SSO with Office 365
I'm having a major issue with setting up Office 365. We are trying to set up SSO, but when I try and log in from a domain PC I get asked for credentials 3 times and then get a 401.1 error. Everything I have found through Google points to adding my AD FS server to my local intranet zone in IE, and also adding it as an exception in the proxy settings, but that doesn't seem to change anything.
If I try to access Office 365 from home then I have to enter my username and password once, and it lets me in with no problems.
I think it has something to do with the AD FS FQDN, because when I do an nslookup for the domain name I get an external IP address as the result.
Has anyone had this problem? Does anyone have any ideas how I could sort this out?
How have you deployed AD FS? With proxy servers?
I'm going to go out on a limb and say probably not like the documentation because not many schools have the spare hardware or the time for 4+ servers just to run high availability for SSO.
I've not used proxies. I have followed this link here: AD FS with Office 365 Step by Step Install Guide (MessageOps), but it doesn't work; I keep getting asked for credentials.
What I'm looking at doing now is removing my AD link, removing the SSO link, then removing the users that will be left behind. I then intend to install AD FS on a domain controller as I've read somewhere, and install the AD FS proxy on my web server. I'll let you know how that goes; it's been 3 days of banging my head against the wall.
Is this normal behaviour for Office 365 with a .local domain? Our AD FS external FQDN is https://extranet.norden.lancs.sch.uk. Our UPN suffix that we are using is the same as our email address, and the domain has been verified.
I did read somewhere that I have to create a split DNS. Is this true? If so, how do I do this?
OK - everything you need to know is here: Single sign-on roadmap - Office 365 for enterprises. You should always try the official guidance first. :)
I strongly recommend against installing ADFS on your domain controller if you have more than 1000 users.
Cheers for that link. I did try looking at another Microsoft document first, but it gave me a headache: Plan for and deploy AD FS 2.0 for use with single sign-on - Office 365 for enterprises.
We only have about 750 users here, but from what I remember about the DirSync logs it syncs about 1100 AD users and groups.
I'll build a new 2008 R2 VM and use that.
Will it matter if I'm using an existing web server for my AD FS proxy, or should I have a dedicated server for that? I only ask because our LA takes ages to assign a FQDN to one of our IPs, so if I have to use a dedicated server I'd rather know sooner rather than later.
Thanks for your advice so far.
Your AD FS proxy needs to sit in your DMZ, as it shouldn't be directly connected to your network (i.e. not domain joined), and you really need a DNS configuration that will allow your internal clients to distinguish between your internal AD FS server and your proxies.
From the sounds of it you seem to be deploying 1 server and 1 proxy, which is fine, but if either/both go down your users will not be able to authenticate. Although there is more overhead in building out AD FS for HA, it is worth it to avoid any issues if a server fails.
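The DNS point in the reply above is usually met with a split-brain ("pinpoint") zone: internally the AD FS service name resolves to the AD FS farm, externally the public record resolves to the proxies in the DMZ. The following is an added example, not code from the thread or from Microsoft's guidance. It assumes the DnsServer PowerShell module (Windows Server 2012 or later DNS role, run on an AD-integrated DNS server), uses the service FQDN quoted in the thread, and uses placeholder IP addresses for the internal NLB VIP and the proxy.

```powershell
# Added example, not from the thread: split-brain DNS for the AD FS service name.
# Internally the service FQDN must resolve to the AD FS farm (so domain PCs can use
# integrated Windows authentication); externally the public record, managed by the LA,
# points at the proxies in the DMZ. Assumptions: DnsServer module (Windows Server 2012
# or later DNS role, run on an AD-integrated DNS server) and placeholder IP addresses.

$AdfsServiceName = 'extranet.norden.lancs.sch.uk'   # service FQDN quoted in the thread
$InternalFarmVip = '192.0.2.10'                     # placeholder: internal AD FS NLB VIP
$ProxyPublicIp   = '198.51.100.10'                  # placeholder: public IP of the proxy NLB

# 1. A "pinpoint" zone whose name is exactly the service FQDN. Only this one name is
#    answered internally; everything else under lancs.sch.uk still resolves publicly.
if (-not (Get-DnsServerZone -Name $AdfsServiceName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $AdfsServiceName -ReplicationScope 'Domain'
}

# 2. The zone apex A record is the only record needed; point it at the internal farm.
Add-DnsServerResourceRecordA -ZoneName $AdfsServiceName -Name '@' `
    -IPv4Address $InternalFarmVip -TimeToLive (New-TimeSpan -Minutes 5)

# Equivalent on a Windows Server 2008 R2 DNS server, which lacks the DnsServer module:
#   dnscmd /ZoneAdd extranet.norden.lancs.sch.uk /DsPrimary
#   dnscmd /RecordAdd extranet.norden.lancs.sch.uk @ A 192.0.2.10

# 3. Check from a domain-joined client: the answer must be the internal VIP, never the
#    proxy. A domain PC that reaches the proxy is prompted for credentials instead of
#    being signed in silently.
$answers = (Resolve-DnsName -Name $AdfsServiceName -Type A -ErrorAction Stop).IPAddress
if ($answers -contains $InternalFarmVip) {
    "OK: $AdfsServiceName resolves to the internal AD FS farm ($InternalFarmVip)"
} elseif ($answers -contains $ProxyPublicIp) {
    Write-Warning "Client still resolves to the proxy ($ProxyPublicIp); check its DNS servers and run ipconfig /flushdns"
} else {
    Write-Warning "Unexpected answer for $AdfsServiceName : $($answers -join ', ')"
}
```

A zone named after the single host is preferable to hosting a full internal copy of lancs.sch.uk, because nothing else in the public zone then has to be mirrored and kept in step by hand.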
You're right, I'm building it with one AD FS Proxy and one AD FS Server, but if I manage to get it working I'm assuming I can add an extra Proxy and Server to the farm at a later time. I may have to ask your advice on DNS as it's not one of my strong points; I don't understand what a split DNS is or how to configure one, but I'm sure Google will have the answer somewhere.
I'm going through the instructions now and I've started building my cluster. When I'm asked for an SSL certificate, do I have to buy one for my AD FS servers (not proxies)? Or can I use a self-signed cert?
I'm guessing that the AD FS servers will only be connected to the internal network, so my SSL cert needs to be pointing to .local rather than the proxies, which would be .sch.uk.
Oh, I have decided to build 2 AD FS servers in a cluster, and 2 AD FS Proxies in a cluster, as the documentation recommends.
Just a quick question: for my proxies, will they need to have an external domain name for my AD FS proxy cluster? For example adfsp.norden.lancs.sch.uk or whatever we choose. I'm guessing we do need to have this but would just rather have someone clarify this.
Yes, your AD FS proxies will need a publicly accessible address in order to provide access from outside of your network. Usually this is something like sts.contoso.edu or fs.contoso.edu, but anything will do as long as it makes sense to you and your users; this is the place they'll be redirected to when trying to sign in.
Cheers for clearing that up. I've got my 2 AD FS servers up and running, and got my 2 AD FS Proxies up and running; both sets of servers are in their own NLB cluster. Now I just need to get the external domain name sorted for us and point that to the AD FS Proxy cluster IP address and we're away... well, getting there anyway.
Just thought I'd update you with how things have got on here. I've finally managed to get SSO implemented for Office 365; I just need to find a holiday period to start migrating mailboxes across. Also, a quick couple of questions. Firstly, we have usernames in AD that have a space in them, for example mr smith. I get an error report sent to me about directory sync not working for these users due to a username error; should I be changing them to something like jsmith?
Secondly, as I'm testing it for my mailbox, I've set up a staggered migration, so emails go to my internal Exchange 2003 box, then get forwarded to the cloud mailbox. Do I have to wait until I've set up my DNS records for Exchange before I can connect my iPad to the domain I wish to use?
Yes, if you have spaces in the username field for the UPN then it will throw up an error, and so you need to move this. You can either change the username completely, meaning that the person's logon username needs to change, or you could just update the UPN to match the primary SMTP address. If you do the latter then the person won't really know any different, as no one really uses the UPN to log in with, i.e. email@example.com.
If you are using the latest iOS on your iPad then there is a problem whereby it won't automatically configure if your UPN does not match the primary SMTP address. Something seems to have changed, as the previous version of iOS didn't require this; it just failed and asked you for the server address, whereby you then put in your hybrid server DNS record, i.e. exch2010.domain.sch.uk.
If you have Autodiscover set up, and the SAN cert has all the relevant entries etc., and your UPN matches the primary SMTP, then the iPad will automatically configure.
I hope that helps,
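The reply above recommends aligning each user's UPN with their primary SMTP address rather than renaming the account. The script below is an added example, not from the thread or any Microsoft documentation, that reports the UPN problems directory sync and the iPad would trip over (whitespace, empty value, unverified suffix, mismatch with primary SMTP) and then rewrites the UPN to the primary SMTP address. It assumes the ActiveDirectory RSAT module, that the primary SMTP address is the upper-case SMTP: entry in proxyAddresses (falling back to the mail attribute), and that norden.lancs.sch.uk is the suffix verified in Office 365 as stated earlier in the thread.

```powershell
# Added example, not from the thread: report AD users whose UPN would fail directory
# sync (whitespace, empty, or an unverified suffix) or differs from their primary SMTP
# address, and optionally rewrite the UPN to match the primary SMTP address as the
# reply above suggests. Assumptions: ActiveDirectory module (RSAT), primary SMTP held
# in proxyAddresses as the 'SMTP:' entry (falling back to the mail attribute), and the
# verified Office 365 suffix below. sAMAccountName (the pre-Windows 2000 logon name
# that contains the space) is left untouched, so nothing changes for the user at logon.
Import-Module ActiveDirectory

$VerifiedSuffix = 'norden.lancs.sch.uk'   # UPN suffix verified in Office 365 (from the thread)

function Get-PrimarySmtpAddress {
    param($User)
    # The primary address carries an upper-case 'SMTP:' prefix; aliases use 'smtp:'.
    $primary = @($User.proxyAddresses) | Where-Object { $_ -cmatch '^SMTP:' } | Select-Object -First 1
    if ($primary) { return $primary.Substring(5) }
    return $User.mail
}

function Get-UpnProblems {
    param([string]$Upn, [string]$PrimarySmtp, [string]$Suffix)
    $problems = @()
    if ([string]::IsNullOrEmpty($Upn))          { return @('UPN is empty') }
    if ($Upn -match '\s')                        { $problems += 'UPN contains whitespace' }
    if ($Upn.Split('@')[-1] -ne $Suffix)         { $problems += "UPN suffix is not $Suffix" }
    if ($PrimarySmtp -and $Upn -ne $PrimarySmtp) { $problems += 'UPN differs from primary SMTP' }
    return $problems
}

# proxyAddresses and mail are not returned by default, so request them explicitly.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, proxyAddresses

$report = foreach ($u in $users) {
    $smtp     = Get-PrimarySmtpAddress $u
    $problems = @(Get-UpnProblems -Upn $u.UserPrincipalName -PrimarySmtp $smtp -Suffix $VerifiedSuffix)
    if ($problems.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            UPN            = $u.UserPrincipalName
            PrimarySmtp    = $smtp
            Problems       = ($problems -join '; ')
        }
    }
}
$report | Format-Table -AutoSize

# Remediation: set UPN = primary SMTP, but only where that address is in the verified
# suffix (an unverified suffix would just move the sync error). -WhatIf previews the
# changes; remove it once the report looks right.
$suffixPattern = '@' + [regex]::Escape($VerifiedSuffix) + '$'
foreach ($r in $report | Where-Object { $_.PrimarySmtp -and $_.PrimarySmtp -match $suffixPattern }) {
    Set-ADUser -Identity $r.SamAccountName -UserPrincipalName $r.PrimarySmtp -WhatIf
}
```

Run the report first and keep the output: after the next DirSync cycle the same list doubles as the check that the username errors have gone.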
@EduTech cheers for that. I'm changing the UPNs for the staff that haven't gone across, and then I'll migrate the mailboxes. Once all that's done, I'll be asking the LEA to sort out the DNS records and then I'll tackle the iPad email issue.