ADFS with Office 365

Hi,

I have 2 x load balanced ADFS Servers and 2 x load balanced web proxy servers located in Azure ready to deploy Federated Services.

When I go to the URL https://adfs.company.com/adfs/ls/IdpInitiatedSignon.aspx everything works fine, and there are no errors in the event logs on any of the servers.

When I federate the domain, it all works OK. When I log in to Office 365 with a user I get redirected to the correct login page; however, all Outlook clients on the on-premise LAN hang on "Loading Profile".

On running the Single Sign On test in the Remote Connectivity Analyser, it passes all tests apart from the last section, which advises:

No SAML token was found in the response from the Security Token service.

I then "unfederate" the domain and everything goes back to normal.

I did find this article that mentions something about firewall ports: https://community.office365.com/en-us/f/156/t/247867

With the ADFS servers in Azure I don't think that this is relevant though.

Any ideas?

Gerald
gezzam25 Asked:

Vasil Michev (MVP) Commented:
If only Outlook/Exchange is not working, make sure to check your claims rules. Make sure all ADFS endpoints are properly allowed through the firewall (in the case of EO, you need the 'basic' one, /adfs/services/trust/2005/usernamemixed/). And make sure you are not blocking *any* of the IPs/ranges in the list below, as in the case of EO it's actually the Microsoft server that is 'talking' to your AD FS, and not the Outlook client.

Here's some reading material:
https://support.microsoft.com/en-us/kb/2466333
https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US
btan (Exec Consultant) Commented:
It looks like your STS (or IdP) has not considered the below:
• Office 365 SAML 2.0 Federation Implementers Guide is handy on the overall required steps (at http://go.microsoft.com/?linkid=9844221)

The guide shares how to configure your SAML 2.0 Identity Provider (your own ADFS as the STS/IdP) to federate with Windows Azure AD (in this case the relying party) to enable single sign-on access to one or more Microsoft cloud services (such as Office 365 in your case) using the SAML 2.0 protocol. https://msdn.microsoft.com/en-us/library/azure/dn641269.aspx
gezzam25 (Author) Commented:
Thank you guys, much appreciated.

I will try these on the weekend when I can work in peace and keep you updated.

gezzam25 (Author) Commented:
Just one question: I assume that the certificate I use to configure my Office 365 domain to use with SAML 2.0 is the SSL certificate I purchased to use on the ADFS and Proxy Servers?
btan (Exec Consultant) Commented:
Yes, note that ADFS as IdP has a couple of certs, e.g. the SSL cert, the Token signing cert and the Token "Decryption" cert.

SSL cert - As the name implies, it is a publicly trusted SSL certificate for use on all the ADFS servers. It is used to establish the secure channel over which the SAML token is sent; the apps will reference that.
ADFS Server SSL Certificate Guidelines

All of the back-end ADFS servers must use the same SSL certificate. The ADFS configuration contains the thumbprint of the SSL certificate in its database so the ADFS service across all servers will try to find the same certificate based on this thumbprint. If you need to confirm what SSL certificate needs to be installed on all the ADFS servers, compare the thumbprints on the certificates. All you have to do is install the same SSL certificate into the machine certificate store on all back-end ADFS servers and this includes a wildcard SSL certificate if you plan to use one.
Token signing cert - the SAML token signing cert that needs to be exported to Azure AD for creating the federated trust. The token signing certificate may have one or more parent certificates in its chain. If it does, every certificate in that chain has to be added to the SharePoint 2013 list of trusted root authorities.

Token "decryption" cert - it is more the relying party's public cert that ADFS needs to encrypt with, so that the relying party (Azure) can securely decrypt and receive it.
It’s OK to use the Self-Signed Token Decryption Certificate

Out of the box, ADFS generates some self-signed certificates for the token decryption certificate. These self-signed certificates, by default, are good for one year. Unless you have partner Identity Providers (IdP) sending you tokens that require encryption, this certificate will rarely be used.

Don’t use the SSL certificate as your Token Decryption Certificate

I’ve seen customers actually do this to simplify their deployment but I don’t recommend this.
The name is not wrong per se; the article below explains more...

A good article on the certs is below, do catch it:
Get a Publicly Trusted SSL Certificate

Once again, I recommend you get a publicly trusted SSL certificate for your ADFS Proxy/WAP servers.

Be Aware of Internally Issued SSL Certificate Caveats

If you installed an internally issued SSL certificate on your back-end ADFS servers, your ADFS Proxy/WAP servers, by default, won’t trust them. Consequently, you’ll have to either install the issuing CA certificate or the non-trusted SSL certificate into the Trusted Root certificate store on the Proxy/WAP servers so you can complete the installation wizard. The way to confirm whether the certificate is trusted is to open Internet Explorer on your Proxy/WAP server and navigate to the back-end ADFS server and see whether you get any untrusted SSL prompts:

https://<sts.domain.com>/federationmetadata/2007-06/federationmetadata.xml

Get a Separate SSL certificate for your ADFS Proxy/WAP Servers

Due to security concerns with the ADFS Proxy/WAP server, I typically recommend that customers install a separate SSL certificate on their ADFS Proxy/WAP servers. The only thing you must ensure is that the Common Name (CN) or Subject Alternative Name (SAN) contain the same ADFS service name. You can install the same SSL certificate on all your ADFS Proxy/WAP servers though.
http://blogs.technet.com/b/askpfeplat/archive/2015/01/26/adfs-deep-dive-certificate-planning.aspx
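A check script that ties together the two answers above (Vasil's point about the usernamemixed endpoint and btan's notes on the SSL and token-signing certs); it is an added example, not code from the thread or from Microsoft. It assumes it runs elevated on a back-end AD FS server with the MSOnline module installed and Connect-MsolService already run, and $Domain is a placeholder for the federated domain.

```powershell
# Added verification script (not from the thread). Assumes an elevated session on a
# back-end AD FS server, the MSOnline module installed and Connect-MsolService done.
$Domain = 'company.com'   # placeholder: the federated domain being checked

$fsName = (Get-AdfsProperties).HostName   # federation service name, e.g. adfs.company.com

# 1. SSL cert: the thumbprint AD FS binds for the service name must be present in
#    LocalMachine\My on this server (repeat on every back-end server; thumbprints must match).
$binding = Get-AdfsSslCertificate | Where-Object HostName -eq $fsName | Select-Object -First 1
$sslCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $binding.CertificateHash
if (-not $sslCert) {
    Write-Warning "SSL cert $($binding.CertificateHash) bound by AD FS is not in LocalMachine\My on $env:COMPUTERNAME"
} else {
    # CN or SAN must cover the service name; a wildcard such as *.company.com also matches.
    $covered = $sslCert.DnsNameList.Unicode | Where-Object { $fsName -like $_ }
    if (-not $covered) {
        Write-Warning "SSL cert $($sslCert.Thumbprint) does not cover $fsName (names: $($sslCert.DnsNameList.Unicode -join ', '))"
    } else { "OK: SSL cert $($sslCert.Thumbprint) covers $fsName (expires $($sslCert.NotAfter))" }
}

# 2. Exchange Online authenticates from Microsoft's side against the active (WS-Trust)
#    endpoint, so it must be enabled and published through the proxy, not just reachable.
$ep = Get-AdfsEndpoint | Where-Object AddressPath -eq '/adfs/services/trust/2005/usernamemixed'
if (-not $ep -or -not $ep.Enabled -or -not $ep.Proxy) {
    Write-Warning "usernamemixed endpoint: Enabled=$($ep.Enabled) Proxy=$($ep.Proxy); both must be True"
} else { "OK: usernamemixed endpoint enabled and proxied" }

# 3. Token-signing cert: Azure AD must hold the cert AD FS actually signs with, and the
#    ActiveLogOnUri it was given must point at this farm's usernamemixed endpoint.
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$fed     = Get-MsolDomainFederationSettings -DomainName $Domain
$aadCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
               -ArgumentList (,[Convert]::FromBase64String($fed.SigningCertificate))
if ($aadCert.Thumbprint -ne $primary.Thumbprint) {
    Write-Warning "Azure AD holds signing cert $($aadCert.Thumbprint) but AD FS primary is $($primary.Thumbprint); run Update-MsolFederatedDomain -DomainName $Domain"
} else { "OK: Azure AD signing cert matches the AD FS primary token-signing cert" }

$expectedActive = "https://$fsName/adfs/services/trust/2005/usernamemixed"
if ($fed.ActiveLogOnUri -ne $expectedActive) {
    Write-Warning "ActiveLogOnUri in Azure AD is $($fed.ActiveLogOnUri); expected $expectedActive"
} else { "OK: ActiveLogOnUri points at this farm" }
```

A signing-cert or ActiveLogOnUri mismatch means Azure AD cannot validate tokens this farm issues, which is consistent with the "No SAML token was found" result from the connectivity analyser; fix the mismatch before chasing firewall rules.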

gezzam25 (Author) Commented:
All good, thanks for the advice. It worked like a dream once I followed these instructions.
Question has a verified solution.