This post walks you through a typical highly available AD FS setup for single sign-on to Office 365. Ideally the servers are installed as virtual machines spread across multiple Hyper-V hosts: think about redundancy not only in the virtual servers but in the Hyper-V hosts as well. Put one AD FS server and one AD FS Proxy on one Hyper-V host and the second AD FS server and AD FS Proxy on another, so a single hardware failure does not take the service down. Keep in mind that once you use single sign-on with Office 365, every sign-in depends on your local Active Directory and the AD FS farm being reachable; if they are down, users cannot get into Office 365 either, which is why the redundancy matters. The same dependency works in the other direction: whoever controls the AD FS servers or the Active Directory they front can issue tokens for your tenant, so treat them with the same care as your domain controllers. Both video and printed steps are provided to ease your implementation of AD FS and SSO.
NOTE: This step-by-step walks you through the scenario on Windows Server 2012 R2. The same approach also works on Windows Server 2016 and 2019 with slight modifications. An update to this post will be shared in the coming months.
Prepare the Base Servers
AD FS Server
AD FS Proxy Server
Directory Sync Server
Setting up AD FS requires an SSL certificate from a public (third party) certificate authority, because both the users' browsers and Office 365 must trust it without any local configuration. In production I recommend a single-name SSL certificate. Wildcard and multi-name (SAN) certificates will work, but I like to keep things simple and use a standard SSL certificate. Make sure that the common name matches what you plan to call the AD FS server farm; Microsoft's recommended convention is the host name sts (Security Token Service). In the example below I have used the value sts.domain.com. Request the certificate with an exportable private key: the same certificate and key have to be installed on every AD FS server in the farm and on each AD FS Proxy.
Create the SSL Certificate Request (CSR)
Fill out the certificate request properties, using the common name chosen above (sts.domain.com in this example), a key length of at least 2048 bits, and an exportable private key.
Fulfill the Certificate Signing Request (CSR)
We need to take the CSR generated in the last step to a third party SSL certificate provider. I chose GoDaddy; here are GoDaddy’s instructions to fulfill the CSR at their site – Requesting a Standard or Wildcard SSL Certificate. Once the certificate is issued, download the signed certificate (not the CSR) to the AD FS server that generated the request, since only that machine holds the matching private key.
Complete the Certificate Request (CSR)
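The three certificate steps above (create the CSR, have the CA fulfill it, complete the request) can also be done from PowerShell with certreq.exe, which makes the exportable-key and key-length requirements explicit and lets you verify the result before configuring AD FS. The following is an added example and not code from the original post; the farm name sts.domain.com, the organization "Contoso", the working folder C:\Certs and the .crt file name are assumptions, and the CA (GoDaddy in the post) is whichever provider you use.

```powershell
# Added example, not from the original post: request, complete and verify the AD FS
# SSL certificate with certreq.exe instead of the IIS wizard. Assumed values: farm name
# sts.domain.com, organization "Contoso", working folder C:\Certs. Run in an elevated
# PowerShell on the AD FS server that will become the first farm node.
$FarmName = 'sts.domain.com'
$WorkDir  = 'C:\Certs'
New-Item -Path $WorkDir -ItemType Directory -Force | Out-Null

# certreq policy file. Exportable = TRUE is deliberate: the same certificate and private
# key must later be installed on the second AD FS server and on both AD FS Proxies.
# The Extensions section adds a Subject Alternative Name equal to the CN.
$Inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$FarmName, O=Contoso"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$FarmName&"
"@
$Inf | Set-Content -Path "$WorkDir\$FarmName.inf" -Encoding Ascii

# 1. Create the CSR; the private key is generated and kept in the machine store.
certreq.exe -new "$WorkDir\$FarmName.inf" "$WorkDir\$FarmName.csr"
Get-Content "$WorkDir\$FarmName.csr"    # paste this into the CA's request form

# 2. When the CA issues the certificate, save it as C:\Certs\sts.domain.com.crt on THIS
#    server (assumed file name) and join it to the pending request.
certreq.exe -accept "$WorkDir\$FarmName.crt"

# 3. Verify before moving on: private key present and exportable, key >= 2048 bits,
#    SAN contains the farm name, and the chain builds to a trusted root.
function Test-AdfsSslCertificate {
    param([string]$Name)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Name*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key found for $Name" }

    $problems = @()
    if (-not $cert.PrivateKey.CspKeyContainerInfo.Exportable) { $problems += 'private key is not exportable' }
    if ($cert.PublicKey.Key.KeySize -lt 2048) { $problems += "key is only $($cert.PublicKey.Key.KeySize) bits" }
    if (-not ($cert.DnsNameList | Where-Object { $_.Unicode -eq $Name })) { $problems += 'SAN does not contain the farm name' }
    if (-not $cert.Verify()) { $problems += 'chain does not build to a trusted root' }
    if ($problems) { throw "Certificate $($cert.Thumbprint) failed checks: $($problems -join '; ')" }
    return $cert
}
$Cert = Test-AdfsSslCertificate -Name $FarmName
"Thumbprint to give Install-AdfsFarm: $($Cert.Thumbprint)"

# 4. Export certificate plus private key for the second farm node and the proxies.
$PfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
Export-PfxCertificate -Cert $Cert -FilePath "$WorkDir\$FarmName.pfx" -Password $PfxPassword | Out-Null
# On the other servers:
#   Import-PfxCertificate -FilePath C:\Certs\sts.domain.com.pfx -CertStoreLocation Cert:\LocalMachine\My -Password (Read-Host -AsSecureString)
```

Keep the PFX and its password out of shared folders and delete the copy once it has been imported on each server; it is the single secret that lets anyone impersonate your federation service.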
Assign the Completed SSL Certificate
Now that we have the third party certificate completed on the server, we need to assign it. If IIS is installed on the server, bind the certificate to the default website on HTTPS port 443. Note that AD FS on Windows Server 2012 R2 does not itself depend on IIS: it listens through HTTP.SYS and binds the certificate you select by thumbprint during role configuration, so this IIS binding only matters for other sites hosted on the same machine.
Close IIS Manager
Now that we have the required software installed and the certificate in place, we can finally configure the AD FS role and federate with Microsoft.
Configure Local AD FS Federation Server
Configure Federation Trust with Office 365
Now that our side of the federation is set up, we can complete the federation trust with Office 365. This is done with the MSOnline PowerShell module and converts a verified custom domain from managed to federated, so from that point on every user with a UPN in that domain authenticates through AD FS. Keep at least one cloud-only Global Administrator on the tenant's .onmicrosoft.com domain so you can still sign in to Office 365 if the farm is unavailable.
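The two steps above (configure the local farm, then the trust with Office 365) as PowerShell, so the procedure is reproducible and the result can be checked. This is an added example and not code from the original post; the farm name sts.domain.com, the public domain domain.com, the internal AD domain domain.local, the node names ADFS01 and ADFS02 and the group managed service account CONTOSO\svcADFS$ are assumptions.

```powershell
# Added example, not from the original post: configure the two-node AD FS farm on the
# Windows Internal Database and federate a verified Office 365 domain. Assumed names:
# farm sts.domain.com, public domain domain.com, internal AD domain domain.local, nodes
# ADFS01 and ADFS02, and a group managed service account CONTOSO\svcADFS$ created
# beforehand (a gMSA needs a KDS root key in the forest; it removes the service
# password you would otherwise have to manage and protect on every node).
$FarmName   = 'sts.domain.com'
$Gmsa       = 'CONTOSO\svcADFS$'
$Thumbprint = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$FarmName*" -and $_.HasPrivateKey } |
    Select-Object -First 1 -ExpandProperty Thumbprint

# --- ADFS01: create the farm (what the configuration wizard in the post does). ---
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Install-AdfsFarm -CertificateThumbprint $Thumbprint `
                 -FederationServiceName $FarmName `
                 -FederationServiceDisplayName 'Contoso' `
                 -GroupServiceAccountIdentifier $Gmsa `
                 -Credential (Get-Credential -Message 'Domain Admin, needed once to register the farm')

# --- ADFS02: join the farm, after importing the same PFX into LocalMachine\My. ---
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Add-AdfsFarmNode -CertificateThumbprint $Thumbprint `
                 -PrimaryComputerName 'ADFS01.domain.local' `
                 -GroupServiceAccountIdentifier $Gmsa `
                 -Credential (Get-Credential -Message 'Domain Admin')

# --- Federate the domain with Office 365 (run on ADFS01 with the MSOnline module). ---
# Sign in with a cloud-only Global Admin on the tenant's .onmicrosoft.com domain; that
# account keeps working when AD FS is down, which domain.com accounts will not.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 Global Administrator')
Set-MsolADFSContext -Computer 'ADFS01.domain.local'
Convert-MsolDomainToFederated -DomainName 'domain.com'

# Verify: Office 365 must now hold our endpoints and the farm's primary token-signing
# certificate; that certificate is what makes Office 365 accept tokens we issue.
$fed   = Get-MsolDomainFederationSettings -DomainName 'domain.com'
$local = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object IsPrimary | Select-Object -ExpandProperty Certificate
if ([Convert]::ToBase64String($local.RawData) -ne $fed.SigningCertificate) {
    throw 'Office 365 does not have the farm''s primary token-signing certificate'
}
$fed | Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri

# AD FS rolls the token-signing certificate automatically (AutoCertificateRollover). When
# it does, run Update-MsolFederatedDomain -DomainName 'domain.com' so Office 365 trusts
# the new key; until then every federated sign-in fails with an untrusted-token error.
```

The signing-certificate comparison at the end is worth keeping as a scheduled check: a mismatch between Get-AdfsCertificate and Get-MsolDomainFederationSettings is the usual cause of sudden sign-in failures a year after the farm was built.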
This completes the setup for federation to Office 365. Keep in mind that before you can use single sign-on with Office 365 you also need to set up and configure Directory Synchronization, so that the synchronized users exist in the tenant with UPNs in the federated domain. After Directory Synchronization is running, license the synchronized users in Office 365; this provisions the services for them. If users need to reach Office 365 from outside the internal network, the AD FS Proxy servers must be set up and configured as well, using the same SSL certificate as the farm and with split-brain DNS: internally sts.domain.com resolves to the AD FS farm, externally it resolves to the proxies.
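The proxy part of the last paragraph as PowerShell, together with two things a practitioner will want once the farm is reachable from the internet: extranet lockout, so password guessing through the proxy cannot lock users out of Active Directory, and a check that split-brain DNS is actually in place. This is an added example and not code from the original post; the farm name sts.domain.com, node ADFS01, the internal farm address 10.0.0.50, the lockout numbers and the public resolver 8.8.8.8 are assumptions.

```powershell
# Added example, not from the original post: publish the farm through the AD FS Proxy
# (Web Application Proxy) servers and tighten the internet-facing path. Assumed names:
# farm sts.domain.com, primary node ADFS01, internal farm address 10.0.0.50. Each proxy
# already has the farm's PFX imported into LocalMachine\My.
$FarmName = 'sts.domain.com'

# --- On each proxy, in the DMZ, with only TCP 443 allowed in from the internet. ---
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
$Thumbprint = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$FarmName*" -and $_.HasPrivateKey } |
    Select-Object -First 1 -ExpandProperty Thumbprint

# The proxy must resolve the farm name to the INTERNAL farm, never to itself. A workgroup
# proxy in the DMZ normally gets that from a hosts entry (assumed internal address below).
Add-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" -Value "10.0.0.50`t$FarmName"
Install-WebApplicationProxy -FederationServiceName $FarmName `
                            -CertificateThumbprint $Thumbprint `
                            -FederationServiceTrustCredential (Get-Credential -Message 'Local Administrator on ADFS01')

# --- On ADFS01: rate-limit password guessing that arrives through the proxies. ---
# Extranet lockout (2012 R2 with the August 2014 update rollup) rejects an account at
# AD FS after N bad passwords from outside within the observation window. Keep N below
# the AD account lockout threshold so an attacker on the internet cannot lock your users
# out of Active Directory itself; internal sign-ins are not affected.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold 5 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# --- Validation from an internal workstation: split-brain DNS and an end-to-end request. ---
function Test-AdfsPublication {
    param([string]$Name, [string]$PublicResolver = '8.8.8.8')   # assumed public resolver
    $internal = (Resolve-DnsName -Name $Name -Type A -ErrorAction Stop).IPAddress
    $external = (Resolve-DnsName -Name $Name -Type A -Server $PublicResolver -ErrorAction Stop).IPAddress
    # Internal answers should be the farm, external answers the proxies: no overlap.
    if ($internal | Where-Object { $external -contains $_ }) {
        Write-Warning "$Name resolves to the same address inside and outside; check split-brain DNS"
    }
    $meta = Invoke-WebRequest -Uri "https://$Name/federationmetadata/2007-06/federationmetadata.xml" -UseBasicParsing
    [pscustomobject]@{ Internal = $internal; External = $external; MetadataStatus = $meta.StatusCode }
}
Test-AdfsPublication -Name $FarmName
```

Run Test-AdfsPublication once more from a host outside the network (or with the internal resolver replaced) to confirm that the external path terminates on a proxy and still returns the federation metadata with status 200.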
(NOTE: This post was originally published on CANITPRO.NET and was co-authored by MVP Kelsey Epps)