To continue our experiment, the previous steps can be found in the earlier articles:
First article: http://gshao.blog.51cto.com/3512873/1788027
Article Two: http://gshao.blog.51cto.com/3512873/1788038
Article Three: http://gshao.blog.51cto.com/3512873/1788048
------------------------------------------------------------------------------------
The overall steps are roughly as follows:
1. Add a UPN suffix and configure the users' UPN suffix (this depends on whether your internal domain name matches your public domain name; if it already does, this step can be skipped)
2. Apply for a certificate (from a public CA)
3. Install the AD FS service
4. Create a new forward lookup zone on the internal DNS server for name resolution
5. Add an external DNS record and publish port 443 through the firewall/NAT
6. Add a custom domain name in Office 365 and configure the related external DNS records
7. Convert the custom domain name to a federated domain
8. Activate directory synchronization (Dir-sync) in Office 365 and install AAD Connect
9. Configure directory synchronization and AD FS
10. Verify the users' login status
------------------------------------------------------------------------------------
Configure directory synchronization and AD FS
1. At User sign-in, select federated authentication with AD FS and click Next;
2. When connecting to Azure AD, enter your account and password and click Next;
3. When connecting to the directory, enter the account and password and click Next;
4. Click Next;
5. Select the OUs you want to sync and click Next;
6. At Uniquely identifying your users, click Next. (This chooses an immutable identifier for each user, a concept similar to a SID: an identity that must never change.)
7. Click Next. (This page mainly matters for the MDM/Sway/Intune services configured later.)
8. At Optional features, click Next;
9. In the AD FS farm page, browse to the AD FS server and click Next.
(Friendly tip: this step does not actually have to be done in AAD Connect; you can instead run Set-MsolADFSContext -Computer <ADFSServerFQDN> in the Azure AD PowerShell module.)
10. Enter the domain administrator credentials and click Next. (In fact, at this step you can see that AAD Connect installs the AD FS service on the remote computer.)
11. At the AD FS service account page, click Next;
12. At the Azure AD domain page, click Next;
13. Click Next;
14. If this error occurs, check that directory synchronization (Dir-sync) is activated in Office 365;
15. After resolving step 14, this error appears because WinRM remote management is not enabled;
16. The installation is complete; click Verify. (The error below is a name resolution problem.)
Verifying the user's login status
17. In the Office 365 admin interface, you can see the on-premises directory user accounts synced to Office 365;
18. Assign licenses to the synced on-premises users;
19. Log on to a domain-joined computer with a domain user and open Exchange Online (outlook.office.com);
20. Enter the email address with the external domain name suffix; the browser is automatically redirected to AD FS for authentication;
21. You can see the successful redirect to the AD FS server for authentication; enter the account and password and tick Remember my credentials;
22. The Exchange Online OWA interface is now accessed normally;
23. Log in with the Skype for Business client;
24. Skype for Business Online also logs in normally.
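The following PowerShell script is an added example (not from the original article) that checks, from the AAD Connect server, the conditions behind the errors in steps 14 to 16 and the federation and user state verified in steps 17 and 18. It assumes the MSOnline module is installed and uses placeholder names: contoso.com for the federated custom domain, adfs.contoso.local for the AD FS server and sts.contoso.com for its public federation service name.

```powershell
# Added post-setup checks for the AAD Connect + AD FS federation built above.
# Placeholder names below are assumptions; replace them with your own values.
param(
    [string]$FederatedDomain   = 'contoso.com',
    [string]$AdfsServerFqdn    = 'adfs.contoso.local',
    [string]$FederationService = 'sts.contoso.com',
    [string]$TestUpn           = 'user1@contoso.com'
)

Import-Module MSOnline
Connect-MsolService   # prompts for the Office 365 global administrator account

# Step 14 error: the wizard fails if directory synchronization is not activated
$company = Get-MsolCompanyInformation
if (-not $company.DirectorySynchronizationEnabled) {
    Write-Warning 'Directory synchronization is NOT activated in Office 365 (step 14).'
}

# Step 15 error: AAD Connect configures the AD FS server over WinRM, so it must answer
try   { Test-WSMan -ComputerName $AdfsServerFqdn -ErrorAction Stop | Out-Null
        Write-Host "WinRM reachable on $AdfsServerFqdn" }
catch { Write-Warning "WinRM not reachable on $AdfsServerFqdn (step 15): $_" }

# Step 16 error: the federation service name must resolve in DNS
$dns = Resolve-DnsName -Name $FederationService -Type A -ErrorAction SilentlyContinue
if (-not $dns) { Write-Warning "$FederationService does not resolve (step 16)" }
else { Write-Host "$FederationService -> $($dns.IPAddress -join ', ')" }

# Federation metadata is served over HTTPS on port 443; fetching it also exercises the certificate
$metaUrl = "https://$FederationService/FederationMetadata/2007-06/FederationMetadata.xml"
try   { $r = Invoke-WebRequest -Uri $metaUrl -UseBasicParsing -ErrorAction Stop
        Write-Host "Federation metadata OK (HTTP $($r.StatusCode))" }
catch { Write-Warning "Federation metadata not reachable at $metaUrl : $_" }

# Outline step 7: the custom domain should now be Federated rather than Managed
$domain = Get-MsolDomain -DomainName $FederatedDomain
Write-Host "$($domain.Name) authentication: $($domain.Authentication)"
if ($domain.Authentication -eq 'Federated') {
    # Compare the trust settings stored in AD FS with those stored in Azure AD
    Set-MsolADFSContext -Computer $AdfsServerFqdn
    Get-MsolFederationProperty -DomainName $FederatedDomain |
        Select-Object Source, FederationServiceDisplayName, FederationServiceIdentifier,
                      PassiveLogOnUri, TokenSigningCertificate
}

# Steps 17-18: the test user must have synced and hold a license before federated logon works
$user = Get-MsolUser -UserPrincipalName $TestUpn
$user | Select-Object UserPrincipalName, LastDirSyncTime, IsLicensed, ImmutableId
```

A mismatch between the two rows returned by Get-MsolFederationProperty (for example a different token-signing certificate) is the usual reason a redirect to AD FS succeeds but the sign-in is still rejected by Office 365.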
Closing words:
This lab environment is a simplified build. It actually lacks a TMG or WAP server acting as a reverse proxy (for engineers familiar with TMG reverse proxies this step is not complicated), and when requesting the certificate we pre-configured it so that the private key can be exported. If a large environment needs multiple AD FS servers, configure NLB to build an AD FS server farm. If anything in these articles is missing or wrong, please leave me a message; criticism and support from the experts are welcome.
This article is from the "Gs_hao" blog; reprinting is not permitted.
Office 365 AD FS 3.0 SSO implementation (IV)