Mod 3: DirSync, Single Sign-On & ADFS
Chris Oakman | Managing Partner Infrastructure Team | Eastridge Technology
Stephen Hall | CEO & SMB Technologist | District Computers
Version 2.0 for Office 365

Upload: natane

Post on 13-Feb-2016


DESCRIPTION

Mod 3: DirSync, Single Sign-On & ADFS (PowerPoint PPT presentation, Version 2.0 for Office 365, from the Office 365 Jump Start schedule).

TRANSCRIPT

Page 1: Mod 3: DirSync, Single Sign-On & ADFS

Mod 3: DirSync, Single Sign-On & ADFS
Chris Oakman | Managing Partner Infrastructure Team | Eastridge Technology
Stephen Hall | CEO & SMB Technologist | District Computers

Version 2.0 for Office 365

Page 2

Jump Start Schedule – Target Agenda

Day 1: Administering Office 365 | Day 2: Administering Office 365
Office 365 Overview & Infrastructure | Administering Lync Online
Office 365 User Management | Administering SharePoint Online
Office 365 DirSync, Single Sign-On & ADFS | Exchange Online Basic Management
MEAL BREAK | MEAL BREAK
Exchange Online Deployment & Migration | Exchange Security & Protection
Exchange Online Archiving & Compliance |

Page 3

Module 3: DirSync, Single Sign-On & ADFS

• Reviewing Identities
• Understanding DirSync
• DirSync Requirements
• Understanding Single Sign-On & ADFS
• Windows Azure & ADFS

For Midsize Businesses and Enterprises

Page 4

What is identity management?

Identity management deals with identifying individuals in a system and controlling access to the resources in that system.

Integral components of identity and access management:

• Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.
• Authorization: determining which actions an authenticated entity is authorized to perform on the network.

Page 5

Core identity scenarios with Office 365

• Cloud Identity: single identity in the cloud; suitable for small organizations with no integration to on-premises directories.
• Directory & Password Synchronization*: single identity; suitable for medium and large organizations without federation.
• Federated Identity: single federated identity and credentials; suitable for medium and large organizations.

* Password Synchronization may not be available at GA; the target is to update the service by 1H CY2013.

Page 6

Cloud identity

• Rich experience with Office Apps
• Ease of deployment, management and support
• Lower cost, as no additional servers are required on-premises
• High availability and reliability, as all identities and services are managed in the cloud

(Diagram: a user with a cloud identity, e.g. [email protected], held in Windows Azure Active Directory.)

Page 7

Directory & Password Synchronization*

• Rich experience with Office Apps
• Directory synchronization between on-premises and online
• Identities are created and managed on-premises and synchronized to the cloud
• Single identity and credentials, but no single sign-on across on-premises and Office 365 services
• Password synchronization enables single sign-on at lower cost than federation
• Reuse the existing directory implementation on-premises

(Diagram: an on-premises identity, e.g. Domain\Alice, in AD or non-AD (LDAP) flows through Directory Synchronization and Password Synchronization to a cloud identity, e.g. [email protected], in Windows Azure Active Directory.)

* Password Synchronization may not be available at GA; the target is to update the service in 1H CY2013.

Page 8

Federated identity

• Single identity and sign-on for on-premises and Office 365 services
• Identities mastered on-premises with a single point of management
• Directory synchronization to synchronize directory objects into Office 365
• Secure token-based authentication
• Client access control based on IP address with ADFS
• Strong-factor authentication options for additional security with ADFS

(Diagram: an on-premises identity, e.g. Domain\Alice, in AD or non-AD (LDAP) is federated with Windows Azure Active Directory, with Directory Synchronization alongside.)

Page 9

Module 3: DirSync, Single Sign-On & ADFS (agenda repeated as section divider)

Page 10

What is DirSync?

• An application that synchronizes on-premises Active Directory objects with Office 365 users, contacts and groups
• Initially designed as a software-based “appliance”: “set it and forget it”
• Multi-forest support now available
• Now called the Windows Azure Active Directory Sync Tool

Page 11

DirSync | Enables Coexistence

• Provisions objects in Office 365 with the same email addresses as the objects in the on-premises environment
• Provides a unified Global Address List experience between on-premises and Office 365
• Objects hidden from the GAL on-premises are also hidden from the GAL in Office 365
• Enables coexistence for Exchange: works in both simple and hybrid deployment scenarios; enabler for mail routing between on-premises and Office 365 with a shared domain namespace
• Enables coexistence for Microsoft Lync

Page 12

DirSync | Enables Single Sign-On

• Enables “run-state” administration and management of users, groups and contacts
• Synchronizes adds/deletes/modifications of users, groups and contacts from on-premises to Office 365
• Enabler for Single Sign-On
• Not intended as a single-use bulk upload tool

Page 13

Directory Synchronization Options

PowerShell & Graph API
• Suitable for small/medium-size organizations with AD or non-AD
• Performance limitations apply with PowerShell and Graph API provisioning
• PowerShell requires scripting experience
• PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (e.g. self-service provisioning)

DirSync
• Suitable for organizations using Active Directory (AD)
• Provides the best experience to most customers using AD
• Supports Exchange coexistence scenarios
• Coupled with ADFS, provides the best option for federation and synchronization
• Supports Password Synchronization with no additional cost
• Does not require any additional software licenses

Forefront Identity Manager (FIM)
• Suitable for large organizations with certain AD and non-AD scenarios
• Complex multi-forest AD scenarios
• Non-AD synchronization through Microsoft Premier deployment support
• Requires Forefront Identity Manager and additional software licenses

Page 14

Single Forest DirSync

• x64 FIM appliance (set and forget)
• x86 MIIS appliance now unsupported
• If you call into support with it, they will make you upgrade first before helping
• Scoping of object sync within the forest now supported
• AD GUID used as SourceAnchor (link between AD and Office 365 object)
• Password Synchronization for DirSync coming 1H CY2013
• Password Sync Early On-Boarding program underway

Page 15

DirSync Synchronization

• The entire Active Directory forest is scoped for synchronization by default; the ability to modify what gets synced has been added
• What is synchronized? All user objects, all group objects, mail-enabled contact objects
• Synchronization is from on-premises to Office 365 only (unless “write-back” is enabled)
• Synchronization occurs every 3 hours
• Use the “Start-OnlineCoexistenceSync” cmdlet to force a sync

Page 16

DirSync Synchronization | User Objects

• Mail-enabled/mailbox-enabled users are synchronized as mail-enabled users (not mailbox-enabled users): visible in the Office 365 GAL (unless explicitly hidden from the GAL); logon enabled, but not automatically licensed to use services; the target address is synchronized for mail-enabled users
• Regular NT users are synchronized as regular NT users: not automatically provisioned as mail-enabled in Office 365
• Resource mailboxes are synchronized as resource mailboxes
• Synchronized users are not automatically assigned a license

Page 17

DirSync Synchronization | Group and Contact Objects

Group objects
• Mail-enabled groups are synchronized as mail-enabled
• Group memberships are synchronized
• Security groups are synchronized as security groups

Contact objects
• Only mail-enabled contacts are synchronized
• The target address is synchronized to Office 365

Page 18

DirSync Synchronization

• New user, group, and contact objects that are added on-premises are added to Office 365
• Existing user, group, and contact objects that are deleted on-premises are deleted from Office 365
• Existing user objects that are disabled on-premises are disabled in Office 365
• Synchronized attributes of existing user, group, or contact objects that are modified on-premises are modified in Office 365
• Objects are recoverable within 30 days of deletion

Page 19

DirSync Synchronization

• The first synchronization cycle after installation is a full synchronization: a time-consuming process relative to the number of objects synchronized (~5,000 objects per hour)
• Subsequent synchronization cycles are deltas only: much faster
• Not all on-premises attributes are synchronized for each object type, but 100+ attributes are synchronized

Page 20

DirSync Synchronization

• Once implemented, on-premises AD becomes the “source of authority” for synchronized objects: modifications to synchronized objects must occur in the on-premises AD, and synchronized objects cannot be modified or deleted via the portal unless DirSync is disabled for the tenant

Scoping/Filtering
• Customers can exclude objects from synchronizing to Office 365
• Scoping can be done at the following levels:
  • AD domain-based
  • Organizational unit-based
  • User attribute-based

Page 21

DirSync Synchronization

• The value of the on-premises objectGuid AD attribute is assigned to the sourceAnchor attribute during initial object synchronization; this is referred to as a “hard match”
• DirSync knows which Office 365 objects it is the “source of authority” for by examining the sourceAnchor attribute
• DirSync can also match user objects created via the portal with on-premises objects when the primary SMTP address matches; this is referred to as a “soft match”
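An added example (not from the deck) that reproduces the sourceAnchor DirSync derives from objectGuid and reports whether a given cloud user is hard-matched, a soft-match candidate, or anchored to a different AD object. It assumes the ActiveDirectory and MSOnline modules with Connect-MsolService already run; the account name 'alice' is a placeholder.

```powershell
# Added example, not from the deck: compare the on-premises objectGuid with the
# cloud object's ImmutableId (DirSync's sourceAnchor) and classify the match state.
# Assumes the ActiveDirectory and MSOnline modules; Connect-MsolService already done.
Import-Module ActiveDirectory
Import-Module MSOnline

function Get-ExpectedSourceAnchor {
    param([Parameter(Mandatory)][Guid]$ObjectGuid)
    # DirSync writes the objectGuid bytes, Base64-encoded, as the cloud ImmutableId.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Test-DirSyncMatch {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $adUser   = Get-ADUser -Identity $SamAccountName -Properties mail, objectGUID, userPrincipalName
    $expected = Get-ExpectedSourceAnchor -ObjectGuid $adUser.ObjectGUID
    # Look the user up by UPN; the soft-match check itself is on the primary SMTP address.
    $cloud    = Get-MsolUser -UserPrincipalName $adUser.UserPrincipalName -ErrorAction SilentlyContinue

    $state = if (-not $cloud) {
        'no cloud object with this UPN'
    } elseif ($cloud.ImmutableId -eq $expected) {
        'hard match (ImmutableId equals Base64 objectGuid)'
    } elseif ($cloud.ImmutableId) {
        'CONFLICT: cloud ImmutableId is anchored to a different AD object'
    } elseif ($adUser.mail -and ($cloud.ProxyAddresses -contains "SMTP:$($adUser.mail)")) {
        'soft-match candidate (primary SMTP agrees; DirSync will take ownership on first sync)'
    } else {
        'no match on primary SMTP; expect a duplicate/conflicting address sync error'
    }

    [pscustomobject]@{
        SamAccountName      = $SamAccountName
        UserPrincipalName   = $adUser.UserPrincipalName
        ExpectedImmutableId = $expected
        CloudImmutableId    = $cloud.ImmutableId
        State               = $state
    }
}

# Run for one user before enabling DirSync (placeholder account name).
Test-DirSyncMatch -SamAccountName 'alice' | Format-List
```

Run it over `Get-ADUser -Filter *` piped to `Test-DirSyncMatch` to find the CONFLICT cases before the first full sync, since those are the ones the portal cannot repair once the on-premises AD is the source of authority.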

Page 22

DirSync Synchronization

• Synchronization errors are emailed to the Technical Contact for the subscription; recommend using a distribution group as the Technical Contact email address
• Example errors include:
  • Synchronization health status: sent once a day if a synchronization cycle has not registered 24 hours after the last successful synchronization
  • Objects whose attributes contain invalid characters
  • Objects with duplicate/conflicting email addresses
  • Sync quota limit exceeded
• List of attributes that are synchronized: http://support.microsoft.com/default.aspx?scid=kb;en-US;2256198&wa=wsignin1.0

Page 23

Module 3: DirSync, Single Sign-On & ADFS (agenda repeated as section divider)

Page 24

DirSync Prerequisite Remediation

• Run the Microsoft Office 365 Deployment Readiness Tool – http://community.office365.com/en-us/forums/183/p/2285/8155.aspx
• Analyze the on-premises environment: Domains; User Identity and Account Provisioning; Exchange Online; Lync Online; SharePoint Online; Client; Network

Page 25

DirSync Requirements

• DirSync (single forest) must be joined to a domain within the same forest that will be synchronized
• The DirSync server should never be installed on a domain controller
• The DirSync server should be Windows Server 2008 (x64) or better
• By default SQL Server 2008 R2 Express is installed: 10GB database limit (approx. 50,000 objects); a full SQL option is available
• x64 single/multi-forest appliance available (an O365 connector is also available for complex scenarios)

Page 26

DirSync | AD Requirements

• Only routable domains can be used with a DirSync deployment; non-routable domains include .local, .loc or .internal
• If the organization has AD with only an internal namespace, it must: add a routable UPN suffix in Active Directory Domains and Trusts, and configure each user with that routable UserPrincipalName suffix ([email protected] must be changed to [email protected])
• If this is not done, once DirSync runs, users will appear in Office 365 as [email protected] instead of [email protected]

Page 27

Hardware Recommendations

Recommend a system that exceeds the minimum OS requirements.

Number of objects in AD | CPU | Memory | Hard disk size
Fewer than 10,000 | 1.6GHz | 4GB | 70GB
10,000-50,000 | 1.6GHz | 4GB | 70GB
50,000-100,000 | 1.6GHz | 16GB | 100GB
100,000-300,000 | 1.6GHz | 32GB | 300GB
300,000-600,000 | 1.6GHz | 32GB | 450GB
More than 600,000 | 1.6GHz | 32GB | 500GB

Page 28

DirSync | Network Requirements

• Synchronization with Office 365 occurs over SSL
• Internal network communication will use the typical Active Directory related ports
• The DirSync server must be able to contact all DCs in the forest

Service | Protocol | Port
LDAP | TCP/UDP | 389
Kerberos | TCP/UDP | 88
DNS | TCP/UDP | 53
Kerberos Change Password | TCP/UDP | 464
RPC | TCP | 135
RPC randomly allocated high TCP ports | TCP | 1024-65535, 49152-65535*
SMB | TCP | 445
SSL | TCP | 443
SQL | TCP | 1433

* This is the range in Windows Server 2008

Page 29

DirSync | Permission Requirements

• The account used to install DirSync must have:
  • Local machine administrator permissions
  • If using full SQL, rights within SQL to create the DirSync database and to set up the SQL service account with the db_owner role
• The account used to configure DirSync must reside in the local machine MIISAdmins group
  • The account used to install DirSync is automatically added
• Administrator permission in the Office 365 tenant
  • DirSync uses an administrator account in the tenant to provision and update/modify objects

Page 30

DirSync | Permission Requirements

• Enterprise Administrator permission in the on-premises Active Directory
  • The credential is not stored/saved by the configuration wizard
  • Used to create the “MSOL_AD_Sync” domain account in the “CN=Users” container of the root domain of the forest
  • Used to delegate the following permissions on each domain partition in the forest: Replicating Directory Changes; Replicating Directory Changes All; Replication Synchronization

Page 31

Module 3: DirSync, Single Sign-On & ADFS (agenda repeated as section divider)

Page 32

Single Sign-On | Purpose

• Enables users to access both the on-premises and cloud-based organizations with a single user name and password
• Provides users with a familiar sign-on experience
• Allows administrators to easily control account policies for cloud-based organization mailboxes by using on-premises Active Directory management tools

Page 33

Single Sign-On | Benefits

• Policy control
• Access control
• Reduced support calls
• Security

Page 34

Single Sign-On | Server Requirements

• Windows Server 2008 or Windows Server 2008 R2 (2012 not currently supported)
• ADFS 2.0 setup installs: Web Server (IIS), .NET 3.5 SP1, Windows Identity Foundation
• Publicly registered, routable domain name
• SSL certificate(s); wildcard supported*
• Microsoft Online Services Module for Windows PowerShell
• Microsoft Online Sign-In Assistant
• High availability design: dual-site, load balanced
• Choice between Windows Internal Database (WID) and SQL: WID supports a maximum of 5 federation servers; SQL supports SAML replay detection and the artifact store

* Wildcard SSL certificates are supported with ADFS; however, the ADFS GUI fails to add additional ADFS servers to a farm when the ADFS farm name does not match the *.domain.com in the wildcard certificate. When adding further ADFS servers to a farm, use FSConfig.exe from the command line to add them.

Page 35

Single Sign-On | Client Requirements

• Browser: Internet Explorer 8.0 or later, Firefox 10.0, Chrome 17.0 or later, Safari 5.0 or later
• Office client: Microsoft Office 2010/2007 (latest service pack); Microsoft Office for Mac 2011 (latest service pack). Note: support for Microsoft Office 2008 for Mac version 12.2.9 ended 4/9/2013
• Office 365 Desktop Setup (suggested)
• Microsoft Online Sign-In Assistant

Page 36

Single Sign-On | Client Endpoints

• Active Federation (MEX): applies to rich clients supporting ADFS; used by Lync and the Office Subscription client; clients negotiate authentication directly with the on-premises ADFS server
• Basic Authentication (Active Profile): applies to clients authenticating with basic authentication; used by ActiveSync, Outlook 2007/2010, IMAP, POP, SMTP, and Exchange Web Services; clients send “basic authentication” credentials to Exchange Online via SSL, and Exchange Online proxies the request to the on-premises ADFS server on behalf of the client
• Passive Federation (Passive Profile): applies to web browsers and documents opened via SharePoint Online; used by the Microsoft Online Portal, OWA, and SharePoint Portal; web clients (browsers) authenticate directly with the on-premises ADFS server

When working through the firewall considerations, ensure that the MSO datacenter IP ranges have been granted access to port 443 on the ADFS proxy server located in the DMZ.

Page 37

Client access control

• Limit access to Office 365 based on network connectivity (internet versus intranet)
• Block all external access to Office 365 based on the IP address of the external client
• Block all external access to Office 365 except Exchange ActiveSync; all other clients such as Outlook are blocked
• Block all external access to Office 365 except for passive browser-based applications such as Outlook Web Access or SharePoint Online

Use the Client Access Policy Builder! Test ADFS client access rules extensively; ADFS will by default log all denied authorizations and the values it based the denial upon.
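An added example (not the deck's own, and not output of the Client Access Policy Builder) of the issuance authorization rules behind the third and fourth scenarios above: external requests are denied unless they come from the corporate egress range, are Exchange ActiveSync, or hit the passive browser endpoint. It assumes ADFS 2.0 with Update Rollup 2 (which adds the x-ms-* request-context claims), the ADFS 2.0 PowerShell snap-in, and a placeholder egress regex you replace with your own.

```powershell
# Added example, not from the deck: ADFS 2.0 issuance authorization rules for the Office 365
# relying party that block external access except ActiveSync and passive (browser) clients.
# Requires ADFS 2.0 Update Rollup 2 for the x-ms-* request-context claims.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName     = 'Microsoft Office 365 Identity Platform'
$corpEgress = '^203\.0\.113\.\d{1,3}$'   # placeholder (RFC 5737 range): your public egress IPs as a regex
$ns         = 'http://schemas.microsoft.com/2012/01/requestcontext/claims'

$rules = @"
@RuleName = "Permit everyone unless a deny rule fires"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny proxied (external) requests that are neither ActiveSync nor browser"
exists([Type == "$ns/x-ms-proxy"])
 && NOT exists([Type == "$ns/x-ms-forwarded-client-ip", Value =~ "$corpEgress"])
 && NOT exists([Type == "$ns/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT exists([Type == "$ns/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Keep the rule set currently in effect so the change can be rolled back.
$previous = (Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
Set-Content -Path "$env:TEMP\o365-authz-rules.bak" -Value $previous

Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Verify what is now applied, then watch the ADFS Admin log while testing from outside:
# denied authorizations are logged with the claim values the decision was based on.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS 2.0/Admin'; Level = 2, 3 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

Because x-ms-forwarded-client-ip for the active profile is populated from what Exchange Online forwards on the client's behalf, test every client type listed on the previous slide, not only a browser, before relying on the rule.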

Page 38

Deployment Considerations for UPN

• User objects must have a value for UPN in on-premises Active Directory
• The UPN domain suffix must match a verified domain in Office 365
• The default domain (e.g. contoso.onmicrosoft.com) is automatically added as a verified domain and is used if the UPN does not match a verified domain
• Users must switch to using the UPN to log on to Office 365, not domain\username
• The UPN must have valid characters; the Office 365 Deployment Readiness Tool will verify that on-premises objects have valid characters

If the customer does not have a valid and routable UPN suffix, one can be added via Active Directory Domains and Trusts: right-click the top of the tree, click Properties and add the UPN suffix.
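An added example (not from the deck) for the UPN remediation described on this slide and on page 26: it lists users whose UPN suffix is not a verified domain or whose prefix contains characters Office 365 rejects, proposes the routable UPN, and applies only the suffix fixes as a dry run. It assumes the ActiveDirectory module, that the new suffix was already added in Active Directory Domains and Trusts, and placeholder names (contoso.local, contoso.com, OU=Staff).

```powershell
# Added example, not from the deck: find and (dry-run) fix non-routable or invalid UPNs
# before DirSync runs. Placeholders: contoso.local / contoso.com / OU=Staff.
Import-Module ActiveDirectory

$verifiedDomains = @('contoso.com')                    # domains verified in the Office 365 tenant
$newSuffix       = 'contoso.com'                       # routable suffix already registered in Domains and Trusts
$searchBase      = 'OU=Staff,DC=contoso,DC=local'      # mirrors an OU-based DirSync scope

# Prefix characters Office 365 accepts, as documented at the time: letters, digits, . - _ ! # ^ ~
$validPrefix = '^[A-Za-z0-9.\-_!#^~]+$'

function Get-UpnRemediation {
    param([string]$SearchBase, [string[]]$VerifiedDomains, [string]$NewSuffix)
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties userPrincipalName |
      ForEach-Object {
        $upn = $_.UserPrincipalName
        if (-not $upn) {
            $issue = 'missing UPN'; $prefix = $_.SamAccountName
        } else {
            $prefix, $suffix = $upn.Split('@', 2)
            if ($VerifiedDomains -notcontains $suffix) { $issue = "non-routable suffix '$suffix'" }
            elseif ($prefix -notmatch $validPrefix)    { $issue = 'invalid characters in prefix' }
            else                                       { $issue = $null }
        }
        if ($issue) {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                CurrentUpn        = $upn
                ProposedUpn       = "$prefix@$NewSuffix"
                Issue             = $issue
                DistinguishedName = $_.DistinguishedName
            }
        }
      }
}

$plan = Get-UpnRemediation -SearchBase $searchBase -VerifiedDomains $verifiedDomains -NewSuffix $newSuffix
$plan | Format-Table SamAccountName, CurrentUpn, ProposedUpn, Issue -AutoSize

# Invalid-character prefixes need a human decision; only suffix fixes are applied, and -WhatIf
# keeps this a dry run until it is removed.
$plan | Where-Object { $_.Issue -like 'non-routable*' -or $_.Issue -eq 'missing UPN' } | ForEach-Object {
    Set-ADUser -Identity $_.DistinguishedName -UserPrincipalName $_.ProposedUpn -WhatIf
}
```

Users whose UPN changes must sign in with the new value afterwards, so run this before the first full sync rather than after users already appear under the onmicrosoft.com default domain.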

Page 39

Single Sign-On | Requirements

Office 365 Desktop Setup
• Automatically detects necessary updates for a computer
• Installs the Microsoft Online Sign-In Assistant
• Installs operating system and client software updates required for connectivity with Office 365
• Automatically configures Internet Explorer and rich clients for use with Office 365
• Office 365 Desktop Setup is not an authentication or sign-in service and should not be confused with single sign-on

Page 40

Single Sign-On | Requirements

Microsoft Online Sign-In Assistant
• Can be installed automatically by Office 365 Desktop Setup or manually
• Enables authentication support by obtaining a service token from Office 365 and returning it to a rich client (e.g. Lync)
• Not required for web kiosk scenarios (e.g. OWA)
• Required for on-premises computers connecting to Office 365 (e.g. DirSync, Exchange, ADFS, PowerShell)

Page 41

Single Sign-On | ADFS 2.x Components

AD FS 2.x Server
• The default topology for Office 365 is an AD FS 2.x federation server farm that consists of multiple servers hosting your organization’s Federation Service
• Recommend using at least two federation servers in a load-balanced configuration

AD FS 2.x Proxy Server
• Federation server proxies are used to redirect client authentication requests coming from outside your corporate network to the federation server farm
• Federation server proxies should be deployed in the DMZ

Page 42

Single Sign-On | ADFS 2.x Deployment Options

• Single server configuration
• AD FS 2.x server farm and load-balancer
• AD FS 2.x proxy server or UAG/TMG (external users, ActiveSync, down-level clients with Outlook)

Page 43

AD FS 2.0 Deployment Options

1. Single server configuration
2. AD FS 2.0 server farm and load-balancer
3. AD FS 2.0 proxy server or UAG/TMG
   i. (External users, ActiveSync, down-level clients with Outlook)

(Diagram: the enterprise network holds Active Directory, two AD FS 2.0 servers and the internal user; the perimeter holds two AD FS 2.0 server proxies facing the external user.)

Page 44

Deployment Architecture

Number of users | Minimum number of servers
Fewer than 1,000 users | 0 dedicated federation servers; 0 dedicated federation server proxies; 1 dedicated NLB server
1,000 to 15,000 users | 2 dedicated federation servers; 2 dedicated federation server proxies
15,000 to 60,000 users | Between 3 and 5 dedicated federation servers; at least 2 dedicated federation server proxies

AD FS 2.0 Capacity Planning Sizing Spreadsheet: http://www.microsoft.com/en-us/download/details.aspx?id=2278

Page 45

Understanding client authentication path

(Diagram: inside the corporate boundary, Lync 2010/Office Subscription, ActiveSync, Outlook 2010/2007 IMAP/POP and internal OWA clients reach the AD FS 2.0 server over its MEX, Web and Active endpoints; outside it, the same client types and external OWA reach the AD FS 2.0 proxy, which exposes the same MEX, Web and Active endpoints. Username/password flows from the basic-authentication clients to Exchange Online, which relays them to AD FS.)

Basic auth proposal: pass client IP, protocol, device name.

Page 46

Module 3: DirSync, Single Sign-On & ADFS (agenda repeated as section divider)

Page 47

Windows Azure & ADFS

• Virtual Network support – site-to-site VPN
• Computing: 99.95% SLA uptime for a highly available system; 99.9% SLA uptime for a single system
• Storage: 99.9%
• Full control over your virtual machines
• Pay as you go: OPEX vs CAPEX

Page 48

Why Windows Azure for ADFS?

(Diagram: the enterprise, with its own Active Directory, connects over VPN to Windows Azure IaaS hosting two AD FS 2.0 servers and a replica Active Directory.)

Page 49

Windows Azure: Terminology

• Cloud Service: a role that several VMs take upon themselves to execute, e.g. ADFS. Cloud services need two or more instances to qualify for the SLA of 99.95%. One external virtual IP address per cloud service.
• Availability Group

Page 50

Windows Azure: Terminology

• Endpoints: you need to add an endpoint to a machine for other resources on the Internet or on other virtual networks to communicate with it. You can associate specific ports and a protocol with endpoints. Resources can connect to an endpoint using TCP or UDP; TCP includes HTTP and HTTPS communication.
• Virtual Network: enables you to create secure site-to-site connectivity, as well as protected private virtual networks in the cloud.

Page 51

Windows Azure Example

Page 52

ADFS – Windows Azure

(Diagram: the enterprise connects through an IPsec device to the Windows Azure gateway; a cloud service hosts two AD FS 2.0 servers behind a load balancer published through an endpoint, with DirSync alongside.)

Page 53

Additional Resources

• Prepare for directory synchronization: http://technet.microsoft.com/en-us/library/jj151831.aspx
• Directory synchronization roadmap: http://technet.microsoft.com/en-us/library/hh967642.aspx
• Set up your directory sync computer: http://technet.microsoft.com/en-us/library/dn144767.aspx
• Update Rollup 2 for ADFS 2.0: http://support.microsoft.com/kb/2681584
• ADFS 2.0 Step-by-Step and How To Guides: http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(v=ws.10).aspx