ADFS SSO

Hello,

I'm implementing an Exchange 2013 Hybrid Deployment with SSO for Office 365. From what I have read, I have to set up (at least) one new ADFS server and an ADFS proxy server in order to have SSO for my users.

So, do I have to buy 2 SSL certificates for my two ADFS servers, or use one wildcard for these two servers? Am I right? Are there any special requirements to notice?

If my users connect only from the company network, can I use a self-signed certificate for my ADFS server, or is this not supported?

July 14th, 2015 3:00am

Hi John,

Have you checked out the Exchange Server Deployment Assistant:
https://technet.microsoft.com/en-us/office/dn756393.aspx?f=255&MSPPError=-2147217396


When you set up single sign-on, it enables users to access both the on-premises and Office 365 organizations with a single user name and password. To use single sign-on, you'll need to make sure the AD FS servers meet specific requirements.

Learn more at: Prepare for single sign-on
https://msdn.microsoft.com/en-us/library/azure/jj151786.aspx

If you plan to use AD FS, you will need to do one of the following:

Download, install and deploy AD FS 2.0 on a Windows Server 2008 or Windows Server 2008 R2 server. Also, if users will be connecting from outside your company's network, you must deploy an AD FS 2.0 proxy.

Install the AD FS role service on a Windows Server 2012 or Windows Server 2012 R2 server.

Checklist: Use AD FS to implement and manage single sign-on

https://msdn.microsoft.com/en-us/library/azure/jj205462.aspx

Certificates Requirements:

https://msdn.microsoft.com/en-us/library/azure/dn151311.aspx#BKMK_2

The same certificate should be used on each federation server in a farm and the Proxy. You must have both the certificate and its private key available.

The DNS name of the Federation Service must be used in the Subject name of the Secure Sockets Layer (SSL) certificate. So you can't use a wildcard. For ADFS to work with O365 it needs to be trusted, hence self-signed won't do either.

"Because this certificate must be trusted by clients of AD FS and Microsoft cloud services, use an SSL certificate that is issued by a public (third-party) CA or by a CA that is subordinate to a publicly trusted root; for example, VeriSign or Thawte."

However, you can use the self-signed token-signing certificate generated by AD FS. This is an additional certificate required apart from the others.

July 14th, 2015 6:08am

Thank you for your answer.

So, to confirm this before buying any SSL certificate, here's my scenario based on Deployment Assistant.

Active Directory forest root: contoso.com

Internal Exchange 2013 server host name: mail.contoso.com

External Exchange 2013 server FQDN: mail.contoso-inc.com

Primary SMTP namespace:  *

User principal name domain: contoso.com

Microsoft Online ID domain: company.com

Internal Active Directory Federation Services (AD FS) server hostname (only for organizations choosing to deploy single sign-on): adfs.contoso.com

External AD FS server FQDN (only for organizations choosing to deploy single sign-on): adfsproxy.company.com

On-premises Autodiscover FQDN: mail.contoso.com

Service tenant FQDN (You can only choose the subdomain portion of this FQDN. The domain portion must be "onmicrosoft.com".): contoso.com.onmicrosoft.com

Notice that my local AD domain name contoso.com is not internet routable; it's used locally only. My domain name that's internet routable is company.com.

So, as I cannot use any wildcard cert, what and how many SSL certs do I need to buy from DigiCert for both ADFS and ADFS Proxy? What details should I pass to DigiCert for purchase?

July 15th, 2015 3:11am

Hi John,

Thank you for your question.

Because there are many services which use the certificate, we suggest you buy a SAN certificate for your deployment. A SAN certificate could include all the namespaces you have referred to. For more details you could contact the certificate supplier.

If there are any questions regarding this issue, please feel free to let me know.

Best Regards,

Jim

July 15th, 2015 4:47am
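Putting the two replies together (Federation Service DNS name in the Subject, no wildcard, publicly trusted rather than self-signed, the same certificate on every farm node and the proxy, a SAN covering the external name, and the AD FS self-signed token-signing certificate being acceptable), here is an added PowerShell audit that is not from this thread or from Microsoft. It assumes an AD FS 2012 R2 federation server with the ADFS module installed, and takes the external name adfsproxy.company.com from John's scenario.

```powershell
# Added example: audit the AD FS certificates against the requirements quoted above.
# Run on an AD FS 2012 R2 federation server; the ADFS module ships with the role.
# Assumption: the external proxy FQDN below comes from John's scenario; adjust as needed.
Import-Module ADFS

$fsName    = (Get-AdfsProperties).HostName           # Federation Service DNS name
$external  = 'adfsproxy.company.com'                 # external FQDN from the scenario
$mustCover = @($fsName, $external)

# Primary service-communications (SSL) and token-signing certificates
$ssl     = (Get-AdfsCertificate -CertificateType Service-Communications |
            Where-Object { $_.IsPrimary }).Certificate
$signing = (Get-AdfsCertificate -CertificateType Token-Signing |
            Where-Object { $_.IsPrimary }).Certificate

# Names the SSL certificate covers: the Subject CN plus every dNSName SAN entry
$cn = [string](($ssl.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } |
                Select-Object -First 1) -replace '^CN=', '')
$covered = @($cn) + @($ssl.DnsNameList | ForEach-Object { $_.Unicode }) |
           Sort-Object -Unique

$findings = @()
if ($cn -ne $fsName) {
    $findings += "Subject CN '$cn' is not the Federation Service name '$fsName'"
}
foreach ($name in $mustCover) {
    if ($covered -notcontains $name) { $findings += "SSL certificate does not cover $name" }
}
if ($covered | Where-Object { $_ -match '^\*' }) {
    $findings += 'SSL certificate contains a wildcard name'
}
if ($ssl.Subject -eq $ssl.Issuer) {
    $findings += 'SSL certificate is self-signed; clients and O365 will not trust it'
}
if ($ssl.NotAfter -lt (Get-Date).AddDays(30)) {
    $findings += "SSL certificate expires on $($ssl.NotAfter)"
}

# The token-signing certificate may be the self-signed one AD FS generated
$signingSelfSigned = ($signing.Subject -eq $signing.Issuer)

"Federation Service name  : $fsName"
"SSL cert thumbprint      : $($ssl.Thumbprint)  (must match on every farm node and the proxy)"
"SSL cert covers          : $($covered -join ', ')"
"Token-signing self-signed: $signingSelfSigned (acceptable)"
if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'No findings' }
```

Run the same script on the proxy (or compare its certificate thumbprint by hand) to confirm the farm and proxy present the identical certificate.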

Hi,

DigiCert will not allow you to use a .local domain name. You might think of using a DNS suffix for the server to get a new domain name (you need to look up on this, I'm not sure if it works).

As per what I read you would need 3 certs covering all domain names.

Two 3rd party, one self-signed token.

July 15th, 2015 8:50am
