Wednesday, July 29, 2015

Exploring Azure AD Connect - Part 2: Configuring SSO with AD FS

Other posts in this series:



Configuring Azure AD Connect with AD FS for Single Sign-On (SSO)


In the last post of this series I went over the basic, and fairly pain-free, process of syncing users and passwords from an On-Prem Active Directory environment to an Azure AD instance using the Express Configuration of Azure AD Connect. However, in some organizations, a requirement for single sign-on (SSO) may exist. After all, who wants to log into their laptop at the office, and then proceed to have to login to their O365-based OWA and SharePoint sites with the same credentials?! Not this guy.

Thus, a need for SSO exists, and Azure AD Connect can help meet this need by connecting to our Azure AD from our on-prem environment, setting up synchronization, AND installing and configuring AD FS. All this is done from the Azure AD Connect wizard, which is even more amazing. The wizard installs the needed pre-requisite software on the AD-joined server that you have set aside for Azure AD synchronization, and then proceeds to walk you through connecting to Microsoft Services Online (MSOL), following up with installing and configuring AD FS on the servers that you set up ahead of time. 

Let's take a look at what this process looks like.

Office 365 Environment

I am using the same Office 365 tenant that I used in my first post, using only Skype for Business Online Plan 2 licensing. To clean things up, though, I uninstalled Azure AD Connect completely from the on-prem server, deactivated synchronization in the Office 365 portal (this can take up to 72 hours to take effect), and then deleted all users that had synced from the on-prem Active Directory from the last post. Per the last post, the custom domain "s4blab.org" is already setup in the portal, with all necessary DNS records having been created. Lastly, before getting stared, I navigated to the Active Directory synchronization line at the top of the Active Users page in the Office 365 admin portal, and clicked the Manage link button. From there, I activated AD synchronization by click the Activate button, as seen below:



On-Prem Lab Environment

My "On-Prem" environment is actually a virtual environment in Rackspace's Public Cloud. All servers in this environment are running Windows Server 2012 R2, and have been fully patched, and all are domain-joined (in a typical production environment, you would have your AD FS Web Access Proxy in a DMZ, not in the AD domain). The environment consists of:
  • 1 Active Directory Domain Controller
  • 1 small server for installing Azure AD Connect
  • 1 AD FS server
  • 1 AD FS Web Access Proxy server
Please note, for Azure AD Connect to be able to install the necessary AD FS roles on both the AD FS and AD FS WAP servers, you must enable Remote Management on these servers. You must also do this on the DC, if you plan to have the wizard automatically create a Managed Service Account in Active Directory.

Configure Synchronization with SSO in Azure AD Connect

  • First, you must download the Azure AD Connect tool onto the server that you have joined to the domain for establishing your hybrid synchronization scenario: https://www.microsoft.com/en-us/download/details.aspx?id=47594
  • After you double-click the Azure AD Connect installer, the first screen you will see will prompt you to agree to the terms. The next screen prompts you to either choose Express Configuration or Custom Configuration. We do not want Express, as we need to set up ADFS. So choose the Custom option.
  • The next screen asks what type of Synchronization we want. The first option will only allow for synchronization, but not SSO. Select the second option, Federation with AD FS, and then click Next. 

  • Next, you need to input your Azure AD credentials. This should be an account within Azure AD that has the Global Admin role, and it should be the an account with a domain of "@domain.onmicrosoft.com"; DO NOT use an account with the same domain name as the AD domain that you are trying to set up synchronization for. 
  • Next, input an account with Domain Admin privileges to connect to your on-prem AD. Once you have entered the credentials for the domain that is listed in the Forest box, click on Add Directory, and the domain will be added at the bottom. 
  • On the Uniquely identify your users screen, leave the defaults, and click Next 
  • On the Filter users and devices screen, you can either choose to Synchronize all users and devices, or you can specify a specific group in your AD that has the users that you want to synchronize. The second option is good for pilot environments, but to be perfectly honest, I was not able to get my environment to sync until I reconfigured the Azure AD Connect tool to Synchronize all users and devices. This is very likely a config problem on my part, but still, with no errors at all indicating a problem, either in the application or in the logging, I was not able to get to far on the troubleshooting. 
  • For the Optional Features, simply leave the Password Sync radio button checked. In the below example, I also checked Password Writeback, but that does not need to be done for SSO purposes.  
  • Now it is time to set up the AD FS farm. At the top of the AD FS Farm screen, you can choose to either Configure a new Windows Server 2012 R2 AD FS farm, or you can choose to Use an existing Windows Server 2012 R2 AD FS farm. Leave the default, which is Configure a new Windows Server 2012 R2 AD FS farm (Remember, we have a server ready for AD FS, but have not yet set up AD FS itself). Click the Browse button next to the CERTIFICATE FILE field, browse to your certificate with private key (.pfx file), enter the password for it, and click OK. You will now see the certificate's Subject Name below, and the new AD FS Service Name. Click Next.
  • Next, enter the server name in the Server field and click Add. You will now see a progress bar at the bottom of the screen as connectivity to the AD FS server is verified. If you have not ensure that Remote Management is enabled on this server, as mentioned above, this step will not work until you do so.
  • You can now see that the AD FS server was connected to and verified. Click Next
  • Repeat the above step for the AD FS Proxy server, and then click Next. 
  • Now you need to enter credentials that the Proxy server will use to request a certificate from the AD FS server. Once you do, click Next
  • On the AD FS Service Account screen, leave the first option selected, Create a group Managed Service Account. Again, this will not work if you have not enabled Remote Management on the DC that you are attempting to connect to. Click Next.
  • Almost through the wizard! Now you are at the Azure AD Domain. Select the domain that you want to federate with from the drop-down. If you only have one custom domain added in Azure AD, then you will only have the one domain available in the drop-down. Notice the warning at the bottom, that current logons will get disrupted during this operation. Click Next
  • Finally, the Ready to configure screen will give you a nice little summary of the actions that are about to be performed. Leave the box checked for Start the synchronization process as soon as the configuration completes
  • A progress bar displays the Configuring progress. Here we can see where AD FS is being setup remotely via the wizard. SO cool! 
  • After the AD FS portion is completed, we see that the synchronization is kicked off: 
  • The last screen, the Verify one, prompts you to set up the necessary AD FS DNS records in both your internal and external DNS zones. I had already set up the records for the AD FS service URL, and thus I clicked Verify, successfully resolving the records. Once we close the wizard, we should be able to go into our Active Users page in the Office 365 portal and view all of our newly synced users: 















At this point, we want to test our SSO capabilities. I temporarily set up one of the newly synced users, josh@s4blab.org, as a Global Admin, within the Office 365 Admin portal. When I browsed to https://portal.office.com, I get the typical Office 365 login page. After typing in the username and tabbing to the password field, however, I get redirected to my on-prem AD FS forms-based login page. Office 365 detected that the domain I was logging into was setup for SSO, and knew where to forward my users to. Very cool, and it also confirmed that AD FS was setup, functional, and reachable publicly.

After entering my password, though, and hitting Enter, I received a fairly generic error about not being able to be logged in: "Sorry, but we're having trouble signing you in. Please try again in a few minutes. If this doesn't work, you might want to contact your admin and report the following error: 80041034".


Well, I knew that the user had synced, cause I could see him in the portal. I knew that the AD FS sign-on page was reachable. I knew that AD synchronization with SSO showed as Activated in the portal. SO what was the problem?

Well, after digging into event logs (without finding anything helpful) and doing much research online, I finally discovered that there were some certificate issues within the AD FS Management console. The publicly-issued certificate that I provided during the AADC wizard was fine, but both the Token-decrypting and Token-signing certificates showed up as not Trusted when I viewed them within the console. To correct this, I performed the below actions:
  • On the AD FS server, navigate to AD FS Management console -> AD FS -> Service -> Certificates.
  • Highlight either the Token-decrypting or Token-signing certificate by clicking on it, and then click on View Certificate... in the Actions pane. 
  • Once the Certificate window pops up, we see the ugly message below telling us that the certificate is not trusted. Click on the Install Certificate button.
  • On the Certificate Import Wizard, make sure to select the radio button next to Local Machine, and click Next
  • On the Certificate Store screen, check the box for Place all certificates in the following store, and then click Browse... 
  • In the Select Certificate Store popup window, select Trusted Root Certification Authorities, and then click OK. Click Next on the Certificate Store screen, and finish up the wizard. 
  • You should then see the below popup telling you that the import was successful. Click OK, and then click OK on the Certificate window. 
  • Now, you should be able to open the Certificate properties window again, and this time you should not see any unsavory message about the certificate not being trusted. 
























And that did it! I was now able to log in to the portal, while being redirected through my AD FS sign-on page, and was successfully authenticated. I am not sure if I just initially missed something when it came to the above issue with AD FS certificates, as I am sure the intended experience is for the Azure AD Connect wizard to handle the entire setup from one place, in a simple manner. However, for those of you that run into similar issues with trying to get SSO working with your directory synchronization, I hope the above helps you. Feel free to leave comments letting me know if this helped, or if you came across another piece of the puzzle!

The next and final post in this series will be going over some of the special features that can be achieved with Azure AD Connect if you have implemented the Azure AD Premium licensing for your users.

Stay techy, my friends!

5 comments:

  1. Hi,

    in your example login (the failed one before installing certificates) you say you entered the username as if that was expected behavior.

    Does this method for SSO not enable automatic logon when within you network?
    ie Single Sign On rather than Same Sign On?

    ReplyDelete
  2. Hello Jordan!

    Good eye, and thanks for posting! While SSO works for various internal sites that may be set up for it, or other applications (SSO signed me right into Skype for Business client without any prompting), the portal and various Microsoft services are a bit different. I actually had to look into this a bit myself when you asked, cause I simply didn't think about it at the time.

    Apparently, there are these nifty things called Smart Links: https://community.office365.com/en-us/w/sso/using-smart-links-or-idp-initiated-authentication-with-office-365. Check it out. This is apparently expected behavior for the portal, and you can work around it with these Smart Links.

    Again, thanks for pointing this out. This was new to me!

    Josh

    ReplyDelete
  3. Hi Josh, Thanks for your post, quick questions...When you first installed the Skype for Business Client did you have to enter your password or did it automatically sign in?

    ReplyDelete
  4. Add adfs.contoso.com to your Intranet sites and SSO is achieved. Use http redirect on the ad fs server with o365.contoso.com and have it point to https://login.microsoftonline.com/?whr=.com and users will automatically be redirected and signed in if adfs.contoso.com is added to the intranet sites. Also don't forget to publish the WAP server application with pass-through authentication to secure your environment further. -Microsoft Employee

    ReplyDelete
  5. Just bringing this back up as Microsoft is telling me SSO and S4B Online do not work together (always need to enter your password on a reboot)
    Is this correct or have you guys got this to work with ADFS?

    ReplyDelete