Office 365 and Azure with ADFS setup or AD Pass-through authentication?

Hi People,

Is there any other alternative method that is easier to set up and configure than deploying an ADFS server?

I heard about Azure AD Pass-through authentication, but I'm not sure whether it is ready for production implementation yet.

What's the minimum number of servers I need to deploy in my VMware environment (on-premises) to make it redundant?

Any help would be greatly appreciated.

Thanks.
Senior IT System Engineer asked:

Cliff Galiher commented:
What is your goal? ADFS has never been a requirement for Office 365.
Senior IT System Engineer (Author) commented:
I want to do SSO and client authentication for some service that has been deployed by the developers in Azure.
So that the existing AD account can be used to access it as well as the same AD account for Office 365.
Cliff Galiher commented:
True SSO requires ADFS. Pass-through is still in preview (last I checked), but operates more similarly to password syncing anyway, which is "same" sign-on, but not true SSO.


Senior IT System Engineer (Author) commented:
OK, so in this case, there is no other way than to use ADFS servers deployed in both Azure and the on-premises VMware environment?
Which servers do I need to deploy or separate?

OnPrem:
1x Windows Server 2012 R2 - Domain Joined - Federation Server
1x Windows Server 2012 R2 - Non-Domain Joined (DMZ) - WebApplication Server & SQL Server Express Edition

Azure:
1x Windows Server 2012 R2 - Domain Joined - Federation Server
1x Windows Server 2012 R2 - Non-Domain Joined (DMZ) - WebApplication Server & SQL Server Express Edition

Is that correct, a minimum of 4 servers?
Cliff Galiher commented:
I can't speak to how many or where. That is entirely dependent on your app needs and architecture. You may not need any in Azure, or you may need more than one. These are significant architectural planning assessments and require more than an EE question.
Senior IT System Engineer (Author) commented:
OK, so for the basic redundancy I will need to deploy:

OnPrem:
2x Windows Server 2012 R2 - Domain Joined - Federation Server
2x Windows Server 2012 R2 - Non-Domain Joined (DMZ) - WebApplication Server & SQL Server Express Edition

Is that correct?
Cliff Galiher commented:
I can't speak to why you are installing a web application server or SQL server in the DMZ. That seems out of scope to the question. But for redundancy, you'd want two ADFS servers and two proxy servers.
Senior IT System Engineer (Author) commented:
Chris,

Yes, you are right:

OnPrem:
2x Windows Server 2012 R2 - Domain Joined - AD Federation Server & SQL Server Express Edition on each server.
2x Windows Server 2012 R2 - Non-Domain Joined (DMZ) - WebApplication Server.

Is that correct?
Cliff Galiher commented:
I assume by web application server, you actually mean web application proxy. If so, then yes.
Senior IT System Engineer (Author) commented:
Yes, that's what I mean:

OnPrem:
2x Windows Server 2012 R2 - Domain Joined - AD Federation Server & SQL Server Express Edition on each server.
2x Windows Server 2012 R2 - Non-Domain Joined (DMZ) - WebApplication Proxy Server.

So the servers are just standalone (not clustered) and the DMZ servers are not joined to the AD domain.
Cliff Galiher commented:
Correct.
compdigit44 commented:
I see you have listed using the Windows Internal DB for ADFS, which is fine, but just make sure you understand the pros and cons of WID over SQL before you set up your environment. Also, have you planned out your certificate needs? That is huge with ADFS and needs to be planned out carefully.

http://www.be-com.eu/?p=873
Senior IT System Engineer (Author) commented:
Hi Compdigit44,

So in this case, shall I use a single SQL Express instance for my two ADFS servers, or two SQL Express databases running on each ADFS server?

My understanding is that when the SQL DB is down, the whole company cannot authenticate to Azure or Office 365.

As for the SSL certs, they will be installed on both Web Application Proxy servers.
Do I need a load balancer for this setup, or can I use DNS round robin?
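The topology the thread settled on (two domain-joined AD FS servers plus two workgroup Web Application Proxy servers in the DMZ), written out as the Windows Server 2012 R2 PowerShell commands run on each box. This is an added example, not anything posted by the participants; it assumes the Windows Internal Database (WID) farm that compdigit44 refers to, and the federation service name, host names and certificate thumbprint are placeholders. Each section is run on the server named in its heading, and the final function is a post-build check for farm role, sync state and certificate expiry on an AD FS node.

```powershell
# Added example (not from the thread). Placeholders: replace the service name,
# host name and thumbprint with your own values.

# --- Shared values (assumptions) ---
$FederationServiceName = 'sts.contoso.example'      # DNS name clients and Office 365 resolve
$SslThumbprint         = '<THUMBPRINT-OF-SSL-CERT>'  # same cert imported on all four servers
$PrimaryAdfs           = 'ADFS01.corp.contoso.example'

# --- ADFS01 (domain joined, primary WID node) ---
# Install-AdfsFarm without -SQLConnectionString creates a WID-backed farm.
$svcCred = Get-Credential -Message 'AD FS service account (domain\svc_adfs)'
Install-AdfsFarm -CertificateThumbprint $SslThumbprint `
                 -FederationServiceName $FederationServiceName `
                 -ServiceAccountCredential $svcCred

# --- ADFS02 (domain joined, secondary WID node) ---
# A secondary node pulls configuration from the primary and serves reads only;
# if the primary is lost, the primary role must be moved with Set-AdfsSyncProperties.
Add-AdfsFarmNode -CertificateThumbprint $SslThumbprint `
                 -PrimaryComputerName $PrimaryAdfs `
                 -ServiceAccountCredential $svcCred

# --- WAP01 and WAP02 (workgroup servers in the DMZ) ---
# The proxy is not domain joined; a domain credential is used once to
# establish the trust with the federation service.
$trustCred = Get-Credential -Message 'Domain credential used to establish the WAP trust'
Install-WebApplicationProxy -CertificateThumbprint $SslThumbprint `
                            -FederationServiceName $FederationServiceName `
                            -FederationServiceTrustCredential $trustCred

# --- Post-build check, run on each AD FS node ---
function Get-AdfsFarmSummary {
    $sync  = Get-AdfsSyncProperties
    $certs = Get-AdfsCertificate |
        Select-Object CertificateType, IsPrimary,
                      @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
    [pscustomobject]@{
        Node            = $env:COMPUTERNAME
        Role            = $sync.Role                # PrimaryComputer or SecondaryComputer
        PrimaryComputer = $sync.PrimaryComputerName
        LastSyncStatus  = $sync.LastSyncStatus      # 0 means the last pull from the primary succeeded
        Certificates    = $certs                    # service-communications, token-signing, token-decrypting
    }
}

Get-AdfsFarmSummary | Format-List
```

The check is worth scheduling: a secondary whose LastSyncStatus is non-zero is serving stale configuration, and a token-signing certificate approaching NotAfter is the usual cause of a sudden Office 365 sign-in outage with an otherwise healthy farm.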
Senior IT System Engineer (Author) commented:
Thanks!