I want to use Office 365 and take advantage of the single sign on capabilities with AD FS 2.0. We have a Windows Server 2008 R2 server that is the primary domain controller.
I do not want to set up an Active Directory farm, nor do I want to use a network load balancer. My one single server will absolutely be able to handle the load; it does almost nothing. I do not want to establish any type of AD FS proxy; I have no remote clients. All clients are internal, and those that are external will connect over VPN and remote desktop to internal hardware. I have absolutely no need for an AD FS proxy unless the proxy itself is how O365 will communicate with my firewalled server internally and it is actually required for that purpose.
From everything I've been trying to read through the help there doesn't even seem to be a mention of going the single server route (If I want this, thousands of others clearly want this, if not 10,000s or 100,000s of organizations).
I am extremely frustrated after spending over half a day trying to figure any of this out. I have tried searching through forums and Google and have not readily found any information that really helps. I have to echo the statement that others have made in posts that it seems like Microsoft really just doesn't comprehend small to medium business at all. I want Office 365 to simplify IT! Having to set up AD FS farms, load balancing and god knows what else (I'm on step 2 of what, 10, and can't even finish this one?) is the 100% total opposite of simplifying IT!
I seem to have gotten as far as installing the Microsoft Online Services Sign-In Assistant (IDCRL7) [this was a total nightmare to find! It took 45 minutes of reading and giving up to eventually find it through a Google search pointing to an expertsexchange post] on my server. I have the Microsoft Online Services Module for PowerShell installed (x64) [which required the aforementioned software; why wasn't this a web installer that would automatically install the assistant?!?!].
At this point I have no idea what to do next, because I have no idea what is actually required by O365 vs what Microsoft feels is "best practice" and is actually completely unrelated to accessing O365.
I feel your pain. If the only reason you want single sign-on is to have password syncing (which is why I'm interested in it), then consider just using the www.messageops.com tool to do password syncing. The reason MS wants you to have multiple servers and load balancers is that once you enable SSO, if your server isn't up, no one can get access to any of the O365 services, which is a pretty big deal.
I've found the BPOS password requirements to be complete insanity for myself, even as a software architect and, by need, the lead system administrator. There's no way I could expect lusers to be able to comply with the password policy enforced by BPOS. At that point I might as well just tell everyone to put a sticky note under their keyboard with their password, to not have to deal with password resets every single day. Has the password policy been made less brutal, so that using that tool you pointed out from messageops is even viable? That password syncing tool sounds almost exactly like what the integration support should be for O365. Install a program on your server and you're done.
You have to understand that the perspective Microsoft comes from is always the most robust and fault-tolerant one, because most organizations demand it. I used to work in the SB market, so I understand where cost concerns and consolidation come into play. You can consolidate down to a few servers, but you risk a lot by keeping all your eggs in one basket.
- To run the Directory Sync tool you have to have a 32-bit machine, and it cannot be a domain controller (it can be a simple VM sitting on your existing box)
- AD FS can run on your DC and be a single server solution
Now, if you don't do a proxy, then your external users will not have single sign-on. Mostly acceptable as long as your client understands. However, doing this is a really bad idea; think about it: your AD FS controls all access to O365, so if that server goes down, so does all of your O365 functionality. This is why Microsoft recommends robust configurations, to make sure your systems are up as close to 100% as possible.
As for the Sign-In Assistant, I agree it is frustrating, and many of us on the Beta have voiced our concern about this. However, if you go into your O365 tenant and read through the documents provided for configuring O365, or run through the Exchange Deployment Assistant guide, you will see all the steps you need. Again, you can run it all on one box (outside of your DirSync box, which can be a VM on your box due to the 32-bit issue), but you risk a lot. I would say as long as you bring all the risks to the table and your client accepts them, then you will be fine...until your box crashes, of course :)
Jorge R. Diaz, PMP, CCNA, MCSA, MCSE, MCTS
Senior Microsoft Consultant
My Blog!
- Proposed as answer by Jorge R. Diaz - Microsoft, Friday, 15 July 2011 01:10
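The single-server path the answer above describes (AD FS 2.0 on the DC, no farm, no proxy) ends with federating the verified Office 365 domain from the Microsoft Online Services Module for Windows PowerShell. The script below is an added example written for this thread, not code from either poster or from Microsoft's deployment guides. It assumes the module and the Sign-In Assistant are installed, that you run it on the AD FS 2.0 server itself with the AD FS 2.0 snap-in present, and that the domain name, server name and credential prompt are placeholders; it refuses to convert an unverified or already-federated domain, since converting the wrong domain locks every user out of O365.

```powershell
# Added example (not from the thread): federate one verified Office 365 domain
# against a single AD FS 2.0 server and then check what both sides agreed on.
# $Domain and $AdfsServer are placeholders for this illustration.

$Domain     = "contoso.com"              # assumption: already verified in the O365 tenant
$AdfsServer = "dc01.corp.contoso.local"  # assumption: the one AD FS 2.0 box (here, the DC)

# 1. Local prerequisite: the AD FS 2.0 Windows service (adfssrv) must be running.
#    Once the domain is federated, every O365 sign-in depends on this service.
$svc = Get-Service -Name adfssrv -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    throw "AD FS 2.0 service is '$($svc.Status)'; start it before federating $Domain."
}

# 2. Load the Microsoft Online Services Module (it needs the Sign-In Assistant)
#    and sign in as a tenant global administrator. Get-Credential prompts interactively.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)

# 3. Tell the module which AD FS server to configure. Without a farm or load
#    balancer this is simply the one machine.
Set-MsolADFSContext -Computer $AdfsServer

# 4. Safety checks before the irreversible-feeling step: the domain must already
#    be verified in the tenant, and converting it twice is an error.
$d = Get-MsolDomain -DomainName $Domain
if ($d.Status -ne 'Verified') {
    throw "$Domain is '$($d.Status)' in the tenant; verify it before federating."
}
if ($d.Authentication -eq 'Federated') {
    Write-Warning "$Domain is already federated; skipping conversion."
} else {
    # This is the step that makes the single AD FS server a single point of
    # failure for all O365 access, exactly the risk the answer above warns about.
    Convert-MsolDomainToFederated -DomainName $Domain
}

# 5. Compare the tenant's view and the AD FS server's view of the trust.
#    Issuer URI, token-signing certificate and passive (browser) endpoint
#    should match; a mismatch here shows up as failed sign-ins for everyone.
Get-MsolFederationProperty -DomainName $Domain | Format-List
```

Two caveats worth stating plainly. First, step 5 is the check to rerun after any token-signing certificate rollover on the AD FS server, because the tenant only learns about a new certificate when the federation properties are updated. Second, browser (passive) sign-in from internal clients talks to the AD FS endpoint directly, so it works without a proxy, but rich clients such as Outlook authenticate to Exchange Online, which then calls the AD FS WS-Trust endpoint from Microsoft's side; that endpoint therefore has to be reachable from the Internet, which is the one case where the proxy the original poster wanted to avoid is doing real work rather than just being "best practice".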