  #1 dezt

    SSO with Office 365

    I'm having a major issue with setting up Office 365. We are trying to set up SSO, but when I try and log in from a domain PC I get asked for credentials 3 times and then get a 401.1 error. Everything I have found through Google points to adding my AD FS server to my local intranet zone in IE, and also adding it as an exception in proxy settings, but that doesn't seem to change anything.

    If I try to access Office 365 from home then I have to enter my username and password once, and it lets me in with no problems.

    I think it has something to do with the AD FS FQDN, because when I do a nslookup for the domain name I get an external IP address as the result.

    Has anyone had this problem? Does anyone have any ideas how I could sort this out?

  #2 jamesbmarshall
    How have you deployed AD FS? With proxy servers?

  #3
    I'm going to go out on a limb and say probably not like the documentation because not many schools have the spare hardware or the time for 4+ servers just to run high availability for SSO.

  #4 dezt
    I've not used proxies. I have followed this link here, AD FS with Office 365 Step by Step Install Guide (MessageOps), but it doesn't work; I keep getting asked for credentials.

    What I'm looking at doing now is removing my AD link, removing the SSO link, then removing the users that will be left behind. I then intend to install AD FS on a domain controller, as I've read somewhere, and install AD FS proxy on my web server. I'll let you know how that goes; it's been 3 days of banging my head against the wall.

    Is this normal behaviour for Office 365 with a .local domain? Our AD FS external FQDN is https://extranet.norden.lancs.sch.uk. Our UPN suffix that we are using is the same as our email address and the domain has been verified.
    I did read somewhere that I have to create a split DNS. Is this true? If so, how do I do this?

  #5 jamesbmarshall
    OK - everything you need to know is here: Single sign-on roadmap - Office 365 for enterprises. You should always try the official guidance first.

    I strongly recommend against installing ADFS on your domain controller if you have more than 1000 users.


  #6 dezt
    Cheers for that link. I did try looking at another Microsoft document first, but it gave me a headache: Plan for and deploy AD FS 2.0 for use with single sign-on - Office 365 for enterprises

    We only have about 750 users here, but from what I remember about the dirsync logs it syncs about 1100 AD users and groups.

    I'll build a new 2008 r2 VM and use that.

    Will it matter if I'm using an existing web server for my AD FS proxy, or should I have a dedicated server for that? I only ask because our LA takes ages to assign a FQDN to one of our IPs, so if I have to use a dedicated server I'd rather know sooner rather than later.

    Thanks for your advice so far.

  #7 jamesbmarshall
    Your AD FS proxy needs to sit in your DMZ as it shouldn't be directly connected to your network (i.e. not domain joined) and you really need a DNS configuration that will allow your internal clients to distinguish between your internal AD FS server and your proxies.

    From the sounds of it you seem to be deploying 1 server and 1 proxy, which is fine but if either/both go down your users will not be able to authenticate. Although there is more overhead in building out AD FS for HA it is worth it to avoid any issues if a server fails.
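    The split-DNS configuration described above, as an added example that is not from the thread: a "pinpoint" zone on the internal Windows DNS server that answers only for the federation service name, so domain clients reach the internal AD FS farm while public DNS keeps sending the same name to the proxies in the DMZ. The federation service name sts.contoso.edu (borrowed from the later reply), the internal NLB VIP 10.0.0.10 and the DNS server name dc1 are constructed assumptions.

```powershell
# Added example (not from the thread): split DNS for an AD FS federation service
# name using dnscmd.exe, which ships with the DNS Server role on Windows Server
# 2008 R2. Internal clients must resolve the federation service name to the
# internal AD FS NLB VIP; external clients keep resolving it, via public DNS,
# to the AD FS proxies. Creating a zone named after the single host (a
# "pinpoint" zone) avoids having to copy every public record of contoso.edu
# into an internal copy of the whole domain.
# Assumptions (constructed): federation service name sts.contoso.edu,
# internal AD FS NLB VIP 10.0.0.10, internal DNS server dc1.

$FsName      = 'sts.contoso.edu'   # same name inside and outside the network
$InternalVip = '10.0.0.10'         # NLB VIP shared by the internal AD FS servers
$DnsServer   = 'dc1'

# 1. Primary zone whose name is exactly the federation service host.
dnscmd $DnsServer /ZoneAdd $FsName /Primary /file "$FsName.dns"

# 2. A record at the zone apex ("@" is the host itself, i.e. sts.contoso.edu).
dnscmd $DnsServer /RecordAdd $FsName '@' A $InternalVip

# 3. Verify from a domain client's point of view. If this still returns the
#    public address, clients are sent to the proxies and get the credential
#    prompts / 401.1 described at the top of the thread.
function Test-FsResolvesInternally {
    param([string]$Name, [string]$Expected, [string]$Server)
    # nslookup prints the DNS server's own address first, so take the last
    # "Address:" / "Addresses:" line, which is the answer for $Name.
    $last = nslookup $Name $Server 2>$null | Select-String 'Address' | Select-Object -Last 1
    if (-not $last) { return $false }
    $answer = ("$last" -replace '.*Address(es)?:\s*', '').Trim()
    return ($answer -eq $Expected)
}

if (Test-FsResolvesInternally -Name $FsName -Expected $InternalVip -Server $DnsServer) {
    Write-Host "OK: $FsName resolves to $InternalVip for internal clients"
} else {
    Write-Warning "$FsName does not resolve to $InternalVip on $DnsServer; internal clients will be routed to the proxies"
}
```

Run the check again from a workstation without the -Server argument to confirm the workstation's configured resolver gives the same answer, and from outside the network to confirm the public address is still returned.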

  #8 dezt
    You're right, I'm building it with one AD FS Proxy and one AD FS Server, but if I manage to get it working I'm assuming I can add an extra Proxy and Server to the farm at a later time. I may have to ask your advice on DNS as it's not one of my strong points. I don't understand what a split DNS is or how to configure one, but I'm sure Google will have the answer somewhere.

  #9 dezt
    I'm going through the instructions now. I've started building my cluster, and when I'm asked for an SSL certificate, do I have to buy one for my AD FS servers (not proxies), or can I use a self-signed cert?

    I'm guessing that the AD FS servers will only be connected to the internal network, so my SSL cert needs to be pointing to .local rather than the proxies, which would be .sch.uk.

    Oh, I have decided to build 2 AD FS servers in a cluster, and 2 AD FS Proxies in a cluster, as the documentation recommends.

  #10 dezt
    Just a quick question: for my proxies, will they need to have an external domain name for my AD FS proxy cluster? For example adfsp.norden.lancs.sch.uk, or whatever we choose. I'm guessing we do need to have this but would just rather have someone clarify this.

  #11 jamesbmarshall
    Yes, your AD FS proxies will need a publicly accessible address in order to provide access from outside of your network. Usually this is something like sts.contoso.edu or fs.contoso.edu but anything will do as long as it makes sense to you and your users; this is the place they'll be re-directed to when trying to sign in.


  #12 dezt
    Cheers for clearing that up. I've got my 2 AD FS servers up and running, and got my 2 AD FS Proxies up and running; both sets of servers are in their own NLB cluster. Now I just need to get the external domain name sorted for us and point that to the AD FS Proxy cluster IP address and we're away... well, getting there anyway.

  #13 dezt
    Just thought I'd update you with how things have got on here. I've finally managed to get SSO implemented for Office 365; I just need to find a holiday period to start migrating mailboxes across. Also, a couple of quick questions. Firstly, we have usernames in AD that have a space in them, for example "mr smith". I get an error report sent to me about directory sync not working for these users due to a username error. Should I be changing them to something like jsmith?

    Secondly, as I'm testing it for my mailbox, I've set up a staggered migration, so emails go to my internal Exchange 2003 box, then get forwarded to the cloud mailbox. Do I have to wait until I've set up my DNS records for Exchange before I can connect my iPad to the domain I wish to use?

  #14 EduTech
    Quote Originally Posted by dezt:
    Just thought I'd update you with how things have got on here. I've finally managed to get SSO implemented for Office 365; I just need to find a holiday period to start migrating mailboxes across. Also, a couple of quick questions. Firstly, we have usernames in AD that have a space in them, for example "mr smith". I get an error report sent to me about directory sync not working for these users due to a username error. Should I be changing them to something like jsmith?

    Secondly, as I'm testing it for my mailbox, I've set up a staggered migration, so emails go to my internal Exchange 2003 box, then get forwarded to the cloud mailbox. Do I have to wait until I've set up my DNS records for Exchange before I can connect my iPad to the domain I wish to use?

    Yes, if you have spaces in the username field for the UPN then it will throw up an error, and so you need to move this. You can either change the username completely, meaning that the person's logon username needs to change, or you could just update the UPN to match the primary SMTP address. If you do the latter then the person won't really know any different, as no one really uses the UPN to log in with, i.e. username@domain.co.uk.

    -

    If you are using the latest iOS on your iPad then there is a problem whereby it won't automatically configure if your UPN does not match the primary SMTP address. Something seems to have changed, as the previous version of iOS didn't require this: it just failed and asked you for the server address, whereby you then put in your hybrid server DNS record, i.e. exch2010.domain.sch.uk.

    If you have Autodiscover set up, the SAN cert has all the relevant entries etc., and your UPN matches the primary SMTP address, then the iPad will automatically configure.

    I hope that helps,
    James.
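    The UPN fix suggested in the reply above, as an added example that is not from the thread or its author: find AD users whose UPN contains whitespace (which directory sync rejects) and set the UPN to the user's primary SMTP address, leaving the sAMAccountName, and therefore the name staff type at the Windows logon screen, untouched. The verified suffix norden.lancs.sch.uk is taken from the thread; the RSAT ActiveDirectory module, and the convention that the primary SMTP address is the proxyAddresses entry with the upper-case SMTP: prefix, are assumptions.

```powershell
# Added example (not from the thread): repair UPNs that DirSync rejects by
# aligning them with each user's primary SMTP address.
# Assumptions (constructed): the RSAT ActiveDirectory module is installed, the
# primary SMTP address is the proxyAddresses entry with the upper-case "SMTP:"
# prefix (Exchange's convention), and norden.lancs.sch.uk is a verified
# Office 365 domain. Runs with -WhatIf until the planned changes are reviewed.
Import-Module ActiveDirectory

$VerifiedSuffix = 'norden.lancs.sch.uk'

function Get-PrimarySmtp {
    param([string[]]$ProxyAddresses)
    # Only the primary (reply) address carries the capitalised prefix, so the
    # match must be case-sensitive; "smtp:" entries are secondary aliases.
    $primary = $ProxyAddresses | Where-Object { $_ -cmatch '^SMTP:' } | Select-Object -First 1
    if ($primary) { return $primary.Substring(5) }
    return $null
}

function Test-UpnValid {
    param([string]$Upn)
    # Directory sync needs user@suffix with no whitespace in either part.
    return ($Upn -match '^[^\s@]+@[^\s@]+$')
}

$bad = Get-ADUser -Filter * -Properties UserPrincipalName, proxyAddresses, mail |
       Where-Object { -not (Test-UpnValid $_.UserPrincipalName) }

foreach ($u in $bad) {
    $smtp = Get-PrimarySmtp $u.proxyAddresses
    if (-not $smtp) { $smtp = $u.mail }   # fall back to the mail attribute
    # Only a UPN in a verified Office 365 domain will sync; anything else
    # (or a missing address) is flagged for manual attention.
    if (-not $smtp -or -not $smtp.EndsWith("@$VerifiedSuffix")) {
        Write-Warning "$($u.SamAccountName): no primary SMTP address in $VerifiedSuffix; fix by hand"
        continue
    }
    Write-Host "$($u.SamAccountName): '$($u.UserPrincipalName)' -> '$smtp'"
    Set-ADUser -Identity $u -UserPrincipalName $smtp -WhatIf   # remove -WhatIf to apply
}
```

After applying, the next directory sync cycle should report no username errors for these accounts; any user still listed will be one the script warned about.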


  #15 dezt
    @EduTech cheers for that. I'm changing the UPNs for the staff that haven't gone across, and then I'll migrate the mailboxes. Once all that's done, I'll be asking the LEA to sort out the DNS records and then I'll tackle the iPad email issue.
