Step-By-Step: Setting up AD FS and Enabling Single Sign-On to Office 365
Published Dec 05 2018 10:03 PM 83.9K Views
Microsoft

This post will walk you through a typical highly available setup into Office 365. Ideally this server will be installed as virtual servers on multiple Hyper-V hosts. Think about redundancy, not only in the virtual servers, but in the Hyper-V servers as well. Install one AD FS and one AD FS Proxy on one Hyper-V host and the other AD FS and AD FS Proxy on another Hyper-V host. This prevents loss of service from a hardware failure. Keep in mind that once you are using Single Sign-on with Office 365, you rely on your local Active Directory for authentication. Both video and printed steps have provided to ease your implementation of AD FS and SSO.
 

  

Prerequisite

 

NOTE: This step-by-step walk you through this scenario via Windows Server 2012 R2. This solution will also work with 2016 and 2019 with slight modifications. An update to this post will be shared in the coming months.

 

  1. Download Windows Server 2012
  2. Download Hyper-V Server 2012
  3. Should you not have access to a lab, follow this Step-By-Step to setup your own lab

  Prepare the Base Servers AD FS Server
 

  1. Base build the AD FS server with Windows Server 2012
  2. Setup a connection to the internal network
  3. Add the server to the local domain
  4. Update the server with all Windows Updates

AD FS Proxy Server

  1. Base Build the AD FS Proxy server with Windows Server 2012
  2. Setup a connection to the DMZ network (verify connectivity to the AD FS server on port 443)
  3. DO NOT add the server to the local domain
  4. Update the server with all Windows Updates

Directory Sync Server

  1. Base build the Directory Synchronization server with Windows Server 2012
  2. Setup a connection to the internal network
  3. Add the server to the local domain
  4. Update the server with all Windows Updates 

  
Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_001.png  
Setting up AD FS requires the use of a third party SSL certificate. In a production situation, I would recommend that a single name SSL certificate. Wildcard and multi-name certificates will work, but I like to keep things simple and use a standard SSL certificate in a production situation. Make sure that the common name matches what you plan to call the AD FS server farm. Microsoft best practices recommends that you use the host name, STS (secure token service). In the example below, I have used the value sts.domain.com.  

 

Create the SSL Certificate Request (CSR)
 

  1. Open Server Manager
  2. Click Tools
  3. Click Internet Information Services (IIS) Manager
     Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_002.png
      
  4. Select the local server
  5. Select Server Certificates
  6. Click Open Feature (actions panel) 
      
    Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_003.png

       

  7. Click Create Certificate Request
           Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_004.png

       

  8. Fill out the certificate request properties. Make sure that the common name matches what you plan to call the AD FS server farm. Microsoft best practices recommends that you use the host name STS (secure token service). In the example below, I have used the value sts.domain.com. 

  9. Click Next 
       
    Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_005.png

        

  10. Leave the Cryptographic service provider at the default
  11. Change the Bit Length to 2048
  12. Click Next
      Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_006.png

          

  13. Select a location for the request file
  14. Click Finish
      
    Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_007.png

     


     

Fulfill the Certificate Signing Request (CSR)

 

We need to take the CSR generated in the last step to a third party SSL certificate provider. I choose to use GoDaddy. Here are GoDaddy’s instructions to fulfill the CSR at their site – Requesting a Standard or Wildcard SSL Certificate. Once the certificate is issued, download the completed CSR to the AD FS server.  

 

Complete the Certificate Request (CSR)  

 

  1. Open Server Manager
  2. Click Tools
  3. Click Internet Information Services (IIS) Manager
     
    Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_008.png

     

  4. Select the local server
  5. Select Server Certificates
  6. Click Open Feature (actions pane) 

    Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_009.png

     

  7. Click Complete Certificate Request 

    Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_010.png

      

  8. Select the path to the complete CSR file that you competed and downloaded from the third party certificate provider
  9. Enter the friendly name for the certificate
  10. Select Personal as the certificate store
  11. Click OK
      
    Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_011.png

      

  12. The certificate will be added
     
    NOTE: The certificate shown below is a multi-name SSL certificate for my lab environment. When your certificate is added, it should show sts.domain.com, which matches the request.
     
     

Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_012.png

   

Assign the Completed SSL Certificate

 

Now that we have the third party certificate completed on the server, we need to assign and bind it to the default website (HTTPS port 443).

  1. Expand the local server
  2. Expand Sites
  3. Select Default Web Site
  4. Click Bindings (actions pane) 
     
    Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_013.png

       

  5. Click Add 

    Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_014.png

     

  6. Change the type to HTTPS
  7. Select your certificate from the drop down menu.
    NOTE: The certificate shown below is a multi-name SSL certificate for my lab environment. When you select your certificate, it should show sts.domain.com, which matches the competed certificate.
  8. Click OK 

    Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_015.png

     

  9. Click Close
       Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_016.png

      

  10. Close IIS Manager

Now that we have the required software installed and the certificate in place, we can finally configure the AD FS role and federate with Microsoft.  

 

Configure Local AD FS Federation Server  

 

  1. Open Server Manager 
  2. Click Tools 
  3. Click AD FS Management  

    Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_017.png

       

  4. Click AD FS Federation Server Configuration Wizard  

    Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_018.png

       

  5. Create a new Federation Service 
      
    Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_019.png

       

  6. New Federation Server FarmChoose this option all the time, even if you only plan on deploying one server. If you choose Stand-alone federation server, then you won’t be able to add more servers.
     
  7. Click Next 

    Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_020.png

       

  8. SSL Certificate – This should be pre-populated. If it isn’t, go back and assign/bind the third party certificate to the default web site
     
  9. Federation Service Name – This should match the SSL certificate name
    NOTE:  Since a multi-name certificate is being utilized in this lab environment, the SSL certificate name and Federation Service name don’t match. This is not recommended for production environments. Best practice is to always use a single name certificate.
        Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_021.png

      

  10. Click Next 

    Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_022.png

         

  11. Enter the AD FS service account name and password
     
  12. Click Next 

    Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_023.png

        

  13. Click Next 

    Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_024.png

       

  14. Click Close
    NOTE: 
    All green check marks mean everything is setup correctl
      Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_025.png

     

Configure Federation Trust with Office 365  

 

Now that we have our side of the federation setup, we can complete the federation with Office 365
  

  1. Open the Desktop on the AD FS server 
     
  2. Locate Windows Azure Active Directory Module for Windows PowerShell and Right Click and Run As Administrator 
     
  3. Set the credential variable
    • $cred=Get-Credential
     
  4. Enter a Global Administrator account from Office 365. I have a dedicated tenant (@domain.onmicrosoft.com) service account setup for AD FS and Directory Synchronization 

    Setting_up_AD_FS_and_Enabling_Single_Sign-On_to_Office_365_026.png

     

  5. Connect to Microsoft Online Services with the credential variable set previously
        
    Connect-MsolService –Credential $cred
     
  6. Set the MSOL ADFS Context server, to the ADFS server
        
    Set-MsolADFSContext –Computer adfs_servername.domain_name.com
     
  7. Convert the domain to a federated domain
        
    Convert-MsolDomainToFederated –DomainName domain_name.com
     
  8. Successful Federation
        
    Successfully updated ‘domain_name.com‘ domain.
     
  9. Verify federation
        
    Get-MsolFederationProperty –DomainName domain_name.com

This completes the setup for federation to Office 365. Keep in mind that before you can successfully use single sign-on with Office 365, you will need to setup and configure Directory Synchronization. After Directory Synchronization is setup, you will have to license the synchronized user in Office 365. This will provision the services for the user. If they want to access Office 365 from outside the internal network, the AD FS Proxy server needs to be setup and configured.
 
(NOTE: This post was originally published on CANITPRO.NET and was co-authored by MVP Kelsey Epps)

 

8 Comments
Co-Authors
Version history
Last update:
‎May 04 2021 07:25 AM
Updated by: