About the AD FS service:

Active Directory Federation Services (AD FS) is a Microsoft server role, included in Windows Server 2016, that allows identity information to be shared securely between trusted business partners across locations, typically over the internet.


When a user needs to access a web application hosted by one of these partners, the user's own organization authenticates the user and passes identity information to the partner in the form of "claims"; the partner that hosts the application trusts those claims instead of holding its own copy of the user's password.

AD FS runs on Windows Server, authenticates users and gives them single sign-on (SSO) to applications hosted in other locations or at partner organizations.
Earlier versions 2.0, 2.1 and 3.0 were used on Windows Server 2008/2008 R2, 2012 and 2012 R2; Windows Server 2016 ships version 4.0 with additional features.

Version history:

AD FS 1.0 – Windows Server 2003 R2
AD FS 1.1 – Windows Server 2008 and Windows Server 2008 R2
AD FS 2.0 – Windows Server 2008 and Windows Server 2008 R2 (separate download, not a built-in role)
AD FS 2.1 – Windows Server 2012
AD FS 3.0 – Windows Server 2012 R2
AD FS 4.0 – Windows Server 2016

AD FS on Windows Server 2016 offers new and improved features, including:

Eliminating passwords from the extranet
Sign-in with Azure Multi-Factor Authentication
Password-less access from compliant devices
Sign-in with Microsoft Passport (Windows Hello for Business)
Secure access to applications
Better sign-in experience
Manageability and operational enhancements

Windows Server 2016 AD FS requirements

The following are required to deploy AD FS:

Certificate requirements:

AD FS uses three certificates: the SSL (service communication) certificate, the token-signing certificate and the token-decrypting certificate. Microsoft recommends keeping the default, internally generated, self-signed token-signing and token-decrypting certificates, which AD FS rolls over automatically. The SSL certificate must chain to a CA that every client trusts (a public CA when extranet users are involved) and its subject or subject alternative name must contain the federation service name.

Hardware requirements:

RAM: minimum 2 GB, recommended 4 GB.
Disk space: minimum 32 GB, recommended 100 GB.

Proxy requirements:

Extranet (internet-facing) access is published through Web Application Proxy (WAP). For an AD FS 2016 farm the proxy servers must themselves run Windows Server 2016; an older WAP cannot be configured against a 2016 farm. The AD FS servers stay on the internal network and only the proxy sits in the perimeter network.

AD DS requirements:

AD FS servers must be joined to an AD DS domain, and all AD FS servers within a farm must be in the same domain.

Browser requirements:

JavaScript must be enabled.
The browser must be configured to allow cookies.
Server Name Indication (SNI) must be supported.
For certificate authentication, the browser must support SSL client certificate authentication.
For seamless Windows Integrated Authentication, the federation service name must be in the browser's Local intranet or Trusted sites zone.

Network requirements:

Firewalls must allow TCP port 443 inbound from clients to the Web Application Proxy and from the proxy to the federation servers. TCP port 49443 is additionally required only between clients and the Web Application Proxy when certificate (client TLS) authentication is used; it is not required between the proxy and the federation servers. Clients must resolve the federation service name to the internal farm on the intranet and to the proxy from the internet, which is normally done with split DNS.

Permissions requirements:

The account that performs the installation and initial configuration of AD FS must have domain administrator permissions in the domain the server is joined to, because the configuration wizard creates the service account (a group managed service account is the recommended choice) and registers its service principal name. A gMSA additionally requires a KDS root key to exist in the forest.

For this setup we created the Vembu.in domain; server details:
Computer name: ADFSDomain
Domain name: Vembu.in

Note that in this lab AD FS is installed on the domain controller itself. Microsoft supports this but does not recommend it: AD FS is an internet-facing service, and running it on a domain controller exposes tier-0 credentials behind it. In production, use a dedicated, domain-joined member server for AD FS.

To install the role, open Server Manager, click Manage > Add Roles and Features, choose Role-based or feature-based installation, select the local server, tick Active Directory Federation Services on the Server Roles page, accept the defaults on the remaining pages and click Install.


Once the role installation completes, reboot if prompted, and then configure AD FS. In Server Manager, click the notifications flag at the top right and, under the pending post-deployment task, click "Configure the federation service on this server". The AD FS Configuration Wizard opens.

Because AD CS was already configured in this domain, the wizard automatically offered the server's existing SSL certificate; otherwise, import a certificate issued for the federation service name before running the wizard. We used:
Federation Service Name: ADFSDomain.vembu.in
Federation Service Display Name: Vembu AdfsCorporation

Note that here the federation service name is the same as the server's own host name. That works for a single-server lab, but it is not recommended: the HTTP service principal name registered for the AD FS service account can collide with the computer account's HOST SPN, which breaks Windows Integrated Authentication, and the name cannot later be pointed at a load balancer in front of a farm. Use a dedicated DNS name (for example fs.vembu.in) that resolves to the farm.


Click Apply, then OK to run the configuration. When it finishes, verify the federation service in a browser:
https://ADFSDomain.vembu.in/adfs/ls/IdPInitiatedSignon

On AD FS 2016 the IdP-initiated sign-on page is disabled by default, so expect an error until it is enabled with Set-AdfsProperties -EnableIdPInitiatedSignonPage $true in an elevated PowerShell session (enable it for testing only). The federation metadata at https://ADFSDomain.vembu.in/FederationMetadata/2007-06/FederationMetadata.xml is always published and is the more reliable smoke test.
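The following is an added example, not part of the original post: an unattended PowerShell equivalent of the Server Manager and wizard steps above, followed by the post-install checks. It assumes the NetBIOS domain name VEMBU for vembu.in, a dedicated federation service name fs.vembu.in (not the server's host name) with a DNS record pointing at this server, a gMSA named svc_adfs, and an SSL certificate for fs.vembu.in already present in the computer's personal certificate store. Run it in an elevated session on the future AD FS server with the ActiveDirectory module available.

```powershell
# Added example (not from the original post). Assumptions: domain VEMBU/vembu.in,
# federation service name fs.vembu.in, gMSA svc_adfs, SSL cert already installed.
$FsName        = "fs.vembu.in"
$FsDisplayName = "Vembu AdfsCorporation"
$Gmsa          = "svc_adfs"
$AdfsServer    = $env:COMPUTERNAME

Import-Module ActiveDirectory

# 1. Install the role and its management tools (the Add Roles and Features wizard).
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 2. gMSA prerequisite: a KDS root key must exist in the forest. Backdating the
#    effective time skips the replication wait; acceptable in a lab only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 3. Create the gMSA and allow only the AD FS server(s) to retrieve its password
#    (least privilege: no other host can impersonate the service).
if (-not (Get-ADServiceAccount -Filter "Name -eq '$Gmsa'")) {
    New-ADServiceAccount -Name $Gmsa -DNSHostName $FsName `
        -PrincipalsAllowedToRetrieveManagedPassword "$AdfsServer`$"
}

# 4. Pick the SSL certificate whose SAN covers the federation service name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $FsName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $FsName found in LocalMachine\My" }

# 5. Create the farm (Windows Internal Database). Token-signing and
#    token-decrypting certificates stay at the default self-signed, auto-rolled ones.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $FsName `
    -FederationServiceDisplayName $FsDisplayName `
    -GroupServiceAccountIdentifier "VEMBU\$Gmsa`$"

# 6. Post-install checks. The IdP-initiated sign-on page is disabled by default
#    in AD FS 2016; enable it only while testing and turn it off afterwards.
Get-AdfsProperties | Select-Object HostName, Identifier, EnableIdPInitiatedSignonPage
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

# Expiry of every AD FS certificate; the token-signing one is what relying
# parties (e.g. Azure AD) trust, so its rollover must be tracked.
Get-AdfsCertificate |
    Select-Object CertificateType, IsPrimary, @{n='Expires'; e={ $_.Certificate.NotAfter }}

# Federation metadata is always published; fetching it proves DNS, TLS and the
# service itself are working end to end.
$meta = Invoke-WebRequest -UseBasicParsing `
    -Uri "https://$FsName/FederationMetadata/2007-06/FederationMetadata.xml"
$entityId = ([xml]$meta.Content).EntityDescriptor.entityID
"Metadata HTTP status: $($meta.StatusCode); entityID: $entityId"
```

If the AD FS cmdlets are not found immediately after step 1, open a new PowerShell session so the freshly installed ADFS module is loaded; the entityID printed at the end is the identifier that relying parties, including Azure AD, will expect as the issuer of tokens from this farm.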

With AD FS answering user sign-ins, the next step is to connect the on-premises Active Directory to Azure Active Directory.

Azure AD Connect

Azure AD Connect is the tool that connects an on-premises Active Directory infrastructure to Microsoft Azure AD.

Its wizard installs and configures the prerequisites and components needed for that connection, including directory synchronization and the user sign-in method; when "Federation with AD FS" is selected it can also configure the federation trust for the domain in Azure AD. Download Azure AD Connect from Microsoft and run the installer on a domain-joined server. The wizard walks through Express or Custom settings, connecting to Azure AD with a global administrator account, connecting to AD DS, and choosing the sign-in method.


Once the initial synchronization completes, the on-premises Active Directory users appear in Azure Active Directory and can be checked in the Azure portal.

With federation in place, Office 365 does not hold the users' passwords: a sign-in to Office 365 is redirected to AD FS, which authenticates the user against on-premises Active Directory and returns a signed token. Accounts are created once, in the on-premises directory, and synchronized to Azure AD (Azure Cloud) by Azure AD Connect.

In this scenario, once a user has logged on to a domain-joined client inside the network, AD FS authenticates them with Windows Integrated Authentication and Office 365 opens with those local credentials, with no separate password prompt. This requires the federation service name to be in the browser's Local intranet zone, as noted in the browser requirements.
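The post checks synchronization in the Azure portal; the following added example (not part of the original post) performs the same check from PowerShell on the Azure AD Connect server and additionally verifies the federation settings that make Office 365 redirect to AD FS. It assumes the MSOnline module is installed, that vembu.in has been added and federated in Azure AD, and a synced test user user1@vembu.in.

```powershell
# Added example (not from the original post). Run on the Azure AD Connect server.
# Assumptions: MSOnline module installed; vembu.in federated; test user user1@vembu.in.
Import-Module ADSync
Import-Module MSOnline

# Sync state: is the scheduler enabled, when does the next cycle run, any run in progress?
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC
Get-ADSyncConnectorRunStatus

# Force a delta sync instead of waiting for the 30-minute scheduler.
Start-ADSyncSyncCycle -PolicyType Delta

# Federation side: the domain must be Federated and its endpoints must point
# at our AD FS service, otherwise Office 365 never redirects to it.
Connect-MsolService   # prompts for a Global Administrator account
$domain = Get-MsolDomain -DomainName "vembu.in"
"Authentication type for vembu.in: $($domain.Authentication)"   # expect Federated

$fed = Get-MsolDomainFederationSettings -DomainName "vembu.in"
$fed | Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri

# The token-signing certificate Azure AD trusts is stored in the federation
# settings. After an AD FS certificate auto-rollover it must be updated here,
# or every Office 365 sign-in fails with an invalid-token error. Compare the
# thumbprint with Get-AdfsCertificate -CertificateType Token-Signing on AD FS.
$cloudCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($fed.SigningCertificate))
"Token-signing cert trusted by Azure AD: $($cloudCert.Thumbprint) (expires $($cloudCert.NotAfter))"

# Spot-check one synced user: ImmutableId ties the cloud object to the
# on-premises account and must match the claim AD FS puts in the token.
Get-MsolUser -UserPrincipalName "user1@vembu.in" |
    Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
```

A user whose ImmutableId is empty or whose LastDirSyncTime is stale was created in the cloud rather than synchronized, and federated sign-in will not work for that account until it is matched to the on-premises object.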

Now we can install Office 365 ProPlus on the client machines from the domain using the Microsoft Office Deployment Tool (ODT).

Download the Office Deployment Tool from Microsoft.

Office 365 source file download:

First create a shared folder to hold the installation source. In this lab the Office365 folder was shared with Everyone given read permission. That is broader than needed: every client executes setup.exe from this share with administrator rights, so anyone who can modify its contents can run code as an administrator on every client. Grant read-only access to Domain Users and Domain Computers (or Authenticated Users), give write access only to the administrators who maintain it, and never give ordinary users write access.
Share folder path: \\ADFSDOMAIN\Office365

The Office Deployment Tool was downloaded and extracted into this path in the shared folder:
\\ADFSDOMAIN\Office365\O365

Running the downloaded ODT executable extracts two files: setup.exe and a sample configuration.xml. The same setup.exe serves both purposes: with /download it fetches the Office 365 source files from the internet, and with /configure it installs Office 365 silently on a client.

Edit the XML file so that SourcePath points at the shared folder:

<Configuration>
  <Add SourcePath="\\ADFSDOMAIN\Office365\O365\OFF365DC" OfficeClientEdition="32" Channel="Deferred">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <ExcludeApp ID="Publisher" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" UpdatePath="" Channel="Deferred" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>

In this configuration, Channel="Deferred" selects the deferred (semi-annual) update channel, an empty UpdatePath means clients fetch updates from the Office CDN rather than from the share, and Display Level="None" with AcceptEULA="TRUE" makes the installation fully silent.

\\ADFSDOMAIN\Office365\O365 – stores the Office Deployment Tool and the XML files
\\ADFSDOMAIN\Office365\O365\OFF365DC – stores the Office 365 ProPlus installation source

With the XML file modified, download the Office 365 source files from the internet. On the server, open Run (or a command prompt) and run the ODT command below:

\\ADFSDOMAIN\Office365\O365\setup.exe /download \\ADFSDOMAIN\Office365\O365\configuration1.xml

The download starts immediately; you can verify progress in the OFF365DC folder on the share:

\\ADFSDOMAIN\Office365\O365\OFF365DC
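The share creation and source download described above, as an added PowerShell example that is not part of the original post. It creates the share with least-privilege permissions instead of Everyone: Read, runs the ODT download, and records the signature and hash of the setup.exe that every client will later execute. Assumptions: local path C:\Office365 on ADFSDOMAIN, NetBIOS domain name VEMBU, and the ODT already extracted to C:\Office365\O365 with the configuration1.xml from above.

```powershell
# Added example (not from the original post). Assumptions: C:\Office365 is the
# local path behind \\ADFSDOMAIN\Office365, domain VEMBU, ODT in C:\Office365\O365.
$Root   = "C:\Office365"
$Odt    = Join-Path $Root "O365"
$Setup  = Join-Path $Odt "setup.exe"
$Config = Join-Path $Odt "configuration1.xml"

New-Item -ItemType Directory -Path $Odt -Force | Out-Null

# NTFS: break inheritance, then grant read/execute to domain users and computers
# (GPO startup scripts run as the computer account) and full control to admins.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)
$rules = @(
    @("VEMBU\Domain Admins",    "FullControl"),
    @("NT AUTHORITY\SYSTEM",    "FullControl"),
    @("VEMBU\Domain Users",     "ReadAndExecute"),
    @("VEMBU\Domain Computers", "ReadAndExecute")
)
foreach ($r in $rules) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], "ContainerInherit,ObjectInherit", "None", "Allow")))
}
Set-Acl -Path $Root -AclObject $acl

# SMB share: read-only for users and computers, write only for admins, so no
# ordinary user can swap the setup.exe that clients run with admin rights.
if (-not (Get-SmbShare -Name "Office365" -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name "Office365" -Path $Root `
        -ReadAccess "VEMBU\Domain Users", "VEMBU\Domain Computers" `
        -FullAccess "VEMBU\Domain Admins" | Out-Null
}
Get-SmbShareAccess -Name "Office365"

# Download the Office source into the SourcePath named in the XML (OFF365DC).
$p = Start-Process -FilePath $Setup -ArgumentList "/download `"$Config`"" `
        -Wait -PassThru -NoNewWindow
if ($p.ExitCode -ne 0) { throw "ODT download failed with exit code $($p.ExitCode)" }

# Baseline for the binary every client will execute: Authenticode status,
# signer, and a SHA-256 hash written next to the share for later comparison.
Get-AuthenticodeSignature -FilePath $Setup |
    Select-Object Status, @{n='Signer'; e={ $_.SignerCertificate.Subject }}
Get-FileHash -Path $Setup -Algorithm SHA256 |
    Tee-Object -FilePath (Join-Path $Root "setup.exe.sha256")
```

Re-running Get-FileHash against the stored baseline before each deployment wave is a cheap way to notice if the installer on the share has been replaced.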

Once the source download is complete, install Office 365 on the client machines.

Office 365 installation on client machines:

On each client, run the command below from the Run prompt. The user needs local administrator privileges to run it; otherwise the UAC prompt asks for administrator credentials.

\\ADFSDOMAIN\Office365\O365\setup.exe /configure \\ADFSDOMAIN\Office365\O365\configuration1.xml

We already created the users on the domain controller.

Here we used Windows 10 as the client machine.

Log in to the client machine, open the Run prompt, type the command above and press Enter.

If the user has local admin rights the installation starts directly; otherwise administrator credentials must be entered at the UAC prompt.

The installation takes a few minutes; once it completes, open Word or Excel to verify.

Note: for automated deployment, wrap the command in a batch file or script and assign it from the domain as a Group Policy computer startup script. Startup scripts run as LocalSystem on the client, so users do not need administrator privileges; the client computer accounts then need read access to the share.
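One way to implement the automated deployment the note describes, as an added example that is not part of the original post: a PowerShell script assigned under Computer Configuration > Policies > Windows Settings > Scripts > Startup. It assumes the share \\ADFSDOMAIN\Office365\O365, the configuration1.xml and the O365ProPlusRetail product used above, and that client computer accounts can read the share.

```powershell
# Added example (not from the original post): GPO computer startup script that
# installs Office 365 ProPlus unattended. Runs as LocalSystem, so no user admin
# rights are needed. Assumptions: share, XML name and product ID as in the post.
$Share  = "\\ADFSDOMAIN\Office365\O365"
$Setup  = "$Share\setup.exe"
$Config = "$Share\configuration1.xml"
$Log    = "$env:SystemRoot\Temp\O365Deploy.log"

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $Log -Append
}

# Idempotence: Click-to-Run records installed products under this key, so the
# script can run at every boot without reinstalling.
function Test-OfficeInstalled {
    $key = "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration"
    if (-not (Test-Path $key)) { return $false }
    $ids = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ProductReleaseIds
    return [bool]($ids -and $ids -match "O365ProPlusRetail")
}

# Supply-chain check: this runs as SYSTEM from a network share, so refuse to
# execute a binary that is not validly signed by Microsoft.
function Test-SetupTrusted([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq "Valid" -and
            $sig.SignerCertificate.Subject -like "CN=Microsoft Corporation*")
}

if (Test-OfficeInstalled) { Write-Log "Office already installed; nothing to do"; exit 0 }
if (-not (Test-Path $Setup)) { Write-Log "setup.exe not reachable at $Setup"; exit 1 }
if (-not (Test-SetupTrusted $Setup)) { Write-Log "setup.exe failed signature check; aborting"; exit 1 }

Write-Log "Starting Office installation from $Share"
$p = Start-Process -FilePath $Setup -ArgumentList "/configure `"$Config`"" `
        -Wait -PassThru -NoNewWindow
Write-Log "setup.exe exited with code $($p.ExitCode)"
exit $p.ExitCode
```

The signature check does not replace locking down the share, but it means that even if the share is tampered with, clients refuse to run an unsigned or re-signed installer as SYSTEM, and the log in the client's Temp folder shows why a deployment was skipped or failed.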

Conclusion:

Active Directory Federation Services on Windows Server 2016 provides access control and single sign-on across a wide variety of applications, including Office 365 and other cloud-based applications. The Azure AD Connect tool synchronizes on-premises Active Directory with Azure AD. Once users are created in the local domain they are synchronized to Azure Active Directory, and with the domain federated to AD FS this gives SSO to Office 365 applications with the users' existing domain credentials.