Setting up ADFS in Azure

Part 1 – Setting the VPN to Azure

Part 2 – Extending Active Directory to Azure

Part 3 – Setting up ADFS in Azure

Part 4 – Connecting ADFS with Azure Active Directory Access Control Service (ACS) (to follow)

At this point you should have Azure configured as a branch office, with a VPN from your on-premises network to a virtual network in Azure, and you should have extended your AD into the cloud by promoting an Azure VM to a domain controller. In this part we go through the steps required to install an ADFS server and an ADFS proxy in Azure. In the final part of the series we cover connecting the ADFS environment to Office 365 and to Azure ACS for third-party and custom applications.

 

ADFS and ADFS Proxy

The ADFS server is a member server in our domain. It is hosted in Azure on the server virtual network and has connectivity to our Active Directory domain controller. It also accepts a direct connection over HTTPS (TCP 443) from our ADFS proxy server. The proxy server is hosted in Azure on a separate virtual network. It listens on TCP 443 on its public IP address and relays ADFS traffic to the internal ADFS server over HTTPS; it has no other connectivity to any other server. Normally this would sit in a true perimeter network with hardware firewalls between the servers, but that is not achievable with Azure alone, so we use the Windows firewall on each server to enforce the same restrictions. The point of the separation is that the only internet-facing host is the proxy, which sits outside the domain network, and the only path from it towards the domain is TCP 443 to the federation server.

You will need to create a new virtual network in Azure that is not linked to your existing network. The only way servers on this network can communicate with servers on your other virtual network is through Azure endpoints over the public IP addresses. This can be a standard Azure network and does not need specific DNS servers unless you plan to put your own DNS servers or domain controllers in it, which may be useful if you want a separate extranet domain. I have called this network Extranet Servers and given it the address range 172.16.1.0/24.

You now need to create two new small Server 2012 virtual machines in Azure:

ADFS Server

Server name: SV-ADFS01
Virtual network: Main Server Subnet
Disks: two (1 OS, 1 data)
Endpoints: HTTPS on TCP 443; Remote Desktop on the default random public port

ADFS Proxy Server

Server name: SV-ADFSP01
Virtual network: Extranet Servers
Disks: two (1 OS, 1 data)
Endpoints: HTTPS on TCP 443; Remote Desktop on the default random public port

Service Account

ADFS requires a domain service account. It doesn't need any special rights, but it does need to be able to log on as a service, log on as a batch job and generate security audits.

I've created a service account called SVC-ADFS in the corp.int domain where ADFS is going to be installed, and set its password to never expire. Because it never expires, give it a long random password and use the account for nothing other than the ADFS service.

When you configure ADFS the wizard registers the SPN for the federation service name (HOST/adfs.corp.com in this example) on the service account, so you shouldn't need to do this manually.

DNS

Both the internal ADFS server and the ADFS proxy need to resolve the same DNS name for the ADFS service. We also want internal clients to use the internal ADFS server and external clients to go via the ADFS proxy, which means the name has to resolve differently inside and outside (split DNS). There are a number of ways to achieve this depending on your DNS setup. I use a .int namespace (corp.int) for my domain, and my corp.com is hosted externally by my ISP. All my internal clients use their local DC for name resolution, so in AD I create a new AD-integrated primary zone called ADFS.CORP.COM. Because the zone is named after the host itself (a pinpoint zone), only that one name is overridden internally and every other corp.com name still resolves via the ISP.

Check the IP address of your ADFS server.

Create a new A record in the zone and leave the name blank. This creates a same-as-parent record, so adfs.corp.com itself resolves to the internal IP address of the ADFS server.

On the ADFS proxy server, which cannot use the internal DNS, create a hosts file entry for adfs.corp.com pointing to the public Azure endpoint IP of the internal ADFS server. The proxy therefore reaches the federation server over that public endpoint, which is why the firewall configuration below restricts the endpoint to the proxy's address.

Finally, register ADFS.CORP.COM with the ISP-hosted DNS so that external clients resolve it to the public Azure endpoint address of the ADFS proxy server.
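
As an added worked example (my code, not part of the original post), the split-DNS setup above done in PowerShell on Server 2012: the pinpoint zone and apex record on a domain controller, the hosts entry on the proxy, and a resolution check on each side through the OS resolver so it behaves like a real client. The IP addresses are assumptions, as is the use of the DnsServer module on the DC.

```powershell
# --- On a domain controller / DNS server (DnsServer module, Server 2012) ---
# Added example, not from the original post. Addresses are assumed:
$FsName       = 'adfs.corp.com'   # federation service name (from the post)
$AdfsInternal = '10.0.0.10'       # assumed internal IP of SV-ADFS01
$AdfsPublicEp = '203.0.113.10'    # assumed public Azure endpoint IP of SV-ADFS01

# Pinpoint zone: the zone is named after the host, so only this one name is
# overridden internally and the rest of corp.com still resolves via the ISP.
if (-not (Get-DnsServerZone -Name $FsName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $FsName -ReplicationScope Domain
}

# Apex record ('@' = same as parent) pointing at the internal ADFS server.
Add-DnsServerResourceRecordA -ZoneName $FsName -Name '@' -IPv4Address $AdfsInternal -TimeToLive (New-TimeSpan -Minutes 5)

# Internal check: a domain client must get the internal address.
$resolved = [System.Net.Dns]::GetHostAddresses($FsName) | ForEach-Object IPAddressToString
if ($resolved -notcontains $AdfsInternal) { throw "$FsName resolves to $resolved, expected $AdfsInternal" }

# --- On SV-ADFSP01 (separate virtual network, no internal DNS) ---
# Pin the name to the internal ADFS server's PUBLIC endpoint, the only path
# between the two virtual networks. Idempotent: only adds if no entry exists.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern   = '^\s*\S+\s+' + [regex]::Escape($FsName) + '\s*$'
if (-not (Select-String -Path $hostsFile -Pattern $pattern -Quiet)) {
    Add-Content -Path $hostsFile -Value "$AdfsPublicEp`t$FsName"
}
$resolved = [System.Net.Dns]::GetHostAddresses($FsName) | ForEach-Object IPAddressToString
if ($resolved -notcontains $AdfsPublicEp) { throw "$FsName resolves to $resolved on the proxy, expected $AdfsPublicEp" }
```

The external A record at the ISP, pointing at the proxy's public endpoint, still has to be created by hand. If the proxy check fails straight after editing the hosts file, run ipconfig /flushdns and try again, and note that Resolve-DnsName is not a substitute for the check above because it queries DNS directly rather than going through the hosts file.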

Certificate

We need a trusted SSL certificate whose subject name matches the ADFS service name. In this example the name is ADFS.CORP.COM and I am using a wildcard certificate from a trusted CA for *.CORP.COM. The certificate, with its private key, must be installed in the computer's Personal store on both the ADFS and ADFS proxy servers. Bear in mind that the proxy is the internet-facing host: if it is compromised, the wildcard's private key exposes every *.CORP.COM name, so a certificate issued only for the federation service name is the safer choice for the proxy.
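
As an added example (my code, not from the original post), importing and checking the certificate on either server, and, on the proxy, creating the IIS HTTPS binding that the proxy configuration wizard later requires (see the ADFS Proxy Installation section). The PFX path and password prompt are assumptions; the cmdlets are from the Server 2012 PKI and WebAdministration modules.

```powershell
# Added example, not from the original post. Assumed inputs:
$FsName  = 'adfs.corp.com'
$PfxPath = 'C:\certs\wildcard-corp-com.pfx'       # assumed location of the wildcard PFX
$PfxPwd  = Read-Host -AsSecureString 'PFX password'

# PKI module (Server 2012). The private key is imported non-exportable by
# default, which is what you want on an internet-facing proxy.
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPwd -CertStoreLocation 'Cert:\LocalMachine\My'

# What "valid certificate" means to the ADFS wizards:
if (-not $cert.HasPrivateKey) { throw 'No private key: the federation service cannot use this certificate' }
if (-not $cert.Verify())      { throw 'Chain does not validate on this host: import the CA chain first' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter)" }

# Name check that understands a wildcard: *.corp.com covers adfs.corp.com but
# not sub.adfs.corp.com, which is how browsers evaluate it.
$subjectCn = $cert.GetNameInfo('SimpleName', $false)
$nameOk = if ($subjectCn.StartsWith('*.')) {
    $FsName -match ('^[^.]+' + [regex]::Escape($subjectCn.Substring(1)) + '$')
} else {
    $subjectCn -ieq $FsName
}
if (-not $nameOk) { throw "Subject '$subjectCn' does not cover '$FsName'" }

# Proxy only: the proxy wizard refuses to run without an https binding on the
# Default Web Site. (The federation server wizard creates its own.)
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
$cert | New-Item -Path $sslPath | Out-Null

# Confirm what HTTP.sys will actually present on 443.
netsh http show sslcert ipport=0.0.0.0:443
```

The thumbprint shown by netsh should equal $cert.Thumbprint; if it does not, the wizard will bind a different certificate than the one you intend and the federation service name check in the proxy wizard will fail.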

Firewall configuration

ADFS works almost entirely over HTTPS (TCP 443). We need to open Azure endpoints to allow HTTPS traffic into the internal ADFS server as well as into the ADFS proxy.

From within Azure, on both virtual servers add the endpoint as follows:

We then configure the Windows firewall to restrict traffic to the ADFS server. Enable the Windows firewall on all profiles, then add an inbound rule allowing HTTPS (TCP 443) only from the public IP address of the ADFS proxy server, plus your internal client address ranges, which reach the internal server over the VPN. The Azure endpoint exposes the internal server's port 443 to the whole internet; without this rule anyone could reach the federation server directly and bypass the proxy. Lock down the firewall on both servers to block any other unneeded traffic, but keep the Remote Desktop endpoint reachable from your management address or you will lose access to the VM.
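
As an added example (my code, not from the original post), the lockdown of SV-ADFS01 with the NetSecurity module on Server 2012, followed by a connectivity check to run from the proxy. The proxy's public IP, the admin source address and the internal client subnets are assumptions; the RDP rule is created first so the default-block step cannot lock you out.

```powershell
# Added example, not from the original post. Assumed values:
$ProxyPublicIp  = '203.0.113.20'                    # public IP of SV-ADFSP01's cloud service
$AdminIp        = '198.51.100.5'                    # address your RDP sessions arrive from
$InternalRanges = '10.0.0.0/24', '192.168.0.0/24'   # Azure server subnet and on-prem LAN over the VPN
$RdpLocalPort   = 3389                              # Azure maps the random public RDP port to 3389

# 1. Every profile on, inbound blocked by default, outbound allowed. Traffic the
#    ADFS server initiates to the DC (LDAP, Kerberos, DNS) is outbound and keeps
#    working; only unsolicited inbound connections are affected.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Management access FIRST, before anything else is disabled.
New-NetFirewallRule -DisplayName 'RDP from admin address' -Direction Inbound -Protocol TCP -LocalPort $RdpLocalPort -RemoteAddress $AdminIp -Action Allow -Profile Any

# 3. HTTPS only from the proxy's public IP and from internal clients. The Azure
#    endpoint exposes 443 to the internet; these rules are what make the
#    federation server reachable only through the proxy from outside.
New-NetFirewallRule -DisplayName 'ADFS HTTPS from proxy public IP' -Direction Inbound -Protocol TCP -LocalPort 443 -RemoteAddress $ProxyPublicIp -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'ADFS HTTPS from internal clients' -Direction Inbound -Protocol TCP -LocalPort 443 -RemoteAddress $InternalRanges -Action Allow -Profile Domain

# 4. Disable the stock inbound allow rules except Core Networking (DHCP and
#    ICMPv6, which an Azure VM needs) so nothing else listens by default.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.DisplayGroup -ne 'Core Networking' -and $_.DisplayName -notlike 'ADFS HTTPS*' -and $_.DisplayName -ne 'RDP from admin address' } |
    Disable-NetFirewallRule

# 5. Review what is still open.
Get-NetFirewallRule -Direction Inbound -Enabled True | Select-Object DisplayName, Profile, Action | Format-Table -AutoSize

# --- Connectivity check, run from SV-ADFSP01 and from any other internet host ---
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # SYN dropped by the firewall
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}
Test-TcpPort -HostName 'adfs.corp.com' -Port 443
```

The connect should succeed from the proxy and time out from any other host on the internet, which is the behaviour the post is after. On the proxy itself the equivalent rule set is an inbound allow on TCP 443 from any address, the RDP rule from the admin address, and nothing else.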

ADFS Server Installation

We can now begin the installation of the ADFS server. This is the domain joined server, SV-ADFS01.

1. From Server Manager, add a new role and select Active Directory Federation Services. Click through the wizard, selecting all role services except the Federation Service Proxy. Once the install is complete you can configure the ADFS server from the AD FS Management console.

2. Launch ADFS console from server manager or the start menu, select AD FS Federation Server Configuration Wizard

3. Select to create a new federation service

4. Select New federation server farm. A farm can have more servers added later, whereas a stand-alone federation server cannot be converted into one, so choose the farm option even if you only have a single server today.

5. Select the correct certificate in the SSL certificate box. If you don't see it, make sure a valid certificate with its private key is installed in the computer's Personal store on the server.

6. Enter the credentials of the ADFS service account you created earlier.

7. The wizard is now complete and you should see the installation complete successfully.

If you hit installation errors you may have to fully uninstall the role and IIS from Server Manager, reboot, and start the role installation again. You may also need to delete any IIS folders left behind before reinstalling.

If you use browsers other than IE you may need to change a setting in IIS to support them and turn off Extended Protection for Authentication. Otherwise the browser keeps prompting for the username and password and ends with a 401 error. In the Security event log you would see "An account failed to log on" (event 4625) or "An error occurred during logon", with status 0xc000035b.

To turn off Extended Protection, open IIS Manager (IIS 8 on Server 2012; the steps are the same on IIS 7.5), expand Default Web Site > adfs > ls in the tree, double-click the Authentication icon, right-click Windows Authentication and select Advanced Settings, then set Extended Protection to Off.

Be clear about what this gives up. Extended Protection binds the Windows authentication to the TLS channel, which is what stops a man-in-the-middle from relaying the client's credentials to the federation server. Off removes that protection for every client; Accept is the middle ground, keeping the binding for clients that send a channel binding token (IE) while accepting those that do not.
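
As an added example (my code, not from the original post), the same setting read and changed from PowerShell with the WebAdministration module on SV-ADFS01, plus a query for the logon failures that identify the problem. The function names are hypothetical helpers; the configuration path is the standard IIS windowsAuthentication/extendedProtection element for the ADFS sign-in page.

```powershell
# Added example, not from the original post. tokenChecking values mirror the
# IIS UI: None = Off, Allow = Accept, Require = Required.
Import-Module WebAdministration
$ApplicationHost = 'MACHINE/WEBROOT/APPHOST'
$Location        = 'Default Web Site/adfs/ls'
$Filter          = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

function Get-AdfsExtendedProtection {
    (Get-WebConfiguration -PSPath $ApplicationHost -Location $Location -Filter $Filter).tokenChecking
}

function Set-AdfsExtendedProtection {
    param([ValidateSet('None', 'Allow', 'Require')][string]$Mode)
    Set-WebConfigurationProperty -PSPath $ApplicationHost -Location $Location -Filter $Filter -Name tokenChecking -Value $Mode
}

"Before: $(Get-AdfsExtendedProtection)"

# The post's fix is Off (None). Allow keeps channel binding for clients that
# send it and only relaxes it for those that do not, so prefer it where it
# fixes the prompt loop.
Set-AdfsExtendedProtection -Mode Allow
"After:  $(Get-AdfsExtendedProtection)"

# The symptom in the Security log: 4625 logon failures with status 0xc000035b.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0xc000035b' } |
    Select-Object TimeCreated, @{ n = 'Status'; e = { [regex]::Match($_.Message, 'Status:\s*(0x[0-9A-Fa-f]+)').Groups[1].Value } } |
    Format-Table -AutoSize
```

Re-run the event query after the change: if the browser prompt loop was caused by Extended Protection, the 0xc000035b failures stop appearing for that client.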

ADFS Proxy Installation

1. Launch the Add Roles and Features Wizard on the ADFS proxy server, select the Active Directory Federation Services role and accept the defaults, choosing only the Federation Service Proxy role service when prompted.

2. Once installed, launch the AD FS Federation Server Proxy Configuration Wizard from Server Manager. If you get an error like this one

you need to make sure there is an HTTPS binding with the SSL certificate on the Default Web Site in IIS.

Click Add, set the type to https and select the correct certificate.

You can now relaunch the ADFS Proxy configuration wizard.

3. Click next on the first welcome screen

4. Make sure the federation service name is correct. The wizard detects it from the subject name of the certificate, so with a wildcard certificate you will need to change it. It must be the DNS name of your ADFS service, the same name you put in the hosts file.

5. Click Test Connection and make sure you get a success result.

If you don't, check that the proxy server can resolve the federation service name (hosts file entry or DNS). Also make sure HTTPS (TCP 443) is allowed outbound from the proxy and inbound on the internal ADFS server, including in the Windows firewall rule that limits it to the proxy's public IP.

6. You will now be prompted for credentials to establish the proxy trust. Use the service account credentials you created earlier.

7. Verify the installation steps and complete the installation

This completes the ADFS installation. We haven't done any configuration within ADFS yet; that is covered in Part 4.
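
As an added example (my code, not from the original post), the checks I would run once both wizards have finished: fetch the federation metadata through the name, record which address it resolved to and which certificate the listener actually presented, and confirm the SPN the wizard should have registered. The helper name is hypothetical; the metadata URL is the standard ADFS 2.x federation metadata endpoint, and the NetBIOS domain name CORP is an assumption.

```powershell
# Added example, not from the original post.
$FsName      = 'adfs.corp.com'
$MetadataUrl = "https://$FsName/FederationMetadata/2007-06/FederationMetadata.xml"

function Test-FederationMetadata {
    param([string]$Url, [string]$ExpectedName)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Timeout = 15000
    $resp = $req.GetResponse()            # throws on TLS chain/name errors and HTTP errors
    try {
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        [xml]$md = $reader.ReadToEnd()
    } finally { $resp.Close() }
    # The certificate this hop presented: proxy or internal server, depending on where you run this.
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($req.ServicePoint.Certificate)
    [pscustomobject]@{
        ResolvedTo  = ([System.Net.Dns]::GetHostAddresses($ExpectedName) | ForEach-Object IPAddressToString) -join ','
        EntityId    = $md.EntityDescriptor.entityID     # default identifier is http://<name>/adfs/services/trust
        NameMatches = $md.EntityDescriptor.entityID -like "http*://$ExpectedName/*"
        ServerCert  = $presented.Subject
        CertExpires = $presented.NotAfter
    }
}

# Run on an internal client, on SV-ADFSP01 and on an external machine. The
# results should differ only in ResolvedTo (internal IP vs. public endpoint);
# EntityId and ServerCert must be identical on every path.
Test-FederationMetadata -Url $MetadataUrl -ExpectedName $FsName | Format-List

# On SV-ADFS01: the configuration wizard should have registered the HOST SPN
# on the service account. If it is missing, Kerberos to the service fails and
# clients fall back to NTLM prompts.
$spns = setspn -L CORP\SVC-ADFS
if (-not ($spns -match "HOST/$FsName")) {
    Write-Warning "HOST/$FsName is not registered on CORP\SVC-ADFS; register it with: setspn -S HOST/$FsName CORP\SVC-ADFS"
}
```

If the external run fails with a TLS error while the internal one succeeds, the proxy is presenting a different certificate than the federation server (check the IIS binding on the proxy); if it times out, the proxy's inbound 443 rule or the Azure endpoint is missing.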