This post continues the experiment; the earlier steps are in the first article: http://gshao.blog.51cto.com/3512873/1788027
------------------------------------------------------------
The overall plan is:
1. Add a UPN suffix and set it on the users (needed only when the internal AD domain name differs from the public domain name; if they already match, skip this step)
2. Request a certificate from a public CA
3. Install the AD FS role
4. Create a forward lookup zone on the internal DNS server
5. Add an external DNS record and publish port 443
6. Add the custom domain in Office 365 and configure the related external DNS records
7. Convert the custom domain to a federated domain
8. Activate directory synchronization in Office 365 and install AAD Sync
9. Configure directory synchronization and AD FS
10. Verify user sign-in
------------------------------------------------------------
Installing the AD FS Service
1. In the Add Roles and Features Wizard, click Next.
2. On Select installation type, keep Role-based or feature-based installation and click Next.
3. On Select destination server, select the target server and click Next.
4. On Select server roles, tick Active Directory Federation Services and click Next.
5. On Select features, click Next.
6. On the Active Directory Federation Services (AD FS) page, click Next.
7. On Confirm installation selections, click Install.
8. On Installation progress, click Configure the federation service on this server.
9. On the Welcome page, select Create the first federation server in a federation server farm and click Next.
10. On Connect to Active Directory Domain Services, specify an account with domain administrator rights and click Next.
11. On Specify Service Properties, select the certificate obtained from the public CA, enter a Federation Service Display Name, and click Next.
12. On Specify Service Account, a warning appears: the wizard cannot create a Group Managed Service Account (gMSA) because no KDS root key exists in the domain yet.
13. In an elevated PowerShell session on a domain controller (as a domain administrator), run:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
Backdating the key by 10 hours skips the replication wait and is a shortcut for a lab with a single domain controller. In production, run Add-KdsRootKey -EffectiveImmediately and wait about 10 hours for the key to replicate to every DC before creating the gMSA.
14. Back on Specify Service Account, enter the account name and password and click Next.
15. On Specify Configuration Database, select Create a database on this server using Windows Internal Database and click Next.
16. On Review Options, confirm the settings are correct and click Next.
17. On Pre-requisite Checks, click Configure.
18. On Results, click Close.
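The same installation (steps 1 to 18) as one PowerShell script, added here as an editor's example rather than the post's own procedure. It assumes the federation service name adfs.gshcloud.com from the post; the gMSA name, the display name and the certificate subject pattern are placeholders to replace. Unlike the wizard run in the post, it uses a gMSA for the service account, so there is no service password to store or rotate, and it leaves the 10-hour KDS backdating clearly marked as a lab-only shortcut.

```powershell
# Added example, not from the original post. Run elevated on the future AD FS server,
# logged on as a domain administrator. Values marked "assumed" are placeholders.
#Requires -RunAsAdministrator

$FsName             = 'adfs.gshcloud.com'      # federation service FQDN from the post
$DisplayName        = 'GSH Cloud Sign-In'      # assumed display name on the sign-in page
$GmsaName           = 'gmsa-adfs'              # assumed gMSA name
$CertSubjectPattern = "CN=$FsName*"            # assumed; use "CN=*.gshcloud.com*" for a wildcard cert

# Steps 1-8: install the role and its PowerShell module.
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# Step 11: the public-CA certificate must already be in LocalMachine\My with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like $CertSubjectPattern } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matching $CertSubjectPattern in LocalMachine\My" }

# Steps 12-13: KDS root key. The -10h backdate is a single-DC lab shortcut; in production
# use -EffectiveImmediately and wait ~10 hours for replication before creating the gMSA.
Import-Module ActiveDirectory
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Step 14: gMSA for the AD FS service; only this computer may retrieve its password.
$domain  = Get-ADDomain
$gmsaDns = "$GmsaName.$($domain.DNSRoot)"
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName $gmsaDns `
        -PrincipalsAllowedToRetrieveManagedPassword "$env:COMPUTERNAME$"
}

# Steps 9-10 and 15-17: first node of a new farm. Omitting -SQLConnectionString
# selects the Windows Internal Database, as in the post.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $FsName `
    -FederationServiceDisplayName $DisplayName `
    -GroupServiceAccountIdentifier "$($domain.NetBIOSName)\$GmsaName`$" `
    -Credential (Get-Credential -Message 'Domain administrator account (step 10)')

# Step 18: confirm the service name, the SSL binding and the token-signing certificate.
Get-AdfsProperties      | Select-Object HostName, Identifier, DisplayName
Get-AdfsSslCertificate  | Select-Object HostName, CertificateHash
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object Thumbprint, IsPrimary, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
```

The last three commands are the checks worth keeping after any AD FS build: the SSL certificate hash must be the public-CA certificate, and the token-signing certificate is the one Office 365 will trust once the domain is federated, so its expiry date goes on the calendar.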
Creating the forward lookup zone on the internal DNS server
19. In DNS Manager, right-click Forward Lookup Zones and select New Zone.
20. In the New Zone Wizard, click Next.
21. On Zone Type, select Primary zone (keep Store the zone in Active Directory) and click Next.
22. On Active Directory Zone Replication Scope, select To all DNS servers running on domain controllers in this domain: gshinternel.com and click Next.
23. On Zone Name, enter adfs.gshcloud.com (the external FQDN of the AD FS service) and click Next. Creating a zone for just this FQDN means internal clients resolve only the federation service name locally, without taking over the whole gshcloud.com namespace.
24. On Dynamic Update, keep the default and click Next.
25. On Completing the New Zone Wizard, click Finish.
26. In the new zone, right-click and select New Host (A or AAAA).
27. In New Host, leave Name blank (this creates the zone's apex record, shown as "(same as parent folder)"), enter the internal IP address of the AD FS server, and click Add Host.
28. Confirm that the host record was added successfully.
29. From inside the domain, verify that the AD FS URL is healthy (https://adfsname.domain.com/adfs/ls/IdpInitiatedSignon.aspx, substituting your federation service name).
30. In Internet Options > Security > Local intranet, add the AD FS address so Internet Explorer sends Windows integrated credentials to it.
31. Open the AD FS URL again; sign-in now succeeds.
The IdP-initiated sign-on page is enabled by default on AD FS 3.0 and is a convenient health check, but it is also an anonymous page that reveals the service and accepts credentials; once validation is done it can be turned off with Set-AdfsProperties -EnableIdpInitiatedSignonPage $false.
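Steps 19 to 31 as a script, added as an editor's example and not part of the original post. It runs on a domain controller that hosts DNS; the internal IP 10.0.0.20 is assumed, and the federation service name and domain names are the ones used in the post. Beyond the GUI steps it adds the checks that catch the usual mistakes: the name resolving to the public address instead of the internal one, and the federation metadata endpoint not answering.

```powershell
# Added example, not from the original post. Run on a DC with the DNS role, as a
# domain administrator. The internal IP is assumed.
$FsName     = 'adfs.gshcloud.com'
$InternalIp = '10.0.0.20'                 # assumed internal address of the AD FS server

# Steps 19-25: AD-integrated primary zone named after the federation service FQDN,
# replicated to the DNS servers in this domain. Secure dynamic updates only.
Import-Module DnsServer
if (-not (Get-DnsServerZone -Name $FsName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $FsName -ReplicationScope Domain -DynamicUpdate Secure
}

# Steps 26-28: A record at the zone apex ("@" is the blank Name field in the GUI).
$existing = Get-DnsServerResourceRecord -ZoneName $FsName -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $FsName -Name '@' -IPv4Address $InternalIp
}

# Step 28: internal clients must get the internal address, never the public one.
$answer = Resolve-DnsName -Name $FsName -Type A -DnsOnly
if ($answer.IPAddress -notcontains $InternalIp) {
    throw "$FsName resolves to $($answer.IPAddress -join ','), expected $InternalIp"
}

# Step 29: the federation metadata endpoint answers anonymously and proves the
# service is up; its entityID must equal the federation service identifier.
$metaUrl = "https://$FsName/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (Invoke-WebRequest -Uri $metaUrl -UseBasicParsing).Content
"Entity ID: $($md.EntityDescriptor.entityID)"

# Step 30: add the AD FS host to the Local intranet zone for the current user
# (IE ZoneMap, value 1 = Local intranet) so integrated Windows auth is used.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gshcloud.com\adfs'
New-Item -Path $zoneKey -Force | Out-Null
Set-ItemProperty -Path $zoneKey -Name 'https' -Value 1 -Type DWord

# Step 31: request the IdP-initiated sign-on page with the logged-on credentials.
$signOn = "https://$FsName/adfs/ls/IdpInitiatedSignon.aspx"
$r = Invoke-WebRequest -Uri $signOn -UseDefaultCredentials -UseBasicParsing
"IdpInitiatedSignon: HTTP $($r.StatusCode)"
```

The registry write only affects the user who runs it; for a fleet, the same Local intranet mapping is pushed by the Site to Zone Assignment List group policy setting, which is what lets domain-joined browsers sign in to Office 365 without a password prompt.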
Adding the external DNS record and publishing port 443
32. At the public DNS provider, add an alias (CNAME) record pointing to the cloud server's address (hint: my environment is built in the cloud; for an on-premises deployment, point the record at your public IP address instead).
33. Confirm that the name resolves correctly from the Internet.
34. Add an endpoint on the adfs0604 server (hint: for an on-premises deployment, create the port mapping on the firewall instead).
35. Add port 443.
36. Confirm that the endpoint was added and that port 443 can be reached with telnet from an external network.
Note that this publishes the federation server itself directly to the Internet. Microsoft's reference design places a Web Application Proxy (WAP) in the perimeter network in front of AD FS; besides keeping the federation server off the edge, AD FS 3.0's extranet lockout only counts failed sign-ins that arrive through a WAP, so with a direct 443 mapping an Internet password-spray attack is throttled only by the domain's own account lockout policy.
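A check for steps 32 to 36 that goes further than a telnet to port 443, added as an editor's example that is not part of the original post. It is meant to be run from a machine outside the network; the public resolver 8.8.8.8 is assumed, and the federation service name is the one from the post. It resolves the name through the public resolver (so the internal split zone cannot mask a wrong public record), confirms TCP 443, completes a TLS handshake with certificate validation, and reads the federation metadata over the public path.

```powershell
# Added example, not from the original post. Run from outside the network.
$FsName   = 'adfs.gshcloud.com'
$Resolver = '8.8.8.8'                       # assumed public resolver

function Test-AdfsPublished {
    param([string]$Name, [string]$Dns)

    # Step 33: the public CNAME/A chain must end at the public address, not the
    # internal IP that the split zone hands out inside the domain.
    $pub = Resolve-DnsName -Name $Name -Server $Dns -DnsOnly -ErrorAction Stop
    $ip  = ($pub | Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
    if (-not $ip) { throw "$Name has no public A record via $Dns" }

    # Step 36: TCP 443 reachable (the post uses telnet for this).
    $tcp = Test-NetConnection -ComputerName $Name -Port 443 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) { throw "TCP 443 to $Name ($ip) is closed" }

    # TLS handshake with SNI and full chain/name validation; AuthenticateAsClient
    # throws if the certificate does not match the name or the chain is untrusted.
    $client = New-Object System.Net.Sockets.TcpClient($Name, 443)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Name)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Name     = $Name
            PublicIP = $ip
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Protocol = $ssl.SslProtocol
        }
    }
    finally { $client.Close() }
}

$result = Test-AdfsPublished -Name $FsName -Dns $Resolver
$result | Format-List
if ($result.DaysLeft -lt 30) { Write-Warning "Certificate for $FsName expires in $($result.DaysLeft) days" }

# Anonymous metadata fetch over the public path: the endpoint relying parties use
# to pick up the token-signing certificate must be reachable from the Internet.
$md = Invoke-WebRequest -Uri "https://$FsName/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
"Metadata: HTTP $($md.StatusCode), $($md.Content.Length) bytes"
```

If the handshake fails with a chain error while the internal check in the previous section passed, the usual cause is a missing intermediate CA certificate on the AD FS server; external clients do not have the internal CA store to fall back on.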
This article is from the "Gs_hao" blog; reprinting is not permitted.
Office 365 AD FS 3.0 SSO implementation (II)