SharePoint <-> Office 365 users synchronization, ADFS and WAP

Azure AD Connect

Prerequisites:

  • (existing) AD DC
  • (new) DirSync Server, joined to domain (e.g. ds.domain.local), OS = Windows Server 2012 R2
  • domain admin and local admin account
  • Office 365 global admin account

steps:

  • add your domain to your Office 365 environment in advance (it takes time)
  • add .net 3.5 and .net 4.5 features to the DirSync server
  • ensure your account is local admin and domain admin and Enterprise Admin
  • go to Office 365 admin center, Settings, Services and Add-Ins, Directory Synchronisation, Start Wizard and follow instructions (start check etc.)


ADFS

Prerequisites:

  • (existing) AD DC
  • (new) ADFS Server, joined to domain (e.g. fs.domain.local), OS = Windows Server 2012 R2
  • (new) WAP Server (e.g. wap.domain.local)
  • (create new) account for ADFS (like domain\adfs-svc) and make it local admin on ADFS Server
  • let's say our service name is “adfs.domain.com” (server name is “fs.domain.local”); then we need to enroll a certificate for the service name (i.e. adfs.domain.com), not a wildcard

    • Subject name and subject alternative name must contain your federation service name, such as adfs.domain.com
    • Subject alternative name must contain the value enterpriseregistration followed by the UPN suffix of your organization, for example enterpriseregistration.domain.local
    • Subject alternative name must contain the value certauth followed by the adfs service name, e.g. certauth.adfs.domain.com
    • set private key as exportable
  • export this certificate (with password)
  • ensure A record in internal DNS for service name (i.e. adfs.domain.com) points to ADFS server (“fs.domain.local”)
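The certificate and DNS requirements above are easy to get subtly wrong (a wildcard, a missing certauth SAN, a key that cannot be exported later for the WAP). The following PowerShell, added here as an example and not part of the original post, checks an enrolled certificate in the machine store against those requirements and confirms the internal A record points at the ADFS server. The names are the post's sample names (adfs.domain.com, domain.local, fs.domain.local); change them to match your environment.

```powershell
# Added example (not from the original post): validate the ADFS service certificate
# and the internal DNS record before installing the farm.
$FederationServiceName = 'adfs.domain.com'   # sample service name from the post
$UpnSuffix             = 'domain.local'      # sample UPN suffix from the post
$AdfsHost              = 'fs.domain.local'   # sample internal ADFS server name from the post

# Names the SAN extension must carry, per the requirements list
$required = @(
    $FederationServiceName,
    "enterpriseregistration.$UpnSuffix",
    "certauth.$FederationServiceName"
)

$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$FederationServiceName*" }

if (-not $certs) {
    Write-Warning "No certificate with subject CN=$FederationServiceName in LocalMachine\My"
}

foreach ($cert in $certs) {
    Write-Host "Checking $($cert.Thumbprint) ($($cert.Subject)), expires $($cert.NotAfter)"

    # OID 2.5.29.17 is Subject Alternative Name; Format($false) returns
    # 'DNS Name=adfs.domain.com, DNS Name=certauth.adfs.domain.com, ...'
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) {
        $sans = ($sanExt.Format($false) -split ',\s*') |
            ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
    }

    foreach ($name in $required) {
        if ($sans -contains $name) { Write-Host "  OK      SAN contains $name" }
        else                       { Write-Warning "  MISSING SAN entry: $name" }
    }

    # A wildcard name does not satisfy the requirement ('[*]' matches a literal asterisk)
    if (($cert.Subject -like '*[*]*') -or ($sans -like '*[*]*')) {
        Write-Warning '  Wildcard name found; ADFS needs the explicit service name'
    }

    # Private key must be present and exportable so the WAP can get a copy
    if (-not $cert.HasPrivateKey) {
        Write-Warning '  No private key bound to this certificate'
    } elseif ($cert.PrivateKey) {
        # Legacy CSP keys expose this flag; CNG keys leave PrivateKey as $null
        if ($cert.PrivateKey.CspKeyContainerInfo.Exportable) {
            Write-Host '  OK      private key is exportable'
        } else {
            Write-Warning '  Private key is NOT exportable; re-enroll with an exportable key'
        }
    } else {
        Write-Host '  CNG private key; confirm exportability in certlm.msc'
    }
}

# Internal DNS: the service name must resolve to the ADFS server itself
$serviceIPs = (Resolve-DnsName $FederationServiceName -Type A -ErrorAction SilentlyContinue).IPAddress
$adfsIPs    = (Resolve-DnsName $AdfsHost -Type A -ErrorAction SilentlyContinue).IPAddress
if ($serviceIPs -and $adfsIPs -and ($serviceIPs | Where-Object { $adfsIPs -contains $_ })) {
    Write-Host "OK      $FederationServiceName resolves to $AdfsHost ($($serviceIPs -join ', '))"
} else {
    Write-Warning "$FederationServiceName does not resolve to $AdfsHost (got: $($serviceIPs -join ', '))"
}
```

Run it on the ADFS server after enrolling the certificate; every line that starts with WARNING is something the ADFS configuration wizard will either reject or accept silently and break on later (the certauth name, for instance, only matters once certificate authentication is used).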


steps:

  1. create A-record for adfs.domain.com pointing to fs.domain.local
  2. (login on ADFS Server as adfs-svc), add (install) Active Directory Federation Services role
  3. Configure role
    1. choose “create the first…”
    2. provide domain admin account credentials
    3. choose SSL certificate (adfs.domain.com) and service name (same name),
      provide FS display name
    4. specify a domain user account (use an existing adfs-svc) and password
    5. create database (or use existing sql)
  4. Check configuration 
    1. go to “https://localhost/adfs/ls/idpinitiatedsignon.htm” (ignore certificate error, and do not login)
    2.  
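The same farm installation can be done unattended, which is also the easiest way to record what was configured. The script below is an added example (not the post's own steps, which use the wizard) covering steps 1 to 4 with the PowerShell cmdlets of the ADFS role; run it on the ADFS server with an account that is domain admin and Enterprise Admin. The service name, server name and service account are the post's sample values; the display name is an assumption.

```powershell
# Added example (not from the original post): unattended equivalent of the
# "Configure role" steps on the ADFS server (fs.domain.local).
$FederationServiceName = 'adfs.domain.com'            # sample service name from the post
$DisplayName           = 'Domain Federation Service'  # assumption: any display name you like
$ServiceAccount        = 'domain\adfs-svc'            # sample service account from the post

# Step 1: the internal A record must already point at this server
Resolve-DnsName $FederationServiceName -Type A | Select-Object Name, IPAddress

# Step 2: install the role (management tools include the ADFS PowerShell module)
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# Step 3.3: select the service certificate by subject; newest one wins if several exist
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$FederationServiceName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $FederationServiceName with a private key in LocalMachine\My" }

# Step 3.2 / 3.4: credentials for the installation and for the service account
$adminCred = Get-Credential -Message 'Domain admin account used to create the farm'
$svcCred   = Get-Credential -UserName $ServiceAccount -Message 'Password of the ADFS service account'

# Dry run: same parameters, no changes; fails early on SPN, certificate or permission problems
Test-AdfsFarmInstallation -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $FederationServiceName `
    -FederationServiceDisplayName $DisplayName `
    -ServiceAccountCredential $svcCred `
    -Credential $adminCred

# Step 3.1 / 3.5: create the first server in a new farm; with no SQL parameters the
# farm uses the Windows Internal Database (the wizard's "create database" choice)
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $FederationServiceName `
    -FederationServiceDisplayName $DisplayName `
    -ServiceAccountCredential $svcCred `
    -Credential $adminCred

# Step 4: check what was configured and that the service is running
Get-AdfsProperties | Select-Object HostName, Identifier, DisplayName
Get-Service adfssrv | Select-Object Name, Status

# Browser check from step 4.1 (on the server itself):
#   https://localhost/adfs/ls/idpinitiatedsignon.htm
```

Test-AdfsFarmInstallation takes exactly the parameters of Install-AdfsFarm, so keeping the two calls identical means the dry run actually tests what you are about to install. Install-AdfsFarm registers the HOST/adfs.domain.com SPN on the service account for you, which is why the account running it needs domain admin rights.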


WAP


  1. Add role “Remote Access”, features by default, choose role services “Web Application Proxy”, add features.
  2. import certificate
  3. Configure role: enter FS name (adfs.domain.com), provide credentials (domain\adfs-svc)
  4. Create A-record on external DNS for FS name (adfs.domain.com) pointing to WAP external IP
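Steps 1 to 3 on the WAP server, again as an added PowerShell example rather than the post's wizard clicks. It imports the PFX exported from the ADFS server, checks that the WAP resolves the federation service name to the internal ADFS server (a WAP that resolves adfs.domain.com to its own external address proxies to itself), and then configures the proxy. The PFX path is an assumption; the service name and the domain\adfs-svc account are the post's sample values.

```powershell
# Added example (not from the original post): configure the Web Application Proxy
# on wap.domain.local from PowerShell.
$FederationServiceName = 'adfs.domain.com'                 # sample service name from the post
$PfxPath               = 'C:\certs\adfs.domain.com.pfx'    # assumption: where the exported PFX was copied
$TrustAccount          = 'domain\adfs-svc'                 # sample account from the post (local admin on the ADFS server)

# Step 1: role with default features plus management tools (WebApplicationProxy module)
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# Step 2: import the certificate exported from the ADFS server (password prompted, not stored)
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Password $pfxPassword
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key; re-export from the ADFS server' }

# Name resolution check: from the WAP, the service name must reach the internal ADFS
# server (fs.domain.local), e.g. via internal DNS or a hosts entry, never the WAP itself
$resolved = (Resolve-DnsName $FederationServiceName -Type A -ErrorAction SilentlyContinue).IPAddress
$localIPs = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
if (-not $resolved) {
    throw "$FederationServiceName does not resolve on this server"
} elseif ($resolved | Where-Object { $localIPs -contains $_ }) {
    throw "$FederationServiceName resolves to this WAP's own address; point it at the ADFS server"
}

# Step 3: establish the trust with the federation service
$trustCred = Get-Credential -UserName $TrustAccount -Message 'Account with local admin rights on the ADFS server'
Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
    -FederationServiceTrustCredential $trustCred `
    -CertificateThumbprint $cert.Thumbprint

# Verify the proxy configuration and health
Get-WebApplicationProxyConfiguration
Get-WebApplicationProxyHealth

# Step 4 is done on the external DNS (A record for adfs.domain.com -> WAP public IP).
# Once it propagates, the federation metadata should be reachable from the internet:
#   https://adfs.domain.com/federationmetadata/2007-06/federationmetadata.xml
```

After step 4, test from outside the network, not from the WAP: the sign-on page at https://adfs.domain.com/adfs/ls/idpinitiatedsignon.htm should load through the proxy with the same certificate the ADFS server presents internally.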

==================

Based on

