Office365, ADFS 2.0 and ADFS Proxy

  • Question

  • Hello,

    I have a Win2008R2 server in my domain which is my ADFS (v2.0) server. I have installed ADFS Proxy at AWS (also a Win2008R2) and SSO is working fine, both for internal and external users. I already have Office365 SSO working through a different ADFS setup, but now would like to move it (or start fresh) as I have an ADFS Proxy installed. Going through my readings again on setting Office365 SSO (dirSync, AzureAD etc), I'm getting a little confused as to what gets installed where. My ADFS server cannot talk to the Internet, so there's no way it can communicate to Office365, and the ADFS Proxy is not a domain member, so DirSync wouldn't work on it right? I tried to run some ADFS commands related to Office365 on my ADFS Proxy server and it complained that it couldn't find the ADFS server. Can someone please assist me with this?

    Any help, advice, comments are appreciated!

    Thank you,
    Sau

    Thursday, June 2, 2016 6:15 PM

All replies

  • You don't configure this from your AD FS proxy..

    On a machine which can connect to O365 you'll need to install Azure AD Connect (formerly DirSync) in order to hook up your on-premise AD with your O365 tenant...

    In addition, on either an AD FS farm node or a machine connected to the Internet that also has visibility with your AD FS server(s), install the Microsoft Online Services Sign-In Assistant for IT Professionals RTW from the Microsoft Download Center. Then install the Azure Active Directory Module for Windows PowerShell (64-bit version). This allows communication, configuration of the AD FS server and the federation trust with your O365 tenant.

    Just out of curiosity, is there a S2S VPN between AWS and your on-premise AD farm?



    http://blog.auth360.net

    Sunday, June 5, 2016 3:37 PM
  • Hi Mylo,

    Thanks for your reply. So from what I understand, it seems I need to use a Domain member, that is connected to the Internet and install Azure AD Connect, MOSS and Azure AD module for PS on it and nothing on the actual ADFS server or the proxy server. The only thing pertaining to Office365 would be the Claim Rules that would go on the ADFS server. Correct?

    Yes, we do have S2S VPN to AWS and on-premise AD, however, currently there are no machines connected to our domain at AWS.

    Thanks again!

    Sau

    Tuesday, June 7, 2016 4:45 PM
  • Hi Sau,

    Sorry for the late response.. you can put the Azure AD Connect, MOSS and Azure AD PS module on the AD FS server or on the DC or on a dedicated member server. I'd normally opt for the latter if the kit is available to support that, just for role separation. The machine concerned needs to be domain-joined, can connect to the Internet and see ADFS, as the Azure AD Connect component also provides support for auto-configuring the RP claims rules. Just so you're aware, I've also seen the latter screw up config of the RP, so the Azure AD PS module is useful to have to hand to correct should that scenario arise.. mind you, that could have been (a) me (b) my impatience ... :) .. post back if we can help further..


    http://blog.auth360.net

    Monday, June 13, 2016 9:49 PM
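The "correct it by hand with the Azure AD PS module" scenario Mylo mentions is worth showing as a check. The script below is an added example, not code from the thread: run from the domain-joined, Internet-connected member server, it points the MSOnline module at the internal AD FS 2.0 server and compares what AD FS publishes with what the Office 365 tenant has recorded for the federated domain, so a stale relying-party or token-signing certificate shows up before users hit sign-in failures. The host name, domain name, and the property names read from Get-MsolFederationProperty are assumptions.

```powershell
# Added example (not from the thread). Requires the MSOnline module on a
# domain-joined member server that can reach both the Internet and AD FS.
Import-Module MSOnline

$AdfsServer = 'adfs.corp.example'   # placeholder: internal AD FS 2.0 host
$Domain     = 'example.com'         # placeholder: federated domain in the tenant

Connect-MsolService                         # prompts for tenant admin credentials
Set-MsolADFSContext -Computer $AdfsServer   # remote to AD FS over WinRM; needs local admin on it

# Returns one record published by AD FS and one recorded by Office 365.
$props = Get-MsolFederationProperty -DomainName $Domain
$local = $props | Where-Object { $_.Source -like 'ADFS*' }
$cloud = $props | Where-Object { $_.Source -like 'Microsoft*' }

if (-not $local -or -not $cloud) {
    throw "Could not read both sides of the federation trust for $Domain"
}

# Property names below are assumed from the cmdlet's usual output.
$checks = @(
    @{ Name  = 'FederationServiceIdentifier'
       Local = $local.FederationServiceIdentifier
       Cloud = $cloud.FederationServiceIdentifier },
    @{ Name  = 'PassiveClientSignInUrl'
       Local = $local.PassiveClientSignInUrl
       Cloud = $cloud.PassiveClientSignInUrl },
    @{ Name  = 'TokenSigningCertificate'
       Local = $local.TokenSigningCertificate.Thumbprint
       Cloud = $cloud.TokenSigningCertificate.Thumbprint }
)

$mismatch = $false
foreach ($c in $checks) {
    if ($c.Local -ne $c.Cloud) {
        $mismatch = $true
        Write-Warning ("{0} differs: AD FS='{1}' Office365='{2}'" -f $c.Name, $c.Local, $c.Cloud)
    } else {
        Write-Host ("{0} OK" -f $c.Name)
    }
}

# A mismatch (typically the token-signing certificate after a rollover, or a
# stale endpoint) is fixed by pushing the AD FS metadata back up to the tenant
# rather than re-running Convert-MsolDomainToFederated against a working domain.
if ($mismatch) {
    Write-Host "Run: Update-MsolFederatedDomain -DomainName $Domain   (after reviewing the differences)"
}
```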
  • Hi Mylo,

    No worries, but thanks for responding. I was able to install ADConnect, and Azure AD PS on a member server (Win2012R2) that is connected to the Internet and have been successful. I did however manually create the claim rules on my new ADFS server (copied it from my old ADFS box) and that has worked.

    Thanks,

    Sau

    • Marked as answer by Sau Pat Tuesday, June 14, 2016 4:25 PM
    Tuesday, June 14, 2016 4:24 PM