AAD Connect, AD-FS and you By Malcolm Jeffrey
Session outline AAD Connect and IdFix What is AD-FS? How it works for a business AD-FS and how it works with Azure AD All going well, you’ll see me finalise my ADFS WAP and achieve SSO So this is what we are aiming to get through today. Now, it’s really putting me out on a limb of hope and chance here, but by the end of this session I should have my WAP server finished off, the domain ‘stretched’ to be Federated, and then demonstrate single sign-on from a client computer.
AAD Connect and IdFix AAD Connect is the current tool for On-Premise to Cloud syncing It can be installed on a DC A very smooth piece of software and a HUGE improvement on DirSync Before you use it, use IdFix to sort out your domain. Can filter based on OU, and Custom Attributes Available here Time for a look at the installation and use of it Prerequisites and info here So AAD Connect, what a massive massive step forward it is, over the predecessor software of DirSync, and AADSync. Now, with AAD Connect, there is a smooth, easy to use tool. Whilst today we won’t have a HUGE amount of time to get through a lot about it, there are a heap of things to do. Before you run it though, it is REALLY advised that you head to the Domains page on portal.office.com and download and run the IdFix tool. It’s there to make your progression a WHOLE lot smoother. Let’s face it, many of us look at AD and that OU there that’s a bit wonky, and that PowerShell query you ran didn’t quite cut it. And don’t forget the UPNs need a bit of a tidy up. Look, I know that he’s a little shy on these things, and I know that he’s aware I mention this, but look, jump to the 43rd minute of this link and see a great IdFix demo! (sorry Daniel, but it’s still the best explanation anywhere I’ve looked!)
How does it work? Let’s install it Now let’s have a quick look at the install and how it works It’s hard not to drop a c! start-adsyncsynccycle How does Password Synchronization work? I ALWAYS trip up over the start-adsyncsynccycle Now all at once, let’s try and say start-adsyncsynccycle 3 x fast! :-D Just as an idea, have a look at this for password thoughts. Not rules, not tips, thoughts. http://girl-germs.com/?p=472 Note, that a user changing their password should replicate within minutes or so.
What is AD-FS Secure Claims based authentication identity federation A method of linking organisations to each others web resources An alternate to AD Trusts From the web: “Active Directory Federation Services (AD Federation Services) is a feature of the Windows Server operating system that extends end users' single sign-on access to applications and systems outside the corporate firewall.” If you aren’t too sure what claims based authentication is, then have a look at the link in the slide there.
What it isn’t (I know, I was surprised too!)
What’s new in ADFS 3.0 (highlights package) Windows 10 Device registration No more IIS dependency (though it’s sorta kinda still there) And for a more comprehensive look https://blogs.technet.microsoft.com/amitd/2014/04/18/adfs-new-features-and- prerequisites-in-windows-2012-r2/ There is plenty of information out there
A case study While at TechEd 2014, about to give an Exam Cram session, I was fortunate enough to talk to a guy who just happened to work for the Warehouse. I’d said to him that I often use the Warehouse/Noel Leemings as an example of how an organisation might use ADFS to allow a parent and child company to share HR info via web pages. Oddly enough, I was on the money as he comfirmed that it was exactly how they do it.
So how do we get it working? You need at least two servers ADFS Server ADFS Web Application Proxy Server (in your DMZ) Obtain an SSL certificate for your domain Create a service account that will act on behalf of ADFS Create a DNS record to point at your Federation server
Time to get AD-FS WAP working I hope that the Demo Deities are on my side tonight!
Two hugely handy PowerShell commands What if my ADFS farm is unavailable? What happens to my users? Simply put, they can’t log in. So what to do? Set-MsolDomainAuthentication -DomainName yourdomain.local –Authentication Managed And what do you do to get it back up and running after you fix ADFS? Convert-MsolDomainToFederated –DomainName yourdomain.local
Thank you so much for coming tonight To contact me with any questions, or feedback please feel free to contact me at Malcolm@malcyjmct.nz As always, keep an eye on the MeetUp website for any files and all new upcoming session https://www.meetup.com/Wellington-Windows-Infrastructure-User-Group
Additional Resources From the session there were a lot of question fired about and there was a common theme around load balancing. I have here a number of links that I found useful in researching this. http://office365support.ca/setting-up-the-second-web-application-proxy-servers-ad-fs- proxy-in-windows-azure-for-office365-single-sign-on/ https://social.technet.microsoft.com/Forums/office/en-US/9f32a4dc-8aee-478b-9a1a- df0f09fe624f/port-between-web-application-proxy-and-adfs-30?forum=ADFS http://www.devinonearth.com/2014/07/load-balancing-adfs-on-windows-2012-r2/ https://www.vioreliftode.com/index.php/adfs-3-0-wap-sni-and-network-load-balancing/ http://www.iis.net/downloads/microsoft/application-request-routing