Recently I upgraded our Dirsync server to Windows server 2012.
ADFS could not stay behind.
In this blog I will be explaining how to get ADFS 2012 to work wit Office 365, as it is not yet supported and there are issues with the Online module. In our scenario we already have a federation in place with Office 365 with an ADFS 2.0 farm running on Windows Server 2008 R2.
Follow the below steps at your own risk!
Installing Windows Server 2012 and prereqs
The first step is to prepare a new server installed with Windows Server 2012.
( I used Standard )
I am replacing my ADFS farm with Windows Server 2012 servers, so I am using the same name for the machines and ADFS farm. ( The old servers have to be shutdown , don’t forget this )
I exported the certificate from the “ old” ADFS and imported it on the new machine, this certificate will be needed later in the ADFS configuration.
Download and install the following, these are needed to federate with Office 365:
Microsoft Online services assistant
Microsoft Online Services 64 bit module
Install ADFS feature
In Windows Server 2012, ADFS 2.0 can be installed as a feature.
No need to download the installers from Microsoft.
To install ADFS, run the following command from an elevated powershell prompt.
Once completed there will be a message saying you still need to configure ADFS, so that’s what we will do in the next step.
After the installation of the feature you will be able to start the configuration wizard.
Open ADFS management from administrative tools and start the configuration wizard.
In my case I am replacing my old farm so I will create a new federation service.
For the second ADFS server I run the wizard with the “ Add a federation server to an existing federation service” option.
I create a new federation server farm, if you only have one server, choose the standalone federation server option.
Choose the certificate you imported in the first step ( the certificate used for federation service ) and choose the federation service name. Use the same name as your old federation service if you are replacing your old ADFS server.
The last step is to specify a dedicated ADFS service account. use a domain account here and finish the wizard. ADFS is nog configured!
But, if you try to federate with Office 365, you will end up getting an error when using the Online Service Module.
You need to register the following keys to get the Microsoft Online services module to work.
Copy the below information and save this to “ adfsregistrytweak.reg” and run this on the new Server 2012 ADFS.
“Windows Registry Editor Version 5.00
"AssemblyName"="Microsoft.IdentityServer.PowerShell, Version=220.127.116.11, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
"Description"="This powershell snap-in contains cmdlets used to manage Microsoft Identity Server resources."
Update domain federation
We allready setup a federation with our old ADFS farm. Therefore we need to update our federation information on the ADFS server and on the Office 365 side.
If you are creating a new federation, refer to the following article :
If you already had ADFS setup, follow the below steps
Open the Microsoft Online Services Module for Windows PowerShell from the start menu.
Run $cred=Get-Credential. When this cmdlet prompts you for credentials, type your Office 365 administration account credentials.
Run Connect-MsolService -Credential $cred. This cmdlet connects you to Office 365.
Creating a context that connects you to Office 365 is required before running any of the additional cmdlets installed by the tool.
Run Set-MSOLAdfscontext -Computer <AD FS 2.0 primary server>, where <AD FS 2.0 primary server> is the internal FQDN name of the primary AD FS 2.0 server. This cmdlet creates a context that connects you to AD FS 2.0.
Run Update-MSOLFederatedDomain -DomainName <domain>. This cmdlet updates the settings from AD FS 2.0 into Office 365 and configures the trust relationship between the two.
Now your new Windows Server 2012 federation server is ready to use!
After updating the federated domain setting it took about 5 minutes tilll it worked.
Setting service to auto start
After all the above is done, the ADFS service is set to “ automatic delayed start “.
In my case the ADFS service was not started correctly when rebooted.
I set the startup type to “ automatic”, this starts the ADFS service directly.
To do this, run the following command from an elevated command prompt.
set-service -name adfssrv -startuptype automatic
Well, you now have a working Windows Server 2012 ADFs server to federate with Office 365.