
Sunday, June 21, 2015

Yes, I have done ADFS 3.0 using Windows Azure VMs with Office 365 .... here is my version


I have been thinking of doing this for some time now. Eventually, with Windows Azure VMs, it is a bit easier to build a test ADFS deployment.

There is a great post I am referring to:

http://office365support.ca/setting-up-the-primary-ad-fs-3-0-server-in-windows-azure-for-office365-single-sign-on/

I basically followed the steps listed above ...

Here is my implementation ....

0/ A Windows AD domain is set up on a Windows Azure VM, e.g. datasys.biz with a DC such as DSLPDC.

1/ I set up another server, DSLRDS, and installed DirSync.

2/ Verify in the portal that you own the domain by putting the MS=xxxx TXT record in DNS. There is a caveat here: I had to create datasys.biz as a standalone domain first rather than a federated one.

3/ Then convert datasys.biz to a federated domain.

4/ Plan the ADFS structure. In my case I use a Windows Azure-only domain, i.e. no link to on-premises AD. I would say this method will work for hybrid as well.

5/ Plan the farm: an ADFS farm with two servers and a web proxy farm with two servers. The ADFS servers are domain-joined; the web proxies are not domain-joined.

6/ In this test, another subnet is created under the Azure virtual network as a DMZ network:
172.16.16.x as primary ---- DC and ADFS servers on this one
10.118.118.x as DMZ ---- the 2 web proxy servers on this one

It is routable between these two subnets.

7/ I used internal load balancing for ADFS, so I don't need the hosts-file approach described in the above-mentioned link.

8/ Plan your ADFS name. I would use one name, fs.datasys.biz; this is the federation service name used by all ADFS-related servers --- 2 ADFS + 2 web proxies.

8.8/ Create a cloud service, e.g. dataADFS, and install the VM ADFS01 inside it (then ADFS02).

9/ Get a trial cert from Comodo (3 months) or GeoTrust (1 month) with the name fs.datasys.biz. Do this on adfs01, then export the cert with the private key plus a password; this will be imported on the 3 other servers.

10/ Install adfs02, import the cert, install the ADFS role, etc.

11/ Install the internal LB with the Windows Azure PowerShell cmdlets; the load balancer name is fs.datasys.biz. This balancer is not reachable from the internet; you can do an internal test by going to
https://sts.domain.com/adfs/ls/IdpInitiatedSignon.aspx
In my case, it's https://fs.datasys.biz/adfs/ls/IdpInitiatedSignon.aspx
This URL is very important for me for testing.

12/ Now create a WAP cloud service, put datawap01 in it, install the Web Application Proxy role under Remote Access (assuming you use Server 2012 R2 everywhere), import the cert, then start the configuration wizard. Follow the wizard; the federation service name is fs.datasys.biz. I used domain credentials, as local credentials kept getting an error.

13/ Install the 2nd one, datawap02, and do the same as above. I kept getting an error, something like "global config"; then I viewed the cert, imported the cert again, and after a long think, ADFS succeeded. What a relief.

14/ Configure the WAP URL load balancing: in the Azure portal, on datawap01, enable the HTTPS endpoint and create a load-balanced set.

15/ For datawap02, add it to the HTTPS load-balanced set.

16/ Note the WAP service's public IP.

17/ In public DNS, point fs.datasys.biz to that IP.

(note: datasys.biz is an example domain)

18/ Test by browsing to portal.office.com.

19/ This will redirect to fs.datasys.biz.

20/ Enter a valid username/password from the AD on your Windows Azure VM.

21/ Then it will redirect you back to portal.office.com as a logged-on user.

22/ Yeah, I have finally done ADFS after thinking of doing this for years.
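As an added example (not the post's own script, and not from the linked Office365support.ca article), here is the build from steps 9 to 13 and the checks behind steps 11 and 18 to 21 as Windows Server 2012 R2 PowerShell, with the internal load balancer from step 11 done with the classic (service-management) Azure cmdlets that were current in 2015. Every name is an assumption taken from the post or invented here: fs.datasys.biz, adfs01/adfs02, datawap01/datawap02, the cloud service dataADFS, the subnet name 'primary', the ILB address 172.16.16.100, the PFX path and the service account. Each section runs on the server named in its header.

```powershell
# Added example, not the post's own script. Assumed names: fs.datasys.biz,
# adfs01/adfs02, datawap01/datawap02, cloud service dataADFS, subnet 'primary',
# ILB address 172.16.16.100, PFX path and service account.

# ---- all four servers: import the one PFX exported in step 9 ---------------
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath 'C:\certs\fs.datasys.biz.pfx' `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword
$thumbprint = $cert.Thumbprint
# The name on the cert must be the federation service name, or the WAP trust fails.
if ($cert.DnsNameList.Unicode -notcontains 'fs.datasys.biz') {
    throw "Certificate $thumbprint does not carry fs.datasys.biz"
}
# The PFX holds the private key: delete the file once every server has imported it.

# ---- adfs01 (domain-joined): create the farm, WID-backed (steps 9-10) ------
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
$svcCred = Get-Credential -Message 'ADFS service account, e.g. DATASYS\svc_adfs'
Install-AdfsFarm -CertificateThumbprint $thumbprint `
    -FederationServiceName 'fs.datasys.biz' `
    -FederationServiceDisplayName 'Datasys Sign-In' `
    -ServiceAccountCredential $svcCred

# ---- adfs02 (domain-joined): join the farm (step 10) -----------------------
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Add-AdfsFarmNode -CertificateThumbprint $thumbprint `
    -PrimaryComputerName 'adfs01.datasys.biz' `
    -ServiceAccountCredential $svcCred

# ---- management workstation: internal LB for the two ADFS nodes (step 11) --
Add-AzureInternalLoadBalancer -InternalLoadBalancerName 'fs-ilb' `
    -ServiceName 'dataADFS' -SubnetName 'primary' -StaticVNetIPAddress '172.16.16.100'
foreach ($node in 'adfs01', 'adfs02') {
    Get-AzureVM -ServiceName 'dataADFS' -Name $node |
        Add-AzureEndpoint -Name 'https' -Protocol tcp -LocalPort 443 -PublicPort 443 `
            -LBSetName 'adfs-https' -ProbeProtocol tcp -ProbePort 443 `
            -InternalLoadBalancerName 'fs-ilb' |
        Update-AzureVM
}
# Internal DNS: fs.datasys.biz -> 172.16.16.100 (the ILB), never a node's own IP.

# ---- datawap01 / datawap02 (DMZ, not domain-joined): WAP role (steps 12-13)
# The proxy must resolve fs.datasys.biz to the ILB address above, not to the
# public IP it will itself receive in step 17.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
$trustCred = Get-Credential -Message 'Domain account that is local admin on adfs01/adfs02'
Install-WebApplicationProxy -FederationServiceName 'fs.datasys.biz' `
    -CertificateThumbprint $thumbprint `
    -FederationServiceTrustCredential $trustCred

# ---- adfs01, with the MSOnline module: convert the domain (steps 2-3) ------
Connect-MsolService                                   # Global Administrator sign-in
Convert-MsolDomainToFederated -DomainName 'datasys.biz'
Get-MsolFederationProperty -DomainName 'datasys.biz'  # ADFS and Office 365 rows must agree

# ---- any client: the checks behind steps 11 and 18-21 -----------------------
function Test-FederationService {
    param([string]$Name = 'fs.datasys.biz')
    # From the LAN this reaches the ILB; from the internet it reaches the WAP public IP.
    $signOn   = "https://$Name/adfs/ls/IdpInitiatedSignon.aspx"
    $metadata = "https://$Name/FederationMetadata/2007-06/FederationMetadata.xml"
    $page = Invoke-WebRequest -Uri $signOn   -UseBasicParsing
    $meta = Invoke-WebRequest -Uri $metadata -UseBasicParsing
    $entityId = ([xml]$meta.Content).EntityDescriptor.entityID
    [pscustomobject]@{
        ResolvesTo   = (Resolve-DnsName -Name $Name -Type A).IPAddress -join ','
        SignOnStatus = $page.StatusCode      # expect 200
        EntityId     = $entityId             # expect http://fs.datasys.biz/adfs/services/trust
        ServedBy     = $page.Headers['Server']
    }
}
Test-FederationService
```

Run Test-FederationService once from the primary subnet (ResolvesTo should be the ILB address) and once from outside (ResolvesTo should be the WAP public IP from step 16); a 200 on the sign-on page from outside proves the proxies publish the service, and a matching EntityId on both sides proves the same farm answers. The IdP-initiated sign-on page is on by default in ADFS 3.0 on Server 2012 R2; on Server 2016 and later it is off until you run Set-AdfsProperties -EnableIdpInitiatedSignonPage $true, so a 404 there on a newer build is not a load balancer fault.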

Many thanks to Kelsey Epps, Office 365 MVP.
