Connect an On-Premise Active Directory (AD) Lab to Azure AD
For this demonstration, I selected the federated identity configuration option using Active Directory Federation Services (ADFS). There are other configuration options, but I went with ADFS because AD user passwords never leave the site. The domain used in this post is infrasecsolutions.com.
Before you Begin:
1. Ensure you have an existing AD environment with a domain name that is routable over the internet. An example would be domain.com rather than domain.local. This environment could be your test lab or on-premise AD used at your work.
Note: I used my domain, which happens to be routable. There is a Microsoft-recommended method to integrate non-routable domains with Azure AD; the example Microsoft works through uses a .local domain.
2. Register your Azure AD subscription. Here are instructions on how to register.
3. Run Microsoft’s IDFix tool against your Active Directory server. It is designed to identify errors in your directory before the sync can begin.
Azure AD Setup
First we need to add and register your domain. Login to the portal and use the global administrator account used when you created your Office365 organization.
1. Scroll down and click on Domain Names
2. Click on Add Domain Name
3. Enter the domain name that you will sync with Azure AD and click Add Domain
4. Now the domain must be verified. I recommend adding the TXT record Microsoft provides at your domain registrar. Microsoft verifies the domain by performing a TXT DNS record lookup against it. Microsoft also offers verification via an MX record, but I went with the TXT record for simplicity.
It may take up to 24 hours for this record to get propagated across the public DNS servers.
5. Highlight the unverified domain and click on verify. Once it is verified, you will see the domain in a verified state within the portal.
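Because the portal's Verify button fails until the TXT record is visible on public DNS, it helps to check propagation yourself first. The following PowerShell is an added example and not part of the original post; $Domain, $ExpectedTxt and the resolver list are assumptions (paste the exact value the portal gave you).

```powershell
# Added example (not from the original post): confirm the Azure AD verification
# TXT record is visible on public resolvers before clicking Verify in the portal.
# $Domain / $ExpectedTxt are placeholders; copy the portal's value verbatim.
$Domain      = 'infrasecsolutions.com'                  # domain added in the portal
$ExpectedTxt = '<verification value from the portal>'   # placeholder
$Resolvers   = @('8.8.8.8', '1.1.1.1', '9.9.9.9')        # public resolvers to sample

$results = foreach ($resolver in $Resolvers) {
    try {
        # -DnsOnly bypasses the local hosts file and cache so we see the public answer
        $txt = Resolve-DnsName -Name $Domain -Type TXT -Server $resolver -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'TXT' }
        $strings = @($txt | ForEach-Object { $_.Strings })
        $found   = $strings -contains $ExpectedTxt
    } catch {
        # NXDOMAIN, timeout or no TXT records yet: treat as "not propagated here"
        $strings = @()
        $found   = $false
    }
    [pscustomobject]@{
        Resolver = $resolver
        Found    = $found
        Records  = ($strings -join '; ')
    }
}

$results | Format-Table -AutoSize
if ($results.Found -notcontains $false) {
    'Verification record visible on every resolver sampled; the portal Verify step should succeed.'
} else {
    'Record not yet visible everywhere; wait for propagation before clicking Verify.'
}
```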
Server Set Up
The proper infrastructure needs to be in place for Active Directory to sync with Azure AD and support Single Sign On. Note that the setup discussed in this post is ideal for a lab environment. There are other factors involved when configuring it for a production environment such as High Availability/Disaster Recovery.
- AD Connect server: This server manages the sync between Active Directory and Azure AD.
- ADFS: This server manages the Federated login and should never be directly exposed to the internet. Operating system must be Windows 2012 R2 or above.
- Web Proxy: This should reside on your DMZ. It passes the authentication requests to the ADFS server. Operating system must be Windows 2012 R2 or above.
- Existing Active Directory environment.
1. ADFS Server
1. Open up Server Manager and click on Add roles and features
2. The Add Roles and Features Wizard pops up. Click Next
3. Select Role-based or feature-based installation and click Next twice
4. Check Active Directory Federation Services and select Next twice
5. Click Install in the Confirmation screen
Windows will begin the installation process
Generate and Install TLS certificate
A TLS certificate is required when configuring Single Sign On using ADFS. I recommend using Digicert’s tool. Install and run it on the ADFS server.
1. Click Create CSR and enter the appropriate information. Remember that the common name must match what your external exposed SSO login URL will be. One example is login.testdomain.com if your domain is testdomain.com. This post uses login.infrasecsolutions.com.
2. Use an external certificate authority to generate your certificate. If you are just testing, then you can use Comodo's 90-day free certificate.
3. Once you have the certificate, copy it to your ADFS server and import it into the Digicert tool. Enter a friendly name and click Finish.
A confirmation window will pop up reading that the certificate was successfully imported.
The certificate now is displayed as imported in the Digicert Utility
4. Import the certificate into the ADFS server's certificate store. Once imported, verify it is in the correct store by opening Microsoft Management Console (mmc) and adding the Certificates snap-in for the computer account. Expand Personal and click on Certificates. The certificate should be there.
5. Export the certificate along with the private key using the Digicert Utility in pfx format. Remember to note down the password used. It will be needed later.
6. Copy the exported cert/private key to the AD Connect server and the Web Application Proxy server.
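The mmc check above only confirms the certificate is present; the things that actually break the ADFS farm configuration later are a missing private key, a wrong store, an expired certificate or a name that does not match the SSO login URL. This PowerShell check is an added example and not part of the original post; $SsoHost is a placeholder for your login name.

```powershell
# Added example (not from the original post): confirm the imported SSO certificate
# sits in the computer Personal store with a private key, matches the SSO login
# name, is within its validity period, carries the Server Authentication EKU and
# chains to a trusted root. $SsoHost is a placeholder for your login URL host name.
$SsoHost = 'login.infrasecsolutions.com'

# Pick the newest certificate whose SAN/CN list contains the SSO host name
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.DnsNameList.Unicode -contains $SsoHost } |
        Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No certificate for $SsoHost in LocalMachine\My (was it imported into the user store by mistake?)"
}

$now    = Get-Date
$checks = [ordered]@{
    'Private key present'          = $cert.HasPrivateKey
    'Within validity period'       = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    'Server Authentication EKU'    = ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
    'Chain builds to trusted root' = $cert.Verify()
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
"Thumbprint: $($cert.Thumbprint)  Expires: $($cert.NotAfter.ToString('yyyy-MM-dd'))"
```

Run it on the ADFS server after step 4, and again on the AD Connect and Web Application Proxy servers after the pfx has been imported there; a FAIL on the private key line usually means the .cer was imported instead of the .pfx.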
2. Web Application Proxy server
1. Open Server Manager and select Add Roles and Features, similar to how ADFS was installed.
2. Select Remote Access and click Next three times
3. Select Web Application Proxy
4. Another window will instantly pop up. Click Add Features
5. On the Confirm Installation Selections page, click Install
3. AD Connect server
1. Login to your AD Connect server.
2. Download, install and run the AD Connect tool.
3. Agree to the license terms and click Continue
4. Select Customize. Express Settings do not support ADFS.
5. Select Federation with ADFS and click Next
6. Enter the credentials of the Global Administrator you configured when you set up Azure AD.
7. Now enter an account which has domain user permissions and click Add Directory. Do not use a domain administrator account. You should see your domain under Configured Directories. Click Next.
8. There will be some activity as the directories sync. Next you will see the sign-in configuration. Select the attribute users will sign in with, or leave it as User Principal Name.
9. Select the domain and OU you wish to sync with Azure AD. Ensure you have planned which accounts or groups you feel it is necessary to sync to the cloud.
10. Continue to click Next or Continue until the Configuring AD FS Farm window opens. Select Provide a password protected pfx certificate file. Select the pfx certificate you exported out of the Digicert tool and select the Subject Name.
11. Select where to install ADFS. This should be the ADFS server you configured earlier.
- You will need to enter the domain admin credentials for the install to continue.
- If you receive a PowerShell connectivity error, add the Domain Admin account to the Schema Admins group.
12. Once configured the ADFS server will be selected. Click Next.
13. Add the IP address of the Web Application Proxy server. This server should reside in the DMZ and not be a domain member server.
- Add in the credentials of the local administrator account of the server
- If, for some reason, AD Connect cannot connect to the Web Application Proxy, then skip this step and continue. It is not imperative for this configuration, and Microsoft allows us to configure the Web Application Proxy directly on the server.
14. Specify the ADFS Service Account. This is a service account with regular domain user credentials and not a Domain Administrator account.
15. Select the Azure AD domain you configured for sync. Click Next until you are prompted to Install.
16. The directory will begin syncing with Azure AD.
4. Web Application Proxy Post-Configuration
This section only applies if there were issues connecting or configuring the Web Application Proxy server using the AD Connect tool.
1. Edit the hosts file on the Web Application Proxy server by creating an entry that maps the login URL host name to the IP of the ADFS server. E.g. if your login URL (the CN in your certificate) is login.domain.com, then map that name to the ADFS server's IP.
2. On the Web Application Proxy server, open Server Manager. There will be a flag with an exclamation mark next to the menu, indicating a post-deployment task that needs to be addressed.
3. Click on the flag and another mini window will pop up. Click on the link reading Open the Web Application Proxy Wizard
4. This will open the Web Application Proxy Configuration Wizard. Click Next
5. Enter the ADFS server name (FQDN) under Federation Service Name, then enter a local administrator account for the ADFS server.
6. Copy the certificate you generated using the DigiCert tool to the Web Application proxy server. Select the certificate and click Next. The certificate is the one used for your Single Sign On login URL.
7. Review the configuration and click Configure.
8. Verify the configuration was successful and click Close.
IdP Initiated Login Test
Ensure the proper firewall rules are in place allowing external traffic to TCP 443 of your Web Application Proxy server, then test by using the IdP-initiated login URL https://<login.domain.com>/adfs/ls/IdpInitiatedSignon.aspx, where login.domain.com is the SSO login URL.
For example, this post configured the SSO login to be login.infrasecsolutions.com; therefore the IdP-initiated URL to test federation is https://login.infrasecsolutions.com/adfs/ls/IdpInitiatedSignon.aspx
Login using a domain account you configured to be synced with Azure AD.
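Before trying an interactive login, it is worth checking from an external machine that the three things the test depends on are in place: the firewall rule to TCP 443, the certificate the proxy actually presents for the SSO name, and the sign-on page itself. The following PowerShell is an added example and not part of the original post; $SsoHost is a placeholder for your login host name.

```powershell
# Added example (not from the original post): external pre-check of the
# IdP-initiated sign-on URL. $SsoHost is a placeholder for your SSO login host.
$SsoHost = 'login.infrasecsolutions.com'
$Url     = "https://$SsoHost/adfs/ls/IdpInitiatedSignon.aspx"

# 1. Is TCP 443 to the Web Application Proxy reachable through the firewall?
$tcp = Test-NetConnection -ComputerName $SsoHost -Port 443
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP 443 to $SsoHost is blocked; check the firewall/NAT rule to the proxy"
}

# 2. Which certificate does the proxy present, and does it carry the SSO name?
$client = New-Object System.Net.Sockets.TcpClient($SsoHost, 443)
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
$ssl.AuthenticateAsClient($SsoHost)   # throws if the chain or host name fails validation
$remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
'TLS {0}; presented certificate: {1} (expires {2:yyyy-MM-dd})' -f $ssl.SslProtocol, $remote.Subject, $remote.NotAfter
if ($remote.DnsNameList.Unicode -notcontains $SsoHost) {
    Write-Warning "Presented certificate does not list $SsoHost; the wrong pfx may be bound on the proxy"
}
$ssl.Dispose(); $client.Dispose()

# 3. Does the sign-on page answer with HTTP 200?
$resp = Invoke-WebRequest -Uri $Url -UseBasicParsing
'HTTP {0}, {1} bytes of content returned' -f $resp.StatusCode, $resp.Content.Length
```

A passing check followed by a failed interactive login usually points at the hosts-file mapping on the proxy or at the account not being in the synced OU. On AD FS 2016 and later the IdP-initiated sign-on page is disabled by default and must be enabled with Set-AdfsProperties -EnableIdpInitiatedSignonPage $true on the ADFS server.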
I will demonstrate how to add Microsoft services such as Skype for Business in future posts as well as security best practices. So stay tuned. If you found this article to be valuable, please share it with your friends, family, and coworkers. To read more articles like this one, visit my article catalogue.