ADFS and Single Sign On Preliminaries

Posted: August 5, 2012 in ADFS, Office 365, proxy server, SSO, third party trusted certificate

First you are going to need two servers in your domain.  One needs to be a Domain Controller and the other one must NOT be one.

The next thing you are going to need is a trusted certificate from a third party issuer.  Because of subsequent requirements, the one you use for SBS – remote.<domain>.com – won’t do.  The reason is that it is used for port 443 and 987 traffic to the SBS server.  For ADFS and SSO, you will need port 443 traffic to be directed to the ADFS proxy server, the one you will install on the non-DC server, so the ADFS name needs its own certificate.

Here is a quick run through of the preparatory steps:

  1. On your public DNS, set up an A record that will be the first part of your third party certificate name.  It must also be the name of the ADFS farm and proxy.  I will use adfs.<domain>.com in my example here.
  2. Now you will need to generate a third party certificate request.  On the DC server, open IIS.  Click on the server name, and in the middle pane under IIS, click on Server Certificates.
  3. In the Action Pane on the right, click on Create Certificate Request.  You can use these values:

    * Common Name – adfs.<domain>.com
    * Organization – <company name>
    * Organizational Unit – IT (whatever)
    * City/locality – use your city name
    * State/Province – use your state abbreviation
    * Country/region – use drop down box

  4. On the next page, use defaults.
  5. On the next page, provide a file name to store the certificate request.  Click on the … button to browse.
  6. On the next page finish and you will have created the cert request.  Now go to a third party issuer and get the certificate.  Download it and, back in IIS, add the downloaded certificate using the action just below Create Certificate Request.
  7. Create a new account solely for use with ADFS facilities.  I have chosen fsaccount for my examples.
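The same preparatory steps, scripted for the DC rather than clicked through in IIS Manager. This is an added example, not code from the original post: it uses certreq.exe (which reads the same subject fields IIS asks for), checks the A record from step 1, and creates the service account from step 7 with the ActiveDirectory module. adfs.<domain>.com and fsaccount come from the post; the proxy IP address, the OU path and the 2048-bit key length are assumptions, and every value in angle brackets is a placeholder to replace.

```powershell
# Added example (not part of the original post). Run on the DC as a domain admin.
# Placeholders: <domain>, <public IP of the ADFS proxy>, <company name>, <city>,
# <state abbreviation>, <country code>, <OU distinguished name>.

$FarmName       = "adfs.<domain>.com"      # must equal the public A record AND the cert CN
$ExpectedIp     = "<public IP of the ADFS proxy>"  # assumption: the NAT address for port 443
$ServiceAccount = "fsaccount"              # dedicated ADFS account, used for nothing else
$RequestDir     = "C:\CertRequests"

# Step 1 check: does the name resolve to the proxy and not to the SBS server?
# GetHostAddresses uses the DC's own resolver, so with split DNS this tests the
# internal zone; confirm the public record separately from outside the network.
$resolved = [System.Net.Dns]::GetHostAddresses($FarmName) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $ExpectedIp) {
    Write-Warning "$FarmName resolves to [$($resolved -join ', ')], expected $ExpectedIp"
}

# Steps 2-3: build the CSR. The Subject line carries CN, O, OU, L, S and C,
# the same six fields the IIS wizard asks for. Exportable = TRUE because the
# identical certificate (with private key) must later be installed on the proxy.
New-Item -ItemType Directory -Path $RequestDir -Force | Out-Null
$inf = @"
[NewRequest]
Subject = "CN=$FarmName, O=<company name>, OU=IT, L=<city>, S=<state abbreviation>, C=<country code>"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
"@
$infPath = Join-Path $RequestDir "adfs.inf"
$csrPath = Join-Path $RequestDir "adfs.req"
Set-Content -Path $infPath -Value $inf -Encoding ASCII
certreq.exe -new $infPath $csrPath
Write-Host "Submit $csrPath to the issuer, then import the issued file with: certreq.exe -accept <issued>.cer"

# After step 6: confirm the installed certificate's subject is exactly the farm name
# and record its thumbprint, which the ADFS setup will ask for.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$FarmName" -or $_.Subject -like "CN=$FarmName,*" } |
    Select-Object Subject, NotAfter, Thumbprint

# Step 7: the dedicated service account. Requires the RSAT AD PowerShell module.
Import-Module ActiveDirectory
$pw = Read-Host -AsSecureString "Password for $ServiceAccount"
New-ADUser -Name $ServiceAccount -SamAccountName $ServiceAccount `
    -Path "<OU distinguished name>" -AccountPassword $pw -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description "ADFS 2.0 service account (used for nothing else)"
```

The DNS check and the subject check are the two things worth keeping even if you prefer the IIS wizard: an A record that still points at the SBS server, or a certificate whose CN differs from the farm name, are the usual reasons the proxy later fails to answer on 443.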

The next step is to download ADFS 2.0 from Microsoft (the original post links to the download).  Don’t try to add ADFS as a server role, as that version won’t work with Office 365.
The next step will be to install ADFS on the domain controller as a single member farm and on the non-domain controller as a proxy.

Comments
  1. Charles says:

    Have you done any more work on this? I am running SBS2008 Prem. in house and we are about to run out of users (up to 72) so I am tossing around the idea of using Office 365 to supplement SBS. Maybe do a full migration to O365 in 2014. I am not running into very much luck on Google with this got really excited to find your blog but disappointed when I didn’t see any interest when you ask.. 😦

  2. Charles says:

    Sorry, my last post was actually supposed to be on the ADFS 2.0 and Single Sign On post. After I read this it kinda goes hand in hand with it though. What if you use a wildcard certificate? Would that work?

  3. I’ll reply to both comments in this single entry. No, unfortunately I have not finished the work I need to do on ADFS 2.0 and SSO. Mea culpa. I have had too many work and personal distractions, but am just now moving back into posting mode, so I hope to complete this in a week or so.

    As to the wildcard certificate, I truly don’t know. Somehow my gut says no, but in actual practice it might. My gut feeling comes from the logic it needs an exact match. Exactly how the matching proceeds is not something I profess to know.

    I would add a comment about Office 365. I have become a HUGE fan. I have encouraged all of my SBS clients to migrate to Office 365 from an on-premise Exchange Server in SBS 2003/2008/2011. Overall, I have proven to them and myself that it is cheaper by far than the continual tweaking, updating and restarting issues I was paid to resolve with their on-premise, not to mention the intangible benefit of never having business email interruption. I have taken the same course with my own SBS Exchange and SharePoint. No doubt, in the near future, when time permits, I am migrating to Windows Server 2012 Standard and leaving SBS altogether. It is sad after all these years, but the course has been charted for me I’m afraid.

  4. Charles says:

    Thank you for the reply, for some reason I didn’t get a notification of your post so I am just now reading it. I sure hope you have time to complete this project. I wear multiple hats here and the IT is just one of them. So I am not an expert by any means. Some of the articles I have read are a little over my head and you have to jump from one article to another and it’s very confusing and they are not directed to SBS2008.

  5. It’s on my list but am suffering from the same situations you describe! Soon I hope.

  6. Steve says:

    Revisiting an old thread for you Larry,

    I am looking at doing this with SBS 2011 Essentials. In this instance is the 2nd Server and 2nd public IP really required, as IIS and ADFS can be installed on the SBS2011 server?

    Looking to integrate with Salesforce, not Office 365

  7. Sorry I didn’t quite keep up with your comment. Do what?

  8. Steve says:

    Sorry –

    I have 1 x SBS2011 Essentials Server and want to integrate SSO via ADFS to Salesforce for INTERNAL users only (ie inside the network).

    In your initial post you stated that you needed 2 x Servers (one non-DC) and the other being the SBS Server. You also mentioned that there is a need for another external IP address.

    I am struggling to see why the 2nd external IP is required for the Proxy if it’s just for internal users.

    They currently use the Remote Workplace feature to get into the network from the outside world and wouldn’t require AD Credentials outside of this network.

    I am scouring the internet to try and get confirmation on this – thank you so much for the prompt reply.

    Do you have any reference material which might help get this going? I have your site and a bunch of other blogs to piece through but nothing concrete.

  9. I guess I don’t fully understand what you are trying to do. Why would you want to use SSO for internal (assuming you mean local LAN) clients? Why would they not just use their Windows credentials for authorization for everything?

    SSO is used for federation and at least in my understanding, it is to allow trusted credentials to authenticate a foreign trust with a local one. I just don’t get the foreign trust entity in what you described.

    Sorry I am not of more help.