
Synchronizing Office 365 with AD DS and using AD FS 2.0 for Single Sign-On

Good afternoon. I would like to share the knowledge I have gained in this area.
This article will hardly be useful to experienced administrators or engineers; all of it can be worked out with Google, Bing and patience, but it happens that deadlines are tight, the topic is uninteresting, or other circumstances get in the way of the work. Also, I am not able to take screenshots of everything, so some of them are taken from the web, but installing most of the components comes down to clicking "Next" until it is done.

Risks
Zero: synchronization is one-way. If management did not like it, nothing came of it, no money was allocated, or everything broke, stop DirSync and AD FS, uninstall DirSync, delete the MSOL_AD_Sync account in AD DS and delete the synchronized accounts from Office 365. If mail has already been moved, you can set up forwarding back.

Minimum infrastructure requirements
A server for AD FS: Windows Server 2008 or higher, a domain member, not a domain controller.
A server for DirSync (the Microsoft utility that synchronizes AD DS with Office 365): Windows Server 2003 or higher, a domain member, not a domain controller, with .NET Framework 3.0 or 3.5 and PowerShell.
AD DS at 2003 mixed or native functional level or higher, in a single forest. An Enterprise Admin account in the domain; it is used only to create MSOL_AD_Sync, and its login and password are not stored anywhere in DirSync. The MSOL_AD_Sync account is granted permission to read AD DS and to replicate directory changes.
An Office 365 administrator account and a domain verified in Office 365. The AD DS domain name need not match the verified domain; in that case you just add a UPN suffix for the verified domain and assign that suffix to the users.
A certificate for publishing AD FS (any certificate, even a self-signed one, will do for testing).

Note: DirSync works over ports 80 and 443 and cannot authenticate to a proxy server, so you will need to make a separate "hole" (an unauthenticated exception) for it in the proxy. To synchronize more than 50,000 users you will need a full SQL Server installation.
Office 365
First you need to activate synchronization with AD DS. It is convenient to do this step first, because enabling synchronization takes up to 24 hours (less in practice), and that time is more than enough to set up and prepare the other components involved in synchronization.

1. Open the Office 365 portal and go to the Users section.
2. Find "Active Directory Synchronization" and click the "Set up" button.
3. In the window that opens, under item 3, enable synchronization by clicking "Activate".
4. Under item 4, download DirSync.

AD FS
Before installing AD FS, you must import or generate a domain-issued or self-signed certificate that will be used to publish AD FS in IIS.

Download AD FS 2.0 and install it; we need the AD FS Server role, not AD FS Server Proxy. After installing AD FS 2.0, open IIS and bind the AD FS site to port 443 with the certificate.
Note: It is recommended to remove the binding on port 80 and enable "Require SSL" in the site's SSL settings. All of this is done through the IIS Manager interface and is self-explanatory.

Next, open the AD FS 2.0 Management console and run the AD FS 2.0 Server Configuration Wizard (or C:\Program Files\Active Directory Federation Services 2.0\FsConfigWizard.exe). Then it is Next, Next, Next... You need to create a new federation server farm; a dedicated service account for AD FS is desirable, and the minimum additional permission it needs is "write" on the "Program Data" OU.

You can check the installation by opening https://adfs_server_name/adfs/ls/idpinitiatedsignon.aspx

Installing DirSync
The process is very simple: Next, Next, Next. After installation the configuration wizard opens. It is also fairly trivial: on the second page you specify the Office 365 administrator account (synchronization with AD DS must already be enabled at this point), and on the third page the Enterprise Admin account. On the fourth page you will be offered to enable "Rich Coexistence", which I will not cover in this article. After the wizard finishes you can uncheck "Synchronize directories now"; it will not synchronize right away, but synchronization then runs on a schedule every 3 hours.

Now a little "magic"
The hidden GUI for DirSync lives at C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe (it is in fact the regular FIM Synchronization Service client). If you know enough, you can "play" with the settings, but changing settings through the GUI is not supported by Microsoft; if something needs to change, Microsoft suggests running the Configuration Wizard again. If you are not allowed into the DirSync GUI, just log off and back on: your account has been added to the FIM Synchronization Service group, and the new group membership takes effect only on a fresh logon.
Forced synchronization can be started through the DirSync GUI or via PowerShell:

1. Run PowerShell.
2. cd "C:\Program Files\Microsoft Online Directory Sync"
3. .\DirSyncConfigShell.psc1
4. In the new window, run Start-OnlineCoexistenceSync
The results can be viewed in the Event Log and/or on the Office 365 portal.
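The same forced run, scripted so that it can be scheduled or repeated, with the outcome read back from the Application event log. This is an added example, not code from the original article or from Microsoft: it assumes the DirSync path given above, that DirSyncConfigShell.psc1 loads the PowerShell snap-in named Coexistence-Configuration, and that DirSync logs under an event source containing "Directory Sync" (the source name is an assumption; adjust the filter if your log shows a different one).

```powershell
# Added example (not from the article): force a DirSync run and read the result
# from the Application event log.
# Assumptions: DirSync is installed in the path from the article; the console file
# DirSyncConfigShell.psc1 loads the Coexistence-Configuration snap-in; the event
# source name containing "Directory Sync" is assumed, not taken from the article.
$dirSyncPath = 'C:\Program Files\Microsoft Online Directory Sync'
Set-Location $dirSyncPath

# Load the snap-in only once; Add-PSSnapin fails if it is already loaded.
if (-not (Get-PSSnapin -Name Coexistence-Configuration -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Coexistence-Configuration
}

$started = Get-Date
Start-OnlineCoexistenceSync

# The sync engine runs asynchronously; wait a little, then show what it logged
# since we kicked it off. Errors and Warnings here are the first thing to check
# before looking at the Office 365 portal.
Start-Sleep -Seconds 60
$events = Get-EventLog -LogName Application -After $started |
    Where-Object { $_.Source -like '*Directory Sync*' }

$events |
    Select-Object TimeGenerated, EntryType, EventID, Message |
    Format-Table -AutoSize -Wrap

$failures = @($events | Where-Object { $_.EntryType -eq 'Error' })
if ($failures.Count -gt 0) {
    Write-Warning "DirSync logged $($failures.Count) error(s); see the messages above."
}
```

Run it from an elevated PowerShell on the DirSync server with an account that is a member of the FIM Synchronization Service group; the event log check is what tells you whether a run actually exported anything, since Start-OnlineCoexistenceSync itself returns immediately.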


For a test run you can choose which OUs will be synchronized. To do this, open the GUI, double-click the SourceAD management agent, go to the "Connect to Active Directory forest" step, click "Containers" and select the required containers. If you have several domains, select the desired domain from the list and click "Containers"; repeat for each domain.
Note: If you do not do this, all accounts from all OUs will "go" to Office 365, including service accounts and built-in accounts.

Linking AD FS 2.0 with Office 365
Download and install the Sign-in Assistant and the PowerShell module for Office 365 on the AD FS server. A new shortcut will appear in the Start menu and on the desktop: a PowerShell for working with Office 365 (you can also use the "normal" PowerShell after running Import-Module MSOnline).

Making the domain federated:
1. $cred = Get-Credential - in the window that appears, enter the login and password of the Office 365 administrative account.
2. Connect-MsolService -Credential $cred - connect to Office 365.
3. Set-MsolADFSContext -Computer <AD FS 2.0 server name> - an optional step, needed only if you are running PowerShell on a computer other than the one where AD FS Server is installed.
4. Convert-MsolDomainToFederated -DomainName <domain.com> - you must specify the name of the "root" domain. If, say, you need to convert office365.domain.com, both office365.domain.com and domain.com must be verified, but when converting you specify domain.com, not office365.domain.com. The domain and all its subdomains are converted.
Note: After this operation users will NOT be able to use Office 365 if the AD FS to Office 365 link is not configured or is configured incorrectly; the domain has already become federated.
5. Update-MsolFederatedDomain -DomainName <domain.com>
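The five steps above as one script, with a check before conversion and a verification afterwards. This is an added example, not code from the article or from Microsoft; it assumes the MSOnline module is installed as described above, and the names example.com and adfs01.example.com are placeholders for your verified root domain and your AD FS server.

```powershell
# Added example (not from the article): convert a verified root domain to
# federated authentication and confirm the result.
# Assumptions: MSOnline module installed; 'example.com' and 'adfs01.example.com'
# are placeholders for the verified root domain and the AD FS 2.0 server.
Import-Module MSOnline

$cred = Get-Credential -Message 'Office 365 administrator account'
Connect-MsolService -Credential $cred

$rootDomain = 'example.com'           # the verified root domain, not a subdomain
$adfsServer = 'adfs01.example.com'    # only needed when not running on the AD FS server

# Check the domain state first: converting an unverified domain fails, and
# converting an already-federated one again is pointless. This is the point of
# no return the article warns about, so it is worth a look before proceeding.
$domain = Get-MsolDomain -DomainName $rootDomain
if ($domain.Status -ne 'Verified') {
    throw "Domain $rootDomain is not verified in Office 365; verify it before converting."
}
if ($domain.Authentication -eq 'Federated') {
    Write-Host "Domain $rootDomain is already federated; nothing to do."
    return
}

Set-MsolADFSContext -Computer $adfsServer
Convert-MsolDomainToFederated -DomainName $rootDomain
Update-MsolFederatedDomain -DomainName $rootDomain

# Verify: the authentication type must now read 'Federated', and the federation
# properties show the AD FS endpoints and token-signing certificate Office 365
# will trust. Compare the certificate thumbprint with the one on the AD FS server.
Get-MsolDomain -DomainName $rootDomain | Select-Object Name, Status, Authentication
Get-MsolFederationProperty -DomainName $rootDomain |
    Select-Object Source, PassiveLogOnUri, ActiveLogOnUri, TokenSigningCertificate
```

Get-MsolFederationProperty returns one row for the AD FS server and one for Office 365; if the two rows disagree (for example after the AD FS token-signing certificate has rolled over), re-running Update-MsolFederatedDomain is what brings Office 365 back in sync.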

If everything has been done correctly, open the Office 365 login page: you will see that the password field is no longer available.


Publishing AD FS Server using ISA or TMG
It is published as a regular web site, but there are a couple of nuances:
1. "Block high-bit characters" and "Verify normalization" in the HTTPS protocol properties must be turned off.
2. Link Translation must be turned off.
3. In the rule settings, the option "Requests appear to come from the ISA Server computer" must be checked.
4. In the listener settings, you must add the certificate that you imported into IIS when installing AD FS.

After publishing, you can check that it works through the Office 365 portal or the outlook.com page. There is a great site for troubleshooting SSO.
Note: For users to be able to work, they must be assigned licenses; you can assign a license to a test user by hand. For bulk license assignment you can use PowerShell.
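A bulk assignment script of the kind the note refers to, added here as an example that is not from the article or from Microsoft. It assumes an MSOnline session is already open (Connect-MsolService as above), and the SKU filter '*ENTERPRISEPACK*' and the usage location 'RU' are placeholders to adjust to your tenant.

```powershell
# Added example (not from the article): assign a license to every
# directory-synchronized user that does not have one yet.
# Assumptions: Connect-MsolService has already been run; the SKU pattern
# '*ENTERPRISEPACK*' and the usage location 'RU' are placeholders.
Import-Module MSOnline

$sku = Get-MsolAccountSku |
    Where-Object { $_.AccountSkuId -like '*ENTERPRISEPACK*' } |
    Select-Object -First 1
if (-not $sku) {
    throw 'No matching SKU found; run Get-MsolAccountSku to list the ones in the tenant.'
}
$available = $sku.ActiveUnits - $sku.ConsumedUnits

# Only users that came from AD DS via DirSync (LastDirSyncTime is set) and have
# no license yet. Cloud-only accounts are left alone on purpose.
$users = @(Get-MsolUser -All -UnlicensedUsersOnly |
    Where-Object { $_.LastDirSyncTime -ne $null })

if ($users.Count -gt $available) {
    Write-Warning "Need $($users.Count) licenses but only $available are free; licensing the first $available."
    $users = @($users | Select-Object -First $available)
}

foreach ($u in $users) {
    # A usage location is required before a license can be assigned.
    if (-not $u.UsageLocation) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation 'RU'
    }
    Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $sku.AccountSkuId
    Write-Host "Licensed $($u.UserPrincipalName)"
}

Write-Host "Done: $($users.Count) user(s) licensed with $($sku.AccountSkuId)."
```

Filtering on LastDirSyncTime keeps the script from licensing accounts it did not mean to touch, and checking ActiveUnits against ConsumedUnits up front avoids a run that half succeeds and then fails once the pool is exhausted.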

Results

The result is a working infrastructure in which users sign in to Office 365 with their mailbox address and the same password they use on their "computer". All passwords are stored only in your AD DS. Passwords are not synchronized, which is exactly why AD FS is needed. All changes to user information are made in your own AD DS and replicated to Office 365 automatically.

I hope the article is useful to someone.
The experience was gained as a "side effect" of working with FIM 2010; it is a pity that we have no community around this product. I plan to write about FIM in the future.

Source: https://habr.com/ru/post/151632/
