When discussing and reviewing Office 365 with customers, I wanted to have a series of posts to illustrate the steps involved when deploying Office 365. In the burgeoning drafts folder ADFS was at the top, so that got finished first!
Deploying and configuring ADFS 2012 R2 for Office 365 will be broken down into three separate blog posts.
The IT security landscape keeps evolving. One of the recent changes is a move away from per-resource ACLs, such as those on files in the NTFS file system, towards access control that is based on claims. Claims-based authentication is an industry-standard approach in which a trusted issuer makes statements (claims) about a user and the application relies on those statements rather than authenticating the user itself. The WS-* family of standards (WS-Trust and WS-Federation) describes how Security Assertion Markup Language (SAML) tokens carrying these claims are requested and exchanged. Claims-based authentication therefore requires a token, and by extension an entity that can issue and sign that token: the Security Token Service (STS). The STS can be Active Directory Federation Services (ADFS) or another platform that provides the same service.
ADFS lights up the third of the three Office 365 identity management options: cloud identity, synchronised identity (DirSync) and federated identity.
ADFS is the primary choice for customers who want to use federated identities with Office 365. In addition, there are a variety of qualified third-party identity providers that can be connected to Office 365 to provide the necessary plumbing for federation. The shortcut URL aka.ms/SSOProviders links to the ‘Works With Office 365’ Identity program, which lists the identity providers that have been qualified with Office 365. Please read the notes on that TechNet page regarding the testing and support aspects of these services.
Some customers use these services because they do not wish to invest in a fault-tolerant and geographically dispersed ADFS implementation. The availability of ADFS is a key discussion point when discussing federation: once a domain is federated, ADFS is in the critical path of every sign-in, so if for whatever reason the ADFS infrastructure is unavailable, Office 365 cannot complete the authentication process and users cannot get access to Office 365.
In addition, since DirSync now synchronises a hash of each user’s password hash to Windows Azure Active Directory (WAAD), some customers use DirSync alone to provide Same Sign-On / Single Sign-On (SSO). DirSync version 1.0.6385.12, which was released in May 2013, and later builds provide the ability to synchronise passwords. DirSync can be downloaded here, and the TechNet Wiki has details on the release history. When running the configuration wizard with this release you will get the shiny “Password Synchronization” window:
This is worth mentioning, as there is still a perception that ADFS is a hard requirement to get SSO. That is soooooooooooo Q1 2013!
Anyway, I digress; let’s get back to ADFS…
We shall look at installing ADFS 2012 R2, since there are numerous compelling features in this release! What is new? The quick answer is a lot! Some examples include:
There are many others, but check here for them since we are focussing on Office 365 usage for ADFS.
Note that you will not see me call this release ADFS 3.0. Its full and proper name is ADFS 2012 R2. For reference, here are the older versions and what some folks call them:
Update 5-5-2014: Please also see this post on exploring ADFS 2012 R2 Extranet Lockout protection.
Update 29-5-2014: Please also review update 2948086 Update that improves AD FS proxy and STS reliability in Windows Server 2012 R2 when multiple clients sign in.
Update 9-9-2014: For the other posts on ADFS, please view this tag cloud.
The prerequisites are listed on TechNet. Of course before jumping into the install the installation needs to be planned.
The ADFS role should be deployed within the corporate network, not in the DMZ. The ADFS proxy role (in Windows Server 2012 R2 this is the Web Application Proxy role service) is intended to be installed in the DMZ.
The default topology for Active Directory Federation Services (AD FS) is a federation server farm, using the Windows Internal Database (WID), that consists of up to five federation servers hosting your organization’s Federation Service. In this topology, AD FS uses WID as the store for the AD FS configuration database for all federation servers that are joined to that farm. The farm replicates and maintains the Federation Service data in the configuration database across each server in the farm.
Since the availability of Office 365 relies upon the availability of ADFS once the domain is federated, there is a strong recommendation to have at least two ADFS servers, with a redundant ADFS proxy infrastructure in front of them.
Please review the design guidance on TechNet.
We can now use a standard service account or a Group Managed Service Account (gMSA) in ADFS 2012 R2.
In this case, since the KDS root key was not configured, let's leverage a standard service account.
The installation process should set the required Service Principal Name (SPN) on the account.
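If you would rather take the gMSA route, here is what the preparation looks like. This is an added example and not part of the original post; it assumes the lab names used throughout (domain tailspintoys.ca, ADFS server TAIL-CA-STS, federation service name adfs.tailspintoys.ca) plus an account name ADFS-gMSA and a group name ADFS-Servers that are invented for the example. It runs as a domain admin on a box with the Active Directory PowerShell module.

```powershell
# Added example: prepare a group Managed Service Account for ADFS 2012 R2.
# Assumed names: domain tailspintoys.ca, ADFS server TAIL-CA-STS,
# federation service name adfs.tailspintoys.ca, gMSA ADFS-gMSA, group ADFS-Servers.
Import-Module ActiveDirectory

$fsName   = "adfs.tailspintoys.ca"
$gmsaName = "ADFS-gMSA"          # a gMSA sAMAccountName is limited to 15 characters
$group    = "ADFS-Servers"
$servers  = @("TAIL-CA-STS")     # every node of the farm goes in here

# 1. The KDS root key must exist before any gMSA can be created.
#    Production: Add-KdsRootKey -EffectiveImmediately, then wait ~10 hours for the
#    key to replicate to every DC. The back-dated EffectiveTime is a LAB-ONLY shortcut.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# 2. Authorise a group, not an explicit list of computers, so a second farm node
#    can be added later without touching the gMSA itself.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security `
        -Description "Computers allowed to retrieve the ADFS gMSA password"
}
foreach ($s in $servers) {
    Add-ADGroupMember -Identity $group -Members (Get-ADComputer $s)
}
# Each server must be rebooted so the new group membership is in its token
# before it can retrieve the managed password.

# 3. The gMSA, carrying the HTTP SPN for the federation service name.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName $fsName `
    -ServicePrincipalNames "HTTP/$fsName" `
    -PrincipalsAllowedToRetrieveManagedPassword $group

# 4. On the ADFS server, after the reboot, confirm it can retrieve the password:
#        Test-ADServiceAccount $gmsaName      # should return True
#    and then Install-AdfsFarm takes the gMSA instead of -ServiceAccountCredential:
#        Install-AdfsFarm -CertificateThumbprint "<thumbprint>" `
#            -FederationServiceName $fsName `
#            -FederationServiceDisplayName "Tailspintoys STS" `
#            -GroupServiceAccountIdentifier "TAILSPINTOYS\$gmsaName`$"
```

The payoff is that the ADFS service runs under an account whose password is generated and rotated by Active Directory (every 30 days by default) and is never typed, stored in a password safe, or known to an administrator.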
Select the name that will be used to access ADFS. Typically this is along the lines of:
sts.wingtiptoys.ca
adfs.tailspintoys.ca
Note that this is the namespace for the ADFS service. Since we will be using Kerberos to access ADFS internally, there must be a Service Principal Name (SPN) registered for this name, in the form HTTP/adfs.tailspintoys.ca. It will be associated with the service account, and since SPNs operate in the “Highlander – there can be only one!” mode you do not want to duplicate the SPN by giving the ADFS server the same name as the ADFS namespace: a computer account’s HOST/ SPN already covers HTTP for the computer’s own name, so the KDC could issue a ticket encrypted with the computer account’s key, which the ADFS service running as the service account cannot decrypt.
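To check the SPN situation described above before and after the install, here is an audit script. It is an added example rather than the author's code; it assumes the ADFS service account is called ADFS-Service and the federation service name is adfs.tailspintoys.ca, and it needs the Active Directory PowerShell module plus setspn.exe.

```powershell
# Added example: audit the SPN for the federation service name.
# Assumed names: adfs.tailspintoys.ca and service account ADFS-Service.
Import-Module ActiveDirectory

function Test-AdfsSpn {
    param(
        [string]$FederationServiceName = "adfs.tailspintoys.ca",
        [string]$ServiceAccount        = "ADFS-Service"
    )
    $ok = $true

    foreach ($spn in @("HTTP/$FederationServiceName", "HOST/$FederationServiceName")) {
        # Search the whole domain for any object that holds this SPN.
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)

        switch ($spn.Split('/')[0]) {
            'HTTP' {
                if ($holders.Count -eq 0) {
                    Write-Warning "$spn is not registered on any account (Install-AdfsFarm should add it)."
                    $ok = $false
                } elseif ($holders.Count -gt 1) {
                    Write-Warning "$spn is registered on more than one object: $($holders.Name -join ', ')"
                    $ok = $false
                } elseif ($holders[0].Name -ne $ServiceAccount) {
                    Write-Warning "$spn is registered on $($holders[0].Name), not on $ServiceAccount."
                    $ok = $false
                } else {
                    Write-Host "$spn is registered on $ServiceAccount - OK"
                }
            }
            'HOST' {
                # A HOST/ SPN implicitly covers HTTP/ for the same name, so a computer
                # named after the federation service competes with the service account.
                if ($holders.Count -gt 0) {
                    Write-Warning "$spn exists on $($holders.Name -join ', '): a computer is named after the federation service."
                    $ok = $false
                }
            }
        }
    }

    # Belt and braces: the built-in duplicate finder for exact duplicates.
    $dupes = & setspn.exe -X 2>$null | Select-String -Pattern $FederationServiceName
    if ($dupes) { Write-Warning "setspn -X reports duplicates: $dupes"; $ok = $false }

    return $ok
}

Test-AdfsSpn
```

Run it once before Install-AdfsFarm (expect the "not registered" warning and nothing else) and again afterwards (expect only the OK line). The HOST/ check is the one setspn -X will not do for you, because the conflict is between an explicit HTTP/ SPN and an implicit one.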
You also want to discuss what display name should be chosen, as this will be visible to users.
Since ADFS leverages SSL, we need an SSL certificate. You could try three options (self-signed, your internal CA, or a public CA), but only one will work:
Office 365 needs to see a valid service communication certificate on your ADFS infrastructure, so you are going to have to buy a certificate from a public CA. Office 365 will not trust a service communication certificate that is either self-signed or issued by your internal CA, which results in tears. The certificate’s subject name, or one of its subject alternative names, must match the federation service name chosen above (adfs.tailspintoys.ca in this case), and the same certificate is installed on every server in the farm and on the proxies. We can use self-signed certificates for the token-decrypting and token-signing certificates; these are separate from the service communication certificate and are generated for you by the configuration wizard.
Please follow the documentation from your chosen CA to request, install and complete the certificate. The steps required vary from vendor to vendor and also over time. Make sure you are not missing any updated intermediate certificates! How would you know? Follow their process!!
For the purposes of this post we shall deploy the initial ADFS server, and in the future add another ADFS server for redundancy.
After starting up server manager’s add roles and features wizard, select Active Directory Federation Services, then click next.
We don’t need to add any additional features. Remember that the IIS dependency was removed in ADFS 2012 R2; the service now listens on HTTP.SYS directly.
Clicking next takes us to the ADFS splash screen. Note that it helpfully tells us that the dedicated ADFS proxy role has been removed in Windows Server 2012 R2, its job now being done by the Web Application Proxy role service, and how to go about installing it. Shame I missed that the very first time I ran this and could not find the old-school ADFS Proxy role…
Clicking next will then install the necessary bits.
Bits are being shuffled around…
Shuffling has been completed, and the installation is complete. You can launch the ADFS configuration wizard from here, or alternatively if this window is closed it can be launched from server manager.
Before starting the ADFS configuration wizard I had already installed my 3rd party certificate and tested that it was correctly installed.
Additionally a service account called ADFS-Service was also pre-created.
The wizard also states that you must have access to Domain Admin (DA) credentials, since it creates the ADFS configuration container in Active Directory and registers the SPN on the service account.
Note that you are only given the option to either create a new ADFS farm or add this box to an existing farm. This avoids the painful issue with older ADFS builds, where if ADFS had not been installed as a farm you were unable to easily add a second ADFS server for redundancy.
Provide your domain admin credentials.
We need to select the SSL certificate that we will use and also provide the ADFS name we selected in the design process.
In this case the name is adfs.tailspintoys.ca. Note that there is no concept of an InternalURL or ExternalURL for the ADFS namespace: clients use the same name on the intranet and the internet to locate ADFS. Split DNS therefore makes life simple, with internal DNS pointing the name at the ADFS farm and external DNS pointing it at the proxies.
Provide your chosen display name, and click next.
As mentioned earlier, it is possible to use a gMSA as the ADFS service account. Active Directory generates and rotates a gMSA’s password automatically, and administrators never know it.
In this case a standard service account was used.
Select the database configuration as per the design.
The Tailspintoys corporation will use WID.
Review the options, and when happy pull the trigger!
For reference, the PowerShell script that the wizard generates is shown here:

    # Windows PowerShell script for AD FS Deployment
    Import-Module ADFS

    # Get the credential used for the federation service account
    $serviceAccountCredential = Get-Credential -Message "Enter the credential for the Federation Service Account."

    Install-AdfsFarm `
        -CertificateThumbprint:"5804746A7980C8682FBF408D48EF6C3B02A5ZORG" `
        -FederationServiceDisplayName:"Tailspintoys STS" `
        -FederationServiceName:"adfs.Tailspintoys.ca" `
        -ServiceAccountCredential:$serviceAccountCredential
The ADFS pre-requisite checks are done, and we can proceed to the configuration:
One coffee later, we have a shiny new ADFS server – whoo!!
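When the time comes to add the second node for redundancy, the deployment script has a sibling cmdlet. The following is an added example, not the author's script: it assumes the first node is tail-ca-sts.tailspintoys.ca, that the second server already has the ADFS role and the same service communication certificate (with its private key) installed, and that the farm uses the standard ADFS-Service account rather than a gMSA.

```powershell
# Added example: join a second federation server to the WID farm created above.
# Run on the SECOND server, elevated as a domain admin, after the ADFS role has
# been installed there (Install-WindowsFeature ADFS-Federation) and the same
# service communication certificate has been imported into LocalMachine\My.
# Assumed names: first node tail-ca-sts.tailspintoys.ca, service name
# adfs.tailspintoys.ca, service account TAILSPINTOYS\ADFS-Service.
Import-Module ADFS

$fsName  = "adfs.tailspintoys.ca"
$primary = "tail-ca-sts.tailspintoys.ca"

# Pick the certificate by the DNS names it carries rather than pasting a thumbprint;
# the farm requires the same certificate and private key on every node.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $fsName) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $fsName with a private key in LocalMachine\My" }

# Same service account as the first node.
$svcCred = Get-Credential -Message "Enter the credential for the Federation Service Account."

Add-AdfsFarmNode -CertificateThumbprint $cert.Thumbprint `
    -PrimaryComputerName $primary `
    -ServiceAccountCredential $svcCred

# The new node should report Role = SecondaryComputer and the primary it pulls
# configuration from. WID farms replicate one way (primary to secondaries) and
# are limited to five nodes, as noted in the topology section above.
Get-AdfsSyncProperties
```

Nothing in this script touches DNS: because the farm answers on the single name adfs.tailspintoys.ca, the second node only becomes useful once the internal A record (or the load balancer behind it) includes the new server as well.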
We are not quite done yet, and there a couple of additional things to do!
Update 11-12-2014: The above update 2948086 is now bundled in this rollup: May 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2
Update 16-7-2014: Other updates you may want to review are at the bottom of this post.
When multiple clients (over 200 clients) try to sign in by using an Active Directory Federation Services (AD FS) proxy, the AD FS proxy consumes 100% of the CPU. In this situation, the AD FS proxy performance is slow and causes a delay that exceeds 10 seconds. This also causes the STS to work under minimal load; therefore, the STS rejects the requests or serves only 5 to 10 requests per second.
We must create the DNS record for the ADFS instance. This maps to the ADFS namespace that we previously planned. Create this A record in your internal DNS infrastructure.
Once the DNS record has been created and propagated, ensure that it resolves correctly.
One thing to mention here: if you create a CNAME and point it at the server hosting ADFS, chances are that you will run into a never-ending authentication prompt.
In the example below the ADFS namespace is adfs.tailspintoys.ca and a CNAME was used to direct traffic to the ADFS server called tail-ca-sts.tailspintoys.ca. The client follows the CNAME to the canonical host name and requests a Kerberos ticket for HTTP/tail-ca-sts.tailspintoys.ca instead of HTTP/adfs.tailspintoys.ca. That SPN belongs to the computer account rather than to the ADFS service account, so the ADFS service cannot decrypt the ticket and the browser keeps prompting.
The easiest way to stop this is to use a regular A record, like so:
There is also an option contained in KB 911149 that some folks have mentioned.
The TechNet topic on configuring a federation server covers the additional steps to take after you install the first federation server.
For more information about how to deploy AD FS, see How to deploy AD FS in Windows Server 2012 R2.
Open Internet Explorer and navigate to your ADFS server’s federation metadata URL.
It will be something like the examples below; just change the FQDN to match your environment.
https://adfs.tailspintoys.ca/federationmetadata/2007-06/federationmetadata.xml
https://sts.contoso.com/federationmetadata/2007-06/federationmetadata.xml
The result should show this:
Browse to the ADFS sign-in page and test that you are able to authenticate.
The URL will be similar to the below, again change the FQDN to match your organisation’s.
https://adfs.tailspintoys.ca/adfs/ls/idpinitiatedsignon.htm
https://sts.contoso.com/adfs/ls/idpinitiatedsignon.htm
You should see the below, and be prompted to sign in:
Depending upon how IE is configured you will either be prompted to provide credentials or be automatically signed-in.
If you want to have users be automatically signed-in then configure your browser settings to trust the federation server role by adding your federation service name (for example, https://adfs.tailspintoys.ca) to the browser’s local intranet zone. This will enable seamless sign-in using Windows Integrated Authentication.
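To turn the manual checks above (DNS record type, certificate, metadata, sign-in page) into something repeatable, here is a validation function. It is an added example and not from the original post; it assumes the federation service name adfs.tailspintoys.ca and a domain-joined Windows 8.1 or Server 2012 R2 client with PowerShell 4.0, and it is meant to be run from a client rather than on the ADFS server, so that the DNS and Kerberos path exercised is the one real users take. The "MSIE 10.0" user agent is assumed to be in the farm's default WIASupportedUserAgents list.

```powershell
# Added example: post-install checks for DNS, the service communication
# certificate, the federation metadata and the sign-in page.
# Assumed federation service name: adfs.tailspintoys.ca.
function Test-AdfsEndpoint {
    param([string]$FederationServiceName = "adfs.tailspintoys.ca")
    $ok = $true

    # 1. DNS: the name must be an A record. A CNAME appears in the answer set and
    #    is what triggers the endless authentication prompt described above.
    $answers = Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction Stop
    if ($answers | Where-Object Type -eq 'CNAME') {
        Write-Warning "$FederationServiceName is a CNAME - use an A record instead."
        $ok = $false
    }
    Write-Host "Resolves to: $((($answers | Where-Object Type -eq 'A').IPAddress) -join ', ')"

    # 2. Fetch the metadata and inspect the certificate the server presented:
    #    its names must include the federation service name and its chain must
    #    validate on this client (a missing intermediate shows up here).
    $metadataUrl = "https://$FederationServiceName/federationmetadata/2007-06/federationmetadata.xml"
    $req    = [System.Net.HttpWebRequest]::Create($metadataUrl)
    $resp   = $req.GetResponse()
    $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
    $body   = $reader.ReadToEnd(); $reader.Close(); $resp.Close()

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($req.ServicePoint.Certificate)
    $dnsNames = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $dnsNames += ($san.Format($false) -split ', ') -replace '^DNS Name=', '' }
    if ($dnsNames -notcontains $FederationServiceName) {
        Write-Warning "Certificate names ($($dnsNames -join ', ')) do not include $FederationServiceName"
        $ok = $false
    }
    if (-not $cert.Verify()) {
        Write-Warning "Certificate chain does not validate here (missing intermediate, or not a public CA?)"
        $ok = $false
    }

    # 3. Metadata content: the entityID and the token-signing certificate that
    #    relying parties such as Office 365 will use to verify tokens.
    [xml]$md = $body
    Write-Host "entityID: $($md.EntityDescriptor.entityID)"
    $signing = $md.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
               Where-Object { $_.use -eq 'signing' } | Select-Object -First 1
    $tokenSigning = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        [Convert]::FromBase64String($signing.KeyInfo.X509Data.X509Certificate))
    Write-Host "Token-signing cert: $($tokenSigning.Thumbprint), expires $($tokenSigning.NotAfter)"

    # 4. Sign-in page with Windows Integrated Authentication, then show which service
    #    ticket the client actually obtained (a ticket for the server's own name
    #    instead of the federation service name is the CNAME symptom).
    try {
        $signon = Invoke-WebRequest -Uri "https://$FederationServiceName/adfs/ls/idpinitiatedsignon.htm" `
                      -UseDefaultCredentials -UseBasicParsing -UserAgent "MSIE 10.0"
        Write-Host "Sign-in page: HTTP $($signon.StatusCode)"
    } catch {
        Write-Warning "Sign-in page failed: $($_.Exception.Message)"; $ok = $false
    }
    if (-not (klist | Select-String -Pattern "HTTP/$FederationServiceName")) {
        Write-Warning "No Kerberos ticket for HTTP/$FederationServiceName in the cache; check DNS, the SPN, and WIASupportedUserAgents on the farm."
    }

    return $ok
}

Test-AdfsEndpoint
```

A CNAME shows up as an extra record in the Resolve-DnsName answer, and a klist entry for HTTP/tail-ca-sts.tailspintoys.ca rather than HTTP/adfs.tailspintoys.ca is the signature of the authentication-prompt loop described above. The chain check runs on the client, so an intermediate certificate you forgot to install is caught here before Office 365 or an external user ever sees it.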
Once we are happy that the ADFS instance is functioning appropriately we can then move onto installing the ADFS proxy role.
This will be covered in a separate post, to prevent this one getting too long!
Cheers,
Rhoderick
If you would like to have Microsoft Premier Field Engineering (PFE) visit your company and assist with the topic(s) presented in this blog post, then please contact your Microsoft Premier Technical Account Manager (TAM) for more information on scheduling and our varied offerings!
If you are not currently benefiting from Microsoft Premier support and you’d like more information about Premier, please email the appropriate contact below, and tell them how you got introduced!
US
Canada
For all other areas please use the US contact point.
Excellent Thanks
Nice work
Excellent just what I was looking for.
My configuration fails every time during the WID install and gives an error that the service cannot be started. I've even tried granting the service accounts log on as rights. Still no go.
Excellent, worked a treat
Jason, I had the same issue. http://www.smallbusinesstech.net/more-complicated-instructions/windows/fixing-windows-internal-database-installation-error-on-windows-server-2012 This fixed it for me.
Good write-up but the word "leverage" is overused.
@Adam - it's in there 4 times to annoy one of my ex-colleagues. Bit of a history :)
Rhoderick this is a great post. We just decided to look into ADFS. A curious question... Does ADFS 3.0 in 2012R2 allow for a single server setup? Meaning we wouldn't have to deploy a server in the DMZ? We only have 100 users and don't require a very complicated setup. Thanks for your time! :)
Hey Rhoderick, your post helped me to just confirm a few differences between the ADFS 2.0 I have done in the past and the 3.0 I need to do now; very succinct thanks! Was a bit surprised when I scrolled down and thought to myself "Hey, I know that guy!" You came in for a review of our environment while I was working in Toronto once.
Hi Hayden - it's a small world innit :) ?? Thanks for the shout out - much appreciated.
Steven - not something I have ever done or thought of doing. On http://technet.microsoft.com/en-us/library/dn554247.aspx#BKMK_10:

The following AD FS requirements are for the server functionality that is built into the Windows Server® 2012 R2 operating system:
• For extranet access, you must deploy the Web Application Proxy role service - part of the Windows Server® 2012 R2 Remote Access server role. Prior versions of a federation server proxy are not supported with AD FS in Windows Server® 2012 R2.
• A federation server and the Web Application Proxy role service cannot be installed on the same computer.

I'll see if I can find some other references. Cheers Rhoderick
Does O365 support ADFS 2.1 ?
thanks
Mark - Yes, we are using ADFS 2.0 on Windows 2008 R2 servers with o365 and are looking into upgrading to ADFS 3.0 in the near future. The way I understand it, all versions of ADFS are supported by O365. Someone else can correct me if I am wrong on this.