How I set up Microsoft AD Azure Hybrid model.

cloud-security

  1. First create or sign in with your Microsoft account. You receive a $250 credit.
  2. I activated the Azure AD Premium solution and the Enterprise Mobility Suite free trial. picture-1
  3. Now add and verify your domain. picture-2
    picture-3
  4. Microsoft needs to verify ownership of the domain using either an MX record or a TXT record. I chose a TXT record. Create the following record wherever your public name servers are hosted; the record has to be visible on the internet, not just in your internal AD DNS zone. picture-4
  5. Microsoft says to allow up to an hour for DNS propagation; in my case the domain was verified after five minutes. I then made it the primary domain.
  6. Turn on Active Directory sync. picture-5
  7. Ensure the correct domain(s) are configured in Azure. They need to match the UPN suffix of your on-premises Active Directory users; a user whose UPN suffix is not a verified domain in Azure is synced with the default onmicrosoft.com suffix and will not be able to use federated sign-in. picture-6
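Azure checks the verification record through public DNS, so it is worth confirming the TXT record is actually visible from outside before clicking Verify. The PowerShell check below is an added example and not part of the original post: domain.com and the resolver addresses are assumptions, and it looks for a value in the MS=msNNNNNNNN form that Azure issues for domain verification.

```powershell
# Added example: confirm the Azure AD domain-verification TXT record is visible on
# public DNS before asking Azure to verify. Needs Resolve-DnsName (Windows 8 /
# Server 2012 or later). The domain and resolver addresses are assumptions.
function Test-AzureDomainVerificationRecord {
    param(
        [Parameter(Mandatory)][string]$Domain,
        # Ask public resolvers, not the internal AD DNS: that is what Azure sees.
        [string[]]$Resolvers = @('8.8.8.8', '8.8.4.4')
    )
    foreach ($resolver in $Resolvers) {
        try {
            $txt = Resolve-DnsName -Name $Domain -Type TXT -Server $resolver -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'TXT' }
            # Azure's verification value has the form MS=msXXXXXXXX
            $ms = @($txt | Where-Object { ($_.Strings -join '') -match '^MS=ms\d+$' })
            [pscustomobject]@{
                Resolver = $resolver
                Found    = ($ms.Count -gt 0)
                Record   = ($ms | ForEach-Object { $_.Strings -join '' }) -join ', '
            }
        } catch {
            # NXDOMAIN, timeout, or resolver unreachable: report it rather than hide it.
            [pscustomobject]@{ Resolver = $resolver; Found = $false; Record = $_.Exception.Message }
        }
    }
}

# Usage (assumed domain). Every resolver should report Found = True before you click Verify.
Test-AzureDomainVerificationRecord -Domain 'domain.com' | Format-Table -AutoSize
```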

Server setup

  1. I set up 4 servers in my environment:
    • Internal: the domain controller, the ADFS backend server, and the AD Connect server.
    • DMZ: the Web Application Proxy server running Windows Server 2012 R2, which publishes the ADFS login endpoint for external (extranet) logins.
    The ADFS and Web Application Proxy servers must be running Windows Server 2012 R2.
  2. Configure the server in the DMZ with the Web Application Proxy role service. This allows connections originating from the extranet to reach ADFS without exposing the federation server itself.
  3. On the Web Application Proxy server, in the Server Manager console, in the Dashboard, click Add roles and features.
    server-1

    • In the Add Roles and Features Wizard, click Next three times to get to the server role selection screen. server-2
    • On the Select server roles dialog, select Remote Access, and then click Next. server-3
    • Click Next.
    • On the Select role services dialog, select Web Application Proxy, click Add Features, and then click Next. server-4
    • On the Confirm installation selections dialog, click Install. server-5
    • On the Installation progress dialog, verify that the installation was successful, and then click Close.
    • Ensure the proxy server is not joined to the domain.
    • Import the TLS certificate created for the federation service (see the certificate steps below) into the Web Application Proxy. You can do this by double-clicking the PFX and following the import wizard. Ensure it is imported into the Local Machine (computer account) store and not the current user's store; the proxy wizard only lists certificates from the computer store.

Configure post-deployment on the Web Application Proxy

  • Edit the hosts file on the Web Application Proxy server (C:\Windows\System32\drivers\etc\hosts) and add an entry mapping the login URL to the IP of the ADFS server. E.g. if your login URL (the CN in your certificate) is login.domain.com, map login.domain.com to the ADFS server's internal IP. Public DNS points that name at the proxy itself, so without this entry the proxy would try to forward logins to its own address.
  • On the Web Application Proxy server, open Server Manager. There will be a flag with an exclamation mark next to the menu bar, which means something needs to be addressed. server-6
  • Click on the flag and a small window will pop up. Click on the link reading Open the Web Application Proxy Wizard. server-7
  • This opens the Web Application Proxy Configuration Wizard. Click Next. server-8
  • Enter the federation service name under Federation Service Name. This is the login URL you mapped in the hosts file (e.g. login.domain.com), not necessarily the ADFS server's machine name. Then enter the credentials of an account that is a local administrator on the ADFS server. server-9
  • Select the certificate you imported earlier. server-10
  • Click Configure.
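The role installation in the server setup section and the post-deployment wizard above can be done from an elevated PowerShell session on the proxy instead of Server Manager, which also makes the checks explicit. This is an added example and not the author's procedure: the federation service name login.domain.com, the backend IP 10.0.0.20 and the PFX path are assumptions, and the PFX is the one exported from the ADFS server in the certificate steps.

```powershell
# Added example: install and configure the Web Application Proxy on the DMZ server
# (Windows Server 2012 R2, elevated PowerShell). Name, IP and path are assumptions.
$fsName  = 'login.domain.com'                 # federation service name = CN of the certificate
$adfsIp  = '10.0.0.20'                        # internal IP of the ADFS backend
$pfxPath = 'C:\certs\login.domain.com.pfx'    # PFX exported from the ADFS server (with private key)

# The proxy should stand alone; refuse to continue on a domain-joined box.
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    throw 'This server is domain-joined; the Web Application Proxy should not be.'
}

# Role install (same as Remote Access -> Web Application Proxy in Server Manager).
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools | Out-Null

# Import the federation certificate into the computer store, never the user store.
$pfxPass = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPass
if (-not $cert.HasPrivateKey) { throw 'Certificate was imported without its private key.' }
if ($cert.Subject -notmatch "CN=$([regex]::Escape($fsName))") {
    throw "Certificate subject '$($cert.Subject)' does not match $fsName."
}

# Hosts entry: public DNS points the federation name at this proxy, so the proxy
# itself must resolve it to the internal ADFS server or it would loop back to itself.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$entryPattern = "^\s*$([regex]::Escape($adfsIp))\s+$([regex]::Escape($fsName))\s*$"
if (-not (Select-String -Path $hostsFile -Pattern $entryPattern -Quiet)) {
    Add-Content -Path $hostsFile -Value "`r`n$adfsIp`t$fsName"
}

# The inner firewall must let the proxy reach the backend on 443.
if (-not (Test-NetConnection -ComputerName $fsName -Port 443).TcpTestSucceeded) {
    throw "Cannot reach $fsName on TCP 443 from the proxy."
}

# Equivalent of the Web Application Proxy Configuration Wizard. The credential must be
# a local administrator on the ADFS server; the thumbprint picks the cert imported above.
$adfsAdmin = Get-Credential -Message "Local administrator on the ADFS server ($fsName)"
Install-WebApplicationProxy -FederationServiceName $fsName `
                            -FederationServiceTrustCredential $adfsAdmin `
                            -CertificateThumbprint $cert.Thumbprint

# Confirm the proxy now knows where the federation service lives.
Get-WebApplicationProxyConfiguration | Format-List ADFSUrl, ADFSSignOutURL
```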
  1. Create an SSL certificate for the federation service name on the ADFS server. I used the DigiCert Certificate Utility to create the CSR.
  • Download the DigiCert tool from https://www.digicert.com/util/DigiCertUtil.exe on the ADFS server.
  • Run the tool. server-11
  • Select Create CSR and enter the appropriate information. The common name must be the login URL (e.g. login.domain.com), since that is the name the proxy, the browsers and Azure AD will all connect to. server-12
  • Have an external certificate provider issue the certificate. You can use Comodo's free 90-day certificate.
  • Copy the issued certificate to your ADFS server and import it using the DigiCert tool. server-13
  • Enter a friendly name and click Finish. server-14
  • You should see a successful import. server-15
  • You should see the certificate in the DigiCert tool as imported. server-16
  • Export it in PFX format along with the private key and copy it to the AD Connect server (the Web Application Proxy needs the same PFX). Note down the password you set during the export; it is needed later when AD Connect configures ADFS. server-17
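The same CSR, import and PFX export can be done with the built-in certreq.exe and the PKI module rather than the DigiCert utility, which also lets you put the federation service name in a SAN and confirm the key is exportable before AD Connect asks for the file. This is an added example, not the author's steps: login.domain.com and C:\certs are assumptions, and the CA's reply is assumed to be saved as a .cer file.

```powershell
# Added example: create the federation service certificate on the ADFS server with
# certreq.exe and the PKI cmdlets instead of the DigiCert utility. The federation
# service name and the working folder are assumptions.

function New-FederationCsr {
    param(
        [Parameter(Mandatory)][string]$FederationServiceName,
        [string]$WorkDir = 'C:\certs'
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $inf = Join-Path $WorkDir "$FederationServiceName.inf"
    $csr = Join-Path $WorkDir "$FederationServiceName.csr"

    # 2048-bit exportable key in the computer store; KeyUsage 0xA0 = digital signature
    # + key encipherment; EKU = server authentication; SAN carries the service name.
    $infText = @"
[NewRequest]
Subject = "CN=$FederationServiceName"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$FederationServiceName&"
"@
    $infText | Set-Content -Path $inf -Encoding ASCII

    certreq.exe -new $inf $csr | Out-Null
    Get-Content $csr   # paste this into the CA's request form
}

function Complete-FederationCertificate {
    param(
        [Parameter(Mandatory)][string]$FederationServiceName,
        [Parameter(Mandatory)][string]$IssuedCertPath,   # .cer returned by the CA
        [string]$WorkDir = 'C:\certs'
    )
    # Pairs the issued certificate with the pending private key in the computer store.
    certreq.exe -accept $IssuedCertPath | Out-Null

    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -match "CN=$([regex]::Escape($FederationServiceName))" -and $_.HasPrivateKey } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for $FederationServiceName in the computer store." }

    # PFX with private key and chain, for the AD Connect server and the Web Application Proxy.
    $pfx = Join-Path $WorkDir "$FederationServiceName.pfx"
    $pfxPass = Read-Host -Prompt 'PFX export password (AD Connect will ask for it)' -AsSecureString
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pfxPass -ChainOption BuildChain | Out-Null
    [pscustomobject]@{ Pfx = $pfx; Thumbprint = $cert.Thumbprint; Subject = $cert.Subject; Expires = $cert.NotAfter }
}

# Usage: run the first, get the CSR signed, save the CA's reply as C:\certs\login.domain.com.cer,
# then run the second on the same server (the private key never leaves it until the PFX export).
# New-FederationCsr -FederationServiceName 'login.domain.com'
# Complete-FederationCertificate -FederationServiceName 'login.domain.com' -IssuedCertPath 'C:\certs\login.domain.com.cer'
```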
  2. Configure ADFS on the backend server.
  • Add the Active Directory Federation Services role. Only install the role; the farm itself is configured later by AD Connect. server-18
  • Select Install. server-19
  3. Next run IdFix on the DC to ensure no directory errors exist (duplicate or badly formed UPNs and proxy addresses, for example) before the first sync. server-20
  4. Configure the Web Application Proxy (the post-deployment steps above).
  5. Now install Azure AD Connect on the AD Connect server. server-21
  • Select Customize (custom settings). This is required if we are going to configure federation with ADFS (WS-Federation). server-22
  • Select Federation with AD FS. server-23
  • Enter the credentials of an account that has Global Administrator rights in Azure AD. server-24
  • Now enter an account that has domain user permissions and click Add Directory. You should see your domain under Configured Directories. Click Next. server-25
  • There will be some activity while the directories are read. Next you will see the sign-in configuration. Select the attribute users will sign in with, or leave it at the default, userPrincipalName. server-26
  • Select the domain and OUs you wish to sync with Azure AD. server-27
  • Leave everything else at the defaults until you get to the ADFS farm configuration:
    • Select Configure a new ADFS farm.
    • Select Provide a password-protected PFX certificate file, then select the PFX exported earlier and the subject name (the federation service name). server-28
  • Select the server on which to install ADFS (the backend server). server-29
  • You will need to enter a domain admin credential for the install to continue.
  • If you receive a connectivity error over PowerShell, add the domain admin account to the Schema Admins group.
  • Once configured you should see the server selected. Click Next. server-30
  • Add the IP of the Web Application Proxy server. This should reside in the DMZ and not be joined to the domain. Click Next. server-31
  • Specify the ADFS service account. Make this a dedicated service account with regular domain user rights. server-32

Ensure you have the proper firewall rules allowing inbound TCP 443 from the internet to your Web Application Proxy server (and from the proxy to the ADFS backend on 443), then test from outside the network by browsing to the IdP-initiated login URL https://login.infrasecsolutions.com/adfs/ls/IdpInitiatedSignon.aspx
server-33
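Rather than only trying the sign-on page in a browser, the checks below script the external test and also confirm what the AD Connect run above should have produced on the backend and in Azure AD. This is an added example and not part of the original post: login.infrasecsolutions.com is the page's federation service name, the relying party name Microsoft Office 365 Identity Platform is the one AD Connect creates, and the MSOnline module is assumed to be installed for the Azure check. Test-AdfsBackend runs on the ADFS backend, Test-AzureFederation anywhere with MSOnline, and Test-AdfsExternal from a client outside the network.

```powershell
# Added example: verify the federation deployment end to end. Names are assumptions.

function Test-AdfsBackend {
    # Run on the ADFS backend after AD Connect has built the farm.
    param([Parameter(Mandatory)][string]$FederationServiceName)
    Import-Module ADFS
    $props = Get-AdfsProperties
    # The farm's host name must equal the name on the certificate and in public DNS.
    if ($props.HostName -ne $FederationServiceName) {
        Write-Warning "Farm HostName is $($props.HostName), expected $FederationServiceName"
    }
    # SSL binding and service-communications cert should both be the PFX exported earlier.
    Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize
    Get-AdfsCertificate -CertificateType Service-Communications | Format-Table Thumbprint, StoreLocation -AutoSize
    # AD Connect registers Azure AD as a relying party under this name.
    $rp = Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'
    if (-not $rp) { Write-Warning 'Office 365 relying party trust not found; the domain was not federated.' }
    else { $rp | Format-List Name, Identifier, Enabled }
}

function Test-AzureFederation {
    # Needs the MSOnline module; prompts for a Global Administrator.
    param([Parameter(Mandatory)][string]$Domain)
    Connect-MsolService
    # Authentication must read Federated, not Managed, for ADFS logins to be used.
    Get-MsolDomain -DomainName $Domain | Format-List Name, Status, Authentication
    Get-MsolDomainFederationSettings -DomainName $Domain | Format-List IssuerUri, PassiveLogOnUri, ActiveLogOnUri
}

function Test-AdfsExternal {
    # Run from a client on the internet, through the firewall and the proxy.
    param([Parameter(Mandatory)][string]$FederationServiceName)
    $base = "https://$FederationServiceName"

    # 1. Firewall: TCP 443 must reach the proxy's public address.
    $tcp = Test-NetConnection -ComputerName $FederationServiceName -Port 443
    if (-not $tcp.TcpTestSucceeded) { throw "TCP 443 to $FederationServiceName ($($tcp.RemoteAddress)) is blocked" }

    # 2. TLS: name and chain must validate, otherwise Office 365 clients refuse the endpoint.
    $client = New-Object System.Net.Sockets.TcpClient($FederationServiceName, 443)
    $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($FederationServiceName)   # throws on name or chain mismatch
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        "TLS OK: $($cert.Subject), expires $($cert.NotAfter)"
    } finally { $ssl.Dispose(); $client.Close() }

    # 3. The IdP-initiated sign-on page is served through the proxy.
    $r = Invoke-WebRequest -Uri "$base/adfs/ls/IdpInitiatedSignon.aspx" -UseBasicParsing
    if ($r.StatusCode -ne 200) { throw "IdP-initiated sign-on page returned $($r.StatusCode)" }
    "Sign-on page OK ($($r.Content.Length) bytes)"

    # 4. Federation metadata is published; relying parties use it to find the signing certs.
    [xml]$md = (Invoke-WebRequest -Uri "$base/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing).Content
    "Metadata entityID: $($md.EntityDescriptor.entityID)"
}

# Usage, each on the machine it is written for:
# Test-AdfsBackend     -FederationServiceName 'login.infrasecsolutions.com'
# Test-AzureFederation -Domain 'infrasecsolutions.com'
# Test-AdfsExternal    -FederationServiceName 'login.infrasecsolutions.com'
```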
