Background
I recently went through the motions of setting up Active Directory Federation Services (ADFS v2) for Kreisler to allow us to begin using Office 365 with federated authentication. We have some other potential uses for federation coming later on as well. This post is not meant to dive into how we set everything up because for the most part it was relatively simple. The Office 365 documentation is very helpful and if you follow it step by step you can accomplish what you want. However, a few parts in particular were confusing for me and took a couple of tries to get right. They are:
-
SSL Requirements
-
Domain Name Forwarding and Requirements
For those not familiar ADFS does require SSL certificates and in a production environment you need to purchase at least 1 certificate and possibly 2 depending on how security conscious you are. In addition if your network is similar to ours you need to work some DNS trickery to get the desired end-user behavior.
Our ADFS Design
We don't have a large user base so having a large server farm is not required and even for small businesses (400 or less employees) this farm will support the load just fine! Our farm is composed of the following:
-
One ADFS Server
-
One ADFS Proxy
It should be noted that we decided to utilize our existing MSSQL infrastructure to host the ADFS databases and not the Windows Internal Database.
SSL for ADFS
So the documentation in Office 365 in regards to the SSL setup is somewhat confusing. Here is what it boils down to. You MUST generate the initial certificate request from your ADFS Server, even if this server is not going to be publicly facing! In addition for each certificate you generate make sure the Common Name is identical for each certificate you request. In our design we requested a single certificate. Once you get the certificate loaded life should be good, but then you have to install the Proxy. You have two options here:
-
Export the certificate from the ADFS Server, or
-
Request a new certificate
Security Experts will say to use number two because if the public facing certificate is compromised so is your internal certificate. Then again if you don't have hundreds to throw at SSL certificates number one becomes very appetizing. You can follow standard IIS help and instructions for exporting and importing a certificate from one server to another. Once we got passed the certificate problems we were able to get the system up and running properly.
DNS for ADFS
The idea with ADFS in a Server and Proxy configuration is that internal clients will utilize Windows Integrated Authentication to login to the federation server while external clients will be redirected to a form to attempt to login. Here's the problem with this:
-
The Common Name from your SSL certificate should match the publicly accessible DNS A/AAAA record for your Federation Service.
-
The proxy by default receives all public requests, which is normal.
-
Internal users will still make a call to "fs.mydomain.com" which points them to the Proxy as opposed to the Server, this causes internal users to have to login.
The documentation again is somewhat light in this area. There is lots of talk about setting up HOST file definitions, which if you ask me is somewhat archaic. We took a different approach, DNS. We setup a new forward lookup zone in our Active Directory enabled DNS servers for "fs.mydomain.com" which meant that the server now becomes authoritative for our Federation Services sub-domain, so any internal requests will now get processes by our internal DNS servers and not get forwarded to external servers. The last step was to simply create an A/AAAA record for ".fs.mydomain.com" to point to the Federation Server. Now any request for "fs.mydomain.com" gets sent to our Federation Server.
Ta-Da
Again, these are just some of the larger problems we had getting things up and running but it appears to be working like a champ at this point. I'll have another post in the future to help customize your Federation Forms Login page to brand it and customize the behavior.
-Brent
