably have to add an additional DNS suffix to the domain so you can assign it to users, See Adding a UPN Suffix to a Forest guide below for help.
You will probably need to modify your Internet Explorer settings so users can automatically authenticate with the AD FS server. The default settings in IE seem to be that Automatic Login occurs only in the Intranet Zone. See GPO IE Security Zones guide below for help.
So under the assumption you have either manually input your users and/or sync has processed, time to test on a computer with a user.
- Log on to a computer as the user as normal.
- Open IE and go to https://portal.microsoftonline.com
- input your users email address (username)
- when you click or tab to the password field it will recognise its a federated address and will attempt to communicate with the ADFS server. Pay close attention to the Address bar in your browser, it will change to the url of your AD FS server.
If you get prompted for credentials, you should check your Internet Explorer settings, make sure you have the url set under intranet security zone.
If you get a page cannot be displayed, check your DNS to make sure the client can resolve the AD FS server.
If all goes well, the users be automatically logged into the Portal.
Input users email address
Contacting AD FS server
Authenticated and SSO
GPO IE Security Zones
- Open Group Policy Management Editor
- Navigate down to Site to Zone Assignment List
Computer Configuration > Policies > Administrative Templates > Windows Components >Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List
- Go to the properties and Enable.
- Click Show.
- Click Add.
- Then enter the https:// url (In this example my DNS server is apollo.********high.lancs.sch.uk
- Enter the zone number required.
Zone Number | Zone Name |
1 | Intranet Zone |
2 | Trusted Sites zone |
3 | Internet zone |
4 | Restricted Sites zone |
Adding a UPN Suffix to a Forest
- Log onto a Domain Controler.
- Open Active Directory Domains and Trusts.
- Right-click Active Directory Domains and Trusts in the Tree window pane, and then click Properties.
- In the field Alternative UPN suffixes, type the new UPN suffix that you would like to add to the forest.
- Click Add, and then click OK.
Change the users UPN suffix
Once you have a new UPN suffix added you will need to on a domain controller open Active Directory Users and Computers.
- Select the user(s) you want to be able to log onto the SSO Office 365, right click and go to Properties.
- Under the Account tab
(Single user – The drop down menu next to the user logon name)
(Multiple users selected – tick UPN suffix and change the drop down menu to the new one)