zaterdag 24 november 2012

Installing and configuring ADFS on Server 2012 for Office 365

Recently I upgraded our Dirsync server to Windows server 2012.
ADFS could not stay behind.

In this blog I will be explaining how to get ADFS 2012 to work wit Office 365, as it is not yet supported and there are issues with the Online module. In our scenario we already have a federation in place with Office 365 with an ADFS 2.0 farm running on Windows Server 2008 R2.

Follow the below steps at your own risk!

Installing Windows Server 2012 and prereqs
The first step is to prepare a new server installed with Windows Server 2012.
( I used Standard )
I am replacing my ADFS farm with Windows Server 2012 servers, so I am using the same name for the machines and ADFS farm. ( The old servers have to be shutdown , don’t forget this Glimlach )
I exported the certificate from the “ old”  ADFS and imported it on the new machine, this certificate will be needed later in the ADFS configuration.

Download and install the following, these are needed to federate with Office 365:

Microsoft Online services assistant
http://download.microsoft.com/download/7/1/E/71EF1D05-A42C-4A1F-8162-96494B5E615C/msoidcli_64bit.msi

Microsoft Online Services 64 bit module
http://go.microsoft.com/fwlink/p/?linkid=236293

Install ADFS feature
In Windows Server 2012, ADFS 2.0 can be installed as a feature.
No need to download the installers from Microsoft.
To install ADFS, run the following command from an elevated powershell prompt.

“add-windowsfeature ad-federation-services”

Once completed there will be a message saying  you still need to configure ADFS, so that’s what we will do in the next step.

Configure ADFS
After the installation of the feature you will be able to start the configuration wizard.
Open ADFS management from administrative tools and start the configuration wizard.

7178_wizard_thumb_3F2A9EDB

In my case I am replacing my old farm so I will create a new federation service.
For the second ADFS server I run the wizard with the “ Add a federation server to an existing federation service” option.

Wortell - visionapp Remote Desktop 2009_2

I create a new federation server farm, if you only have one server, choose the standalone federation server option.

Wortell - visionapp Remote Desktop 2009_3

Choose the certificate you imported in the first step ( the certificate used for federation service ) and choose the federation service name. Use the same name as your old federation service if you are replacing your old ADFS server.

Wortell - visionapp Remote Desktop 2009_4

The last step is to specify a dedicated ADFS service account. use a domain account here and finish the wizard. ADFS is nog configured!

But, if you try to federate with Office 365, you will end up getting an error when using the Online Service Module.

Registry tweak
You need to register the following keys  to get the Microsoft Online services module to work.

Copy the below information and save this to “ adfsregistrytweak.reg”  and run this on the new Server 2012 ADFS.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellSnapIns\Microsoft.Adfs.PowerShell]
"ApplicationBase"="C:\\Windows\\ADFS"
"Version"="6.2.0.0"
"AssemblyName"="Microsoft.IdentityServer.PowerShell, Version=6.2.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
"Description"="This powershell snap-in contains cmdlets used to manage Microsoft Identity Server resources."
"PowerShellVersion"="1.0"
"ModuleName"="C:\\Windows\\ADFS\\Microsoft.IdentityServer.PowerShell.dll"
"Vendor"="Microsoft" “

Update domain federation
We allready setup a federation with our old ADFS farm. Therefore we need to update our federation information on the ADFS server and on the Office 365 side.

If you are creating a new federation, refer to the following article :
http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx#bk_deployfsfarm

If you already had ADFS setup, follow the below steps
Open the Microsoft Online Services Module for Windows PowerShell from the start menu.

Run $cred=Get-Credential. When this cmdlet prompts you for credentials, type your Office 365 administration account credentials.

Run Connect-MsolService -Credential $cred. This cmdlet connects you to Office 365.
Creating a context that connects you to Office 365 is required before running any of the additional cmdlets installed by the tool.

Run Set-MSOLAdfscontext -Computer <AD FS 2.0 primary server>, where <AD FS 2.0 primary server> is the internal FQDN name of the primary AD FS 2.0 server. This cmdlet creates a context that connects you to AD FS 2.0.

Run Update-MSOLFederatedDomain -DomainName <domain>. This cmdlet updates the settings from AD FS 2.0 into Office 365 and configures the trust relationship between the two.

Now your new Windows Server 2012 federation server is ready to use!
After updating the federated domain setting it took about 5 minutes tilll it worked.

Setting service to auto start
After all the above is done, the ADFS service is set to “ automatic delayed start “.
In my case the ADFS service was not started correctly when rebooted.
I set the startup type to “ automatic”, this starts the ADFS service directly.

To do this, run the following command from an elevated command prompt.
set-service -name adfssrv -startuptype automatic

Well, you now have a working Windows Server 2012 ADFs server to federate with Office 365.

9 opmerkingen:

  1. Hi

    Hoe gaat het ??

    Can i install a windows 2012 ADFS server farm in a Windows 2003 SP1 active directory forest ????

    thanks

    BeantwoordenVerwijderen
    Reacties
    1. Hi,
      As far as i know there are no AD functional level requirements for ADFS. For server 2012 you need 2003 functional level or higher, which you have.
      Good luck!

      Verwijderen
  2. yeah now i see Installing and configuring ADFS on Server 2012 for Office 365

    BeantwoordenVerwijderen
  3. Thanks! The registry tweak got me up and running.

    BeantwoordenVerwijderen
  4. As per now, do not use the registry tweak anymore on newly installed Windows Server 2012R2 since it will cause the set-MSOLADFSContext cmd to render errors. It should now work all without the tweak!

    BeantwoordenVerwijderen

  5. افضل شركة نقل اثاث بالمدينة المنورة تساعدك على نقل اثاثك بامان فلا داعى للقلق مع افضل شركة نقل اثاث بجدة

    عزيزى العميل انت من محبى التنقل باستمرار بالتالى انت بحاجة ماسة وضروية الى الاستعانة بالمختصين في نقل العفش خاصة ارخص شركة نقل اثاث بالرياض لان الاستعانة باى من عمالة الشوارع الغير مدربة والتي لا تمتلك خبرة كافية في نقل العفش او الحفاظ علية وليس هذا فقط فقد يؤدى الاستعانة بعمالة الشوارع الى حدوث حالة فقدان وتكسير للاثاث بالتالى التاثير الضار عليك عزيزى العميل

    لا تقلق مطلقاً الان بشأن نقل اي منقولات خاصة بك طالما استعنت بشركة الاول لـ نقل الأثاث في الرياض وخارج الرياض فنحن ليس الوحيدون ولكننا متميزون عن اى مؤسسة أخرى داخل وخارج الدمام وشهرتنا كافضل شركة نقل عفش بينبع
    نقل اثاث بجدة

    BeantwoordenVerwijderen