Hello to everyone!!!
I hope that you all have been keeping busy with I.T. related things. I have been doing quite a bit of Office 365 work with customers recently, and have been spending a lot of that time setting up ADFS solutions for customers onboarding into the O365 cloud. While that is always exciting work, and technically challenging at times, it does not have to be complicated if you take your time and plan out exactly what you need to do in order to be successful.
To that end, the following checklist will prove helpful for those of you staring down the face of an ADFS / O365 integration solution. The checklist walks you through the logical steps of the deployment and integration, and provides links to the Microsoft TechNet documentation that supports each step.
Checklist: Setting Up a Federation Server
This checklist includes the deployment tasks that are necessary to prepare a server running Windows Server 2008 / 2008 R2 for the federation server role in Active Directory Federation Services (AD FS) 2.0.
Note: You can find additional AD FS 2.0 resource links at the AD FS 2.0 Content Map page on the Microsoft TechNet Wiki. This page is managed by members of the AD FS 2.0 Community and is monitored on a regular basis by the AD FS Product Team.
Checklist: Setting up a federation server

| Task | Reference |
|---|---|
| Before you begin deploying your AD FS 2.0 federation servers, review (1) the advantages and disadvantages of choosing either Windows Internal Database (WID) or SQL Server to store the AD FS configuration database, and (2) the AD FS 2.0 deployment topology types and their associated server placement and network layout recommendations. | Determine Your AD FS 2.0 Deployment Topology; AD FS 2.0 Deployment Topology Considerations |
| Review AD FS 2.0 capacity planning guidance to determine the proper number of federation servers you should use in your production environment. | Planning for Federation Server Capacity |
| Review information in the AD FS 2.0 Design Guide about where to place federation servers in your organization. | Planning Federation Server Placement; Where to Place a Federation Server |
| Determine whether a stand-alone federation server or a federation server farm is better for your deployment. | When to Create a Federation Server; When to Create a Federation Server Farm |
| Determine whether this new federation server will be created in the account partner organization or in the resource partner organization. | Review the Role of the Federation Server in the Account Partner; Review the Role of the Federation Server in the Resource Partner |
| Review information about how federation servers use service communication certificates and token-signing certificates to securely authenticate client and federation server proxy requests. | Certificate Requirements for Federation Servers |
| Review information about how to update the corporate network Domain Name System (DNS) so that successful name resolution to federation servers can occur. | Name Resolution Requirements for Federation Servers |
| Join the computer that will become the federation server to a domain in the account partner forest or resource partner forest where it will be used to authenticate the users of that forest or from trusting forests. | Join a Computer to a Domain |
| Create a new resource record in the corporate network DNS that points the DNS host name of the federation server to the IP address of the federation server. | Add a Host (A) Resource Record to Corporate DNS for a Federation Server |
| (Optional) If you will be adding a federation server to a federation server farm, you might have to first export the private key of the existing token-signing certificate (on the first federation server in the farm) so that you have a file format of the certificate ready when other federation servers must import the same certificate. Exporting the private key is not required when your issued server authentication certificate can be reused by multiple computers (without the need to export) or when you will be obtaining unique server authentication certificates for each federation server in the farm. | Export the Private Key Portion of a Server Authentication Certificate |
| After you obtain a server authentication certificate (or private key) from a certification authority (CA), you must then import the certificate file to the default Web site for each federation server. | Import a Server Authentication Certificate to the Default Web Site |
| (Optional) As an alternative to obtaining a server authentication certificate from a CA, you can use Internet Information Services (IIS) 7.0 to create a sample certificate for your federation server. | IIS 7.0: Create a Self-Signed Server Certificate in IIS 7.0, and then complete the procedure Import a Server Authentication Certificate to the Default Web Site |
| If you will be configuring a federation server farm environment in an account partner organization, you must create and configure a dedicated service account in Active Directory Domain Services (AD DS) where the farm will reside and configure each federation server in the farm to use this account. By performing this procedure, you will allow clients on the corporate network to authenticate to any of the federation servers in the farm using Windows Integrated Authentication. | Manually Configure a Service Account for a Federation Server Farm |
| Install the AD FS 2.0 software. | Install the AD FS 2.0 Software |
| Configure the AD FS 2.0 software on the computer to act in the federation server role by using the AD FS 2.0 Federation Server Configuration Wizard. Follow this procedure when you want to set up a stand-alone federation server, create the first federation server in a new farm, or join a computer to an existing federation server farm. | Create a Stand-Alone Federation Server; Create the First Federation Server in a Federation Server Farm; Add a Federation Server to a Federation Server Farm |
| (Optional) Use the AD FS 2.0 Management snap-in to add and configure the necessary AD FS 2.0 certificates required to deploy your design. For more information about when to add or change certificates using the snap-in, see Certificate Requirements for Federation Servers. | Add a Token-Signing Certificate; Add a Token-Decrypting Certificate; Set a Service Communications Certificate |
| If this is the first federation server in your organization, configure the Federation Service so that it conforms to your AD FS 2.0 design. | Checklist: Configuring the Account Partner Organization; Checklist: Configuring the Resource Partner Organization |
| From a client computer, verify that the federation server is operational. | Verify That a Federation Server Is Operational |
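The checklist ends with "verify that the federation server is operational", and several of the earlier rows (the DNS Host (A) record, the server authentication certificate with its private key, the farm service account for Windows Integrated Authentication) are the things that most often turn out to be wrong when that verification fails. The script below is an added example, not part of the original post or of the TechNet checklist it quotes: a read-only check you can run on the newly built federation server (or, for the last check, from a client) that tests each of those prerequisites and the published federation metadata. It is written against PowerShell 2.0 and .NET 3.5 so that it runs on a default Windows Server 2008 R2 install. The Federation Service name `fs.contoso.com`, the service account `CONTOSO\svc_adfs` and the expiry threshold are assumed placeholders; replace them with your own values.

```powershell
# Added example (not from the original post or TechNet): post-deployment checks for an
# AD FS 2.0 federation server. Read-only; nothing here changes configuration.
# Assumed placeholders: fs.contoso.com (Federation Service name), CONTOSO\svc_adfs (farm
# service account). Written for PowerShell 2.0 / .NET 3.5 (Windows Server 2008 R2).
param(
    [string]$FederationServiceName = 'fs.contoso.com',   # assumed placeholder
    [string]$ServiceAccount        = 'CONTOSO\svc_adfs',  # assumed placeholder
    [int]   $MinDaysBeforeExpiry   = 30
)

$results = @()
function Add-Result([string]$Check, [bool]$Passed, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

# 1. Name resolution: the Host (A) record added to corporate DNS must resolve the
#    Federation Service name to an address of this server.
try {
    $fsAddrs    = [System.Net.Dns]::GetHostAddresses($FederationServiceName) | ForEach-Object { $_.IPAddressToString }
    $localAddrs = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) | ForEach-Object { $_.IPAddressToString }
    $onThisHost = @($fsAddrs | Where-Object { $localAddrs -contains $_ }).Count -gt 0
    Add-Result 'DNS A record resolves to this server' $onThisHost ('resolves to ' + ($fsAddrs -join ', '))
} catch {
    Add-Result 'DNS A record resolves to this server' $false $_.Exception.Message
}

# 2. Server authentication certificate: present in the machine store with a subject that
#    matches the service name, private key available (without it IIS cannot serve HTTPS),
#    and not about to expire.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$FederationServiceName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert) {
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    Add-Result 'Server auth certificate has private key' $cert.HasPrivateKey ('thumbprint ' + $cert.Thumbprint)
    Add-Result "Certificate valid for more than $MinDaysBeforeExpiry days" ($daysLeft -gt $MinDaysBeforeExpiry) ('expires ' + $cert.NotAfter.ToShortDateString())
} else {
    Add-Result 'Server auth certificate in LocalMachine\My' $false "no certificate with CN=$FederationServiceName"
}

# 3. Farm service account: the manual service-account procedure registers the SPN
#    host/<Federation Service name> on the account so that corporate clients can use
#    Windows Integrated Authentication against any farm member. setspn -L lists SPNs.
$spnLines = & setspn.exe -L $ServiceAccount 2>&1
$spnPattern = "^\s*host/$([regex]::Escape($FederationServiceName))\s*$"
$hasSpn = @($spnLines | Where-Object { $_ -match $spnPattern }).Count -gt 0
Add-Result "SPN host/$FederationServiceName registered on $ServiceAccount" $hasSpn (($spnLines | ForEach-Object { $_.ToString().Trim() }) -join '; ')

# 4. Federation metadata: the document a relying party fetches first. A trust error here
#    is itself a finding (for example, an IIS self-signed certificate that clients do not trust).
$metadataUrl = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $client   = New-Object System.Net.WebClient
    $metadata = [xml]$client.DownloadString($metadataUrl)
    $entityId = $metadata.EntityDescriptor.entityID
    Add-Result 'Federation metadata endpoint responds' ($entityId -ne $null) ('entityID ' + $entityId)
} catch {
    Add-Result 'Federation metadata endpoint responds' $false $_.Exception.Message
}

$results | Format-Table Check, Passed, Detail -AutoSize
# Non-zero exit code if any check failed, so the script can gate a change window.
if (@($results | Where-Object { -not $_.Passed }).Count -gt 0) { exit 1 }
```

Run it in an elevated PowerShell session on the federation server; check 4 is also worth running from a domain-joined client, since a metadata download that works locally but fails from a client usually points back at the DNS or certificate trust rows of the checklist rather than at AD FS itself.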