Solved

ADFS 2.0 (for office365) configuration questions

Posted on 2014-03-17
Last Modified: 2014-03-20
Hi all,
Ok - so I apologize in advance - this is a few questions rolled up into one - but here goes...

We have an Office365 E subscription. It's been set up for a while now, and working well. We have DirSync and ADFS set up for "SSO", which works. However, I am not sure if it works in the best possible manner.

We have ADFS deployed on our local LAN here. One ADFS server and one ADFS Proxy server (in a DMZ). However, for the domain that we have federation set up for, we do not have internal DNS, only external. This domain is configured in AD as a UPN suffix, and all users use it. For example, our AD domain is:
NetBIOS Name: Internal
AD FQDN Domain: Internal.Corporation.com

The UPN we are using is just @corp.com.
We do not have internal DNS for the CORP.COM domain.

So, when ADFS was set up, and we created the external DNS record for sts.corp.com, we ended up implementing DNS doctoring on our Cisco firewall to deal with it. So, it has always been that I have a consistent experience whether on site or remote; when I open a browser and navigate to Outlook.Office365.com:
1. Land at the Office365 Login Page; I put in my username user@corp.com
2. Get redirected to sts.corp.com, and enter my credentials
3. Get redirected back to the Office365 resource.

As I said, this works just fine. However, I am "learning" that if I am on the local LAN, I should not have to go through all of that. I should be authenticated more seamlessly (i.e. not have to see both the Office365 login screen and the STS login screen)? Is this true?
Question by:nacAdmin
11 Comments
 
LVL 40

Expert Comment

by:footech
ID: 39935127
It can be true.

For users on the local LAN and for the ADFS proxy in your DMZ, "sts.corp.com" should resolve to the internal IP of the ADFS.  For everyone else (i.e. the internet), "sts.corp.com" should resolve to the public IP that gets directed to your ADFS proxy.

The process that you're seeing above is forms-based authentication, which is what the ADFS proxy uses.  If you use Windows Integrated authentication, then it is possible to skip entering credentials on the forms page.  The ADFS proxy cannot use Windows Integrated authentication, but the ADFS can.  Furthermore, your browser has to be configured to trust the FQDN "sts.corp.com" to pass on the credentials automatically, otherwise you will still get a prompt for credentials (just not the forms page).

Author Comment

by:nacAdmin
ID: 39935228
Thanks for the response @footech

So, the first part of your response:
For users on the local LAN and for the ADFS proxy in your DMZ, "sts.corp.com" should resolve to the internal IP of the ADFS.  For everyone else (i.e. the internet), "sts.corp.com" should resolve to the public IP that gets directed to your ADFS proxy.
... We do achieve this with the DNS doctoring I mentioned - so external clients resolve sts.corp.com to the public IP, and internal LAN clients to the internal IP.

The second part of your response - I am not sure if I understand completely (what the experience could be...

So, if I am on the local LAN, and I navigate to Outlook.Office365.com:
1. On the portal sign-in page, I enter my user name "user@corp.com"
2. I am redirected to the sts.corp.com page, but - with the proper config - integrated auth happens, and I am directed back to the Office365 resource.

If everything is setup properly, is this an achievable end result? Or did I misunderstand?

Thanks!
LVL 40

Expert Comment

by:footech
ID: 39935496
So when you enter a user at Outlook.Office365.com, and then go to enter the password it says "Redirecting".  If you actually get redirected to another page in the browser to enter credentials, that is forms-based auth.  But if you get a pop-up to enter credentials, that is Windows Integrated auth.  I'm not clear on which one you are currently experiencing (particularly with internal clients).

If you're not getting the second one, then some adjustments need to be made.

When you have Windows Integrated auth. allowed, and the browser properly configured, then the process is:
1. On the portal sign in page, I enter my user name "user@corp.com".  After it says "Redirecting"
2. the browser automatically passes the credentials of the logged on user and you arrive at the OWA page.

Author Comment

by:nacAdmin
ID: 39935531
@footech -

Sorry if I wasn't clear...

I am not getting any pop-ups for integrated auth at any point; I only get the forms auth based page from ADFS Proxy (when internal and external).

So, aside from configuring my browser, would there be anything I have to do on ADFS Proxy?

Thanks!
LVL 40

Expert Comment

by:footech
ID: 39935598
Odd that you're not getting a pop-up, as that would be the default configuration.  There will be no need to change anything on the ADFS proxy.  On the ADFS, in IIS Manager, go to site>adfs>ls, and go to Authentication.  You should have settings as in the screenshot.
[Screenshot: Auth settings]

Author Comment

by:nacAdmin
ID: 39937342
Thanks @footech; Yes, this is exactly the same config on my ADFS server.
LVL 40

Accepted Solution

by:
footech earned 500 total points
ID: 39937962
Then the only reason I can think of right now that you aren't getting the pop-up for Windows Integrated auth is DNS.  I would try adding an entry to your HOSTS file as a test, for "sts.corp.com" pointing to the internal IP of the ADFS.  Then run ipconfig /flushdns, and then observe the logon process again.

Author Comment

by:nacAdmin
ID: 39943787
Thanks again for the response... Finally getting back to this :)

I think I tried this, but I might have added a hosts file entry and pointed it to the internal IP address of the ADFS Proxy instead... Your suggestion was to do the same for the internal IP address of our ADFS (not the proxy)? I will give that a shot...

Author Comment

by:nacAdmin
ID: 39943964
@footech -

Thanks much... I added a hosts record to point at the internal IP address for our ADFS server and that did the trick... thanks so much!

As an aside - I am realizing that there is no real difference between an ADFS Proxy and the ADFS Server itself, except for maybe the config database? Interesting.

Know of any really good books on ADFS? :)

Thanks!!
LVL 40

Expert Comment

by:footech
ID: 39944037
Since the host file worked, I would take that to mean that the DNS doctoring isn't doing what you want it to.

There are a couple of caveats with using Windows Integrated authentication.  If you have Extended Protection for Authentication enabled on the ADFS, you can't use Chrome to authenticate to O365.  If you really want to use Chrome, then you either need to set Extended Protection for Authentication to disabled on the ADFS in IIS Manager (go to site/adfs/ls > authentication > windows authentication > advanced settings > set to "off"), or you can run the following on a client.
reg add HKLM\System\CurrentControlSet\Control\Lsa /v SuppressExtendedProtection /t REG_DWORD /d 1 /f


Firefox works with it set to "Allowed" (in IIS).  I haven't tried what works when it is set to "Required".

Here are the settings that need to be configured for IE and Firefox.
a. IE – add site “https://sts.domain.com” to the Local Intranet zone.  Make sure “Enable Integrated Windows Authentication” is checked under Advanced Options.
b. Firefox – go to “about:config”, type in “auth” to narrow the list, double-click the entry “network.automatic-ntlm-auth.trusted-uris” to edit it and enter “sts.domain.com”.

Sorry, I'm not familiar with any books on ADFS.  The ADFS and ADFS proxy are pretty alike.  Just a little difference in the IIS config, and the config of ADFS software itself.
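As an added example (not part of the thread, and not footech's or nacAdmin's code), here is a PowerShell audit a defender can run on a domain-joined workstation to check the three client-side prerequisites this thread works through: that sts.corp.com resolves to the internal ADFS server rather than the proxy (the accepted solution's HOSTS-file test, compared against the DNS-only answer), that IE maps the site to the Local Intranet zone, and the client-side SuppressExtendedProtection value. The FQDN sts.corp.com and the internal address 10.0.0.10 are assumed placeholders, the federation service name is assumed to have three labels, and Resolve-DnsName needs Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the thread: audit a workstation for the three client-side
# prerequisites discussed above (name resolution, IE zone, Extended Protection).
# Assumed placeholders: federation service name sts.corp.com, internal ADFS IP 10.0.0.10.
param(
    [string]$StsFqdn        = 'sts.corp.com',
    [string]$AdfsInternalIp = '10.0.0.10'
)
$results = @()

# 1. Name resolution. GetHostAddresses goes through the normal resolver (HOSTS file
#    included); Resolve-DnsName -DnsOnly skips HOSTS. If only the first is right, the
#    HOSTS test worked but DNS (e.g. the firewall's DNS doctoring) still hands out the
#    proxy address, which is exactly the situation the accepted solution uncovered.
$viaResolver = [System.Net.Dns]::GetHostAddresses($StsFqdn) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }
$viaDnsOnly = Resolve-DnsName -Name $StsFqdn -Type A -DnsOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }
$results += [pscustomobject]@{
    Check  = "$StsFqdn resolves to internal ADFS ($AdfsInternalIp), not the proxy"
    Status = $(if ($viaResolver -contains $AdfsInternalIp) { 'OK' } else { 'FAIL' })
    Detail = "resolver: $($viaResolver -join ', '); DNS only: $($viaDnsOnly -join ', ')"
}

# 2. IE Local Intranet zone (zone 1) mapping for https://<StsFqdn>. Per-user mappings
#    live under HKCU ZoneMap\Domains\<domain>\<host>; a mapping pushed by Group Policy
#    is stored under HKLM\Software\Policies\...\ZoneMapKey instead (not checked here).
$labels    = $StsFqdn.Split('.')
$domain    = $labels[-2..-1] -join '.'                 # corp.com
$hostLabel = $labels[0..($labels.Count - 3)] -join '.' # sts
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel"
$zone = (Get-ItemProperty -Path $zoneKey -Name https -ErrorAction SilentlyContinue).https
$results += [pscustomobject]@{
    Check  = "IE maps https://$StsFqdn to Local Intranet zone"
    Status = $(if ($zone -eq 1) { 'OK' } else { 'FAIL' })
    Detail = $(if ($null -eq $zone) { "no mapping at $zoneKey" } else { "zone value $zone" })
}

# 3. Extended Protection. Only relevant if EPA is enabled on the ADFS and Chrome is in
#    use (see the comment above); reported as information, not pass/fail.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sep = (Get-ItemProperty -Path $lsaKey -Name SuppressExtendedProtection -ErrorAction SilentlyContinue).SuppressExtendedProtection
$results += [pscustomobject]@{
    Check  = 'Client-side SuppressExtendedProtection'
    Status = 'INFO'
    Detail = $(if ($null -eq $sep) { 'not set (EPA honoured)' } else { "SuppressExtendedProtection=$sep" })
}

$results | Format-Table -AutoSize -Wrap
```

A FAIL on the first check with a correct HOSTS-file answer but a wrong DNS-only answer is the proxy-address problem described in this thread; a FAIL on the second means the browser will prompt rather than pass the logged-on user's credentials.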

Author Comment

by:nacAdmin
ID: 39944060
@footech -

Thanks. Actually, the DNS doctoring is doing exactly what it was configured to do, but what it was configured to do, it seems, is not entirely correct :)

The DNS doctoring deals with the fact that I do not have an internal DNS zone for this particular domain, so when I query public DNS for sts.domain.com, the DNS doctoring sees that request (which is pointed to the public IP address of the ADFS proxy), and gives me the internal IP address of that same server - the ADFS Proxy server.

Anyway, I still likely have some config issues to work out in both ADFS and with our Cisco ASA, but alas.

I keep thinking that I should change it all to just have DirSync sync passwords as well, removing the requirement for ADFS, but something tells me keeping ADFS around can be useful for future SSO opportunities - SFDC... Taleo... etc. :)

Thanks so much!