Solved

ADFS 2.0 (for office365) configuration questions

Posted on 2014-03-17
Last Modified: 2014-03-20
Hi all,
Ok - so I apologize in advance - this is a few questions rolled up into one - but here goes...

We have an Office365 E subscription. It's been set up for a while now, and working well. We have DirSync and ADFS set up for "SSO", which works. However, I am not sure if it works in the best possible manner.

We have ADFS deployed on our local LAN here. One ADFS server and one ADFS Proxy server (in a DMZ). However, for the domain that we have federation set up for, we do not have internal DNS, only external. This domain is configured in AD as a UPN suffix, and all users use it. For example, our AD domain is:
NetBIOS Name: Internal
AD FQDN Domain: Internal.Corporation.com

The UPN we are using is just @corp.com.
We do not have internal DNS for the CORP.COM domain.

So, when ADFS was set up, and we created the external DNS record for sts.corp.com, we ended up implementing DNS doctoring on our Cisco firewall to deal with it. So, it has always been that I have a consistent experience whether on site or remote; when I open a browser and navigate to Outlook.Office365.com:
1. Land at the Office365 Login Page; I put in my username user@corp.com
2. Get redirected to sts.corp.com, and enter my credentials
3. Get redirected back to the Office365 resource.

As I said, this works just fine. However, I am "learning" that if I am on the local LAN, I should not have to go through all of that. I should be authenticated more seamlessly (i.e. not have to see both the Office365 login screen and the STS login screen)? Is this true?
Question by: nacAdmin

Expert Comment by: footech
It can be true.

For users on the local LAN and for the ADFS proxy in your DMZ, "sts.corp.com" should resolve to the internal IP of the ADFS.  For everyone else (i.e. the internet), "sts.corp.com" should resolve to the public IP that gets directed to your ADFS proxy.

The process that you're seeing above is forms-based authentication, which is what the ADFS proxy uses.  If you use Windows Integrated authentication, then it is possible to skip entering credentials on the forms page.  The ADFS proxy cannot use Windows Integrated authentication, but the ADFS can.  Furthermore, your browser has to be configured to trust the FQDN "sts.corp.com" to pass on the credentials automatically, otherwise you will still get a prompt for credentials (just not the forms page).
Author Comment by: nacAdmin
Thanks for the response @footech

So, the first part of your response:
For users on the local LAN and for the ADFS proxy in your DMZ, "sts.corp.com" should resolve to the internal IP of the ADFS.  For everyone else (i.e. the internet), "sts.corp.com" should resolve to the public IP that gets directed to your ADFS proxy.
... We do achieve this with the DNS doctoring I mentioned - so external clients resolve sts.corp.com to the public IP, and internal LAN clients to the internal IP.

The second part of your response - I am not sure if I understand completely (what the experience could be...)

So, if I am on the local LAN, and I navigate to Outlook.Office365.com:
1. On the portal sign-in page, I enter my user name "user@corp.com"
2. I am redirected to the sts.corp.com page, but - with the proper config - integrated auth happens, and I am directed back to the Office365 resource.

If everything is setup properly, is this an achievable end result? Or did I misunderstand?

Thanks!
Expert Comment by: footech
So when you enter a user at Outlook.Office365.com, and then go to enter the password it says "Redirecting".  If you actually get redirected to another page in the browser to enter credentials, that is forms-based auth.  But if you get a pop-up to enter credentials, that is Windows Integrated auth.  I'm not clear on which one you are currently experiencing (particularly with internal clients).

If you're not getting the second one, then some adjustments need to be made.

When you have Windows Integrated auth. allowed, and the browser properly configured, then the process is:
1. On the portal sign in page, I enter my user name "user@corp.com".  After it says "Redirecting"
2. the browser automatically passes the credentials of the logged on user and you arrive at the OWA page.
Author Comment by: nacAdmin
@footech -

Sorry if I wasn't clear...

I am not getting any pop-ups for integrated auth at any point; I only get the forms auth based page from ADFS Proxy (when internal and external).

So, aside from configuring my browser, would there be anything I have to do on ADFS Proxy?

Thanks!
Expert Comment by: footech
Odd that you're not getting a pop-up, as that would be the default configuration.  There will be no need to change anything on the ADFS proxy.  On the ADFS, in IIS Manager, go to site>adfs>ls, and go to Authentication.  You should have settings as in the screenshot.
[Screenshot: Auth settings]

Author Comment by: nacAdmin
Thanks @footech; Yes, this is exactly the same config on my ADFS server.
Accepted Solution by: footech (earned 500 total points)
Then the only reason I can think of right now that you aren't getting the pop-up for Windows Integrated auth is DNS.  I would try adding an entry to your HOSTS file as a test, for "sts.corp.com" pointing to the internal IP of the ADFS.  Then run ipconfig /flushdns, and then observe the logon process again.
Author Comment by: nacAdmin
Thanks again for the response... Finally getting back to this :)

I think I tried this, but I might have added a hosts file entry and pointed it to the internal IP address of the ADFS Proxy instead... Your suggestion was to do the same for the internal IP address of our ADFS (not the proxy)? I will give that a shot...
Author Comment by: nacAdmin
@footech -

Thanks much... I added a hosts record to point at the internal IP address for our ADFS server and that did the trick... thanks so much!

As an aside - I am realizing that there is no real difference between an ADFS Proxy and the ADFS Server itself, except for maybe the config database? Interesting.

Know of any really good books on ADFS? :)

Thanks!!
Expert Comment by: footech
Since the host file worked, I would take that to mean that the DNS doctoring isn't doing what you want it to.

There are a couple of caveats with using Windows Integrated authentication.  If you have Extended Protection for Authentication enabled on the ADFS, you can't use Chrome to authenticate to O365.  If you really want to use Chrome, then you either need to set Extended Protection for Authentication to disabled on the ADFS in IIS Manager (go to site/adfs/ls > authentication > windows authentication > advanced settings > set to "off"), or you can run the following on a client.
reg add HKLM\System\CurrentControlSet\Control\Lsa /v SuppressExtendedProtection /t REG_DWORD /d 1 /f

Firefox works with it set to "Allowed" (in IIS).  I haven't tried what works when it is set to "Required".

Here's the settings that need to be configured for IE and Firefox.
a. IE – add site "https://sts.domain.com" to Local Intranet zone.  Make sure "Enable Integrated Windows Authentication" is checked under Advanced Options.
b. Firefox – go to "about:config", type in "auth" to narrow the list, double-click the entry "network.automatic-ntlm-auth.trusted-uris" to edit and enter "sts.domain.com"

Sorry, I'm not familiar with any books on ADFS.  The ADFS and ADFS proxy are pretty alike.  Just a little difference in the IIS config, and the config of ADFS software itself.
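An added client-side diagnostic (not from the thread or from footech) that checks the prerequisites the answers above depend on: that the STS name resolves to the ADFS server rather than the proxy, whether a leftover HOSTS entry is masking that, whether the host is in the IE Local Intranet zone, and whether the client-side Extended Protection override has been set. The STS name and the ADFS internal IP are placeholders to be replaced with your own values.

```powershell
# Added diagnostic, run on a domain-joined Windows client (not part of the original thread).
# Placeholders: replace with your federation service name and the ADFS server's internal IP.
$StsHost        = 'sts.corp.com'   # federation service FQDN (placeholder)
$AdfsInternalIp = '10.0.0.10'      # internal IP of the ADFS server, NOT the proxy (placeholder)

# 1. DNS: internally the STS name must resolve to the ADFS server, or you land on the
#    proxy's forms page instead of getting Windows Integrated authentication.
$resolved = (Resolve-DnsName -Name $StsHost -Type A -ErrorAction SilentlyContinue).IPAddress
if (-not $resolved) {
    "FAIL $StsHost does not resolve at all"
} elseif ($resolved -contains $AdfsInternalIp) {
    "OK   $StsHost resolves to the ADFS internal IP ($AdfsInternalIp)"
} else {
    "FAIL $StsHost resolves to $($resolved -join ', '); expected $AdfsInternalIp (split DNS / DNS doctoring problem)"
}

# 2. HOSTS file: a test entry like the one suggested in the thread hides the real DNS answer,
#    so report it rather than trusting the DNS result above.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsRx   = "^\s*\d+\.\d+\.\d+\.\d+\s+$([regex]::Escape($StsHost))(\s|$)"
if (Select-String -Path $hostsPath -Pattern $hostsRx -Quiet) {
    "WARN $StsHost is pinned in the HOSTS file; remove it once DNS is corrected"
}

# 3. IE zone: credentials are only sent automatically to hosts in the Local Intranet zone (zone 1).
#    The zone map stores 'sts.corp.com' as Domains\corp.com\sts with a DWORD named after the scheme.
$label, $domain = $StsHost -split '\.', 2
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$label"
$zone = (Get-ItemProperty -Path $zoneKey -Name https -ErrorAction SilentlyContinue).https
if ($zone -eq 1) { "OK   https://$StsHost is in the Local Intranet zone" }
else             { "FAIL https://$StsHost is not in the Local Intranet zone (ZoneMap https value: $zone)" }

# 4. Extended Protection: the registry override from the thread turns off channel binding for
#    every Windows auth exchange on this client, so surface it explicitly.
$lsa = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -Name SuppressExtendedProtection -ErrorAction SilentlyContinue
if ($lsa.SuppressExtendedProtection -eq 1) {
    "WARN SuppressExtendedProtection=1: Extended Protection for Authentication is disabled client-wide"
} else {
    "OK   Extended Protection for Authentication is not suppressed on this client"
}
```

Run it from the same logged-on user whose browser is failing; the IE zone map is per-user, so an elevated session with a different account will report a different zone.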
Author Comment by: nacAdmin
@footech -

Thanks. Actually, the DNS doctoring is doing exactly what it was configured to do, but what it was configured to do, it seems, is not entirely correct :)

The DNS doctoring deals with the fact that I do not have an internal DNS zone for this particular domain, so when I query public DNS for sts.domain.com, the DNS doctoring sees that request (which is pointed to the public IP address of the ADFS proxy), and gives me the internal IP address of that same server - the ADFS Proxy server.

Anyway, I still likely have some config issues to work out in both ADFS and with our Cisco ASA, but alas.

I keep thinking that I should change it all to just have DirSync sync passwords as well, removing the requirement for ADFS, but something tells me keeping ADFS around can be useful for future SSO opportunities - SFDC... Taleo... etc. :)

Thanks so much!