How To Install ADFS 2012 R2 For Office 365


When discussing and reviewing Office 365 with customers, I wanted to have a series of posts to illustrate the steps involved when deploying Office 365.   In the burgeoning drafts folder ADFS was at the top, so that got finished first!

The act of deploying and configuring ADFS 2012 R2 for Office 365 will be broken down into three separate blog posts

  1. Install ADFS (this post)

Identity, Identity, Identity

The IT security landscape keeps evolving.  One of the recent changes is a move away from access control based solely on ACLs (for example NTFS permissions evaluated against the SIDs in a user's token) to access control based on claims: statements about the user, such as UPN, e-mail address or group membership, made by an issuer that the application trusts.  Claims based authentication is built on industry standards rather than being a single protocol; the underlying WS-* standards (WS-Trust and WS-Federation) describe how Security Assertion Markup Language (SAML) tokens carrying those claims are requested and delivered.  Claims based auth requires these tokens, and by extension an entity that can issue them.  This is the Security Token Service (STS).  The STS can be based on Active Directory Federation Services (ADFS) or other platforms that provide this service.

ADFS lights up one of the three options for Office 365 identity management, which is option #3 in the below list:

  1. Cloud Identity – users are created and managed in Windows Azure Active Directory (WAAD), with no connection to any other directory.  This is the simplest model as there is no integration with any other directory.  Each user has an account created in the cloud which does not synchronise anywhere else.  Note that you will still typically need additional on-premises credentials to gain access to a local workstation and local resources.
  2. Directory Synchronisation – users are created and managed in the on-premises directory and are synchronised up to Office 365 so they can access Office 365 resources.  Typically this means running the DirSync appliance, or in some cases FIM with the Windows Azure Active Directory Connector.  The newer builds of DirSync allow a hash of the user's password hash to be synchronised up to Office 365.  Note that this is not the clear text password, nor even the raw AD DS password hash: DirSync uploads a one-way hash derived from that hash, so the value stored in WAAD cannot be replayed against on-premises AD DS.  This allows users to log on to Office 365 using the same credentials as on-premises with no additional infrastructure.
  3. Federated Identity – Federation relies on directory synchronisation so that WAAD is populated, but authentication itself stays on-premises.  For browser (passive) sign-in, Office 365 redirects the user to the ADFS sign-in page; for rich (active) clients that present a username and password, Office 365 itself contacts the ADFS WS-Trust endpoint through the ADFS proxy.  Either way AD DS is responsible for authenticating the request, and Office 365 receives only a signed token.

ADFS is the primary choice for customers who want to use federated identities with Office 365.  In addition to this there are a variety of qualified third party identity providers that can be connected with Office 365 to provide the necessary plumbing for federation.  The shortcut URL aka.ms/SSOProviders  links to the ‘Works With Office 365’ Identity program, and lists the identity providers that have been qualified with Office 365.  Please read the notes on the TechNet page with regards to the testing and support aspects of these services.

Some customers will use these services as they do not wish to invest in a fault tolerant and geographically dispersed ADFS implementation.  The availability of ADFS is a key discussion point when discussing federation.  If, for whatever reason, the ADFS infrastructure is unavailable, then Office 365 cannot complete the authentication process and users cannot get access to Office 365, even though the service itself is up: federation turns your on-premises identity infrastructure into a dependency of the cloud service.

In addition, since DirSync now replicates a hash of the user's password hash to WAAD, some customers now use DirSync to provide Same Sign On / Single Sign On (SSO).  DirSync version 1.0.6385.12, which was released in May 2013, and later builds provide the ability to synchronise passwords.  DirSync can be downloaded here, and the TechNet Wiki has details on the release history.   When running the configuration wizard with this release you will get the shiny “Password Synchronization” window:

Windows Azure Active Directory Sync Tool Enable Password Sync

This is worthwhile to mention as there is still a perception that ADFS is a hard requirement to get SSO.  That is soooooooooooo  Q1 2013!

Anyway, I digress let’s get back to ADFS…..

We shall look at installing ADFS 2012 R2 since there are numerous compelling features in this release!

What’s New And Improved In ADFS 2012 R2

The quick answer is a lot!  Some examples include:

  • IIS dependency removed.  ADFS now listens directly via HTTP.SYS, so there is no IIS to patch, harden or lock down on the federation servers.
  • Single server installation option removed; every install is now a farm install, even if the farm has one member (installing a farm was the recommendation in prior releases anyway).
  • Separate ADFS proxy role removed.  The ADFS proxy is now based on Web Application Proxy (WAP), which is used to publish the ADFS server to the Internet.  WAP can publish many other applications, not just ADFS.
  • ADFS extranet lockout – a soft lockout applied on the ADFS servers to authentication requests that arrive through the proxy, so that a password guessing attack from the Internet does not lock the user's AD DS account (the extranet threshold is set below the AD DS account lockout threshold).
  • Access control based on network location, so that authentication to ADFS can be allowed or denied depending on whether the request arrived from the intranet or via the proxy.

There are many others, but check here for them since we are focussing on Office 365 usage for ADFS.

Note that you will not see me call this release ADFS 3.0.  Its full and proper name is ADFS 2012 R2.  For reference, here are the older versions and what some folks call them:

ADFS Build   Notes

ADFS 1.0     Released with Windows 2003 R2.  Built into OS.
ADFS 1.1     Released with Windows 2008 and 2008 R2.  Built into OS.
ADFS 2.0     Released after Windows 2008 / 2008 R2.  Separate download from here.
ADFS 2.1     Windows 2012.  Built into OS.
ADFS 3.0     Windows 2012 R2.  Built into OS.  Properly called ADFS 2012 R2.

Update 5-5-2014:    Please also see this post on exploring ADFS 2012 R2 Extranet Lockout protection.

Update 29-5-2014:  Please also review update 2948086 Update that improves AD FS proxy and STS reliability in Windows Server 2012 R2 when multiple clients sign in.

Update 9-9-2014:    For the other posts on ADFS, please view this tag cloud.

Planning And Prerequisites, And Other Fun Details

Prerequisites

The prerequisites are listed on TechNet.  Of course, before jumping into the install, the installation needs to be planned.

ADFS Role Planning

The ADFS role should be deployed within the corporate network, and not in the DMZ.  The federation servers are domain joined and hold the token signing private key, so they are never exposed directly to the Internet; the ADFS proxy role (WAP in 2012 R2) is the component intended to be installed into the DMZ and published.

The default topology for Active Directory Federation Services (AD FS) is a federation server farm, using the Windows Internal Database (WID), that consists of up to five federation servers hosting your organization’s Federation Service. In this topology, AD FS uses WID as the store for the AD FS configuration database for all federation servers that are joined to that farm. The farm replicates and maintains the Federation Service data in the configuration database across each server in the farm.

Since the availability of Office 365 relies upon the availability of ADFS when the domain is federated there is a strong recommendation to have at least two ADFS servers with a redundant ADFS proxy infrastructure.

Please review the design guidance on TechNet.

ADFS Service Account

We can now use a standard service account or a Group Managed Service Account (GMSA) in ADFS 2012 R2.  A GMSA is the better choice where the domain supports it: its password is long, random, rotated automatically by AD DS and never known to an administrator, so there is nothing to write down, expire or phish.

In this case, since the KDS root key was not configured, let's leverage a standard service account.  Treat it like any other privileged credential: a long random password, a tracked rotation process, and no interactive logon rights.

The installation process should set the required Service Principal Name (SPN), host/<federation service name>, on the account, provided the installer is run with credentials that can write to it.  Verify afterwards with setspn -L <account>; if the SPN is missing, Kerberos authentication to ADFS fails and clients fall back to credential prompts.

ADFS Namespace

Select what name you are to use to access AD FS.  Typically this is along the lines of:

sts.wingtiptoys.ca

adfs.tailspintoys.ca

Note that this is the namespace for the ADFS service, not the hostname of a server.  Since we will be using Kerberos to access ADFS internally, there must be a Service Principal Name (SPN), host/adfs.tailspintoys.ca, registered for this name.  This SPN is associated with the service account, and since SPNs operate in the “Highlander – there can be only one!” mode you do not want to duplicate the SPN by naming the computer the same as the ADFS namespace: every domain computer automatically owns HOST/<its own FQDN>, so a server called adfs.tailspintoys.ca would hold the same SPN as the service account, the KDC could not tell which account's key to use for the ticket, and Kerberos authentication to ADFS would fail.

You also want to discuss what display name should be chosen, as this will be visible to users.

Internet Access

The AD FS server will require access to the Internet in order to complete the configuration of the solution.  This may be an issue if your servers are behind a proxy solution.

Certificates

Since AD FS leverages SSL, we need to have an SSL certificate.  You could try three options, but only one will work:

  1. Self-signed certificate
  2. Certificate issued from internal PKI
  3. Certificate from 3rd party public CA

Office 365 needs to see a valid Service Communication Certificate on your ADFS infrastructure, so you are going to have to buy a certificate from a public CA.  Office 365 will not trust a service communication certificate that is either self-signed or from your internal CA, which results in tears.  The certificate must contain the ADFS namespace (for example adfs.tailspintoys.ca) in its subject or subject alternative names, must be installed with its private key in the computer's personal store on every federation server and proxy, and must chain to a root that Microsoft's servers trust, complete with any intermediate certificates.  We can use self-signed certificates for the Token Decrypting and Token Signing Certificate.  These are separate from the service communication cert, are generated by ADFS itself, and are trusted by Office 365 because their public keys are exchanged via the federation metadata rather than via a CA.  The flip side is that ADFS rolls them over automatically (by default annually), and the new token signing certificate has to be updated in Office 365 or federated sign-in stops working.

Please follow the documentation from your chosen CA to request, install and complete the certificate.  The steps required vary from vendor to vendor and also over time.  Make sure you are not missing any updated intermediate certificates!  How would you know?  Follow their  process!!

For the purposes of this post we shall deploy the initial ADFS server, and in the future add another ADFS server for redundancy.

Installing ADFS On Windows Server 2012 R2

After starting up server manager’s add roles and features wizard, select Active Directory Federation Services, then click next.

ADFS 2012 R2 Role Installation

We don’t need to add any additional features.  Remember that the IIS dependency was removed in ADFS 2012 R2.

ADFS 2012 R2 Role Installation

Clicking next takes us to the ADFS splash screen.  Note that it helpfully tells us that the specific ADFS proxy role has been removed in Windows 2012 R2 and how to go about installing it.  Shame I missed that the very first time  I ran this, and could not find the old school ADFS Proxy role…

ADFS 2012 R2 Role Installation

Clicking next will then install the necessary bits.

ADFS 2012 R2 Role Installation Confirmation

Bits are being shuffled around…

ADFS 2012 R2 Role Installation In Progress

Shuffling has been completed, and the installation is complete.   You can launch the ADFS configuration wizard from here, or alternatively if this window is closed it can be launched from server manager.

ADFS 2012 R2 Install Role

Before starting the ADFS configuration wizard I had already installed my 3rd party certificate and tested that it was correctly installed.

Additionally a service account called ADFS-Service  was also pre-created.

The wizard also states that you must have access to Domain Admin (DA) credentials!

Note that you are only given the option to either make a new ADFS farm or add this box to an existing farm.  This avoids the painful issue from older ADFS builds where, if ADFS had not been installed into a farm, you were then unable to easily add a second ADFS server for redundancy.

ADFS 2012 R2 Install Welcome Screen

Provide your domain admin credentials.

ADFS 2012 R2 Install Connect To AD

We need to select the SSL certificate that we will use and also provide the ADFS name we selected in the design process.

In this case the name is adfs.tailspintoys.ca   — note that there is no concept of an InternalURL or ExternalURL for the ADFS namespace.  Clients will use the same name on the intranet and Internet to locate ADFS.  Thus split DNS will make life simple: internally the name resolves to the ADFS server (or the load balancer in front of the farm), externally it resolves to the ADFS proxy, and the federation servers themselves are never published.

Provide your chosen display name, and click next.

ADFS 2012 R2 Install Specify Service Properties

As mentioned earlier it is possible to use a GMSA as the ADFS service account.  A GMSA will automatically update the service account's credentials and administrators will also be oblivious as to its password.  Note that if you do want to use a GMSA, please review the required setup for this, noting the DC version requirements (a Windows Server 2012 or later domain controller and schema) and the steps you must manually perform, starting with creating the KDS root key using Add-KdsRootKey.  By default the key only becomes usable about 10 hours after creation, so that it has time to replicate to all DCs.

In this case a standard service account was used.

ADFS 2012 R2 Install Specify Service Account
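For completeness, here is how the GMSA path looks end to end in PowerShell.  This is an added example and not part of the original walkthrough.  The domain name TAILSPINTOYS, the account name ADFS-gMSA, the group ADFS-Servers and the server names TAIL-CA-STS01 and TAIL-CA-STS02 are assumptions, and the thumbprint is a placeholder for your own service communication certificate.

```powershell
# Added example: Group Managed Service Account for ADFS 2012 R2 instead of the
# standard service account used in this post.  All names below are assumptions.
Import-Module ActiveDirectory

$fsName    = 'adfs.tailspintoys.ca'   # federation service name from the design
$gmsaName  = 'ADFS-gMSA'              # assumed gMSA name
$hostGroup = 'ADFS-Servers'           # assumed group of ADFS computer accounts
$adfsHosts = 'TAIL-CA-STS01$', 'TAIL-CA-STS02$'   # assumed farm members

# --- On a domain controller / admin workstation with RSAT ---

# 1. KDS root key.  Needs a Windows Server 2012 or later DC.  In production create
#    it once and wait ~10 hours for replication.  Back-dating EffectiveTime makes
#    the key usable immediately and is for LAB USE ONLY.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Only the ADFS computer accounts may retrieve the managed password.
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $hostGroup -Members $adfsHosts

# 3. The gMSA itself, owning the host/<federation service name> SPN.  The farm
#    members must NOT be named $fsName, or they would duplicate this SPN.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName $fsName `
    -ServicePrincipalNames "host/$fsName" `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup

# --- On each ADFS server, after a reboot so the new group is in its token ---

# 4. Confirm this host can retrieve the managed password before installing.
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "$env:COMPUTERNAME cannot retrieve the password for $gmsaName"
}

# 5. Create the farm with the gMSA instead of -ServiceAccountCredential.
Import-Module ADFS
Install-AdfsFarm `
    -CertificateThumbprint 'REPLACE-WITH-SERVICE-COMMUNICATION-CERT-THUMBPRINT' `
    -FederationServiceDisplayName 'Tailspintoys STS' `
    -FederationServiceName $fsName `
    -GroupServiceAccountIdentifier "TAILSPINTOYS\$gmsaName`$"
```

The trailing $ in the -GroupServiceAccountIdentifier value is part of the gMSA's SAM account name, which is why it is escaped inside the double-quoted string.  Step 4 failing usually means the server has not rebooted since being added to the group, or the KDS root key is not yet effective on the DC it is talking to.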

Select the database configuration as per the design.

The Tailspintoys corporation will use WID.

ADFS 2012 R2 Install Specify Database

Review the options, and when happy pull the trigger!

ADFS 2012 R2 Install Review Options

For reference the PowerShell script is shown here:

#
# Windows PowerShell script for AD FS Deployment
#

Import-Module ADFS

# Get the credential used for the federation service account
$serviceAccountCredential = Get-Credential -Message "Enter the credential for the Federation Service Account."

# Create a new farm using the default WID store, the service communication
# certificate installed earlier, the federation service name chosen in the
# design, and the pre-created standard service account
Install-AdfsFarm `
-CertificateThumbprint:"5804746A7980C8682FBF408D48EF6C3B02A5ZORG" `
-FederationServiceDisplayName:"Tailspintoys STS" `
-FederationServiceName:"adfs.Tailspintoys.ca" `
-ServiceAccountCredential:$serviceAccountCredential

The ADFS pre-requisite checks are done, and we can proceed to the configuration:

ADFS 2012 R2 Install Pre-Requisite Checks Completed

One coffee later, we have a shiny new ADFS server – whoo!!

ADFS 2012 R2 Installation Completed

We are not quite done yet, and there a couple of additional things to do!

Next Steps

ADFS Update(s)

Update 29-5-2014:  Please also review update 2948086 Update that improves AD FS proxy and STS reliability in Windows Server 2012 R2 when multiple clients sign in.

Update 11-12-2014:  The above update 2948086  is now bundled in this rollup: May 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2

Update 16-7-2014:  Other updates you may want to review are at the bottom of this post.

When multiple clients (over 200 clients) try to sign in by using an Active Directory Federation Services (AD FS) proxy, the AD FS proxy consumes 100% of the CPU.  In this situation, the AD FS proxy performance is slow, and causes a delay that exceeds 10 seconds.  This also causes STS to work under minimal load.  Therefore, STS rejects the requests or serves only 5 to 10 requests per second.

DNS A Record

We must create the DNS record for the ADFS instance.  This maps to the ADFS namespace that we previously planned.  Create this A record in your internal DNS infrastructure, pointing at the ADFS server (or the load balancer VIP in front of the farm).

Once the DNS record has been created and propagated, ensure that it resolves correctly.

One thing to mention here: if you create a CNAME and point that to the server hosting ADFS, chances are that you will run into a never ending authentication prompt situation.

In the below example the ADFS namespace is called adfs.tailspintoys.ca and a CNAME was used to direct traffic to the ADFS server called tail-ca-sts.tailspintoys.ca.  When the alias is resolved, the client may build the Kerberos SPN from the target host name and request a ticket for HOST/tail-ca-sts.tailspintoys.ca, which belongs to the computer account, instead of host/adfs.tailspintoys.ca on the service account.  ADFS cannot use that ticket, authentication fails, and the browser keeps prompting.

ADFS Name Resolution Using DNS CNAME Record

The easiest way to stop this is to use  a regular A record, like so:

ADFS Name Resolution Using DNS A Record

There is also an option contained in KB 911149  that some folks have mentioned.

Additional Steps

The TechNet deployment guide also covers additional steps to configure AD FS after you install the first federation server.

For more information about how to deploy AD FS, see How to deploy AD FS in Windows Server 2012 R2.


Verify Federation Service Metadata

Open Internet Explorer and navigate to your ADFS server’s federation metadata URL.

This will be something like the below, just change the FQDN to match your environment.

https://adfs.tailspintoys.ca/federationmetadata/2007-06/federationmetadata.xml

https://sts.contoso.com/federationmetadata/2007-06/federationmetadata.xml

The result should show this:

Testing ADFS Federation Metadata

Verify ADFS Sign-In Page

Browse to the ADFS sign-in page and test that you are able to authenticate.

The URL will be similar to the below, again change the FQDN to match your organisation's.  Note the .aspx extension: on ADFS 2012 R2 the .htm spelling returns a 404.

https://adfs.tailspintoys.ca/adfs/ls/idpinitiatedsignon.aspx

https://sts.contoso.com/adfs/ls/idpinitiatedsignon.aspx

You should see the below, and be prompted to sign in:

ADFS 2012 R2 Sign-In Page

Depending upon how IE is configured you will either be prompted to provide credentials or be automatically signed-in.

If you want to have users be automatically signed-in then configure your browser settings to trust the federation server role by adding your federation service name (for example, https://adfs.tailspintoys.ca) to the browser’s local intranet zone. This will enable seamless sign-in using Windows Integrated Authentication.

ADFS 2012 R2 Enabling Automatic Sign-in For Local Intranet Zone
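To make these checks repeatable, here is a PowerShell sanity check that covers the points from the planning section (server name versus federation service name, a single host/ SPN, an A record rather than a CNAME, a publicly trusted service communication certificate) together with the metadata and sign-in page tests above.  It is an added example and not from the original post.  It assumes the federation service name adfs.tailspintoys.ca and that it is run on a farm member, as a domain user who can read AD DS, with the ADFS, ActiveDirectory and DnsClient modules available.

```powershell
# Added example: post-install sanity checks for an ADFS 2012 R2 federation server.
# Assumptions (not from the original post): federation service name below; run on a
# farm member with the ADFS, ActiveDirectory and DnsClient modules present.
Import-Module ADFS
Import-Module ActiveDirectory

$fsName  = 'adfs.tailspintoys.ca'
$results = @()
function Check($name, [bool]$ok, $detail) {
    $script:results += New-Object PSObject -Property @{ Check = $name; Passed = $ok; Detail = "$detail" }
}

# 1. The computer must not share the federation service name: the computer account
#    already owns HOST/<its FQDN>, so the SPN would be duplicated.
$hostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Check 'Host name differs from federation service name' ($hostFqdn -ine $fsName) $hostFqdn
Check 'ADFS HostName property matches namespace' ((Get-AdfsProperties).HostName -ieq $fsName) (Get-AdfsProperties).HostName

# 2. Exactly one account in the domain may hold host/<federation service name>.
$spnOwners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=host/$fsName)" -Properties servicePrincipalName)
Check 'host/ SPN registered exactly once' ($spnOwners.Count -eq 1) (($spnOwners | Select-Object -ExpandProperty Name) -join ', ')

# 3. The name must resolve via an A record; a CNAME in the chain breaks Kerberos.
$dns      = Resolve-DnsName -Name $fsName -Type A -ErrorAction SilentlyContinue
$hasCname = [bool]($dns | Where-Object { $_.Type -eq 'CNAME' })
Check 'Resolves via A record, no CNAME' (($dns -ne $null) -and -not $hasCname) (($dns | ForEach-Object { "$($_.Type) $($_.IPAddress)" }) -join '; ')

# 4. Service communication certificate: names the service, is not self-signed,
#    chains to a trusted root, and is not about to expire.
$svcCert = (Get-AdfsCertificate -CertificateType Service-Communications).Certificate
$sanText = ($svcCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }) -join ' '
$nameOk  = ($svcCert.Subject -match [regex]::Escape($fsName)) -or ($sanText -match [regex]::Escape($fsName))
Check 'Service comms cert names the federation service' $nameOk $svcCert.Subject
Check 'Service comms cert is not self-signed' ($svcCert.Subject -ne $svcCert.Issuer) $svcCert.Issuer
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
Check 'Service comms cert chains to a trusted root' ($chain.Build($svcCert)) (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
Check 'Service comms cert valid for 30+ days' ($svcCert.NotAfter -gt (Get-Date).AddDays(30)) $svcCert.NotAfter

# 5. Federation metadata: reachable over TLS, entityID matches the namespace, and
#    at least one token signing certificate is published (what Office 365 trusts).
try {
    $resp     = Invoke-WebRequest -Uri "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
    $meta     = [xml]$resp.Content
    $entityId = $meta.EntityDescriptor.entityID
    $signing  = $meta.SelectNodes("//*[local-name()='KeyDescriptor' and @use='signing']").Count
    Check 'Metadata entityID matches namespace' ($entityId -eq "http://$fsName/adfs/services/trust") $entityId
    Check 'Metadata publishes a token signing cert' ($signing -ge 1) "$signing signing key(s)"
} catch { Check 'Federation metadata reachable' $false $_.Exception.Message }

# 6. The IdP-initiated sign-on page answers.  Interactive sign-in is still tested in a browser.
try {
    $page = Invoke-WebRequest -Uri "https://$fsName/adfs/ls/idpinitiatedsignon.aspx" -UseBasicParsing -UseDefaultCredentials
    Check 'Sign-in page returns 200' ($page.StatusCode -eq 200) $page.StatusCode
} catch { Check 'Sign-in page returns 200' $false $_.Exception.Message }

$results | Format-Table Passed, Check, Detail -AutoSize
```

A failure in step 5 or 6 with a certificate error is itself a finding: Invoke-WebRequest applies the same chain validation that Office 365 will, so an untrusted or incomplete chain shows up here before you attempt the federation setup.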

Once we are happy that the ADFS instance is functioning appropriately we can then move onto installing the ADFS proxy role.

This will be covered in a separate post, to prevent this one getting too long!

Cheers,

Rhoderick

Comments (73)

  1. Anonymous says:

    In part one we installed the ADFS server on our corporate network, and tested that it was working. Now

  2. Anonymous says:

    Well then, here we are in part three already! Previously we: Installed ADFS 2012 R2 For Office 365 in

  3. Meagain says:

    Excellent
    Thanks

  4. Anonymous says:

    Security is an integral aspect of running modern IT operations. There is a clear understanding that we

  5. Daz says:

    Nice work

  6. Ron says:

    Excellent just what I was looking for.

  7. Anonymous says:

    The blog post on how to integrate Office 365 with Windows 2012 R2 ADFS raised an interesting question

  8. Jason says:

    My configuration fails every time during the WID install and gives an error that the service cannot be started. I’ve even tried granting the service accounts log on as rights. Still no go.

  9. Rob says:

    Excellent, worked a treat

  10. Adam says:

    Good write-up but the word "leverage" is overused.

  11. @Adam – it’s in there 4 times to annoy one of my ex-colleagues. Bit of a history :)

  12. Steven says:

    Rhoderick this is a great post. We just decided to to look into ADFS. A curious question… Does ADFS 3.0 in 2012R2 allow for a single server setup? Meaning we wouldn’t have to deploy a server in the DMZ? We only have 100 users and don’t require a very
    complicated setup. Thanks for you time! :)

  13. Hayden Greaves says:

    Hey Rhoderick, your post helped me to just confirm a few differences between the ADFS 2.0 I have done in the past and the 3.0 I need to do now; very succinct thanks! Was a bit surprised when I scrolled down and thought to myself "Hey, I know that guy!"
    You came in for a review of our environment while I was working in Toronto once.

  14. Hi Hayden – it’s a small world innit :) ?? Thanks for the shout out – much appreciated.

  15. Steven – not something I have ever done or thought of doing.

    On

    http://technet.microsoft.com/en-us/library/dn554247.aspx#BKMK_10

    The following AD FS requirements are for the server functionality that is built into the Windows Server® 2012 R2 operating system:
    • For extranet access, you must deploy the Web Application Proxy role service – part of the Windows Server® 2012 R2 Remote Access server role. Prior versions of a federation server proxy are not supported with AD FS in Windows Server® 2012 R2.

    • A federation server and the Web Application Proxy role service cannot be installed on the same computer.

    I’ll see if I can find some other references.

    Cheers
    Rhoderick

  16. Mark Gustafson says:

    Does O365 support ADFS 2.1 ?

  17. Brian F. says:

    Mark – Yes, we are using ADFS 2.0 on Windows 2008 R2 servers with o365 and are looking into upgrading to ADFS 3.0 in the near future. The way I understand it, all versions of ADFS are supported by O365. Someone else can correct me if I am wrong on this.

  18. Mindaugas says:

    Hi Rhoderick,
    do I understand right that if we need to implement Office365 (Exchange Online) with SSO, we need 2 additional servers on-premises for the ADFS Server and ADFS Proxy roles?

    Thank You.

  19. randyjthomas says:

    This is really a great post and things went swimmingly for the installation. My only problem is verifying the ADFS using IE, I can’t get a web page to display. My question is, how can the server display a web page if IIS is not installed?

  20. Brian & Mark G. – Yes you can use that, but all of the shiny new features are in ADFS 2012 R2.

    Older ones are still listed in here, for example:
    http://technet.microsoft.com/en-gb/library/dn441213.aspx

    Cheers,
    Rhoderick

  21. Mindaugas – that would be the minimum recommended number of ADFS servers.

    If you wanted HA, then double that. If that is overkill for a small organisation, please look at the works with Office 365 programme as there are providers that will do this for you at a small fee per user per month.

    Cheers,
    Rhoderick

  22. Andy Dring says:

    Hi Rhoderick,

    Deploying for a customer currently, I get the error "Unable to configure the private key store", but am unable to find any clues on the internet. Do you have any idea what can cause this?

    thanks

  23. Andy Dring says:

    Sorted it, misconfigured firewall rule – LDAP wasn’t open from the network zone where the ADFS servers are located to the PDC Emulator. Added it to the rule and it’s installed.

  24. Mick says:

    Ok that was easy enough – when I followed your guide…
    Thanks!!!!

  25. Thanks for the comment Mick – glad it helped!

    Andy – good you are up and running. After seeing a customer today with a 2008 R2 DC called "PDC" and the other DC called "BDC" it reminded me of the importance of the PDC emulator role even nowadays!

    Cheers,
    Rhoderick

  26. Chadi says:

    Hi Rhoderick,

    Thanks for the write up. I currently have an on-premise ADFS 2.0 farm working with O365 and want to add an ADFS 3 server on Azure as a secondary server and then make it the primary. Besides setting up a VPN tunnel to Azure and the normal install and join ADFS
    farm steps are there any other configuration that I need to do or consider?

    Thanks

  27. Lucky Bhandari says:

    Thanks mate

  28. ck says:

    STILL NO DOCUMENTATION FROM MICROSOFT FOR HIGH AVAILABILITY ADFS 3.0 implementation ?????

  29. Tim says:

    Rhoderick,

    Can you tell me if it’s possible to setup O365 with ADFS to allow a hierarchical login option? Meaning, the default option is to use certificate based authentication but if the end user does not have a smart card they have the option to use their LDAP user
    name and password as a secondary option?

  30. Ricardo says:

    Perfect!!

  31. update not applicable says:

    Rhoderick, kb/2948086 states "not applicable to your computer" when launched from a 2012r2 farm server. Has this been superseded by another update? Maybe I’m not awake yet?

  32. Tim – let me see what I can find on this.

    Cheers,
    Rhoderick

  33. Mr Update (for lack of a better name, could be MRs but I’m guessing…. :) )

    That will probably be the case, I suspect you just built a 2012 R2 server, have it fully patched and went to install that update?

    Cheers,
    Rhoderick

  34. Looks like it is in here:

    May 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2

    http://support.microsoft.com/kb/2955164

    Cheers,
    Rhoderick

  35. Anonymous says:

    1 Introduction
    In this article we will look at upgrading ADFS servers

  36. Nuno says:

    Since SSO is now supported without ADFS, what are the advantages of keeping ADFS?

  37. Anonymous says:

    In an organization's transition to Office 365, a very common scenario

  38. Anonymous says:

    This is a link throw-down for the items that we discussed during a recent Office 365 workshop that I

  39. naveen says:

    can we use self-signed certificate

  40. Please see the Certificates section in this post.

    Cheers,
    Rhoderick

  41. Nuno – that is a good question. Have something in draft for you! Will publish it shortly.

    Cheers,
    Rhoderick

  42. Martin Meiringer says:

    Great Blog. This helped me so much planning and finding the necessary requirements, and then finally implementing this in 10 minutes or less. Very much appreciated.

  43. Dan Jones says:

    I can browse to the federation metadata OK –
    https://adfs.contoso.co.uk/federationmetadata/2007-06/federationmetadata.xml

    For both adfs and sts, I’m using an A record and have my spn registered "host /sts.contoso.co.uk" for service.adfs

    But https://sts.contoso.co.uk/adfs/ls/idpinitiatedsignon.htm displays a 404 every time!

    Please advise

  44. Dan Jones says:

    Never mind, with ADFS and Windows 2012 R2 the actual URL is
    https://sts.contoso.co.uk/adfs/ls/idpinitiatedsignon.aspx

  45. anon says:

    Challenges………..

    Additional Hardware
    ADFS: Two clustered servers in the DMZ; two clustered servers behind the firewall

    <Snip>

    Removing 3rd party advert.  If naming a vendor, please name 3 or none.

    </Snip>

  46. anon says:

    Not a 3rd party advert, simply stating facts about ADFS server vs another product. Quite happy for you to address each challenge presented. However I’ll amend without naming the vendor if you so wish

    Additional Hardware
    ADFS: Two clustered servers in the DMZ; two clustered servers behind the firewall
    Un named product: None

    Firewall Reconfiguration
    ADFS: Requires hole in firewall
    Un named product: None

    Third-party certs
    ADFS: Required
    Un named product: None

    Support for additional SaaS apps
    ADFS: Requires individual configuration and debugging
    Un named product: Choose from a rich catalogue of pre-integrated apps

    Time to implement
    ADFS: 1-2 weeks for Office 365; days to weeks for additional apps
    Un named product: Less than an hour for Office 365 or any other app

  47. Anonymous says:

    I’m on the my 3rd iteration of my EMS lab. Meaning, I had something up and running (twice) then tore

  48. Vijay B.Girija says:

    Excellent article !!!

  49. Meraj says:

    Very nice and helpful article, Thanks. I am stuck in configuration wizard, where ssl certificate and Federation Service name is required. I have self signed certificate, when give that certificate, it does not respond and next option becomes disabled.

  50. Meraj – you must have a valid 3rd party certificate. It will not function with a self signed cert for the service communication certificate.

    Please read the certificate section above

    Cheers,
    Rhoderick

  51. Confused says:

    Hi,

    the confusion is related to the amount of information that I’ve read. (DirSync, ADFS 2.0 and Active Directory)

    I have two scenarios to understand what options I use.

    1 – Active Directory site with users who use the CRM / Office 365. Of the 300 members, only 20 use CRM / Office 365. They access both internally and externally, when they are at home office.

    – Basically, I thought of installing a server to use the dirsync that will synchronize users and passwords that are in Active Directory Azure (Office 365 / CRM)

    – Question 1: When I enable synchronization, I understand that it will create new users in Active Directory Azure, but these users already exist in Active Directory Azure. The risk that I have is that after synchronization, users already using the login Active
    Directory Azure have problems with CRM / Office 365.

    – Question 2: I can choose which users will be synchronized? Or must all be?

    – Question 3: Should I use ADFS in this scenario?

    2 – I am planning to migrate users of Group Wise to Office 365.

    – I’ve read the migration will be performed using the tool QUEST and will use simple forwarding SMTP.

    – Basically, I will enable Office 365, add the domain, install a server with dirsync and activate the licenses for users who use Office 365. Right?

    – However, DirSync has some negative risks, such as the password replication time, which is not immediate. So, researching, I started reading about ADFS. It seems that the ADFS configuration is simple, but from what I understand, all users, whether internal or external,
    need to go through ADFS and if it is unavailable, it becomes a point of failure.

    – If I use ADFS, the login method in Office 365 will be the same using (@ domain.com)? Or should be done (domain login)?

    – Another point is the fact of using a proxy ADFS. I did not understand his job exactly. I was not sure whether I need it or not really.

    – Other information I read was about the ADFS Federation Gateway. That confused me further.

    – I also read that some experts use ADFS 2.0 (Windows 2008 R2), but there ADFS 3.0 (Windows 2012). I do not know which one to use? What changes between the two.

    – My goal is: To enable users migrated to Office 365 using the same username and password from the local Active Directory.

    Thank you.

  52. @Confused – you win the prize for the most questions ever in a blog comment :)

    Use the latest version of ADFS. Currently 2012 R2, it has the most features.

    There is no ADFS Federation gateway. There is MFG, but that is for Exchange really.

    If you already have user objects in a tenant, look at the soft match process.

    Cheers,
    Rhoderick

  53. Rocky says:

    Internal and external domain UPNs are different:

    Internal: hq.contoso.com
    External:contoso.com

    Do I need to setup split DNS for contoso.com? That domain only exists external and everything works just fine: www, OWA, Autodiscover, ActiveSync, etc….
    Its stated: "note that there is no concept of an InternalURL or ExternalURL for the ADFS namespace. Clients will use the same name on the intranet and internet to locate ADFS. Thus split DNS will make life simple!", I’m a bit confused how this might affect
    name resolution for services: www, OWA,ActiveSync, etc….

  54. That’s because Exchange has the concept of internal and external URLs Rocky. ADFS does not, and only has a single namespace so you must have that same name available internal and externally .

    Cheers,
    Rhoderick

  55. Rocky says:

    Ok. Understand that namespace must made available internally and externally. But, how do I make that namespace available internally to our domain users without potentially disrupting our other services (i.e; http://www.contoso.com, autodiscover.contoso.com, vpn.contoso.com,
    owa.contoso.com, etc…)??????
    I’m assuming i create internal dns zone for contoso.com and create a record with internal IP of ADFS proxy.
    Thanks!

  56. Steve says:

    Is the Service Principal Name "fs.Company.com" possible as a principal name (NLB and ADFS are identical)? Our internal Outlook authentication is currently Basic and not Kerberos. What’s going wrong? Must I configure anything else?

  57. Khutsho Lebelo says:

    Thanks Excellent

  58. Khutsho Lebelo says:

    Thanks Excellent

  59. varandian says:

    Great write-up! Just one comment…for the SSL cert, you want to mention that it needs to be a Legacy Key instead of a CNG Key.

  60. Dal says:

    If I use DirSync to provide single signon do I need AD FS server?

  61. JB says:

    Thank you, great guide. So I am actually trying to connect a PIV smart card to Office 365 with ADFS 3.0 but it is not working. I have opened port 49443 and the following URL
    https://fs.contoso.com/adfs/ls/IdpInitiatedSignOn.aspx offers the X.509 option; WHEN I PUT IN THE SMART CARD IT SAYS THE ERROR is not reading. I reviewed the event viewer and this is the error:

    Encountered error during federation passive request.

    Additional Data

    Protocol Name:
    wsfed

    Relying Party:
    urn:federation:MicrosoftOnline

    Exception details:
    System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.KerberosCertificateLogon(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Claims.WindowsClaimsIdentity.CertificateLogon(X509Certificate2 x509Certificate)
    at Microsoft.IdentityModel.Claims.WindowsClaimsIdentity.CreateFromCertificate(X509Certificate2 certificate, Boolean useWindowsTokenService, String issuerName)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityServer.Service.Tokens.MSISX509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
    at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
    at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
    at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
    at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
    at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestSingleSingOnToken(ProtocolContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
    at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSsoSecurityToken(WSFederationSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken& ssoSecurityToken)
    at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.ProcessSingleSignOn(ProtocolContext context)
    at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
    at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.OnGetContext(WrappedHttpListenerContext context)

    I would like to know the steps to get our smart card recognised so it validates in Office 365.

    Thank you

  62. Shalini says:

    Purchased Domain : frankloft.com

    ADFS Name space : sts.crest.local

    When we are trying to access https://portal.office.com in intranet it routes to sts.crest.local which is the ADFS Name space. Since it is intranet we are able to login and the SSO is working successfully.

    To access the same ADFS name space over internet we have purchased a public IP and we have NAT-ed the same with the NLB IP of ADFS Proxy server.

    We have added a DNS Host A record for sts.crest.local pointing to the public IP.

    However, when we are trying to access https://portal.office.com on the internet it is unable to route to the internal ADFS namespace (sts.crest.local).

    Kindly assist us.

    Regards,
    Shalini

  63. Shalini says:

    Hi Rhoderick Milne,

    We have deployed the Azure AD Sync server, ADFS servers with HA using NLB, and ADFS proxy servers with HA successfully. The details are below:

    Internal Domain : Crest.local

    Purchased Domain : frankloft.com

    ADFS Name space : sts.crest.local

    When we are trying to access https://portal.office.com in intranet it routes to sts.crest.local which is the ADFS Name space. Since it is intranet we are able to login and the SSO is working successfully.

    To access the same ADFS name space over internet we have purchased a public IP and we have NAT-ed the same with the NLB IP of ADFS Proxy server.

    We have added a DNS Host A record for sts.crest.local pointing to the public IP.

    However, when we are trying to access https://portal.office.com on the internet it is unable to route to the internal ADFS namespace (sts.crest.local).

    Kindly assist us.

    Regards,
    Shalini

  64. .local domains will never work over the Internet. That’s the whole point behind them.

    Use a publicly routable namespace.

    Cheers,
    Rhoderick

  65. Anonymous says:

    The year 2015 is almost done, and 2016 is upon us! As in previous years, I thought it would be interesting

  66. Damien G says:

    Good afternoon. Please help me. I have set up ADFS 3.0 on our DC running Windows Server 2012 R2.

    I have DirSynced all our accounts to Office 365 and configured Single Sign-On. I can redirect to our ADFS logon page; however, when you are redirected to the ADFS logon page it is still asking for a password. I have AD synced to Azure also, and according to both domains they are federated for Single Sign-On. I have assigned a wildcard certificate and made sure the domain exists everywhere. I also have the token certificates configured as ADFS creates them when it is set up. As far as I can see it should all work, however I still can’t get it to bypass the logon and go straight into Office 365. It does log in manually absolutely fine using the UPN suffix. I have made sure all accounts have been updated to the UPN suffix I wish to use. I also have TMG 2010 configured as our Web Application Proxy, and when you do a test using the test connectivity page on Microsoft it all passes. I am just not sure what I could be missing to cause it not to log on automatically. Any help would be really appreciated.

    Thank you,

    Damien

  67. Damien,

    If you follow the series of these 3 articles, it will walk you through all of the steps required.

    What do you mean you are using TMG as WAP?

    Cheers,
    Rhoderick

    1. satya11 says:

      Hi, I don’t have an ADFS Proxy. While logging in to https://outlook.com/domainname.com
      I am getting this error:
      Additional technical information:
      Correlation ID: 91383
      Timestamp: 20xx-0x-x8 21:49:48Z
      AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials