Almost everyone is using cloud services; there are a lot of them, like Azure, Office 365, G Suite, Dropbox and AWS.
Some of them we use privately, but most of them for our daily business.
Microsoft offers us a smooth way to use single sign-on (SSO) with most of these cloud services.

SSO means that users enter their Windows credentials once, when they log in to their workstation or notebook. After this login the user doesn't need to enter his credentials again for other services. As an example, if the company is running a RADIUS server, the user will be logged in to the WLAN automatically.

In this article I want to write about SSO with Office 365.
Why is this needed?
Well, if we want to use services from Office 365 like Exchange Online, OneDrive, SharePoint, etc., we have to sign in to the Office Portal.

To get there, the user simply enters the URL https://portal.office.com in his browser and it will point him to the right place; thanks to ADFS, no further logins are needed.

So how does ADFS work?

The user can use his company workstation or any other private device. If he is using his company workstation, he has to log in to the workstation with his company domain credentials. If he uses a private computer and wants to access the company environment, he has to authenticate once to the company environment (through the ADFS), and after that he is able to use all features.

In this graphic I want to show how the authentication process works:

Steve Plank has made a simple explanation video about how the process with ADFS works. So if you need additional information about it, check out his video here:

How ADFS and the Microsoft Federation Gateway work together up in the Office 365 Cloud.

AD FS Requirements

I could list all the requirements you need to know for ADFS here, but there is a good article in the Microsoft Pro Center. So simply follow this LINK.

Migrate ADFS

Most of you knew something about ADFS even before this article, but what about migrating ADFS from a Windows Server 2012 to a new Windows Server 2016?
Here are the steps:

(The following chapter is an original Microsoft article! If you want to see the original article, simply follow the LINK for more)

NOTE: Before you can move to AD FS on Windows Server 2016, you need to remove all Windows Server 2012 R2 nodes! An in-place upgrade from Windows Server 2012 R2 to Windows Server 2016 is not a possible way to get a 2016 node.

Using Server Manager, install the Active Directory Federation Services role on the Windows Server 2016 server.

Using the AD FS Configuration wizard, join the new Windows Server 2016 server to the existing AD FS farm.

On the Windows Server 2016 federation server, open AD FS Management. Note that nothing is showing up, as this federation server is not the primary server.

Once the join is complete, on the Windows Server 2016 server, open PowerShell and run the following cmdlet:

Set-AdfsSyncProperties -Role PrimaryComputer

On the original AD FS Windows Server 2012 R2 server, open PowerShell and run the following cmdlet:

Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName {FQDN}

On your Web Application Proxy, open PowerShell and run the following cmdlet:

Install-WebApplicationProxy -CertificateThumbprint {SSLCert} -fsname fsname -TrustCred $trustcred

Now on the Windows Server 2016 federation server, open AD FS Management. Note that now all of the nodes appear, because the primary role has been transferred to this server.

With the Windows Server 2016 installation media, open a command prompt and navigate to support\adprep directory. Run the following:

adprep /forestprep

Once that completes run:

adprep /domainprep

Now on the Windows Server 2016 Server open PowerShell and run the following cmdlet:

Invoke-AdfsFarmBehaviorLevelRaise

When prompted, type Y. This will begin raising the farm behavior level (FBL). Once this completes you have successfully raised the FBL.

Now, if you go to AD FS Management, you will see the new nodes that have been added for AD FS in Windows Server 2016.

Likewise, you can use the PowerShell cmdlet:

Get-AdfsFarmInformation

to show you the current FBL.
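As an added example (not part of the original post or of the quoted Microsoft article), the following PowerShell script bundles the role transfer and the farm behavior level raise from the steps above, with a check before and after each step so a half-finished handover is noticed on the console. The FQDN of the old Windows Server 2012 R2 primary is a placeholder; the script assumes that PowerShell remoting to that server is allowed and that the AD FS cmdlets are run by a farm administrator on the new Windows Server 2016 node. The property names read from Get-AdfsSyncProperties and Get-AdfsFarmInformation are the ones those cmdlets document.

```powershell
# Added example, not from the original post or the Microsoft article.
# Run on the NEW Windows Server 2016 federation server after it has joined the farm.

$oldPrimary = 'adfs-2012r2.corp.example'   # placeholder: FQDN of the old 2012 R2 primary
$newPrimary = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# --- Part A: transfer the primary role to this node -------------------------

# Idempotent: only switch the role if this node is not the primary already.
if ((Get-AdfsSyncProperties).Role -ne 'PrimaryComputer') {
    Set-AdfsSyncProperties -Role PrimaryComputer
}

# Demote the old primary so it syncs its configuration from this node.
# (Assumes PowerShell remoting to the old server is allowed.)
Invoke-Command -ComputerName $oldPrimary -ScriptBlock {
    Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $using:newPrimary
}

# Confirm the handover: the old node must now report this node as its primary.
$remoteSync = Invoke-Command -ComputerName $oldPrimary -ScriptBlock { Get-AdfsSyncProperties }
if ($remoteSync.Role -ne 'SecondaryComputer' -or $remoteSync.PrimaryComputerName -ne $newPrimary) {
    throw "Handover incomplete: $oldPrimary reports role '$($remoteSync.Role)' with primary '$($remoteSync.PrimaryComputerName)'"
}
"Primary role transferred to $newPrimary"

# --- Part B: raise the farm behavior level ----------------------------------
# Call this function only after every Windows Server 2012 R2 node has been
# removed from the farm and adprep /forestprep and adprep /domainprep have run.
function Invoke-FblRaiseWithChecks {
    $before = Get-AdfsFarmInformation
    "FBL before raise: $($before.CurrentFarmBehavior)"
    $before.FarmNodes | Format-List *      # every node the farm still knows about

    # Dry run first: reports whether the raise is possible and, if not, why.
    Test-AdfsFarmBehaviorLevelRaise | Format-List *

    # The real raise; it prompts for confirmation (answer Y), as in the steps above.
    Invoke-AdfsFarmBehaviorLevelRaise

    $after = Get-AdfsFarmInformation
    "FBL after raise: $($after.CurrentFarmBehavior)"
}

# Invoke-FblRaiseWithChecks   # uncomment once the 2012 R2 nodes are gone
```

Part A can be run right after the join; Part B is deliberately a function, because the raise has to wait until the old nodes are removed, and the node list printed by Get-AdfsFarmInformation is the quickest way to confirm that before answering Y.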

 

Personalizing your ADFS

After setting up your ADFS environment, you also have the opportunity to customize it.
If you keep the default, it will look like this example:

There are a lot of things we can customize in a very easy way.

We are able to change the following things with a simple PowerShell command:

  • Illustration Logo
  • Company Logo
  • Login Texts
  • Company Name
  • Help Desk Link
  • Home Link
  • Privacy Link
  • Support Mail address

Before we can start to change all these things, a little preparation is needed.

We need to define a path where our logo and illustration are located. In my example for the following PowerShell commands, I will use this path: C:\DrPe\

Second, we need to prepare our logo and illustration. Here we need to know the following:

Size for Illustration:

1420×1080 pixels @ 96 DPI with a file size of no greater than 200 KB

Size of the Company Logo:

260×35 pixels @ 96 DPI with a file size of no greater than 10 KB
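As an added example (not from the original post), here is a small PowerShell function that checks a prepared image against the two size requirements above before it is handed to Set-AdfsWebTheme: pixel dimensions, 96 DPI and the file size limit. It uses System.Drawing, which is available on a Windows Server with the .NET Framework, and assumes the file names illustration.png and logo.png under the C:\DrPe\ path from this post.

```powershell
# Added example, not from the original post.
Add-Type -AssemblyName System.Drawing

function Test-AdfsBrandingImage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$Width,
        [Parameter(Mandatory)][int]$Height,
        [Parameter(Mandatory)][int]$MaxBytes
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
    $file = Get-Item -LiteralPath $Path
    $img  = [System.Drawing.Image]::FromFile($file.FullName)
    try {
        $problems = @()
        # Exact pixel dimensions, as required for the illustration and the logo.
        if ($img.Width -ne $Width -or $img.Height -ne $Height) {
            $problems += "dimensions are $($img.Width)x$($img.Height), expected ${Width}x${Height}"
        }
        # 96 DPI in both directions; PNG files without a resolution chunk report 96 by default.
        if ([math]::Round($img.HorizontalResolution) -ne 96 -or [math]::Round($img.VerticalResolution) -ne 96) {
            $problems += "resolution is $($img.HorizontalResolution)x$($img.VerticalResolution) DPI, expected 96"
        }
        # File size limit (200 KB for the illustration, 10 KB for the logo).
        if ($file.Length -gt $MaxBytes) {
            $problems += "file size is $($file.Length) bytes, limit is $MaxBytes bytes"
        }
    }
    finally {
        $img.Dispose()    # release the file lock FromFile keeps open
    }
    [pscustomobject]@{
        Path     = $file.FullName
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Assumed file names, matching the Set-AdfsWebTheme commands later in the post.
$basePath = 'C:\DrPe'
Test-AdfsBrandingImage -Path (Join-Path $basePath 'illustration.png') -Width 1420 -Height 1080 -MaxBytes 200KB
Test-AdfsBrandingImage -Path (Join-Path $basePath 'logo.png')         -Width 260  -Height 35   -MaxBytes 10KB
```

Both calls return an object with an Ok flag and the list of problems found, so the check can be dropped into a deployment script that refuses to run Set-AdfsWebTheme until both images pass.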

 

When all this is prepared, we can start customizing our ADFS:

# Change Illustration
Set-AdfsWebTheme -TargetName default -Illustration @{path="C:\DrPe\illustration.png"}

# Change Company Logo
Set-AdfsWebTheme -TargetName default -Logo @{path="C:\DrPe\logo.png"}

# Change sign-in page description
Set-AdfsGlobalWebContent -SignInPageDescriptionText "<p>Keep it simple but significant.</p> <p>Click <A href='https://www.msb365.blog'>here</A> for more information.</p>"

# Change Company Name
Set-AdfsGlobalWebContent -CompanyName "MSB 365 | The Microsoft Blog"

# Add Help Desk Link
Set-AdfsGlobalWebContent -HelpDeskLink "https://msb365.abstergo.ch/?page_id=54" -HelpDeskLinkText "Help"

# Add Home Link
Set-AdfsGlobalWebContent -HomeLink "https://www.msb365.blog" -HomeLinkText "Home"

# Add Privacy Link
Set-AdfsGlobalWebContent -PrivacyLink "https://msb365.abstergo.ch/?page_id=47" -PrivacyLinkText "Privacy"

# Customize a support email error message
Set-AdfsGlobalWebContent -ErrorPageSupportEmail "[email protected]"
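As an added example (not from the original post), the following PowerShell snippet backs up the default theme and the current global web content before the commands above are run, and afterwards compares the live settings with the values that were set, so a typo in a link is caught on the console rather than by the first user on the sign-in page. The backup directory C:\DrPe\backup is an assumption, and the expected values are the ones from the commands above; the property names on the Get-AdfsGlobalWebContent output mirror the Set-AdfsGlobalWebContent parameter names.

```powershell
# Added example, not from the original post.
$backupDir = 'C:\DrPe\backup'    # assumption: backup location next to the branding files
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Back up the default web theme (images, CSS, scripts) and the global content,
#    so the customization can be rolled back with Import-AdfsWebTheme and
#    Set-AdfsGlobalWebContent if something looks wrong afterwards.
Export-AdfsWebTheme -Name default -DirectoryPath (Join-Path $backupDir 'default-theme')
Get-AdfsGlobalWebContent | Export-Clixml -Path (Join-Path $backupDir 'global-web-content.xml')

# 2. The values expected after the Set-AdfsGlobalWebContent commands from the post.
$expected = @{
    CompanyName      = 'MSB 365 | The Microsoft Blog'
    HelpDeskLink     = 'https://msb365.abstergo.ch/?page_id=54'
    HelpDeskLinkText = 'Help'
    HomeLink         = 'https://www.msb365.blog'
    HomeLinkText     = 'Home'
    PrivacyLink      = 'https://msb365.abstergo.ch/?page_id=47'
    PrivacyLinkText  = 'Privacy'
}

# 3. Compare the live configuration (invariant locale, which the commands above set)
#    with the expected values and report every setting that differs.
function Test-AdfsWebContent {
    param([Parameter(Mandatory)][hashtable]$Expected)
    $live = Get-AdfsGlobalWebContent |
        Where-Object { [string]::IsNullOrEmpty($_.Locale) } |
        Select-Object -First 1
    $drift = foreach ($name in $Expected.Keys) {
        $actual = $live.$name
        if ($actual -ne $Expected[$name]) {
            [pscustomobject]@{ Setting = $name; Expected = $Expected[$name]; Actual = $actual }
        }
    }
    if ($drift) { $drift | Format-Table -AutoSize }
    else        { 'Global web content matches the expected values.' }
}

# Run the Set-AdfsGlobalWebContent commands from the post, then:
Test-AdfsWebContent -Expected $expected
```

Keeping the exported theme directory under version control alongside the script makes later changes to the sign-in page reviewable, which matters because this page is what users are trained to trust with their domain credentials.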

After all configurations are done, your screen could look like this one:

(Original picture and more information about customization HERE)

At this point you have all the information you need about ADFS. I hope this article helps you with configuring your environment. If you are also interested in multi-forest ADFS, I can recommend my other article on my blog here: https://www.msb365.blog/?p=167

I can also highly recommend the Microsoft link HERE about extending ADFS to Azure.

Photo by Chang Duong on Unsplash