
How to deploy Office 365 AD FS SSO

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

1. First log in to Office 365: https://login.partner.microsoftonline.cn/

Add domain: nos.hk.cn

Add the TXT record in the domain name resolution settings:

Skip the step of adding users here.

Add the above record to the domain name resolution:

Of these, the login and owa records are recommended, as they make signing in easier.

Then return to Office 365 to verify:

It shows that the domain has been added successfully!

Next, set up AD synchronization:

Next

Prepare for single sign-on

Environment:

AD DC: Windows Server 2008 R2, DC08.nos.hk.cn

AD FS: Windows Server 2012 R2, FS.nos.hk.cn

Web Application Proxy: Windows Server 2012 R2, WAP (not domain-joined, placed in the DMZ)

2. Prerequisites: https://docs.microsoft.com/zh-cn/azure/active-directory/connect/active-directory-aadconnect-prerequisites

1) Azure AD Connect: https://www.microsoft.com/en-us/download/details.aspx?id=47594

To install AzureADConnect.msi (the Azure AD Connect server) on DC08, you must first install .NET Framework 4.5.1 or later and Microsoft PowerShell 3.0 or later.

Install PowerShell 3.0 / .NET 4.5.1: Azure AD Connect depends on Microsoft PowerShell 3.0 and .NET Framework 4.5.1.

https://www.microsoft.com/zh-cn/download/details.aspx?id=40855

Windows6.1-KB2819745-x64-MultiPkg: https://download.microsoft.com/download/3/D/6/3D61D262-8549-4769-A660-230B67E15B25/Windows6.1-KB2819745-x64-MultiPkg.msu

Microsoft .NET Framework 4.5.1 (Offline Installer): https://download.microsoft.com/download/1/6/7/167F0D79-9317-48AE-AEDB-17120579F8E2/NDP451-KB2858728-x86-x64-AllOS-ENU.exe

2) Enable TLS 1.2 for Azure AD Connect:

If you use Windows Server 2008 R2, make sure that TLS 1.2 is enabled. TLS 1.2 should already be enabled on Windows Server 2012 and later.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
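The same TLS 1.2 registry change as a script that creates the keys and then reads them back, added here as an example and not part of the original article. It assumes an elevated PowerShell session on the 2008 R2 host; the .NET SchUseStrongCrypto part is an addition the article does not mention.

```powershell
# Added example (not from the original article): create the SCHANNEL TLS 1.2
# Client/Server keys on Windows Server 2008 R2 and verify them afterwards.
# Assumes an elevated PowerShell session; SCHANNEL reads the keys at boot,
# so a reboot is still required after running this.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

foreach ($side in 'Client', 'Server') {
    $key = Join-Path $base $side
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null      # creates "TLS 1.2" and the sub-key
    }
    # DisabledByDefault=0 lets SCHANNEL offer TLS 1.2; Enabled=1 switches it on.
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled'           -Value 1 -PropertyType DWord -Force | Out-Null
}

# Not in the article: .NET 4.5.x applications (Azure AD Connect is one) do not
# pick TLS 1.2 just because SCHANNEL allows it; SchUseStrongCrypto makes them.
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $net) {
        New-ItemProperty -Path $net -Name 'SchUseStrongCrypto' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Verification: both sub-keys must report Enabled=1 and DisabledByDefault=0.
foreach ($side in 'Client', 'Server') {
    $p  = Get-ItemProperty -Path (Join-Path $base $side)
    $ok = ($p.Enabled -eq 1) -and ($p.DisabledByDefault -eq 0)
    '{0,-6} Enabled={1} DisabledByDefault={2} -> {3}' -f $side, $p.Enabled, $p.DisabledByDefault,
        $(if ($ok) { 'OK' } else { 'NOT OK' })
}
```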

An error occurred here:

If the target server is joined to the domain, make sure that Windows Remote Management (WinRM) is enabled.

In an elevated PowerShell window, run the command Enable-PSRemoting -Force

If the target server is a WAP computer that is not joined to the domain, some additional requirements need to be met.

On the target computer (the WAP computer):

Ensure that the WinRM (Windows Remote Management / WS-Management) service is running, via the Services snap-in.

In an elevated PowerShell window, run the command Enable-PSRemoting -Force

On the computer on which the wizard is running (if the target computer is not joined to the domain or is not trusted):

In an elevated PowerShell window, run the command:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value <WAP server name> -Force -Concatenate

Run on the AD FS server: Enable-PSRemoting -Force

On the WAP server:

Run: Enable-PSRemoting -Force

Run on DC08:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value WAP -Force -Concatenate
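The DC08-side steps above, as an added example script (not from the original article) that adds the WAP entry without overwriting an existing TrustedHosts list and then checks that WinRM on WAP answers. It assumes the name WAP resolves from DC08 and that Enable-PSRemoting -Force has already been run on WAP.

```powershell
# Added example (not from the original article): prepare the machine running
# the Azure AD Connect wizard (DC08) to reach the non-domain-joined WAP server
# over WinRM. Assumes 'WAP' resolves from this host and PSRemoting is already
# enabled on WAP itself.
$wapHost = 'WAP'

Enable-PSRemoting -Force | Out-Null            # WinRM listener + firewall rule on this host

$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

if ($entries -contains '*') {
    # '*' trusts every host for WinRM; narrow it to the single DMZ server.
    Write-Warning "TrustedHosts was '*'; replacing it with the single entry '$wapHost'."
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $wapHost -Force
} elseif ($entries -notcontains $wapHost) {
    # -Concatenate appends instead of replacing whatever was already trusted.
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $wapHost -Force -Concatenate
}
'TrustedHosts now: ' + (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

# Check the path the wizard will use: name resolution first, then WS-Man.
try {
    $null = [System.Net.Dns]::GetHostAddresses($wapHost)
    Test-WSMan -ComputerName $wapHost -ErrorAction Stop | Out-Null
    "WinRM reachable on $wapHost"
} catch {
    Write-Warning "WinRM check failed for ${wapHost}: $($_.Exception.Message)"
}
```

A TrustedHosts entry tells the WinRM client not to authenticate that server by Kerberos, so keep the list to the one WAP name rather than a wildcard.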

The WAP server could not resolve adfs.nos.hk.cn:

On the DC's DNS server, add two records, adfs and wap:

And add them to the hosts file on the WAP server as well:

Adding the WAP server again now succeeds:

Another error occurred:

Open on the AD FS server: AD FS Management

Add: urn:federation:MicrosoftOnline

Then go back and try again:

Then another error occurred:

Install the Web Application Proxy role manually on the WAP server:

You have to import the certificate first:

Back in the wizard, you can now select the certificate:

Published successfully!

Then return to the Azure AD Connect configuration and click Retry!

Configuration complete; next step:

Configure the public DNS and add an A record:

Configure the firewall port mapping:

Map port 443 of the public IP to the WAP server in the DMZ.

Next, verify that AD FS is working.

To verify that a federation server is operational

Open a browser window and in the address bar, type the federation server name, and then append it with /federationmetadata/2007-06/federationmetadata.xml to browse to the federation service metadata endpoint. For example, https://fs.contoso.com/federationmetadata/2007-06/federationmetadata.xml.

If in your browser window you can see the federation server metadata without any SSL errors or warnings, your federation server is operational.

You can also browse to the AD FS sign-in page (your federation service name appended with adfs/ls/idpinitiatedsignon.htm, for example, https://fs.contoso.com/adfs/ls/idpinitiatedsignon.htm). This displays the AD FS sign-in page where you can sign in with domain administrator credentials.

1. Visit in IE: https://adfs.nos.hk.cn/federationmetadata/2007-06/federationmetadata.xml

2. Visit: https://adfs.nos.hk.cn/adfs/ls/idpinitiatedsignon.htm

This indicates that the ADFS configuration is successful.
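The two browser checks above as a script, added here as an example and not part of the original article: it fetches the federation metadata over HTTPS (which fails on an untrusted or mismatched certificate, the same "no SSL errors" condition), reads the entityID and token-signing certificate out of it, and loads the IdP-initiated sign-on page. It assumes adfs.nos.hk.cn resolves to the WAP/AD FS service from where it runs.

```powershell
# Added example (not from the original article): script the AD FS health checks
# the article does by hand in IE. Assumes adfs.nos.hk.cn resolves to the
# WAP/AD FS service from this machine and PowerShell 3.0 or later.
$fsName      = 'adfs.nos.hk.cn'
$metadataUrl = "https://$fsName/federationmetadata/2007-06/federationmetadata.xml"
$signOnUrl   = "https://$fsName/adfs/ls/idpinitiatedsignon.htm"

# Older .NET defaults to TLS 1.0; force TLS 1.2 for the client side of this check.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Invoke-WebRequest throws on a certificate that does not chain to a trusted
# root or does not match the name, so reaching the next line means "no SSL errors".
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop
[xml]$metadata = $resp.Content
'Federation service entityID: ' + $metadata.EntityDescriptor.entityID

# Token-signing certificate(s): KeyDescriptor use="signing" under IDPSSODescriptor.
$signing = $metadata.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
           Where-Object { $_.use -eq 'signing' }
foreach ($kd in $signing) {
    $raw  = [Convert]::FromBase64String($kd.KeyInfo.X509Data.X509Certificate)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$raw)
    'Token-signing cert {0} expires {1:yyyy-MM-dd}' -f $cert.Thumbprint, $cert.NotAfter
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        # Office 365 trusts the certificate it was given at federation time; a rolled-over
        # certificate must be pushed to it again (Update-MsolFederatedDomain) or sign-in breaks.
        Write-Warning 'Token-signing certificate expires within 30 days; plan the rollover.'
    }
}

# The IdP-initiated sign-on page should load with HTTP 200 over HTTPS.
$page = Invoke-WebRequest -Uri $signOnUrl -UseBasicParsing -ErrorAction Stop
'idpinitiatedsignon.htm -> HTTP ' + $page.StatusCode
```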

Next, configure SSO for domain-joined clients.

Group Policy settings for IE trusted sites:

1. Under Computer Configuration > Administrative Templates > Windows Components > Internet Control Panel, there is a Site to Zone Assignment List:

Ensure that https://adfs.nos.hk.cn is added to the Trusted sites zone:

Make sure that Enable Integrated Windows Authentication is checked under IE Settings > Advanced:

Then open owa.nos.hk.cn in IE and log in to OWA:

It redirects automatically to adfs.nos.hk.cn.

Enter the domain account and password to log in, and select "Remember my credentials":

From then on you are signed in automatically, without having to enter the account password.
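A client-side check for the two IE settings the SSO step depends on, added here as an example and not part of the original article. It reads the Site to Zone Assignment List that Group Policy writes under the Policies\...\ZoneMapKey registry keys (zone 2 = Trusted sites, 1 = Local intranet) and the EnableNegotiate value behind the "Enable Integrated Windows Authentication" checkbox; the host name adfs.nos.hk.cn is the article's.

```powershell
# Added example (not from the original article): run on a domain-joined client
# to confirm that Group Policy delivered the trusted-site mapping for the AD FS
# host and that Integrated Windows Authentication is on in IE.
$site = 'adfs.nos.hk.cn'

# Site to Zone Assignment List entries land here; value 2 = Trusted sites.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)
$zone = $null
foreach ($k in $policyKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    # Entry names are the site strings, e.g. "https://adfs.nos.hk.cn"; values are zone numbers.
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -like ('*' + $site) }).Name) {
        $zone = $props.$name
        "$name -> zone $zone (from $k)"
    }
}
if ($zone -eq 2) {
    "OK: $site is in the Trusted sites zone via policy"
} elseif ($null -eq $zone) {
    Write-Warning "$site has no policy zone mapping; run gpupdate /force or check the GPO scope"
} else {
    Write-Warning "$site is mapped to zone $zone, not Trusted sites (2)"
}

# "Enable Integrated Windows Authentication" (Internet Options > Advanced) is EnableNegotiate=1.
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($ie.EnableNegotiate -eq 1) {
    'OK: Integrated Windows Authentication is enabled'
} else {
    Write-Warning "EnableNegotiate is '$($ie.EnableNegotiate)'; IWA is off, so AD FS will prompt for credentials"
}
```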

Summary: the main points to note when doing SSO with Office 365 and AD FS are as follows:

1. You need a publicly trusted certificate; the free Symantec certificate used in this experiment supports only one domain name (the StartSSL certificate used previously cannot be used).

2. With the latest Azure AD Connect 1.1.524.0 (released 2017-5-17), it is best to install the AD FS and Web Application Proxy servers first.

Otherwise you will hit the two errors seen in this experiment.

3. It is best to synchronize passwords before setting up AD FS.
