How I set up a Microsoft Azure AD hybrid model.
- First, create or sign in with your Microsoft account. You receive a $250 bill credit.
- I activated the Azure AD Premium solution and the Enterprise Mobility Suite free trial.
- Now add and verify your domain.
- Microsoft needs to verify your domain using either an MX record or a TXT record. I chose a TXT record. Create the record the portal shows you wherever you host your name servers.
- Wait an hour. I waited 5 minutes and the domain was verified. I made it the primary domain.
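Before clicking Verify, it is worth confirming from a public resolver that the TXT record is actually visible; the portal's check fails if the record has only reached your internal DNS. The following PowerShell check is an added example, not from the original post; `$Domain` and `$ExpectedValue` are placeholders for your own domain and the `MS=ms...` value the portal displays.

```powershell
# Added example (not part of the original post): confirm the Azure AD domain
# verification TXT record is resolvable from a public DNS server before
# clicking Verify. Both values below are placeholders.
$Domain        = 'example.com'
$ExpectedValue = 'MS=ms12345678'   # placeholder; copy the real value from the Azure portal

function Test-AzureAdTxtRecord {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $ExpectedValue,
        [string] $DnsServer = '8.8.8.8'   # query a public resolver, not the internal DNS
    )
    try {
        $records = Resolve-DnsName -Name $Domain -Type TXT -Server $DnsServer -ErrorAction Stop
    } catch {
        Write-Warning "TXT lookup for $Domain failed: $($_.Exception.Message)"
        return $false
    }
    # Each TXT answer carries its payload in the Strings property (an array of strings).
    $found = $records | Where-Object { $_.Type -eq 'TXT' -and (($_.Strings -join '') -eq $ExpectedValue) }
    if ($found) {
        Write-Host "Verification record for $Domain is visible at $DnsServer"
        return $true
    }
    $seen = ($records | Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings -join '' }) -join ', '
    Write-Warning "Record not visible yet. TXT values seen: $seen"
    return $false
}

Test-AzureAdTxtRecord -Domain $Domain -ExpectedValue $ExpectedValue
```

`Resolve-DnsName` is part of the DnsClient module shipped with Windows 8 / Server 2012 and later. Querying a public resolver rather than your domain controllers is the point: it shows what Microsoft's verification service will see.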
- Turn on Active Directory sync.
- Ensure the correct domain(s) are configured in Azure. They need to match the domain of your on-premises Active Directory.
Server setup
- I set up 4 servers in my environment. Internal: a DC, an ADFS back-end server, and an AD Connect server. DMZ: an ADFS Web Application Proxy server running Windows 2012 R2, which authenticates the logins for external resources. The ADFS servers must be running Windows 2012 R2.
- Configure the server in the DMZ with the proxy service role. This allows connections originating from the extranet.
- On the Web Application Proxy server, in the Server Manager console, in the Dashboard, click Add roles and features.
- In the Add Roles and Features Wizard, click Next three times to get to the server role selection screen.
- On the Select server roles dialog, select Remote Access, and then click Next.
- Click Next
- On the Select role services dialog, select Web Application Proxy, click Add Features, and then click Next.
- On the Confirm installation selections dialog, click Install.
- On the Installation progress dialog, verify that the installation was successful, and then click Close.
- Ensure the server is not joined to the domain.
- Import the TLS certificate created for Federation into the Web Application Proxy. You can do this by double-clicking the certificate and following the import wizard. Ensure it is imported into the computer account store.
Configure post-deployment on the Web Application proxy
- Edit the hosts file on the Web Application Proxy server, adding an entry that maps the login URL to the IP of the ADFS server. For example, if your login URL (the CN in your certificate) is login.domain.com, map it to the ADFS server's IP.
- On the Web Application Proxy server, open Server Manager. There will be a flag with an exclamation mark next to the Menu tab, which means something needs to be addressed.
- Click on the flag and another mini window will pop up. Click on the link reading Open the Web Application Proxy Wizard
- This will open the Web Application Proxy Configuration Wizard. Click Next
- Enter the ADFS server name (FQDN) under Federation Service Name, then enter a local administrator account for the ADFS server.
- Select the certificate you imported earlier.
- Click Configure
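The Server Manager steps above (role install, domain-join check, certificate import, hosts entry, and the post-deployment wizard) can all be done from an elevated PowerShell prompt on the DMZ server, which is easier to review and repeat. This is an added example, not from the original post; the federation name, ADFS IP and PFX path are placeholders for your own environment, and the cmdlets used are the standard ones in the ServerManager, PKI and WebApplicationProxy modules on Windows Server 2012 R2.

```powershell
# Added example (not part of the original post): Web Application Proxy setup
# from PowerShell on the DMZ server. All values below are placeholders.
$FederationServiceName = 'login.domain.com'              # CN / SAN of the federation certificate
$AdfsServerIp          = '10.0.1.20'                     # internal IP of the back-end ADFS server
$PfxPath               = 'C:\certs\login.domain.com.pfx'
$PfxPassword           = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. The proxy must NOT be domain-joined; stop rather than continue on a joined box.
if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    throw 'This server is domain-joined. The Web Application Proxy must stay a workgroup server in the DMZ.'
}

# 2. Install the Remote Access role with only the Web Application Proxy role service.
Install-WindowsFeature -Name Web-Application-Proxy -IncludeManagementTools

# 3. Import the federation certificate into the computer store (LocalMachine\My),
#    which is what the "computer account" choice in the import wizard does.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key; re-export it with the key.' }

# 4. Hosts entry so the proxy resolves the federation name to the internal ADFS server
#    instead of the public address that external clients use.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$pattern   = [regex]::Escape($FederationServiceName)
if (-not (Select-String -Path $hostsFile -Pattern $pattern -Quiet)) {
    Add-Content -Path $hostsFile -Value "$AdfsServerIp`t$FederationServiceName"
}

# 5. Post-deployment configuration (what the Server Manager flag / wizard does).
#    The credential is a local administrator on the ADFS server and is used once
#    to establish the proxy trust; it is not stored on the proxy.
$trustCred = Get-Credential -Message 'Local administrator on the ADFS server'
Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
                            -FederationServiceTrustCredential $trustCred `
                            -CertificateThumbprint $cert.Thumbprint
```

Step 1 is deliberately a hard stop: a domain-joined proxy in the DMZ would carry domain credentials and a machine account into the network segment exposed to the internet, which defeats the reason for putting it there.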
- Create an SSL certificate for your domain on the ADFS server. I used the DigiCert Certificate Utility to create our CSR.
- Download the DigiCert tool from https://www.digicert.com/util/DigiCertUtil.exe on the ADFS server.
- Run the tool
- Select Create CSR and enter the appropriate information
- Use an external certificate provider to generate the certificate. You can use Comodo's free 90-day certificate.
- Copy the certificate to your ADFS server and import the cert using the DigiCert tool
- Enter a friendly name and click Finish
- You should see a successful import.
- You should see the certificate in the DigiCert tool as imported.
- Export it in PFX format along with the private key and copy it to the AD Connect server. Note down the password you created during the export. It will be needed later during the ADFS configuration.
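Once the issued certificate has been imported with the DigiCert utility, the checks that matter before handing the PFX to AD Connect are that the certificate in the computer store actually carries the private key, matches the federation name, and chains to a trusted root. The following PowerShell does those checks and the export; it is an added example, not from the original post, and `$FederationServiceName` and `$PfxPath` are placeholders.

```powershell
# Added example (not part of the original post): locate the federation certificate
# in the computer store, sanity-check it, and export it with its private key as
# the password-protected PFX that AD Connect asks for. Values are placeholders.
$FederationServiceName = 'login.domain.com'
$PfxPath               = 'C:\certs\login.domain.com.pfx'

function Get-FederationCertificate {
    param([Parameter(Mandatory)] [string] $DnsName)
    # Match on the subject CN or on a DNS SAN entry; if several exist, take the longest-lived.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { ($_.DnsNameList.Unicode -contains $DnsName) -or ($_.Subject -like "CN=$DnsName*") } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
}

$cert = Get-FederationCertificate -DnsName $FederationServiceName
if (-not $cert) {
    throw "No certificate for $FederationServiceName found in LocalMachine\My"
}
if (-not $cert.HasPrivateKey) {
    # Happens when the issued .cer is imported on a machine other than the one that made the CSR.
    throw 'Certificate has no private key; import it on the server that generated the CSR.'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); a 90-day trial certificate needs an early renewal plan."
}
# The chain must validate on this host; otherwise clients will reject the federation endpoint.
if (-not $cert.Verify()) {
    throw 'Certificate chain does not validate; install the intermediate CA certificate first.'
}

# Export with the private key. The password protects the PFX while it is copied to the
# AD Connect server; AD Connect prompts for it when you choose
# "Provide a password-protected PFX certificate file".
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the exported PFX'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword -ChainOption BuildChain
```

`-ChainOption BuildChain` includes the intermediate certificates in the PFX, so the ADFS farm that AD Connect builds serves a complete chain without a separate intermediate install on each node.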
- Configure ADFS on the backend server.
- Configure it to use the ADFS role.
- Select Install
- Next, run IdFix on the DC to ensure no errors exist.
- Configure the Web Application Proxy
- Now install Azure AD Connect (directory sync) on the AD Connect server.
- Select Custom Settings. This is required if we are going to configure WS-Federation.
- Select Federation with ADFS
- Enter the credentials of an account which has global administrator access in Azure
- Now enter an account which has domain user permissions and click Add Directory. You should see your domain under Configured Directories. Click Next.
- There will be some activity while the directories sync. Next you will see the sign-in configuration. Select the method to use to log in, or leave it as User Principal Name.
- Select the domain and OU you wish to sync with Azure AD.
- Leave everything else blank until you get to configuring ADFS Farm
- Select Configure a new ADFS farm
- Select Provide a password-protected PFX certificate file, then select the certificate file and subject name.
- Select where to install ADFS
- You will need to enter the domain admin credential for the install to continue
- If you receive a connectivity error over PowerShell, add the domain admin account to the Schema Admins group.
- Once configured you should see the server selected. Click Next.
- Add the IP of the Web Application Proxy server. This should reside in the DMZ and not be joined to the domain. Click Next.
- Specify the ADFS Service Account. Make this a service account with regular domain user credentials.
Ensure you have the proper firewall rules allowing traffic on port 443 to your Web Application Proxy server, and test by using the IdP-initiated login URL https://login.infrasecsolutions.com/adfs/ls/IdpInitiatedSignon.aspx
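Opening the IdP-initiated sign-on page in a browser proves the happy path, but when it fails it does not say why. The PowerShell below, run from a machine outside the network, separates the usual causes: the firewall rule, the federation metadata, the sign-on page itself, and the certificate the proxy actually serves. It is an added example, not from the original post; `$FederationServiceName` is a placeholder for the login URL host (the post uses login.infrasecsolutions.com).

```powershell
# Added example (not part of the original post): external end-to-end check of the
# federation service published through the Web Application Proxy. Run from a
# machine on the internet side of the firewall. $FederationServiceName is a placeholder.
$FederationServiceName = 'login.domain.com'

function Test-FederationEndpoint {
    param([Parameter(Mandatory)] [string] $FsName)
    $result = [ordered]@{}

    # 1. TCP 443 reachable through the firewall to the Web Application Proxy.
    $tcp = Test-NetConnection -ComputerName $FsName -Port 443 -WarningAction SilentlyContinue
    $result.Port443Open = $tcp.TcpTestSucceeded

    # 2. Federation metadata is served and references this federation service name.
    try {
        $meta = Invoke-WebRequest -Uri "https://$FsName/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
        $result.MetadataOk = ($meta.StatusCode -eq 200) -and ($meta.Content -like "*$FsName/adfs/services/trust*")
    } catch {
        $result.MetadataOk    = $false
        $result.MetadataError = $_.Exception.Message
    }

    # 3. IdP-initiated sign-on page answers (enabled by default on ADFS 2012 R2).
    try {
        $idp = Invoke-WebRequest -Uri "https://$FsName/adfs/ls/IdpInitiatedSignon.aspx" -UseBasicParsing
        $result.IdpSignonOk = ($idp.StatusCode -eq 200)
    } catch {
        $result.IdpSignonOk = $false
    }

    # 4. The TLS certificate presented by the proxy matches the name and chains correctly.
    #    AuthenticateAsClient throws on a name or chain mismatch, so a wrong certificate
    #    on the proxy shows up here rather than as a vague browser warning.
    $result.CertMatchesName = $false
    try {
        $client = New-Object System.Net.Sockets.TcpClient($FsName, 443)
        $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($FsName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.CertMatchesName = $true
        $result.CertSubject     = $served.Subject
        $result.CertExpires     = $served.NotAfter
        $ssl.Dispose()
        $client.Close()
    } catch {
        $result.CertError = $_.Exception.Message
    }

    [pscustomobject]$result
}

Test-FederationEndpoint -FsName $FederationServiceName | Format-List
```

Read the output top to bottom: `Port443Open` false means the firewall or NAT rule, `MetadataOk` false with the port open means the proxy trust or the hosts entry on the proxy, and `CertMatchesName` false means the certificate bound on the proxy is not the one issued for the login name. `Test-NetConnection` needs Windows 8.1 / Server 2012 R2 or later on the test machine.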