Welcome to part two of a four-part series on configuring single sign-on for a hybrid Office 365 deployment. In part one we prepared the Active Directory forest for Active Directory Federation Services. Now we're going to look at the steps required to configure an Active Directory federation farm on two domain controllers.
Configure DNS requirements
When deploying an Active Directory federation farm, the domain name system (DNS) cluster name of the network load balancing (NLB) service must match the name of the Active Directory Federation Service (AD FS). In a single-server deployment, either the hostname or an additional Host A record must exist that matches the name of the Federation Service.
Important: The Federation Service name on the internal corporate network must match the DNS cluster name of the federation proxy servers (configured in the next article). Because the federation proxy servers are Internet-facing, the cluster name assigned to the internal federation farm must also be public. The internal DNS namespace for the Kbomb domain was set up as Kbomb.lan; this is not a public DNS namespace.
Setting up split-horizon DNS -- creating the Kbomb.com.au DNS zone on your internal DNS servers -- would force you to recreate every public Kbomb.com.au record internally, so avoid it.
Instead of creating a new Active Directory integrated zone called Kbomb.com.au, create an Active Directory integrated zone and name it fs.Kbomb.com.au. Next, create a Host A record with a blank name; this forces the record to reference the DNS zone name itself.
Now we can configure fs.Kbomb.com.au to point to an internal server on the corporate network without making the internal DNS servers authoritative for the entire Kbomb.com.au DNS zone (Figure 1).
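The following is an added example, not code from the original article: it creates the fs.Kbomb.com.au zone and its blank (apex) Host A record with dnscmd, then checks that the name resolves and that the internal DNS servers have not accidentally become authoritative for the whole Kbomb.com.au zone. It assumes you run it as a DNS administrator on a domain controller that is also a DNS server, and it uses 10.4.2.16, the cluster IP address used later in this article, as the target.

```powershell
# Added example (not from the original article): create the fs.Kbomb.com.au
# AD-integrated zone and its blank-name (apex) Host A record with dnscmd, then
# check that internal DNS is still NOT authoritative for Kbomb.com.au.
# Assumptions: run as a DNS admin on a DC/DNS server; 10.4.2.16 is the NLB
# cluster IP configured later in the article.

$FederationServiceName = 'fs.Kbomb.com.au'
$ParentZone            = 'Kbomb.com.au'
$ClusterIP             = '10.4.2.16'

# 1. Create the zone as Active Directory integrated (replicated to all domain DNS servers).
dnscmd /ZoneAdd $FederationServiceName /DsPrimary

# 2. "@" is the zone apex, i.e. the blank-name record the article describes.
dnscmd /RecordAdd $FederationServiceName '@' A $ClusterIP

# 3. Check: the Federation Service name resolves to the cluster IP internally.
$resolved = [System.Net.Dns]::GetHostAddresses($FederationServiceName) |
            ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $ClusterIP) {
    Write-Warning "$FederationServiceName does not resolve to $ClusterIP (got: $($resolved -join ', '))"
} else {
    Write-Host "OK: $FederationServiceName -> $ClusterIP"
}

# 4. Check: the parent zone must NOT exist locally. If it does, you have built
#    split-horizon DNS and every public Kbomb.com.au record must be recreated here.
$zones = dnscmd /EnumZones
if ($zones -match "^\s*$([regex]::Escape($ParentZone))\s") {
    Write-Warning "Internal DNS is authoritative for $ParentZone -- public records will be shadowed."
} else {
    Write-Host "OK: only $FederationServiceName is hosted internally; $ParentZone stays public."
}
```

Run it once on a domain controller holding the DNS role; because the zone is Active Directory integrated, the other DNS servers receive it through replication, so the resolution check can be repeated from any internal client.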
Internet Information Services (IIS) 7.5 must be installed on both domain controllers on which we're going to install the AD FS role. Add the role through Server Manager and select the default IIS 7.5 feature set as prompted by the wizard.
Create a digital certificate request
AD FS requires a server certificate for data encryption. This certificate must match the Federation Service name fs.Kbomb.com.au. Create the digital certificate using Internet Information Services (IIS) Manager. The certificate must be trusted by AD FS 2.0 clients. To ensure that all clients trust the certificate, create the certificate using a public certificate authority (CA).
Note: In this lab setup I've decided to use a 30-day free trial certificate provided by Rapid SSL. In a production environment, I suggest using a DigiCert SSL Plus or Unified Communications certificate.
- Open Internet Information Services (IIS) Manager and navigate to the server node under the View pane. Under Feature View, select Server Certificates.
- In the Actions pane select Create Certificate Request.
- On the Distinguished Name Properties page, look under Common name and make certain that it matches the DNS name you want to use for the Federation Service. Fill out the remainder of the details and click Next.
- Select the Cryptographic service provider your CA uses as well as the Bit Length. Rapid SSL uses the Microsoft RSA SChannel Cryptographic Provider.
- Select where to save the Certificate Signing Request.
- Copy the content of the Certificate Signing Request into your public CA's Web interface.
- After downloading the certificate file from the CA, complete the certificate request in IIS Manager.
- Select the location of the RapidSSL certificate and provide the certificate with a friendly name.
Now that you've finished the certificate request process and have a valid SSL certificate with a private key, perform the following steps:
- Install any intermediate certificates your public CA provides.
- Export the certificate chain in .pfx format, then import the certificate onto any additional AD federation servers in your farm following the instructions from DigiCert.
Assign the digital certificate to the Default Web Site
You must now assign your digital certificate to the Default Web Site on all servers in the AD FS farm. This is required prior to using the AD FS 2.0 Federation Server Configuration Wizard.
Perform the following procedure on all servers in your AD FS farm:
- Right-click the Default Web Site, then click Edit Bindings.
- Click Add. Then, in the Add Site Bindings window, select the certificate we created earlier and click OK.
Create a service account
All servers in your AD FS farm must be configured to run under the same service account. That said, you cannot use the new managed service accounts that come with Windows Server 2008 R2 (created with the New-ADServiceAccount cmdlet).
This is because managed service accounts cannot be shared between multiple computers and cannot be used in server clusters where a service is replicated on multiple cluster nodes.
Next, create an old-fashioned user account in Active Directory users and computers. Make sure the Password never expires checkbox is selected. Also, make certain the service account uses a public UPN suffix (as described in part one of this series).
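As an added example (not from the original article), here is the same service account created and verified with the ActiveDirectory module instead of the Active Directory Users and Computers console. The account name svc_adfs and the OU path are my own choices, the password is prompted for rather than stored in the script, and it assumes Kbomb.com.au was registered as a UPN suffix in part one.

```powershell
# Added example (not from the original article): create the AD FS service account
# as an ordinary domain user with a public UPN suffix and a non-expiring password,
# then verify both settings before running the AD FS configuration wizard.
# Assumptions: ActiveDirectory module available (Windows Server 2008 R2 DC);
# account name svc_adfs and the OU path are hypothetical; Kbomb.com.au was
# added as a forest UPN suffix in part one.

Import-Module ActiveDirectory

$SamAccountName = 'svc_adfs'
$PublicSuffix   = 'Kbomb.com.au'
$Upn            = "$SamAccountName@$PublicSuffix"
$OuPath         = 'OU=Service Accounts,DC=Kbomb,DC=lan'   # hypothetical OU

# The UPN suffix must already be registered on the forest, or the UPN is invalid.
$suffixes = (Get-ADForest).UPNSuffixes
if ($suffixes -notcontains $PublicSuffix) {
    throw "UPN suffix $PublicSuffix is not registered on the forest (see part one)."
}

# Prompt for the password instead of embedding it in the script.
$password = Read-Host -Prompt "Password for $Upn" -AsSecureString

New-ADUser -Name $SamAccountName `
           -SamAccountName $SamAccountName `
           -UserPrincipalName $Upn `
           -Path $OuPath `
           -AccountPassword $password `
           -Enabled $true `
           -PasswordNeverExpires $true `
           -CannotChangePassword $true `
           -Description 'AD FS 2.0 farm service account (shared by all farm members)'

# Verify exactly what the farm will later depend on.
$acct = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires, UserPrincipalName
if ($acct.UserPrincipalName -ne $Upn) {
    Write-Warning "UPN is $($acct.UserPrincipalName), expected $Upn"
}
if (-not $acct.PasswordNeverExpires) {
    Write-Warning 'Password never expires is not set; the farm will break when the password expires'
}
if ($acct.UserPrincipalName -eq $Upn -and $acct.PasswordNeverExpires) {
    Write-Host "OK: $Upn is ready for the farm"
}
```

Because every farm member runs under this one account, the verification block is worth re-running whenever the account is touched; a changed UPN suffix or an expired password surfaces as a farm-wide sign-in failure rather than on a single server.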
Download Active Directory Federation Services
Now you must download AD FS. In this series I'm using the following build: "RTW\W2K8R2\amd64\AD FSSetup.exe."
Note: Ensure that .NET Framework 3.5 is installed on all servers that will be configured under your AD FS farm.
Install Active Directory Federation Services
Now you must install AD FS on all servers in your AD FS farm using the following steps:
- Locate the AD FSSetup.exe setup file that you downloaded and double-click it.
- Click Next on the Welcome screen.
- Select the I accept the terms in the License Agreement check box, then click Next.
- Select Federation Server, then click Next (Figure 2).
- Deselect Start the AD FS 2.0 Management snap-in when this wizard closes and click Finish.
- Now you must install any Rollup Updates for AD FS on all members of the AD FS farm. You must have at least Rollup Update 1 installed; it is required for single sign-on in a hybrid Office 365 deployment.
Configure the first federation server in the federation server farm
As mentioned in part one of this series, the first federation server in a farm is called the primary federation server. This server maintains a read/write copy of the configuration database that is stored in Windows Internal Database (WID). To configure the primary federation server, use the following steps:
- After the AD FS 2.0 software installation is complete, click Start, then Administrative Tools, then AD FS 2.0 Management. This will open the AD FS 2.0 Management snap-in.
- On the Overview page, click the AD FS 2.0 Federation Server Configuration Wizard.
- On the Welcome page, verify that Create a new Federation Service is selected, then click Next.
- On the Select Stand-Alone or Farm Deployment page, click New federation server farm, then click Next (Figure 3).
- On the Specify the Federation Service Name page, verify that the SSL certificate that displays matches the name of the certificate that was previously imported into the Default Web Site in IIS (Figure 4).
- On the Specify a Service Account page, click Browse. In the Browse dialog box, locate the domain account you will use for the service account in the new federation server farm and click OK. Type the password for this account, confirm it, then click Next.
- On the Ready to Apply Settings page, review the details. If the settings appear correct, click Next to begin configuring AD FS 2.0 using these settings (Figure 5).
- On the Configuration Results page, review the results. When all the configuration steps are complete, click Close.
Add federation servers to the farm
Repeat the following process for all the servers you'd like to add to your federation server farm.
- After the AD FS 2.0 software installation is complete, click Start, then Administrative Tools, and then AD FS 2.0 Management to open the AD FS 2.0 Management snap-in.
- On the Overview page -- or in the Actions pane -- click AD FS 2.0 Federation Server Configuration Wizard.
- On the Welcome page, verify that Add a federation server to an existing Federation Service is selected, then click Next.
- On the Specify the Primary Federation Server and Service Account page, under Primary federation server name, type the computer name of the primary federation server in the farm, then click Browse.
In the Browse dialog box, locate the domain account that the other federation servers use as the service account, then click OK. Type the password and confirm it, then click Next.
- On the Specify the Federation Service Name page, click Next.
- On the Ready to Apply Settings page, review the details. If the settings appear correct, click Next to begin configuring AD FS 2.0 with these settings.
- Review the results on the Configuration Results page. When all the configuration steps are finished, click Close to exit the wizard.
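After the wizard finishes on each server, it is worth confirming from that server that it actually joined the farm and that the certificate the wizard picked up matches the Federation Service name. The following added example (not from the original article) does that with the AD FS 2.0 PowerShell snap-in, which ships with AD FS 2.0; the 30-day renewal threshold is my own choice, chosen because the lab uses a 30-day trial certificate.

```powershell
# Added example (not from the original article): verify farm membership and the
# service-communications certificate on a freshly configured AD FS 2.0 server.
# Assumption: the Microsoft.Adfs.PowerShell snap-in installed with AD FS 2.0 is present.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$props = Get-ADFSProperties
$sync  = Get-ADFSSyncProperties

"Federation Service name : $($props.HostName)"
"Role of this server     : $($sync.Role)"                 # PrimaryComputer or SecondaryComputer
"Primary server          : $($sync.PrimaryComputerName)"
"Last sync status        : $($sync.LastSyncStatus)"       # non-zero means the last pull from the primary failed

# The service-communications certificate is the one bound to the Default Web Site;
# its subject must carry the Federation Service name (fs.Kbomb.com.au in this series).
$svcCert    = (Get-ADFSCertificate -CertificateType Service-Communications).Certificate
$expectedCn = "CN=$($props.HostName)"

if ($svcCert.Subject -notlike "*$expectedCn*") {
    Write-Warning "Certificate subject '$($svcCert.Subject)' does not match $expectedCn"
} elseif ($svcCert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($svcCert.NotAfter); renew it before then (trial certificates last 30 days)"
} else {
    Write-Host "OK: service certificate matches $($props.HostName), valid until $($svcCert.NotAfter)"
}
```

On the primary server the role reads PrimaryComputer and the sync fields are not meaningful; on every additional server it should read SecondaryComputer with the primary's computer name filled in.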
Configure network load balancing
Now that we've configured two servers in our AD FS farm, we need to load balance incoming connections to fs.Kbomb.com.au between all servers in the federation farm. For production deployments, I recommend a dedicated load balancer such as F5's BIG-IP.
For the sake of this tip, in my lab deployment I'm using Microsoft Network Load Balancing (NLB); it's free and is built into Windows Server. That said, it does not have intelligent health monitors to identify issues with individual nodes within your farm.
- Go to Server Manager, then add Network Load Balancing to all servers within your farm.
- On the first server in your federation farm, open the Network Load Balancing manager and select New from the Cluster menu.
- In the Host field, enter "localhost" then click Connect. Next, select the network interface that is connected to your corporate network.
- On the Host Parameters page, make the Priority "1." Under Initiate host state, set the default state to Started. Under IP addresses, enter the IP address of the server's network adapter (Figure 6).
- Now click Add and enter the Cluster IP address. This IP address must resolve to the name that matches the Federation Service fs.Kbomb.com.au. Click Next.
- Microsoft NLB has two primary operation modes: multicast and unicast. Multicast requires a single network interface on each server that uses load balancing. Unicast requires two network interfaces on each server using load balancing and is generally the preferred method for implementing NLB.
Under Cluster Parameters, select the cluster IP address we created earlier, then enter the Full Internet name of the cluster to match the Federation Service name. Now set the Cluster Operation mode to Multicast.
- Next, configure Microsoft NLB to listen on TCP port 443 for incoming requests. Under Filtering mode, select Multiple Hosts, then set the Affinity to Single. Active Directory Federation Services must maintain persistent connections from the same IP address (Figure 7).
- Once it's configured, add the second host to the cluster by right-clicking the cluster and selecting Add Host to Cluster.
- Enter the Host as the next server in your AD FS farm and click Connect. Now select the network interface and click Next.
- Under the Host Parameters section, leave all options as their default settings, then click Next.
- Under Port Rules, leave all options as their default settings, then click Next.
- Both hosts will now participate in the Network Load Balancing cluster and accept requests sent to 10.4.2.16.
- Connections can now be made to hosts by their IP address or the cluster IP address (Figure 8).
Note: I experienced an issue where I was unable to route to my NLB multicast address over layer 3 through my Cisco router. If you experience a similar result, I've documented the resolution.
When installing NLB on a Windows DNS server -- such as a domain controller -- it will automatically register the NLB virtual IP as an A record for the server's hostname. This causes major problems with directory lookups against domain controllers. In my lab, I performed a registry hack to prevent the NLB virtual IP address from being registered.
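The cluster built by hand in the steps above can also be built with the NetworkLoadBalancingClusters module that ships with Windows Server 2008 R2. The following added example (not from the original article) does that with the same settings (multicast, TCP 443 only, multiple hosts, single affinity) and then performs the check this note calls for: that neither domain controller's own hostname resolves to the NLB virtual IP. The interface name LAN, the host names DC01/DC02 and the /24 subnet mask are my assumptions; 10.4.2.16 is the cluster IP from this article. It does not reproduce the registry change mentioned above.

```powershell
# Added example (not from the original article): build the NLB cluster with the
# NetworkLoadBalancingClusters module and then verify that the virtual IP has
# not been registered in DNS under a domain controller's own hostname.
# Assumptions: interface 'LAN', hosts DC01 (local) and DC02, /24 subnet mask;
# 10.4.2.16 is the cluster IP used in the article.

Import-Module NetworkLoadBalancingClusters

$ClusterName = 'fs.Kbomb.com.au'
$ClusterIP   = '10.4.2.16'
$SubnetMask  = '255.255.255.0'
$Interface   = 'LAN'
$SecondHost  = 'DC02'

# 1. Create the cluster on the local (first) host in multicast mode.
New-NlbCluster -InterfaceName $Interface -ClusterName $ClusterName `
               -ClusterPrimaryIP $ClusterIP -SubnetMask $SubnetMask `
               -OperationMode Multicast

# 2. Replace the default all-ports rule with one that balances only TCP 443
#    across multiple hosts, keeping each client IP on the same node (Single affinity).
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -StartPort 443 -EndPort 443 -Protocol Tcp `
                       -Mode Multiple -Affinity Single

# 3. Add the second federation server to the cluster.
Add-NlbClusterNode -NewNodeName $SecondHost -NewNodeInterface $Interface
Get-NlbClusterNode | Format-Table -AutoSize

# 4. Check: a DC's own hostname must not resolve to the NLB VIP, otherwise
#    directory clients are sent to the load balancer for LDAP and Kerberos.
foreach ($dc in @($env:COMPUTERNAME, $SecondHost)) {
    $addrs = [System.Net.Dns]::GetHostAddresses($dc) | ForEach-Object { $_.IPAddressToString }
    if ($addrs -contains $ClusterIP) {
        Write-Warning "$dc resolves to the NLB VIP $ClusterIP; remove that A record and stop the VIP from registering"
    } else {
        Write-Host "OK: $dc resolves to $($addrs -join ', ') (VIP not registered)"
    }
}
```

Run the DNS check again after the next reboot of each domain controller, since dynamic registration happens at service start and can quietly put the virtual IP back.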
Enable Windows Remote Management 2.0
Finally, we must enable the ability to remotely control all federation servers in the farm using Windows Remote Management v2.0 by running the Enable-PSRemoting -Force PowerShell command, as seen in Figure 9.
Figure 9. You can remotely control all federation servers using WinRM with a quick PowerShell command.
AD FS 2.0 Windows Service startup problems
When rebooting the AD FS 2.0 servers, I noticed that the AD FS 2.0 Windows Service did not boot up. The result was that single sign-on did not work for external users. Interestingly, I noticed that the AD FS 2.0 Windows Service was configured by default with Delayed Start. Additionally, on the service recovery tab, First Failure and Second Failure are preconfigured to restart the service by default.
This hints to me that the product team is aware of this service attempting to start early and as a result has attempted to put measures in place to prevent such behavior. Fortunately, I discovered a workaround that ensures the service starts in my lab environment.
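The following added example (not from the original article) ties the WinRM step to the startup problem just described: it enables remoting on the local farm member, then uses Invoke-Command to check the AD FS 2.0 Windows Service (service name adfssrv) on every farm member after a reboot, starts it where it failed to come up, and reports whether Delayed Start is set. It is my own health check, not the author's workaround, which this article does not show. The host names DC01/DC02 are assumptions, and the account running it must be a local administrator on both servers.

```powershell
# Added example (not from the original article): enable WinRM 2.0 locally, then
# check and, if needed, start the AD FS 2.0 Windows Service on every farm member.
# This is an independent health check, not the author's workaround.
# Assumptions: farm members DC01 and DC02; caller is a local admin on both.

Enable-PSRemoting -Force

$FarmMembers = 'DC01', 'DC02'

$results = Invoke-Command -ComputerName $FarmMembers -ScriptBlock {
    $svc = Get-Service -Name adfssrv
    if ($svc.Status -ne 'Running') {
        Start-Service -Name adfssrv
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
        $svc.Refresh()
        $action = 'started'
    } else {
        $action = 'already running'
    }

    # Delayed Start is recorded as DelayedAutostart=1 under the service's registry key.
    $key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\adfssrv'
    $delayed = (Get-ItemProperty -Path $key -Name DelayedAutostart -ErrorAction SilentlyContinue).DelayedAutostart

    New-Object PSObject -Property @{
        Server       = $env:COMPUTERNAME
        Status       = $svc.Status
        Action       = $action
        DelayedStart = ($delayed -eq 1)
    }
}

$results | Format-Table Server, Status, Action, DelayedStart -AutoSize

# Microsoft NLB has no health monitor (noted earlier), so a node whose service is
# down keeps receiving TCP 443 connections; flag any node still not running.
$down = $results | Where-Object { $_.Status -ne 'Running' }
if ($down) {
    Write-Warning "AD FS 2.0 Windows Service not running on: $($down.Server -join ', ')"
}
```

Because external users land on whichever node NLB picks, one farm member with a stopped service shows up as intermittent sign-on failures; running this check after every reboot of a domain controller catches that before users report it.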