Install Active Directory Federation Services on Windows Server 2012 for Office 365

Author by Michael Epping

Active Directory Federation Services provides Single Sign-on capabilities to Office 365 customers, as well as forms based authentication for external users on non-domain joined computers and other devices.  AD FS with Office 365 requires version 2.0 or higher, meaning the version packaged with Windows Server 2008 R2 does not work.  Previously AD FS 2.0 was available as a download for Server 2008 R2, but with Windows Server 2012 the version built into Windows is now viable for use with Office 365.  Here are the steps to follow when configuring AD FS for Office 365 on Windows Server 2012.
  • Verify that Directory Synchronization is functioning properly and that your synced users are activated.  To do so log into Office 365 as an administrator (login.microsoftonline.com), go to the Users menu and check when the directory was last synced.  If Directory Synchronization is not working you may need to verify the functionality of your directory synchronization server.  Microsoft does not support installing AD FS and Dirsync on the same server.  As of right now Dirsync does not officially support Windows Server 2012, but there are workarounds.
[caption id="attachment_10853" align="aligncenter" width="627"]A functioning Dirsync in Office 365. In this example the Dirsync tool ran 2 hours ago. By default the tool will run every 3 hours.[/caption]
  • Log into the server you will be using for your first AD FS server.  This server should generally have at least 4 GB of RAM and 4 CPU cores.  This example will use Server 2012, but Server 2008 R2 is also supported.  If you use Server 2008 R2 you cannot use the method outlined in this article.  The version of AD FS installed by Server Manager on Server 2008 R2 is too old to work with Office 365.  You must download the newer version from here: http://www.microsoft.com/en-us/download/details.aspx?id=10909.  The AD FS server role can be virtualized, but do not thin provision the memory resources.  Microsoft does not support collocating the AD FS role and the Directory Synchronization role on a single server, but in small environments I have not had any problems doing this.  However, if you are implementing high availability for an entire AD FS Farm using Hardware Load Balancing or Network Load Balancing then I would recommend a separate server for Directory Synchronization.  Additionally, the AD FS role uses the Default Web Site in IIS, so it cannot be collocated with other applications that also use the Default Web Site.
  • Open Server Manager and click Add roles and features.  Choose Role-based or feature-based installation and click Next.  Check Active Directory Federation Services, choose Add Features, and click Next.
[caption id="attachment_10857" align="aligncenter" width="560"]In Server 2012 the AD FS role is added through Server Manager. In Server 2012 the AD FS role is added through Server Manager.[/caption]
  • On the features menu select .NET Framework 3.5 Features.
  • Click Next until you get to the Role Services menu.  Leave everything but Federation Service unchecked and click Next.
[caption id="attachment_10858" align="aligncenter" width="560"]Don't install any AD FS 1.x components or the Federation Service Proxy. Don't install any AD FS 1.x components or the Federation Service Proxy.[/caption]
  • Click Next until you get to the confirmation screen and click Install.  Click Close when the installation is done.
  • At this point we need an SSL certificate for the AD FS service.  If the AD FS service will only be used by domain-joined machines then you can simply issue an SSL certificate from your internal certificate authority.  However, this will prevent many types of clients, including mobile clients, from logging into Office 365 resources.  Unless you are running in a test environment you should always get a certificate from a publicly trusted certificate provider (Digicert, GoDaddy, Network Solutions, etc.)
  • Open IIS Manager, click on the name of the server and then double click on Server Certificates in the middle pane:
[caption id="attachment_10859" align="aligncenter" width="614"]We won't need to change any other settings in IIS Manager. The only thing we need to do in IIS Manager is configure the certificate for the Default Web Site. The AD FS configuration wizard is going to take care of the rest.[/caption]
  • Choose Create Certificate Request from the right column.  In the common name field choose what your certificate will be named.  I would recommend adfs.contoso.com, fs.contoso.com, or sso.contoso.com.  Put an A record in internal DNS for whichever name you choose and point that A record at the IP of the AD FS server.  Fill out the rest of the information on the first menu with your Company’s details and click Next.
[caption id="attachment_10861" align="aligncenter" width="549"]The Common Name field is the only one that is really important. The Common Name field is the only one that is really important.[/caption]
  • Change the Bit length to 2048 and click Next.  Choose a location to save your certificate request and click Finish.  Submit the certificate request to your internal CA (if only domain joined clients will use SSO) or to a public certificate provider.
  • When you have your certificate response go back to IIS and choose Complete Certificate Request from the right pane.  Choose the certificate authority’s response, choose a Friendly Name and click OK.  Close IIS Manager.
[caption id="attachment_10862" align="aligncenter" width="549"]The Friendly Name field can be useful if you have more than one certificate on the AD FS server. Make sure to save the certificate in the Personal store.[/caption]
  • Open Server Manage again and click on the flag with the yield sign near the top of the window and choose Run the AD FS Management snap-in
You can also run this wizard by opening the AD FS Management Console from the Administrative Tools menu.
  • In the new menu click AD FS Federation Server Configuration Wizard in the middle pane
  • Choose Create a new Federation Service and click Next.  On the next menu you need to decide what type topology you will use for AD FS.  If you are going to use Hardware Load Balancing or Network Load Balancing to make your AD FS farm highly available then you must choose New federation server farm at this point.  We aren't going to use high availability here, so we will choose Stand-alone federation server.  If you choose the second option you cannot add additional AD FS servers in the future.  You will have to create an entirely new AD FS farm.
[caption id="attachment_10864" align="aligncenter" width="586"]The process is largely similar if you are creating additional servers in an AD FS farm. If you think you might want highly available AD FS servers later you can choose New federation server farm and set up additional servers at a later date.[/caption]
  • The next menu will ask you to choose an SSL certificate for the AD FS service.  If the certificate we installed through IIS Manager is the only certificate on the server then it will be automatically selected.  Click Next.
[caption id="attachment_10865" align="aligncenter" width="460"]If you have multiple certificates make sure you choose the correct one. If you have multiple certificates make sure you choose the correct one.[/caption]
  • Click Next again to begin the configuration process.  Click Close when the wizard completes.
  • Go to http://www.microsoft.com/en-us/download/details.aspx?id=28177 on your AD FS server and install the 64-bit Online Services Sign-in Assistant
  • On your AD FS server log into the Office 365 control panel as an administrator (login.microsoftonline.com) and go to the Users menu.  At the top select Set up next to Single Sign-on
[caption id="attachment_10866" align="aligncenter" width="598"]Make sure not to deactivate Dirsync. Select Set up at the top of the Users menu in the Office 365 portal.[/caption]
  • Under Step 3 select the Windows 64-bit version of the Windows Azure Active Directory Module for Windows PowerShell and click Download:
[caption id="attachment_10868" align="aligncenter" width="611"]You can use this tool on other machines, but it requires extra PowerShell steps to set up Single Sign-on if you do. You can use this tool on other machines, but it requires extra PowerShell steps to set up Single Sign-on if you do.[/caption]
  • Click Next on the Welcome screen and accept the License terms.  Click through the prompts until the tool is installed.
  • From the Desktop icon or the Start Screen run the Microsoft Online Services Module for Windows PowerShell.  Enter the following commands:
    • $cred = Get-Credential
    • Enter your Office 365 global administrator credentials
    • Connect-MsolService –Credential $cred
    • Convert-MsolDomainToFederated –DomainName contoso.com
[caption id="attachment_10869" align="aligncenter" width="677"]If you don't run these commands from the AD FS server then additional steps are needed. If you don't run these commands from the AD FS server then additional steps are needed.[/caption]
  • At this point Single Sign-on should be working.  Test by logging into login.microsoftonline.com from your domain-joined workstation.  When you try to log in with a user account from a federated domain you will be prompted to sign in at your domain:
[caption id="attachment_10870" align="aligncenter" width="415"]Make sure your users' UPNs are the same as their email addresses to avoid confusion. Make sure your users' UPNs are the same as their email addresses to avoid confusion.[/caption]
  • Click on Sign in at contoso.com and you will be signed directly into the site.  If you are prompted for credentials then add sso.contoso.com to your Intranet Zone in Internet Explorer.  You can apply this domain-wide using Group Policy if necessary.
These steps should get you started on Office 365, but there is still configuration to be done to allow remote users to sign in.  The next steps are installing the AD FS Proxy role on a Windows Server 2012 box in the DMZ, configuring a public IP for sso.contoso.com, installing the certificate on the Proxy, and configuring NAT rules to allow traffic on port 443 to hit the Proxy from the Internet.  Firewall rules also need to be configured to allow communication on port 443 from the Proxy to the domain-joined AD FS server we just configured.
Author

Michael Epping

Systems Engineer