
Test Lab Guide: Creating a Windows Azure AD and Windows Server AD Environment with Federation (SSO)

Microsoft Corporation

Published: January 2014

Author: Bill Mathers

Acknowledgements

Special thanks to the following people for reviewing and providing invaluable feedback for this document:

Abstract

This document will assist IT professionals, administrators, architects, and developers in creating a test lab that uses Windows Azure Active Directory and Windows Server AD.


CopyrightThe information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred.

© 2014 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows Azure, Forefront, MSDN, Outlook, SharePoint, SQL Server, Windows, Windows PowerShell, and Windows Server are trademarks of the Microsoft group of companies.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Contents

Test Lab Guide: Creating a Windows Azure AD and Windows Server AD Environment with Federation (SSO) .......... 4

Step 1: Set Up the Configuring the Windows Server 2012 Base Configuration Test Lab for Public Cloud Technologies .......... 4

Step 2: Set up the Creating a Windows Azure AD and Windows Server AD Environment using DirSync with Password Sync TLG .......... 4

Step 3: Install and Configure AD FS .......... 5
    Create a certificate for AD FS .......... 5
    Create a DNS Host (A or AAAA) record for use with AD FS .......... 6
    Install Active Directory Federation Service on DC1 .......... 8
    Configure AD FS on DC1 .......... 9

Step 4: Configure Windows Azure AD .......... 16
    Add Host record for your Custom Domain .......... 16
    Create an Admin Account in Windows Azure .......... 17
    Install Windows Azure Active Directory Module for Windows PowerShell .......... 24
    Establish a trust between AD FS and Windows Azure AD .......... 27
    Re-run the DirSync Configuration Wizard .......... 29

Step 5: Verify Results .......... 34
    Verify user is performing single sign-on .......... 34


Test Lab Guide: Creating a Windows Azure AD and Windows Server AD Environment with Federation (SSO)

Step 1: Set Up the Configuring the Windows Server 2012 Base Configuration Test Lab for Public Cloud Technologies

Set up the Base Configuration test lab based on the instructions in Configuring the Windows Server 2012 Base Configuration Test Lab for Public Cloud Technologies.

Step 2: Set up the Creating a Windows Azure AD and Windows Server AD Environment using DirSync with Password Sync TLG


Step 3: Install and Configure AD FS

Now that we have DirSync in place, we need to install and configure Active Directory Federation Services. This step consists of the following:

Create a certificate for AD FS
Create a DNS Host (A or AAAA) record for use with AD FS
Install Active Directory Federation Service on DC1
Configure AD FS on DC1

Create a certificate for AD FS

AD FS requires a certificate when installing the role. Because we do not have a certificate server in our test environment to issue a certificate, we will need to create one for use with our AD FS implementation. This can be accomplished in different ways. I chose to create the certificate by using the makecert.exe utility. This utility generates X.509 certificates for testing purposes only. It creates a public and private key pair for digital signatures and stores it in a certificate file. This utility also associates the key pair with a specified publisher's name and creates an X.509 certificate that binds a user-specified name to the public part of the key pair. This tool is available with Visual Studio (versions 2010, 2012 and 2013) or the Windows SDK. You can download the Windows SDK from here and install it on DC1. You only need to install the Windows Software Development Kit portion. Likewise, if you have another machine with either of these installed, you can simply copy the utility over to DC1.

To create a certificate for AD FS with makecert.exe

1. On DC1, open a command prompt and navigate to the C:\Program Files (x86)\Windows Kits\8.1\bin\x64 directory.

2. Type the following and press Enter:

makecert -r -pe -n "CN=adfs.bmcontoso.com" -b 01/01/2010 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

3. It should respond with Succeeded. You can close the command prompt.


Create a DNS Host (A or AAAA) record for use with AD FS

Now we need to create a DNS Host record so that we know how to resolve adfs.bmcontoso.com. The primary reason we are creating a host record and not just using dc1.bmcontoso.com is that when we install AD FS, a HOST Service Principal Name is applied to the account we use. SPNs are used to support mutual authentication between a client application and a service. SPNs must be unique in an environment. HOST/dc1.bmcontoso.com is already set on the domain controller itself, so we will get an error if we try to use dc1.bmcontoso.com as our federation service name. This DNS record must be a Host (A or AAAA) record and not an Alias (CNAME) record. Use the following procedure to create a host record.

To create a DNS Host (A or AAAA) record for use with AD FS

1. On DC1, click the Start button, use the down arrow and select DNS from the list of Apps. This will bring up the DNS Manager.

2. In the DNS Manager, on the left, expand DC1, expand Forward Lookup Zones, right-click bmcontoso.com and select New Host (A or AAAA). This will bring up a New Host dialog.

3. In the Name box, enter adfs.

4. In the IP address box enter the IP address of DC1 – in this case 10.0.0.100. Click Add Host.


5. You will receive a message box saying it was successfully created. Click Ok. Click Done.

6. Close DNS Manager.
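Before moving on to the role installation, the three preconditions this step has just set up (a usable certificate in the LocalMachine\My store, a Host record rather than a CNAME, and a HOST SPN that is not already taken) can be checked from PowerShell on DC1. This is an added example and not part of the original guide; it assumes the lab names used above (adfs.bmcontoso.com, DC1 at 10.0.0.100) and the makecert command shown in the previous procedure.

```powershell
# Added pre-flight checks for DC1 (not from the original guide). Assumes the lab
# values from this guide: federation service name adfs.bmcontoso.com, DC1 at 10.0.0.100,
# and a certificate created with the makecert command above (-ss my -sr localMachine).
$FederationServiceName = 'adfs.bmcontoso.com'
$ExpectedIP            = '10.0.0.100'
$ServerAuthEku         = '1.3.6.1.5.5.7.3.1'   # the -eku value passed to makecert

# 1. The certificate makecert wrote to the LocalMachine\My store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$FederationServiceName" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    Write-Warning "No certificate with subject CN=$FederationServiceName in LocalMachine\My; re-run makecert."
} else {
    # The AD FS wizard only lists certificates that carry a private key and a
    # Server Authentication EKU; an expired one is rejected at configuration time.
    if (-not $cert.HasPrivateKey) {
        Write-Warning 'Certificate has no private key; the AD FS wizard will not list it.'
    }
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $ServerAuthEku) {
        Write-Warning "Certificate lacks the Server Authentication EKU ($ServerAuthEku)."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning 'Certificate has expired.'
    }
    Write-Host ("Certificate OK: thumbprint {0}, valid until {1}" -f $cert.Thumbprint, $cert.NotAfter)
}

# 2. The name must resolve as a Host (A/AAAA) record that points at DC1, not as an Alias (CNAME).
$records = Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction SilentlyContinue
if (-not $records) {
    Write-Warning "$FederationServiceName does not resolve; create the Host (A) record in DNS Manager."
} elseif ($records.Type -contains 'CNAME') {
    Write-Warning "$FederationServiceName is an Alias (CNAME) record; AD FS requires a Host (A or AAAA) record."
} elseif ($records.IPAddress -notcontains $ExpectedIP) {
    Write-Warning ("{0} resolves to {1}, expected {2}" -f $FederationServiceName, ($records.IPAddress -join ','), $ExpectedIP)
} else {
    Write-Host "DNS OK: $FederationServiceName -> $ExpectedIP (A record)"
}

# 3. The HOST SPN for the federation service name must not already be registered in the forest.
#    HOST/dc1.bmcontoso.com is already held by the DC itself, which is why a separate name is used.
$spnQuery = & setspn.exe -Q "HOST/$FederationServiceName" 2>&1
if ($spnQuery -match 'Existing SPN found') {
    Write-Warning "HOST/$FederationServiceName is already registered:`n$($spnQuery -join "`n")"
} else {
    Write-Host "SPN OK: HOST/$FederationServiceName is not yet registered"
}
```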

Install Active Directory Federation Service on DC1

At this point we are ready to install the AD FS server role on DC1.

To install Active Directory Federation Service on DC1

1. On DC1, in Server Manager, click Add roles and features. This will start the Add Roles and Features Wizard.

2. On the Before you begin screen, click Next.

3. On the Select installation type screen, make sure Role-based or feature-based installation is selected and click Next.

4. On the Server Selection screen, click Next.

5. On the Server Roles screen, place a check in Active Directory Federation Service and click Next.

6. On the Server Features screen, click Next.


7. On the AD FS screen, click Next.

8. On the Confirmation screen, click Install.

9. Once that has completed, click Close. Leave Server Manager open for the next steps.

Configure AD FS on DC1

Now that we have installed the AD FS server role, it is time to configure AD FS for our test environment.

To configure AD FS on DC1

1. In Server Manager, at the top, click the yellow triangle next to Notifications. This will bring up a drop-down box.

2. In the drop-down box, click Configure the federation service on this server. This will bring up the AD FS Configuration Wizard.

3. On the Welcome screen, click Next.

4. On the Connect to AD DS screen, click Next.


5. On the Specify Service Properties screen, from the drop-down box next to SSL Certificate, select adfs.bmcontoso.com. In the box next to Federation Service Display Name: enter Contoso. Click Next.


6. On the Specify Service Account screen, select Use an existing domain user account or group Managed Service Account and click Select. This will bring up a Select User or Service Account box. Enter CORP\Administrator and click OK.


7. Enter the Administrator's password in the box that appears and click Next.

8. On the Specify Database screen, click Next.


9. On the Review Options screen, click Next.


10. On the Pre-requisite Checks screen, click Configure. This will start the configuration.


11. Once this completes click Close.


Step 4: Configure Windows Azure AD

Now that we have AD FS installed and configured, we need to configure Windows Azure AD so that it is aware of AD FS and knows that it should send authentication requests to our instance of AD FS. This step consists of the following:

Add Host record for your Custom Domain
Create an Admin Account in Windows Azure
Install Windows Azure Active Directory Module for Windows PowerShell
Establish a trust between AD FS and Windows Azure AD
Re-run the DirSync Configuration Wizard

Add Host record for your Custom Domain

The first thing we need to do is to add a Host record to our domain with our domain registrar. Windows Azure will use this to locate our instance of AD FS. In this case, this lab was created on my home office network sitting behind a router that connects to my ISP. I simply added a Host record for adfs.bmcontoso.com to my domain registrar with the public IP address that I am assigned from my ISP. Then on my router, I used port forwarding to pass all 443 traffic to DC1, which has an internal IP address. This was done for testing purposes and it is not recommended to directly open 443 and stick your AD FS server on the internet. Using a web proxy is the recommended approach for production environments.

Create an Admin Account in Windows Azure

Now that we have added the Host record with our domain registrar, we need to create a new global administrator account. There are a couple of reasons for this. First, when we set up our trust between AD FS and Windows Azure AD, the account used to set this up cannot be a member of the domain we are federating. Also, this new account will be used to run the Azure AD connector in DirSync once it has been created. Use the following procedure to create a global administrator account.

To create a Windows Azure AD global administrator

1. If you are not already signed in to the Windows Azure Portal, do this first with your Microsoft account.

2. In the Windows Azure Portal, on the left, scroll down and click Active Directory. This will take you to the active directory screen in the Windows Azure portal.

3. On the right, click on Contoso. This will bring up the Contoso directory screen.


4. At the top, click on Users, this will bring up the users screen. There should be only one account in here, the Microsoft account you used to sign-up for your Azure subscription.

5. At the bottom, click Add User. This will bring up the add user wizard.

6. Enter a user name for the user. Make sure that @bmcontoso.onmicrosoft.com is selected from the drop-down and click the arrow.

7. Enter the first name, last name, display name, and select global administrator from the drop-down. Click the right arrow.


8. Click the create button to create the user and get a temporary password.


9. This will create the account and assign it a temporary password. Use the icon next to the temporary password to copy it to the clipboard.


10. This will bring up a pop-up asking whether or not to allow Internet Explorer access to the clipboard. Click allow access. Click the check mark.

11. Now, in the portal, at the top, click the user account you are logged in as and select sign out from the drop-down.


12. This will sign you out and you will see a screen that says you have been signed out. Click Sign In Using Your Organizational Account.


13. Now sign-in to the portal with the newly created administrator account using the password we copied to the clipboard. The Organizational Account consists of your user name, the @ symbol, and the primary domain name for your tenant. Example: [email protected].

14. Once signed in, you will be prompted to change your password. Go ahead and set the password to one of your choosing. This password will be required again when we set up the DirSync tool. Click Submit.

15. Windows Azure will now attempt to log you on. You will see a screen that says you do not have a Windows Azure subscription associated with this account. This is correct as our subscription is associated with our Microsoft account. At this point, just close Internet Explorer because the password has been changed.


Install Windows Azure Active Directory Module for Windows PowerShell

Now that we have created a new global administrator account, we are going to download and install the Windows Azure Active Directory Module for Windows PowerShell. You can download the 64-bit version here. Use the following procedure to install the Windows Azure Active Directory Module for Windows PowerShell.

To install Windows Azure Active Directory Module for Windows PowerShell

1. Navigate to the AdministrationConfig-EN.msi file that you downloaded and double-click on it. This will start the installation wizard.

2. On the Welcome screen, click Next.


3. On the Install Location screen, click Next.

4. On the Ready to Install screen, click Install.


5. On the Completion screen, click Finish.


Establish a trust between AD FS and Windows Azure AD

Now that we have installed the Windows Azure AD Module for PowerShell, we are going to establish a trust between Windows Azure AD and AD FS. This is done by converting our bmcontoso.com domain to a federated domain. To do this we will run a series of PowerShell cmdlets. Use the following procedure to establish the trust.

To establish a trust between AD FS and Windows Azure AD

1. On DC1, click the Start button, the down arrow and then select Windows Azure Active Directory Module for Windows PowerShell from the list of Apps.

2. In the command window, enter: $cred=Get-Credential. This will bring up a dialog box that prompts you for credentials.

3. In the dialog box, enter the username and password of the Administrator account that was created in this step. Example: [email protected]. Click OK.


4. In the command window, enter: Connect-MsolService -Credential $cred. This will connect us to our instance of Windows Azure AD.

5. In the command window, enter: Convert-MsolDomainToFederated -DomainName bmcontoso.com. This will convert our domain to a federated domain. Replace bmcontoso.com with your domain name. Once this is done it should say Successfully updated bmcontoso.com domain.

6. Close the Windows Azure Active Directory Module for Windows PowerShell window.
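The same conversion, with the checks a practitioner would want around it: that the sign-in account is not in the domain being federated, what the domain's authentication type is before and after, and that the issuer Windows Azure AD now trusts matches the local AD FS federation service identifier. This is an added example and not part of the original guide; it assumes the lab domain bmcontoso.com and a global administrator in the bmcontoso.onmicrosoft.com tenant domain, and it is run from the Windows Azure Active Directory Module for Windows PowerShell on DC1 (the AD FS server), because Convert-MsolDomainToFederated reads the local AD FS configuration.

```powershell
# Added example (not from the original guide). Assumes the lab domain bmcontoso.com
# and that this runs on DC1, where the ADFS and MSOnline modules are both available.
$Domain = 'bmcontoso.com'

# Sign in with the global administrator created in this step. The guide notes the
# account used here cannot be a member of the domain being federated, so refuse
# a UPN in that domain before connecting.
$cred = Get-Credential -Message 'Windows Azure AD global administrator (tenant .onmicrosoft.com account)'
if ($cred.UserName -like "*@$Domain") {
    throw "Use the *.onmicrosoft.com administrator account, not an account in $Domain"
}
Connect-MsolService -Credential $cred

# Record the state before conversion; a domain set up by DirSync alone reports Managed.
$before = Get-MsolDomain -DomainName $Domain
Write-Host ("Before: {0} is {1} (status {2})" -f $before.Name, $before.Authentication, $before.Status)

if ($before.Authentication -ne 'Federated') {
    # Reads the local AD FS configuration (issuer, endpoints, token-signing certificate)
    # and writes it into Windows Azure AD as the federation settings for the domain.
    Convert-MsolDomainToFederated -DomainName $Domain
} else {
    Write-Host "$Domain is already federated; skipping conversion"
}

# Verify: the domain now reports Federated, and the issuer URI Windows Azure AD
# trusts is the identifier of the AD FS federation service on this server.
$after    = Get-MsolDomain -DomainName $Domain
$settings = Get-MsolDomainFederationSettings -DomainName $Domain
$adfsId   = (Get-AdfsProperties).Identifier.AbsoluteUri

Write-Host ("After:  {0} is {1}" -f $after.Name, $after.Authentication)
Write-Host ("Azure AD issuer : {0}" -f $settings.IssuerUri)
Write-Host ("AD FS identifier: {0}" -f $adfsId)
Write-Host ("Passive endpoint: {0}" -f $settings.PassiveLogOnUri)

if ($after.Authentication -ne 'Federated') {
    Write-Warning "$Domain is still Managed; review the output of Convert-MsolDomainToFederated."
}
# Compare without a trailing slash so a cosmetic difference does not trip the check.
if ($settings.IssuerUri.TrimEnd('/') -ne $adfsId.TrimEnd('/')) {
    Write-Warning 'Issuer URI stored in Windows Azure AD differs from the local AD FS identifier.'
}
```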


Re-run the DirSync Configuration Wizard

Now we need to re-run the DirSync Configuration Wizard to update the Windows Azure AD connector to use our new administrator account and to make sure that we do not have Enable Password Sync selected. Use the following procedure to re-run the configuration wizard.

To configure the Windows Azure Active Directory Sync Tool

1. On DC1, click the Windows icon in the lower left corner. This will take you to the Start screen.

2. On the Start screen, use the down arrow at the bottom to show all of the Apps on DC1.

3. Scroll over to Directory Sync Configuration under Windows Azure Active Directory and click on it. This will start the configuration wizard.

4. On the Welcome screen, click Next.

5. On the Windows Azure Active Directory Credentials screen, enter the username and password of the global administrator account we created in this step. Click Next.


6. On the Active Directory Credentials screen, enter the username and password for Administrator. Click Next.


7. On the Hybrid Deployment screen, place a check in Enable Hybrid Deployment and click Next.


8. On the Password Synchronization screen, remove the check mark from Enable Password Sync and click Next.


9. This will begin the Configuration. Once the configuration is complete, click Next.


10. On the Finished screen, take the check mark out of Synchronize your directories now and click Finish.

Step 5: Verify Results

Now it is time to verify the results. This will be done by logging on to CLIENT1 and going to the http://myapps.microsoft.com page with one of our users. You can perform additional verification such as creating and syncing new users as well. This section consists of the following:

Verify user is performing single sign-on

Verify user is performing single sign-on

Now, we will verify that the user is performing single sign-on and being authenticated using AD FS.

To verify user is performing single sign-on


1. Log on to CLIENT1 and open Internet Explorer and navigate to http://myapps.microsoft.com. It should say redirecting to your organization’s site.

2. You should see a screen saying there is a problem with the certificate. Click Continue to this website (not recommended).

Warning: You can remove this issue by exporting the adfs.bmcontoso.com certificate that we made earlier and installing it in the Local Computer's Trusted Root Certification Authorities store.

3. You should now see the Windows Security box prompting you for your username and password. Enter Lola Jacobson’s username and password then hit OK. You should now see a screen similar to the one below.


4. Now, at the top, click profile. You should see the attributes and have the ability to change your password.

Warning: The attributes will actually say N/A since we did not configure any of these.


5. You can now close Internet Explorer.
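The fix mentioned in the warning after step 2 above (export the self-signed adfs.bmcontoso.com certificate from DC1 and install it in CLIENT1's Trusted Root store) can be done with the PKI module cmdlets instead of the MMC. This is an added example and not part of the original guide; it assumes the lab names from this guide, and the C:\Temp path and the way the .cer file is copied to CLIENT1 are placeholders you choose yourself. Only the public certificate is exported; the private key never leaves DC1.

```powershell
# Added example, not part of the original guide. Assumes the lab names from this guide;
# the C:\Temp paths are placeholders and the file copy between machines is up to you.

# Run on DC1: export only the public certificate. Export-Certificate never includes
# the private key, which stays in LocalMachine\My on the AD FS server.
function Export-AdfsTestCert {
    param(
        [string]$Subject = 'CN=adfs.bmcontoso.com',
        [string]$OutFile = 'C:\Temp\adfs.bmcontoso.com.cer'
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject $Subject in LocalMachine\My" }
    New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT -Force | Out-Null
    Write-Host "Exported $Subject (thumbprint $($cert.Thumbprint)) to $OutFile"
    return $cert.Thumbprint   # hand this to whoever imports the file so they can verify it
}

# Run on CLIENT1 in an elevated PowerShell after copying the .cer file over: import it
# into the computer's Trusted Root store and confirm a chain now builds for it.
function Install-AdfsTestCert {
    param(
        [string]$CerFile = 'C:\Temp\adfs.bmcontoso.com.cer',
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    # Anything placed in Trusted Root is trusted for everything, so confirm the file is
    # exactly the certificate DC1 exported before importing it.
    $candidate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile
    if ($candidate.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint $($candidate.Thumbprint) does not match expected $ExpectedThumbprint; not importing"
    }
    if ($candidate.HasPrivateKey) {
        throw 'File carries a private key; export and distribute the public certificate only'
    }

    $imported = Import-Certificate -FilePath $CerFile -CertStoreLocation Cert:\LocalMachine\Root

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # the makecert certificate publishes no CRL
    if ($chain.Build($imported)) {
        Write-Host "CLIENT1 now trusts $($imported.Subject); Internet Explorer will no longer warn for adfs.bmcontoso.com"
    } else {
        Write-Warning ('Chain still fails: ' + ($chain.ChainStatus.StatusInformation -join '; '))
    }
}

# Usage (the thumbprint printed on DC1 is typed in on CLIENT1):
#   On DC1:     $tp = Export-AdfsTestCert
#   On CLIENT1: Install-AdfsTestCert -ExpectedThumbprint '<thumbprint printed on DC1>'
```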
