Tag Archives: Remote Connectivity Analyzer

Implementing Active Directory Federation Services step-by-step part II

In the previous blog (Implementing Active Directory Federation Services step-by-Step) I have showed you how to install and configure Active Directory Federation Services (ADFS) in your internal network and DMZ, capable of handling Office 365 authentication request. In this blog I’ll show you how to configure Office 365 and how to test it.

Federated Domains

In a typical managed domain, the user accounts and password hashes are synchronized to Azure Active Directory. Office 365 uses Domain Controllers in Azure AD to authenticate the users and grant them access to the resources in the cloud.

In a federated domain, the user accesses the Office 365, but access is denied, and the request is redirected to Azure Active Directory. There, the home realm (the user’s domain) is discovered and the request is redirected to the ADFS server based on the home realm. If my user account is j.wesselius@exchangelabs.nl, my home realm is exchangelabs.nl and the request is redirected to the federation server that was created earlier, and that was used to configure the domain in Azure Active Directory.

I did a session on this at IT Dev Connections in 2017 (in San Francisco), the following is one animated slide that can be downloaded which shows the flow between a client, Office 365, Azure AD and the on-premises ADFS and Domain Controller:

ADFS Federation Flow

To get this working, the domain in Azure Active Directory needs to be converted to a federated domain so that Azure AD knows any authentication request needs to be redirected to the on-premises ADFS environment.

When adding a domain to Azure Active Directory it is automatically created as a managed domain. As said before, authentication takes places against Domain Controllers in Azure AD. You can check a domain using the Get-MsolDomain -DomainName exchangelabs.nl PowerShell command as shown in the following screenshot:

Get-MsolDomain

To convert this to a federated domain, start a PowerShell command (with elevated privileges) and enter the following commands:

[PS] C:\> Connect-MsolService

[PS] C:\> Set-MsolADFSContext -Computer ams-adfs01.labs.local

[PS] C:\> Convert-MsolDomainToFederated -DomainName Exchangelabs.nl

Note. Use the FQDN of the local first ADFS server with the Set-MsolADFSContext command, not the federation URL

This will connect the existing on-premises infrastructure to Azure AD, and convert the domain to a federated domain. Now, when checking the domain in Azure AD using the same command as before you’ll see it now is a federated domain:

Set-MsolAdfsContext Exchangelabs

In in the ADFS Management Console you’ll a new Relying Party Trust (RPT) for use with Office 365:

ADFS Relying Party Trust

To get more into detail in Azure AD about the federation settings, you can use the Get-MsolDomainFederationSettings command which shows more information:

Get-MsolDomainFederationSettings

Clearly visible are the Logon, Issuer and LogOffUri, which point to our on-premises ADFS implementation. Even more information can be retrieved using the Get-MsolFederationProperty command as shown in the following screenshot:

Get-MsolFederationProperty

To test the new configuration, navigate to the Microsoft Online Portal and login using an account with the domain we just configured, i.e. j.wesselius@exchangelabs.nl:

Microsoft Online Portal

When selecting this account, Azure AD determines the home realm (exchangelabs.nl) and redirect to the on-premises URL as found in the federation settings in Azure AD. You’ll see this happen on the fly in your browser:

Taking you to your organizations sign-in page

And a few seconds later we are redirected to our on-premises ADFS environment:

ADFS Federation Sign-in page

Clearly visible is the Federation Service display Name which was configured with the first ADFS server in the previous blogpost.

Enter your password, and how wonder, MFA is still working as well (which was a pleasant surprise for me 😊):

ADFS Exchangelabs MFA

Another interesting test is using the Remote Connectivity Analzyer ( (https://aka.ms/exrca) which has a Single Sign-On test. Navigate to the Remote Connectivity Analyzer, click the Office 365 tab and select the Office 365 Single Sign-On test radio button.

Enter username and password, do the verification code test and await the results. You’ll see something similar as the following screenshot:

Remote Connectivity Analyzer Single Sign-On Test

The logon attempt was successful, but more interesting is that you can expand all test steps to see what’s going on under the hood and try to understand how ADFS works.

Summary

In the previous two blogposts I demonstrated how to install and configure ADFS in your on-premises infrastructure. I installed only one ADFS server and one WAP proxy, which is far from a high available environment. Why high available? Without the ADFS server it is no longer possible to logon to any Office 365 service, so a high available infrastructure is a requirement for any ADFS implementation.

But customers are moving to the cloud to decommission their on-premises solutions, and with ADFS we’re building an on-premises solution for authenticating cloud solutions. But for compliancy reasons it might be needed to authenticate against local domain controllers (no passwords in the cloud for example). On the other hand, you can use Pass Through Authentication (PTA, see my blogpost Azure AD Connect Pass-through authentication) for this as well. PTA doesn’t offer as much possibilities as ADFS yet, but it is improving.

Is ADFS future proof? Some people say it isn’t, but as long as I find articles like What’s new in Active Directory Federation Services for Windows Server 2019 on the Microsoft website I don’t see too many issues with that.

More information

Creating an Exchange 2013 Hybrid environment

Updated: November 11, 2015

In a series of blog posts we will create an Exchange hybrid environment, where the on-premises environment consists of Exchange 2013 multi-role servers. Creating such an environment consists of several steps:

  • Implementing Directory Synchronization.
  • Running the Hybrid Configuration Wizard.
  • Creating Migration Endpoints.
  • Moving Mailboxes to Exchange Online.

Current Infrastructure

The current infrastructure consists of two Exchange 2013 multi-role servers and two Exchange 2013 Edge Transport servers, all of which are fully patched and running the latest version of Exchange 2013 (i.e. Exchange 2013 CU8). An Office Web Apps 2013 servers is also involved for rendering attachments in Outlook Web App.

A Kemp LM3600 LoadMaster is used for distributing incoming client requests from the Internet across both servers. SMTP is directed to two Exchange 2013 Edge Transport servers, which are subscribed to the internal Exchange 2013 servers, as shown in Figure 1.

image

Figure 1. The starting point when creating a new Hybrid environment.

In Office 365 we have are using a tenant called ExchangeLabsNL, for Exchange Online the tenant name is not important, but for SharePoint Online it is important. The corresponding SharePoint Online environment is accessible via Exchangelabs.nl.sharepoint.com, so the tenant name is important after all.

Note. The tenant name cannot be changed later on, so don’t choose any silly names for your tenant. One day you will regret this.

Directory Synchronization Server

In our on-premises environment we are going to install a dedicated Directory Synchronization server. This is not really a hard requirement since DirSync can be installed on a Domain Controller as well. Personally I prefer to use a dedicated DirSync server and keep all Domain Controllers identical.

Exchange Hybrid Server

There’s a lot of confusion about the Exchange Hybrid server when creating an Exchange Hybrid environment and to be honest, it took quite some time for me as well to get rid of the confusion.

A true hybrid server does not exist, but in Microsoft terminology, the hybrid server is the Exchange server where the Hybrid Configuration Wizard (or HCW) is run to configure a Hybrid Configuration. And the Hybrid Configuration is nothing more than some information written in Active Directory so it can be easily found and used by all Exchange servers in the organization. In Figure 1, the hybrid server can be either server EXCH01 or server EXCH02.

An additional Exchange 2013 server can be added as a hybrid server. You can even use a dedicated FQDN like hybrid.contoso.com for this to separate SMTP and migration traffic from/to Office 365 form regular client traffic accessing the normal Exchange servers EXCH01 and EXCH02.

Free/busy information in this scenario for example is not using the dedicated hybrid server, since it is not possible to designate this kind of traffic to dedicated servers. When users in Exchange Online are creating new meetings with users in Exchange on-premises, the free/busy information is found using the normal Exchange EWS virtual directory. This information in turn is found using normal Autodiscover requests.

So, before you start building your Exchange Hybrid environment you have to make absolutely sure your starting point is working flawlessly, internally and externally. If you run into issues with AutoDiscover, free/busy, out-of-office or Certificate errors you have to fix these first before continuing with the hybrid configuration. One great tool to test your existing environment is the Remote Connectivity Analyzer (www.testexchangeconnectivity.com) and of course your own Outlook clients Glimlach 

Note. If you are running Exchange 2010 you can also use the existing Exchange 2010 servers to create a hybrid environment without adding Exchange 2013 servers (although you have to be absolutely sure about this, Exchange 2010 is no longer in mainstream support). If you want to use Exchange 2013 in your existing Exchange 2010 environment you have to start a coexistence project first. When this is fully functioning (without error of course) you can continue with the DirSync and hybrid configuration.

When all is running fine you can continue with implementing the DirSync solution, as outlined in the following blogpost: https://jaapwesselius.com/2015/05/13/implementing-directory-synchronization/

AutodiscoverRedirect in Exchange 2013 SP1 on Windows 2012 R2

In earlier versions of Exchange you can use the Autodiscoverredirect option to retrieve autodiscover information if your primary SMTP domain in your email address does not match the domain name of the autodiscover DNS record in your Exchange deployment. You’ll face this issue when your Client Access server is using webmail.contoso.com and autodiscover.contoso.com but your email address is john@fabrikam.com. In this case your Outlook client will automatically start looking for a DNS record called autodiscover.fabrikam.com which points to the autodiscover.contoso.com. As a result a certificate warning is presented since the name of the request does not match the name on the certificate.

Continue reading AutodiscoverRedirect in Exchange 2013 SP1 on Windows 2012 R2