Step-By-Step: Setting up AD FS Proxy Servers Via Single Sign-On for Office 365


The AD FS Proxy role is deployed in the DMZ and is used for external client authentication.

People always ask me, do I really need an AD FS Proxy server? The answer is yes for one huge reason.

Security – It is possible to forward TCP 443 straight from the internet to the AD FS server, but this would not be a very smart security choice. The networking setup for these servers is very easy. We have an A record (sts.domain.com) in our public DNS that resolves to an internet-accessible IP address. This IP address should be configured as an external interface on your firewall. You are going to want to forward requests for sts.domain.com (port 443) from the external interface on the firewall to the AD FS Proxy server. Next, you are going to want to enable bi-directional communication between the AD FS server and the AD FS Proxy server.

Do not domain join the server, since the AD FS Proxy server is in the DMZ. It functions just fine without being domain joined, and joining it would needlessly require opening firewall ports from the DMZ to the internal network.

 

Set the External Domain

Since the server is not domain joined and is technically a web server, it's recommended that you set the external domain name as its DNS suffix.

  1. Log in to the AD FS server with the AD FS service account
     
  2. Open Server Manager
     
  3. Click Local Server
     
  4. Click the Computer Name
     

     
  5. On the System Properties page, click Change
     
  6. On the Computer Name / Domain Changes, click More
     
  7. Enter the External domain name
     
  8. On the DNS Suffix and NetBIOS Computer Name, Click OK
     
  9. On the Computer Name / Domain Changes, click OK
     
  10. Reboot

 

Install AD FS Proxy Server Role

  1. Log in to the AD FS server with the AD FS service account
     
  2. Open Server Manager
     
  3. Click Manage
     
  4. Click Add Roles and Features
     

     
  5. On Add Roles and Features Wizard, click Next
     
  6. Select Role-based or feature-based installation and click Next
     
  7. Select the local server and click Next
     
  8. Select Active Directory Federation Services
     
  9. Click Add Features, this will install the required features for AD FS
     
  10. Click Next
     
  11. Select .NET Framework 3.5 Features and click Next
     
  12. Click Next
     
  13. Leave default selections for the Web Server Role (IIS) and click Next
     
  14. Click Next
     
  15. Uncheck Federation Service (selected by default)
     
  16. Select Federation Service Proxy and click Next
     
  17. Click Install
     
  18. Install begins. You can close this window or leave it open to view the progress
     
  19. Once the installation has completed, click Close

 

Install Sign-in Assistant

  1. Open the Office 365 Admin Center via your Internet Browser
     
  2. Click Download Software
     
  3. Click Desktop Setup
     
  4. Click Set up to start the Desktop Applications install
     
  5. Click Run
     
  6. Once Desktop Assistant has downloaded, click Run
     
  7. Sign in with a Global Administrator account for Office 365.
     
    NOTE: I create a shared service account for use with AD FS and Directory Sync. This account does not need a license assigned and should be a tenant account (@domain.onmicrosoft.com). Assign the account the Global Administrator role.
     
  8. Once the Desktop Applications setup starts, Uncheck (if checked) Microsoft Outlook, Microsoft SharePoint and Microsoft Lync and click Continue
     
  9. When Open File - Security Warning appears Click Run
     
  10. Click I Accept on the Microsoft Office 365 desktop setup screen
     
  11. Once Microsoft Online Sign-In Assistant has completed its install, click Finish

 

 Install the Windows Azure Active Directory Module for Windows PowerShell 

  1. Go back to the Office 365 Admin Center
     
  2. Click Users and Groups
     
  3. Click Set up link beside Single Sign-On
     
  4. Choose the Windows 64-bit version and click Download
     
  5. Click Run
     
  6. Click Next
     
  7. Accept the License Agreement and click Next
     
  8. On the Windows Azure Active Directory Module for PowerShell screen, enter the install path and click Next
     
  9. Click Install
     
  10. Click Finish once completed

  

This completes setting up all the pre-required software for the AD FS Proxy server.

Just like the AD FS server, we need a third-party certificate on the AD FS Proxy server. The AD FS Proxy server will need to have the same SSL certificate as we used on the AD FS server. The best way to do this is to export the certificate from the AD FS server and then import it on the AD FS Proxy server. Once it's on the AD FS Proxy server, we can assign it to the default website, the same way we did on the AD FS server.

 

Export the AD FS Certificate from the AD FS Server

  1. Log in to the AD FS server with an Administrator account
     
  2. Open the Start Screen and type MMC
     
  3. Open the MMC
      
  4. Once the MMC opens, click File and Click Add/Remove Snap-in
     
  5. In the Add/Remove Snap-in screen, select Certificates and click Add>
     
  6. Select Computer Account and click Next
     
  7. Select Local Computer and click Finish
     
  8. Click OK
     
  9. Expand Certificates
     
  10. Expand Personal
     
  11. Select Certificates
     
    Note:
    The certificate shown below is a multi-name SSL certificate for my lab environment. Your certificate should show sts.domain.com.
     
     
     
  12. Right Click the third party certificate
     
  13. Select All Tasks
     
  14. Select Export
     
  15. In the Certificate Export Wizard screen, click Next
     
  16. Select Yes, Export the Private Key and click Next
     
  17. Select the Personal Information Exchange – PKCS #12 (.PFX) format
     
  18. Select Include all certificates in the certification path if possible
     
  19. Select Export all extended properties and click Next
     
  20. Select Password
     
  21. Enter password
     
  22. Confirm password and click Next
     
  23. Enter a path to save the exported certificate and click Next
     
  24. Click Finish
     
  25. Once the export is successful, click OK
     
  26. Copy the exported certificate to the AD FS Proxy Server 

 

Import the AD FS Certificate to the AD FS Proxy Server 

  1. Log in to the AD FS Proxy server with an Administrator account
     
  2. Open the Start Screen
     
  3. Type MMC
     
  4. Open the MMC
     
  5. Click File
     
  6. Click Add/Remove Snap-in
     
  7. Select Certificates and click Add>
     
  8. On the Certificates snap-in screen, select Computer Account and click Next
     
  9. Select Local Computer and click Finish
     
  10. Click OK
     
  11. Back on the Add or Remove Snap-ins, Expand Certificates
     
  12. Expand Personal
     
  13. Right Click Certificates and select Import
     
  14. Select Local Machine and click Next
     
  15. Browse to the Exported Certificate and click Next
     
  16. Enter Password
     
  17. Select Mark the key as exportable and click Next
     
  18. Place in the Personal certificate store and click Next
     
  19. Click Finish
     
  20. Click OK when the Certificate Import Wizard reports that the import has successfully completed

Assign the Imported Certificate

 Now that we have the third party certificate imported on the server, we need to assign and bind it to the default website (HTTPS port 443).

  1. Open Server Manager
     
     
  2. Click Tools
     
     
  3. Click Internet Information Services (IIS) Manager
     
     
  4. Expand the local server
     
     
  5. Expand Sites
     
     
  6. Select Default Web Site
     
     
  7. Click Bindings (actions pane)
      
  8. Click Add
     
     
     
  9. Change the type to HTTPS
     
  10. Select your certificate from the drop down menu
     
    Note: The certificate shown below is a multi-name SSL certificate for my lab environment. When you select your certificate, it should show sts.domain.com, which matches the completed certificate
     
  11. Click OK
     
  12. Click Close
     
  13. Close IIS Manager
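The export, import and binding steps above can also be done and, more importantly, checked from PowerShell. This is an added example, not code from the original post: run Export-AdfsProxyPfx on the AD FS server, copy the .pfx to the proxy, then run Import-AdfsProxyPfx there with the thumbprint the export printed. The file path, the password prompt and the function names are assumptions; sts.domain.com is the federation service name used throughout the post, and the DnsNameList property is the one PowerShell adds to certificates on Windows Server 2012 and later.

```powershell
# Added example, not from the original post. Paths and the password prompt are assumptions.
function Export-AdfsProxyPfx {
    param([string]$ServiceName = 'sts.domain.com', [string]$PfxPath = 'C:\Temp\sts.pfx')
    # Pick the third-party certificate that covers the service name and has a private key
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $ServiceName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for $ServiceName in LocalMachine\My" }
    $pw = Read-Host -AsSecureString 'Password to protect the PFX'
    # BuildChain mirrors "Include all certificates in the certification path" in the wizard
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pw -ChainOption BuildChain | Out-Null
    Write-Host "Exported $($cert.Subject) thumbprint $($cert.Thumbprint) to $PfxPath"
    return $cert.Thumbprint
}

function Import-AdfsProxyPfx {
    param(
        [Parameter(Mandatory)][string]$ExpectedThumbprint,   # value printed by the export
        [string]$ServiceName = 'sts.domain.com',
        [string]$PfxPath = 'C:\Temp\sts.pfx'
    )
    $pw = Read-Host -AsSecureString 'PFX password'
    # -Exportable matches the "Mark the key as exportable" option in the import wizard
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
                -Password $pw -Exportable | Where-Object HasPrivateKey
    # Checks: same certificate as the AD FS server, and it really covers the service name
    if ($cert.Thumbprint -ne $ExpectedThumbprint) { throw 'Thumbprint differs from the AD FS server certificate' }
    if ($cert.DnsNameList.Unicode -notcontains $ServiceName) { throw "Certificate does not cover $ServiceName" }

    # Bind it to Default Web Site on 443, the same result as the IIS Manager bindings step
    Import-Module WebAdministration
    if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
        New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
    }
    $ssl = 'IIS:\SslBindings\0.0.0.0!443'
    if (Test-Path $ssl) { Remove-Item $ssl }
    Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" | New-Item $ssl | Out-Null
    # Show the binding that is now in effect
    Get-Item $ssl | Select-Object IPAddress, Port, Thumbprint
}
```

The thumbprint comparison is the check worth keeping even if you use the wizards: a proxy presenting a different certificate than the AD FS server is the most common cause of the proxy configuration wizard's connection test failing.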

 

Now that our certificates are taken care of, we can continue to the last step: completing the AD FS Proxy server setup.

With all the required software installed on the server, we can verify name resolution for the AD FS server and the AD FS Proxy server. After that is completed, we configure the local AD FS Proxy server.

 

Verify Name Resolution

Since the AD FS Proxy server is not domain joined, it will not have access to the domain-based DNS. We need to add some entries to the local hosts file so that the AD FS Proxy server can resolve the internal IP for sts.domain.com and the AD FS server.

 

Domain Based Name Resolution

  1. Log in to your Domain Controller
     
  2. Open DNS Management Console
     
  3. Verify A records for the following: AD FS server, AD FS Proxy server, sts.domain.com (internal IP)

 

Internet Based Name Resolution

  1. Log in to your public DNS management console
     
  2. Verify and/or add an A record for sts.domain.com (internet IP)

 

AD FS Proxy Server Name Resolution

  1. Log in to the AD FS Proxy server with an Administrator account
     
  2. Open the Start view
     
  3. Type Notepad
     
  4. Right Click Notepad
     
  5. Run as Administrator
     
  6. Click File and click Open
     
  7. Change to All Files
     
  8. Open the hosts file (c:\windows\system32\drivers\etc\hosts)
     
  9. Enter IP and Host name for the AD FS Server and for sts.domain.com
     

     
  10. Click File and click Save 
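The point of the hosts-file entries is that, from the proxy, sts.domain.com must resolve to the internal AD FS server and not to the public address that the firewall forwards to the proxy itself. The script below is an added example, not part of the original post: it adds the entries from the "AD FS Proxy Server Name Resolution" steps without duplicating existing lines, then verifies the resolution and that TCP 443 to the AD FS server is reachable. The host names and IP addresses are placeholders you replace with your own.

```powershell
# Added example, not from the original post. Host names and IPs below are placeholders.
$HostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$Entries = @{
    'adfs01.domain.local' = '10.0.0.10'   # assumed internal AD FS server
    'sts.domain.com'      = '10.0.0.10'   # must be the INTERNAL IP, not the public one
}
$PublicStsIp = '203.0.113.10'            # documentation IP standing in for the internet A record

function Add-HostsEntries {
    param([hashtable]$Map, [string]$Path = $HostsFile)
    $lines = Get-Content $Path -ErrorAction SilentlyContinue
    foreach ($name in $Map.Keys) {
        # Skip names that already have a (non-comment) entry; hosts format is "IP<tab>name"
        if ($lines -match "^\s*\S+\s+$([regex]::Escape($name))(\s|$)") { continue }
        Add-Content -Path $Path -Value ("{0}`t{1}`t# added for AD FS Proxy" -f $Map[$name], $name)
    }
}

function Test-AdfsProxyResolution {
    param([hashtable]$Map, [string]$PublicIp)
    $ok = $true
    foreach ($name in $Map.Keys) {
        # GetHostAddresses uses the normal Windows resolver, so it honours the hosts file
        $resolved = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object IPAddressToString
        if ($resolved -notcontains $Map[$name]) {
            Write-Warning "$name resolves to [$($resolved -join ',')], expected $($Map[$name])"; $ok = $false
        }
        # sts.domain.com resolving to the public IP would send the proxy back out through
        # the firewall to itself instead of to the AD FS server
        if ($name -eq 'sts.domain.com' -and $resolved -contains $PublicIp) {
            Write-Warning "$name resolves to the public IP on the proxy; fix the hosts file"; $ok = $false
        }
        # AD FS listens on 443; the proxy needs that path open through the internal firewall
        $tcp = New-Object System.Net.Sockets.TcpClient
        try { $tcp.Connect($Map[$name], 443); Write-Host "$name : TCP 443 reachable" }
        catch { Write-Warning "$name : cannot reach TCP 443 ($($_.Exception.Message))"; $ok = $false }
        finally { $tcp.Close() }
    }
    return $ok
}

Add-HostsEntries -Map $Entries
Test-AdfsProxyResolution -Map $Entries -PublicIp $PublicStsIp
```

Run it from an elevated PowerShell prompt on the proxy, since writing the hosts file requires administrator rights; a result of True means the Test Connection step in the proxy configuration wizard should succeed as far as name resolution and the firewall are concerned.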

 

Configure Local AD FS Proxy Server 

  1. Log in to the AD FS Proxy server with an Administrator account
     
  2. Open Server Manager and click Tools
     
     
  3. Click AD FS Federation Server Proxy Configuration Wizard
      
  4. Click Next
     
     
  5. Verify the Federation Service Name
      
  6. Click Test Connection
     

     
    This is the message you should see if the firewall is configured properly
     
  7. Click OK
     
     
  8. Click Next
     
  9. Enter the AD FS Service account information and click OK
     
     
  10. Click Next
     

     
    All green checks means a successful configuration
      
  11. Click Close

Now that our AD FS server and AD FS Proxy server are set up, we need to set up Directory Synchronization.

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

  • Don't deploy ADFS Proxy, use TMG. Why TMG instead of ADFS Proxy? If the user is marked to reset their password on next log on, they cannot access Office 365 until they log on to a domain-joined PC and reset the password. From my testing though, if you are on a mobile device using ActiveSync and your account is marked for reset, you can still receive email on the mobile device.

  • I guess there are trade-offs. Some companies don't want to deploy another firewall solution, and AD FS Proxy servers can be set up very quickly. The good news is that both work really well.