Solved

ADFS 2.0 (for office365) configuration questions

Posted on 2014-03-17
Last Modified: 2014-03-20
Hi all,
Ok - so I apologize in advance - this is a few questions rolled up into one - but here goes...

We have an Office365 E subscription. It's been set up for a while now, and working well. We have DirSync and ADFS set up for "SSO", which works. However, I am not sure if it works in the best possible manner.

We have ADFS deployed on our local LAN here. One ADFS server and one ADFS Proxy server (in a DMZ). However, for the domain that we have federation set up for, we do not have internal DNS, only external. This domain is configured in AD as a UPN suffix, and all users use it. For example, our AD domain is:
NetBIOS Name: Internal
AD FQDN Domain: Internal.Corporation.com

The UPN we are using is just @corp.com.
We do not have internal DNS for the CORP.COM domain.

So, when ADFS was set up, and we created the external DNS record for sts.corp.com, we ended up implementing DNS doctoring on our Cisco firewall to deal with it. So, it has always been that I have a consistent experience whether on site or remote; when I open a browser and navigate to Outlook.Office365.com:
1. Land at the Office365 Login Page; I put in my username user@corp.com
2. Get redirected to sts.corp.com, and enter my credentials
3. Get redirected back to the Office365 resource.

As I said, this works just fine. However, I am "learning" that if I am on the local LAN, I should not have to go through all of that. I should be authenticated more seamlessly (i.e. not have to see both the Office365 login screen and the STS login screen)? Is this true?
Question by:nacAdmin
11 Comments

Expert Comment

by:footech
ID: 39935127
It can be true.

For users on the local LAN and for the ADFS proxy in your DMZ, "sts.corp.com" should resolve to the internal IP of the ADFS.  For everyone else (i.e. the internet), "sts.corp.com" should resolve to the public IP that gets directed to your ADFS proxy.

The process that you're seeing above is forms-based authentication, which is what the ADFS proxy uses.  If you use Windows Integrated authentication, then it is possible to skip entering credentials on the forms page.  The ADFS proxy cannot use Windows Integrated authentication, but the ADFS can.  Furthermore, your browser has to be configured to trust the FQDN "sts.corp.com" to pass on the credentials automatically, otherwise you will still get a prompt for credentials (just not the forms page).

Author Comment

by:nacAdmin
ID: 39935228
Thanks for the response @footech

So, the first part of your response:
For users on the local LAN and for the ADFS proxy in your DMZ, "sts.corp.com" should resolve to the internal IP of the ADFS.  For everyone else (i.e. the internet), "sts.corp.com" should resolve to the public IP that gets directed to your ADFS proxy.
... We do achieve this with the DNS doctoring I mentioned - so external clients resolve sts.corp.com to the public IP, and internal LAN clients to the internal IP.

The second part of your response - I am not sure if I understand completely (what the experience could be...

So, if I am on the local LAN, and I navigate to Outlook.Office365.com:
1. On the portal sign-in page, I enter my user name "user@corp.com"
2. I am redirected to the sts.corp.com page, but - with the proper config - integrated auth happens, and I am directed back to the Office365 resource.

If everything is set up properly, is this an achievable end result? Or did I misunderstand?

Thanks!

Expert Comment

by:footech
ID: 39935496
So when you enter a user at Outlook.Office365.com, and then go to enter the password it says "Redirecting".  If you actually get redirected to another page in the browser to enter credentials, that is forms-based auth.  But if you get a pop-up to enter credentials, that is Windows Integrated auth.  I'm not clear on which one you are currently experiencing (particularly with internal clients).

If you're not getting the second one, then some adjustments need to be made.

When you have Windows Integrated auth. allowed, and the browser properly configured, then the process is:
1. On the portal sign in page, I enter my user name "user@corp.com".  After it says "Redirecting"
2. the browser automatically passes the credentials of the logged on user and you arrive at the OWA page.

Author Comment

by:nacAdmin
ID: 39935531
@footech -

Sorry if I wasn't clear...

I am not getting any pop-ups for integrated auth at any point; I only get the forms auth based page from ADFS Proxy (when internal and external).

So, aside from configuring my browser, would there be anything I have to do on ADFS Proxy?

Thanks!

Expert Comment

by:footech
ID: 39935598
Odd that you're not getting a pop-up, as that would be the default configuration.  There will be no need to change anything on the ADFS proxy.  On the ADFS, in IIS Manager, go to site>adfs>ls, and go to Authentication.  You should have settings as in the screenshot.
[Screenshot: Auth settings]

Author Comment

by:nacAdmin
ID: 39937342
Thanks @footech; Yes, this is exactly the same config on my ADFS server.

Accepted Solution

by:
footech earned 500 total points
ID: 39937962
Then the only reason I can think of right now that you aren't getting the pop-up for Windows Integrated auth is DNS.  I would try adding an entry to your HOSTS file as a test, for "sts.corp.com" pointing to the internal IP of the ADFS.  Then run ipconfig /flushdns, and then observe the logon process again.

Author Comment

by:nacAdmin
ID: 39943787
Thanks again for the response... Finally getting back to this :)

I think I tried this, but I might have added a hosts file entry and pointed it to the internal IP address of the ADFS Proxy instead... Your suggestion was to do the same for the internal IP address of our ADFS (not the proxy)? I will give that a shot...

Author Comment

by:nacAdmin
ID: 39943964
@footech -

Thanks much... I added a hosts record to point at the internal IP address for our ADFS server and that did the trick... thanks so much!

As an aside - I am realizing that there is no real difference between an ADFS Proxy and the ADFS Server itself, except for maybe the config database? Interesting.

Know of any really good books on ADFS? :)

Thanks!!

Expert Comment

by:footech
ID: 39944037
Since the host file worked, I would take that to mean that the DNS doctoring isn't doing what you want it to.

There are a couple caveats with using Windows Integrated authentication.  If you have Extended Protection for Authentication enabled on the ADFS, you can't use Chrome to authenticate to O365.  If you really want to use Chrome, then you either need to set Extended Protection for Authentication to disabled on the ADFS in IIS Manager (go to site/adfs/ls > authentication > windows authentication > advanced settings > set to "off"), or you can run the following on a client.
reg add HKLM\System\CurrentControlSet\Control\Lsa /v SuppressExtendedProtection /t REG_DWORD /d 1 /f


Firefox works with it set to "Allowed" (in IIS).  I haven't tried what works when it is set to "Required".

Here's the settings that need to be configured for IE and Firefox.
a. IE – add site "https://sts.domain.com" to Local Intranet zone. Make sure "Enable Integrated Windows Authentication" is checked under Advanced Options.
b. Firefox – go to "about:config", type in "auth" to narrow the list, double-click the entry "network.automatic-ntlm-auth.trusted-uris" to edit and enter "sts.domain.com"

Sorry, I'm not familiar with any books on ADFS.  The ADFS and ADFS proxy are pretty alike.  Just a little difference in the IIS config, and the config of ADFS software itself.
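The accepted solution (HOSTS entry for the STS name pointing at the internal ADFS, not the proxy) and the browser settings above can be checked from a domain-joined client with the following PowerShell diagnostic. It is an added example, not code from the thread or from Microsoft; the STS name, the internal ADFS IP and the registry values it reads are assumptions for illustration, and it only reports, it changes nothing.

```powershell
# Added diagnostic (not from the thread). Constructed values: replace the STS name and the
# internal AD FS address with your own; the IP below is a placeholder, not the asker's.
$StsHost        = 'sts.corp.com'
$ExpectedAdfsIp = '192.0.2.10'   # assumption: internal IP of the AD FS server, NOT the proxy

function Test-StsResolution {
    # Same resolver path a browser uses, so a HOSTS entry or DNS doctoring is reflected here.
    $ips = [System.Net.Dns]::GetHostAddresses($StsHost) | ForEach-Object IPAddressToString
    [pscustomobject]@{
        Host           = $StsHost
        Resolved       = ($ips -join ', ')
        IsInternalAdfs = ($ips -contains $ExpectedAdfsIp)
    }
}

function Test-StsWindowsAuth {
    # Anonymous request to the passive sign-in endpoint. The internal AD FS (IIS with Windows
    # Authentication on /adfs/ls) answers 401 plus WWW-Authenticate: Negotiate/NTLM; the proxy,
    # which cannot do Windows auth, serves the forms page with a 200 instead.
    $uri = "https://$StsHost/adfs/ls/"
    try {
        $r = Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop
        $status = [int]$r.StatusCode; $challenge = $r.Headers['WWW-Authenticate']
    } catch [System.Net.WebException] {
        if (-not $_.Exception.Response) { throw }          # TLS/connect failure: surface it
        $status    = [int]$_.Exception.Response.StatusCode
        $challenge = $_.Exception.Response.Headers['WWW-Authenticate']
    }
    [pscustomobject]@{
        StatusCode        = $status
        Challenge         = $challenge
        OffersWindowsAuth = ($status -eq 401 -and "$challenge" -match 'Negotiate|NTLM')
    }
}

function Test-IeIntranetZone {
    # Browser side of the same fix: the site must be in Local Intranet (zone 1) for https,
    # and "Enable Integrated Windows Authentication" (EnableNegotiate) must not be off.
    $sub, $parent = $StsHost -split '\.', 2
    $zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$parent\$sub"
    $zone = (Get-ItemProperty -Path $zoneKey -Name https -ErrorAction SilentlyContinue).https
    $neg  = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name EnableNegotiate -ErrorAction SilentlyContinue).EnableNegotiate
    [pscustomobject]@{
        InLocalIntranetZone = ($zone -eq 1)
        IntegratedAuthOn    = ($neg -ne 0)   # absent value means the default (enabled)
    }
}

Test-StsResolution; Test-StsWindowsAuth; Test-IeIntranetZone
```

If IsInternalAdfs is true but OffersWindowsAuth is false, the problem is on the ADFS/IIS side rather than DNS; if IsInternalAdfs is false from an internal client, the DNS doctoring is still handing out the proxy's address, which matches what the thread found.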

Author Comment

by:nacAdmin
ID: 39944060
@footech -

Thanks. Actually, the DNS doctoring is doing exactly what it was configured to do, but what it was configured to do, it seems, is not entirely correct :)

The DNS doctoring deals with the fact that I do not have an internal DNS zone for this particular domain, so when I query public DNS for sts.domain.com, the DNS doctoring sees that request (which is pointed to the public IP address of the ADFS proxy), and gives me the internal IP address of that same server - the ADFS Proxy server.

Anyway, I still likely have some config issues to work out in both ADFS and with our Cisco ASA, but alas.

I keep thinking that I should change it all to just have DirSync sync passwords as well, removing the requirement for ADFS, but something tells me keeping ADFS around can be useful for future SSO opportunities - SFDC... Taleo... etc. :)

Thanks so much!