If you would like to read the other parts of this article series please go to:
- Configuring an Exchange Hybrid Deployment & Migrating to Office 365 (Exchange Online) (Part 10)
- Configuring an Exchange Hybrid Deployment & Migrating to Office 365 (Exchange Online) (Part 11)
Introduction
In part 2 of this multi-part article series revolving around Exchange hybrid deployment based migrations to Office 365, or more precisely Exchange Online, we configured the two ADFS servers in a Windows Network Load Balancing (WNLB) cluster in order to load balance incoming authentication sessions.
In this part 3, we will continue where we left off in part 2. That is, we will install and configure Active Directory Federation Services (ADFS) 2.0 on the two ADFS servers on the internal network. After we have configured the servers, we will verify that they work as expected.
Let’s get going…
Importing the Server Authentication Certificate into IIS
Since all client authentication against ADFS occurs over SSL, we need to import a server authentication certificate on each ADFS server. Because every client (including Office 365 itself and users on the Internet) must trust this certificate, it’s recommended to use a certificate from a 3rd party certificate provider rather than an internal CA. Although we use a wildcard certificate in this article series, a single name SSL certificate is sufficient. If you use a single name certificate, the FQDN in it must match the federation service name we configured in the previous article (in this example sts.office365lab.dk). Whichever certificate you use, it must be exported as a PFX file that includes the private key, because the same certificate and key must be installed on both farm members.
To import the certificate, open the IIS Manager and select the web server object and then open “Server Certificates” in the middle pane.
Figure 1: Selecting Server Certificates in IIS Manager
Under Server Certificates, click “Import” in the action pane as shown in Figure 2.
Figure 2: Clicking “Import” under Server certificates in the IIS Manager
Point to the certificate you wish to import and then specify the password, then click “OK”.
Figure 3: Pointing to the certificate we wish to import
As can be seen in Figure 4, the certificate has now been imported to IIS.
Figure 4: Certificate has been imported
Next step is to bind the certificate to the “Default Web Site”. To do so, expand “Sites”, then select the “Default Web Site” and click on the “Bindings” link in the “Action Pane”.
Figure 5: Clicking “Bindings” under Sites in IIS Manager
Under “Site Bindings” click “Add”. In “Add Site Bindings”, select “HTTPS” in the “Type” drop-down box and then point at the imported certificate under “SSL certificate”.
Figure 6: Adding a new site binding for HTTPS
Click “OK” twice.
Repeat the above steps on the second ADFS server.
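The same import and binding can be scripted, which also gives you a place to check what the IIS Manager dialogs do not check for you: that the PFX really contains the private key, that the chain validates on this host, and that the certificate name covers the federation service FQDN. The script below is an added example and is not part of the original article; the PFX path (C:\certs\sts.pfx) is an assumption, and the federation service name is the article’s lab value. Run it in an elevated PowerShell on each ADFS server.

```powershell
# Added example, not from the original article. Assumptions: the PFX exported from
# the 3rd-party CA is at C:\certs\sts.pfx and the federation service name is
# sts.office365lab.dk. Run in an elevated PowerShell on each ADFS server.
Import-Module WebAdministration

$PfxPath = "C:\certs\sts.pfx"          # assumed path
$FsName  = "sts.office365lab.dk"       # federation service name from the article
$PfxPass = Read-Host "PFX password" -AsSecureString

# Import into the machine store (MachineKeySet) and keep the key after this process
# exits (PersistKeySet); without these flags IIS cannot use the private key.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PfxPass)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
$flags = [Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet,PersistKeySet"
$cert  = New-Object Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $plain, $flags)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
Remove-Variable plain

$store = New-Object Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()

# Checks the GUI does not make for you.
if (-not $cert.HasPrivateKey) { throw "No private key in the PFX; re-export it with the key." }
if (-not $cert.Verify())      { throw "Chain does not validate here; install the CA's intermediate certificate." }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter)" }

# GetNameInfo("DnsName") returns the first SAN DNS entry, or the CN if there is no SAN.
# -like accepts either an exact match or a wildcard name such as *.office365lab.dk.
$dnsName = $cert.GetNameInfo("DnsName", $false)
if ($FsName -notlike $dnsName) { throw "Certificate name '$dnsName' does not cover $FsName" }

# Bind HTTPS on port 443 of the Default Web Site and attach the certificate to the
# 0.0.0.0:443 listener (the equivalent of the "SSL certificate" drop-down in Figure 6).
if (-not (Get-WebBinding -Name "Default Web Site" -Protocol https)) {
    New-WebBinding -Name "Default Web Site" -Protocol https -Port 443
}
if (Test-Path "IIS:\SslBindings\0.0.0.0!443") { Remove-Item "IIS:\SslBindings\0.0.0.0!443" }
Get-Item "cert:\LocalMachine\My\$($cert.Thumbprint)" | New-Item "IIS:\SslBindings\0.0.0.0!443"

# Show what is now bound; the certificate hash should equal $cert.Thumbprint.
netsh http show sslcert ipport=0.0.0.0:443
```

Run the script on both ADFS servers with the same PFX so that each farm member presents the same certificate and key. The name check only looks at the first DNS name in the certificate; if your certificate lists the federation service name as a later subject alternative name, inspect the SAN extension in the certificate properties instead.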
Installing & Configuring the ADFS Farm
With the two ADFS servers configured in a WNLB cluster and the required certificate imported, it’s time to get the ADFS 2.0 RTW component installed and configured on both servers.
Important:
It’s not the ADFS role included with Windows Server 2008 R2 that we need to install. We need to download a separate package, ADFS 2.0 RTW, from the Microsoft Download Center. And while we’re at it, we also need to download the latest update for ADFS 2.0 RTW, which currently is Update 2.
Ok, launch “AdfsSetup.exe” and then accept the license agreement.
Figure 7: ADFS 2.0 License Agreement
On the “Server Role” page, we need to specify which role to configure. Since these are the two internal ADFS servers, we wish to configure a “Federation server”, so select that and click “Next”.
Figure 8: Selecting “Federation Server” in the ADFS Setup wizard
On the “Welcome to the AD FS 2.0 Setup Wizard” page, click “Next”.
Figure 9: ADFS 2.0 Setup Wizard Welcome page
As you can see on the next page, the wizard will now install a couple of prerequisites on the server. Click “Next”.
Figure 10: AD FS 2.0 Prerequisites that will be installed
After a minute or so the wizard will complete successfully and we can now click “Finish”. Make sure to untick “Start AD FS 2.0 Management snap-in when this wizard closes” as we want to install Update 2 for AD FS 2.0 before we continue.
Figure 11: Finishing the AD FS 2.0 setup wizard.
Install Update 2 for AD FS 2.0. When the update has been applied, launch the AD FS 2.0 management console by going to “Start” > “Administrative tools” and selecting “AD FS 2.0 Management”. In the AD FS 2.0 Management console, click “AD FS 2.0 Federation Server Configuration Wizard”.
Figure 12: Launching the AD FS 2.0 Federation Server Configuration Wizard
On the “Welcome to the AD FS 2.0 Federation Server Configuration Wizard”, select “Create a new Federation service” and click “Next”.
Figure 13: Choosing to create a federation service
On the “Select Stand-Alone or Farm Deployment” page, select “New federation server farm” and click “Next”.
Figure 14: Choosing to create a new federation server farm
Now we need to specify the federation service name, which in this case is “sts.office365lab.dk”. Normally the wizard fills this in automatically based on the common name in the certificate, but since we use a wildcard certificate in this article series, the wizard cannot determine the name, meaning we need to specify it manually.
Figure 15: Wizard cannot determine the federation service name as a wildcard certificate is used
Replace the “*” with “sts” in the federation service name and click “Next”.
Figure 16: Replacing “*” with “sts” in the federation service name
On the next page, we need to specify the service account that should be used for the federation server farm. The same account must be used on all federation servers in the farm.
The service account should be a plain Active Directory user account with ordinary “domain user” permissions; it does not need to be a member of any privileged group. The configuration wizard registers the service principal name HOST/sts.office365lab.dk on this account, so the account you run the wizard with must be allowed to write that attribute, and no other account or computer object may already hold that SPN.
Important:
Make sure the account is created with the following set: “User cannot change password” and “Password never expires”. Because the password will never expire, give it a long random value; the account is only ever used by the ADFS service and never for interactive logon.
Figure 17: Creating a service account for the federation server farm
When the account has been created enter the username and password and click “Next”.
Figure 18: Specifying the username and password for the federation server farm service account
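Creating the service account can be done from PowerShell as well, which makes it easy to enforce the two flags above, to pick a strong password, and to check up front that nobody already holds the HOST/&lt;federation service name&gt; SPN the wizard is about to register (a duplicate SPN silently breaks Kerberos for the farm). The script below is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module (RSAT) is available on the machine you run it from, and the account name svc_adfs is an assumption.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module
# (RSAT) is installed. svc_adfs is an assumed account name; the domain and
# federation service name are the article's lab values.
Import-Module ActiveDirectory

$SamName = "svc_adfs"
$Domain  = "office365lab.dk"
$FsName  = "sts.office365lab.dk"
$Spn     = "HOST/$FsName"

# 1. Refuse to continue if any object already carries the SPN the wizard will register.
$holder = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName
if ($holder) { throw "SPN $Spn is already registered on $($holder.DistinguishedName)" }

# 2. 256 bits from the CSPRNG, base64 encoded: this password never expires, so it is
#    the only one the account will ever have.
$bytes = New-Object byte[] 32
(New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)
$secure   = ConvertTo-SecureString $password -AsPlainText -Force

# 3. Ordinary domain user with exactly the two flags the article calls for.
New-ADUser -Name $SamName -SamAccountName $SamName -UserPrincipalName "$SamName@$Domain" `
    -AccountPassword $secure -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description "AD FS 2.0 federation server farm service account"

# 4. Read the flags back rather than trusting the call succeeded.
$u = Get-ADUser $SamName -Properties PasswordNeverExpires, CannotChangePassword, MemberOf
if (-not ($u.PasswordNeverExpires -and $u.CannotChangePassword)) { throw "Account flags not set as required" }
if ($u.MemberOf) { Write-Warning "$SamName has group memberships; it should have none" }

# The password has to be typed into the wizard once; drop it from memory afterwards.
Write-Host "Created $SamName. Password (enter it in the wizard, then close this window): $password"
Remove-Variable password, secure
```

After the wizard on the primary server has finished, `setspn -L svc_adfs` should list HOST/sts.office365lab.dk on the account, and `setspn -X` should report no duplicate SPNs in the forest.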
On the next page, we can see a list of the settings that will be configured for AD FS 2.0 (Figure 19).
Click “Next”.
Figure 19: Settings that will be configured for ADFS 2.0
When the wizard has successfully configured each component, click “Close” to exit the wizard.
Figure 20: Each component has been configured with success
As we can see in the AD FS 2.0 console, we need to add a relying party trust in order to manage SSO for our Office 365 users. We will actually do this using PowerShell, but first we want to add the other ADFS server to the federation server farm.
Figure 21: AD FS 2.0 Console
So switch to the other ADFS server and install ADFS 2.0 RTW plus Update 2 and then launch the ADFS 2.0 setup wizard.
Select the same options through the setup wizard as you did with the primary ADFS server and then open “AD FS 2.0 Management”. In the AD FS 2.0 Management console, click “AD FS 2.0 Federation Server Configuration Wizard”.
On the “Welcome to the AD FS 2.0 Federation Server Configuration Wizard”, select “Add a federation server to an existing Federation Service” and click “Next”.
Figure 22: Adding the server to an existing federation service
On the “Specify the Primary Federation Server and Service Account” page, enter “adfs01.office365lab.dk” (or whatever the FQDN of the primary ADFS server is in your environment), then enter the credentials for the federation server farm service account and click “Next”.
Figure 23: Specifying the FQDN of the primary federation server as well as the service account credentials
Make sure the server certificate is selected and the correct federation service FQDN is configured and then click “Next”.
Figure 24: Server certificate and federation service name
Once again we’re now ready to apply the settings, so click “Next”.
Figure 25: Ready to apply settings
On the configuration results page, click “Close” when all components have been configured successfully.
Figure 26: Configuration results
You will now see in the AD FS 2.0 management console that this server is not the primary federation server in the farm and that you must perform configuration changes on the primary ADFS server.
Figure 27: AD FS 2.0 Management console on the second federation server
We have now configured the federation server farm.
Verifying the Federation Server farm is working properly
With the federation server farm configured, let’s check that it behaves as expected. First let’s see if we can reach the federation metadata document, an XML description of the service that ADFS publishes anonymously over HTTPS. To do so, open a browser on a client located in the same AD forest as the ADFS servers and enter the following URL (replace the ADFS server FQDN with the one in your environment):
https://adfs01.office365lab.dk/FederationMetadata/2007-06/FederationMetadata.xml
Note that if you use a single name certificate issued for the federation service name, the browser will warn about a name mismatch when you use the individual server FQDN; the document is still served, and the check using the federation service FQDN below is the one that must be clean.
If things work as expected, you should see something similar to Figure 28.
Figure 28: Accessing the XML service description document via a browser from an internal client using ADFS server FQDN
Repeat this step but point to the other ADFS server.
Lastly, try to access the XML service description document using the federation service FQDN (in this case sts.office365lab.dk).
Figure 29: Accessing the XML service description document via a browser from an internal client using federation service FQDN
Also open the AD FS 2.0 Admin log (Event Viewer > Applications and Services Logs > AD FS 2.0 > Admin) and look for event 100. If you see event 100, the federation server was able to communicate with the Federation Service, i.e. the service started successfully on that server.
Figure 30: Event 100 in the ADFS 2.0 Admin log
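The same verification can be scripted so it can be repeated after every change, and so that it checks the content of the metadata rather than just that something came back: the entityID in the document must be the federation service identifier, not an individual server name, and it must be identical from both nodes and via the WNLB name. The script below is an added example and is not part of the original article; the server names adfs01/adfs02 and the account name svc_adfs are assumptions, and the identifier format http://&lt;federation service name&gt;/adfs/services/trust is the AD FS 2.0 default. The metadata part runs from a domain-joined client; the event log, farm role and SPN parts run on each ADFS server.

```powershell
# Added example, not from the original article. Host names, account name and the
# expected identifier format are assumptions based on the article's lab values.
$FsName   = "sts.office365lab.dk"
$Servers  = @("adfs01.office365lab.dk", "adfs02.office365lab.dk")
$SvcAcct  = "svc_adfs"
$MetaPath = "/FederationMetadata/2007-06/FederationMetadata.xml"

function Test-FederationMetadata([string]$HostName) {
    # Anonymous GET of the metadata; any TLS, name-mismatch or trust failure surfaces here.
    $url = "https://$HostName$MetaPath"
    try {
        $xml = [xml](New-Object System.Net.WebClient).DownloadString($url)
    } catch {
        Write-Warning ("{0}: {1}" -f $url, $_.Exception.Message)
        return $false
    }
    # AD FS 2.0 publishes the federation service identifier as the EntityDescriptor's entityID.
    $entityId = $xml.EntityDescriptor.entityID
    $expected = "http://$FsName/adfs/services/trust"
    if ($entityId -ne $expected) {
        Write-Warning "$HostName returned entityID '$entityId', expected '$expected'"
        return $false
    }
    Write-Host "$HostName OK: entityID $entityId"
    return $true
}

# --- From an internal client: each node by its own name, then the WNLB farm name. ---
$ok = $true
foreach ($h in ($Servers + $FsName)) { if (-not (Test-FederationMetadata $h)) { $ok = $false } }
if (-not $ok) { Write-Warning "At least one metadata check failed; fix before adding the relying party trust." }

# --- On each ADFS server: event 100 in the AD FS 2.0/Admin log (Figure 30). ---
$ev = Get-WinEvent -FilterHashtable @{ LogName = "AD FS 2.0/Admin"; Id = 100 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($ev) { Write-Host ("Event 100 at {0}: {1}" -f $ev.TimeCreated, ($ev.Message -split "`n")[0]) }
else     { Write-Warning "No event 100 in AD FS 2.0/Admin; look for errors in the same log." }

# --- On each ADFS server: which node is primary and whether the secondary is syncing. ---
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Get-ADFSSyncProperties | Format-List *

# --- SPN registered by the wizard, and a forest-wide duplicate check (setspn ships with 2008 R2). ---
setspn -L $SvcAcct
setspn -X
```

Expected results: all three metadata requests succeed with the same entityID; event 100 is present on both servers; Get-ADFSSyncProperties reports the primary role on adfs01 and the secondary role, with a recent successful sync, on adfs02; setspn lists HOST/sts.office365lab.dk on the service account and setspn -X reports no duplicates.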
This concludes part 3 of this multi-part article in which I explain how you configure Exchange hybrid deployment followed by migrating to Office 365 (Exchange Online).