Okta AD Integration with Azure AD Domain Services

1. Introduction

This is a experimental article, using a existing Azure Active Directory (AD) and Azure Active Directory (AD) Domain Services deployment and integrating it with a Okta solution.

2. Preparation tasks

3. Assumptions

The following assumptions are made in following this article:

  • Windows 2012 R2 Member server of the  Azure AD Domain Services
  • The member server has internet access
  • Okta free trail without any modifications made

 

4. Installation

4.1 Create Service Account in Azure AD

  1. Log into Azure AD, Go to Users and Click “ADD USER
  2.  In “Type of user“, Choose “New user  in your organization
  3. In “User Name”, Use company Service Account Name convention e.g. okta
  4. okta6
  5. In “First Name“, “Last Name” and “Display Name“, Enter Okta
  6. In “Role”, Choose “User”
  7. Create a temporary password, and document the password for next step.
  8. Go to http://portal.office.com, Login as the new user and set the password.
  9. The default password expiry is set on the account and should be disabled by using Azure AD PowerShell.

4.2 Okta AD Agent Install

Please follow theses steps for integrating Azure AD Domain services with Okta:

  1. Log onto the Domain joined Server that will run the Okta Agent
  2. Go to your okta administrator url e.g. https://<Company>-admin.okta.com/admin/dashboard
  3. On the top navigation bar, go to Security, Authentication
  4. okta1
  5. Click “Configure Active Directory
  6. okta2
  7. Click, “Set Up Active Directory
  8. okta3
  9. Click, “Download Agent
  10. okta4
  11. Once the agent is finished downloading, run the installation.
  12. In the Welcome screen, Click “Next
  13. okta5
  14. Choose the path for the installation and click “Install
  15. In The Domain field, enter company domain and click “Next” e.g. schmarr.com
  16. Choose “Use an alternate account that I specify
  17. Enter username and password and click “Next
  18. At Okta AD agent Proxy Configuration, Click “Next
  19. At Register Okta AD Agent, Choose Production and in “Enter Subdomain” add company name.
  20. Click “Next
  21. Sign in with your Okta Admin Account
  22. Click “Allow Access
  23. Agent Installed, Click “Next”
  24. As an Example choose the following in “Basic Setting
  25. okta7
  26. Click “Next
  27. Click “Next
  28. In “Select the attributes to build your Okta User profile“, Click “Next
  29. Done
  30. okta8

Conclusion

The ability to add SaaS applications in Azure AD and Okta, Azure AD being the Identity store for both.

Advertisements

Integrate SharePoint with Azure AD

1. Introduction

This article will show the quick configuration tasks, that are required to make Azure AD a trusted identity provider for a SharePoint 2013 installation.

2. Assumptions

The following assumptions are made during this article:

3. Preparation

Before starting with the article the following needs to be in place:

  • Azure AD PowerShell tools installed, look here for more details.

4. Configuration

The configuration will be broken into the following sections:

  • Azure AD configuration
  • SharePoint configuration
  • Assigning Users

4.1 Azure AD Configuration

Follow these tasks to document the Azure AD WS-Federation metadata URL for later use:

  1. In the Azure Management Portal (Classic), Click Active Directory.
  2. Click on the Azure AD that will be integrated with SharePoint 2013
  3. Click Applications
  4. On the bottom bar, Click View Endpoints
  5. Document the Federation metadata document url for later use

Follow these tasks to create / configure the namespace in Azure AD :

  1. In the Azure Management Portal (Classic), Click Active Directory.
  2. Click Access Control Namespaces, and create a new namespace and called it “Company”
  3. Click Manage on the bottom bar. This should open https://company.accesscontrol.windows.net/v2/mgmt/web.
  4. Click Identity Providers, Click Add
  5. Click WS-Federation identity provider, click Next.
  6. In Displayname enter, “Company”
  7. In Login link Text enter, “Company”
  8. In WS-Federation metadata, choose URL and enter the URL that was documented in tasks above Example: https://accounts.accesscontrol.windows.net/company.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml
  9. Click Save
  10. Click Relying party applications, then click Add
  11. Enter the following in each field:
    1. Name: “Company SharePoint”
    2. Realm: “urn:sharepoint:company”
    3. Token format: SAML 1.1
    4. Token lifetime (secs) default is 600: Recommended value is 2 hours
  12. Click Save
  13. Click Rule Groups, and then Add
  14. Click Generate
  15. Click Add
  16. Fill in all the fields as illustrated below:
  17. The claim rules in Azure Access Control
  18. Click Save
  19. Delete the existing claim rule named upn
Extract the X.509 certificate from Azure Access Control for later use
  1. In the Access Control Service pane, under Development, click Application integration.
  2. In Endpoint Reference, locate the Federation.xml that is associated with your Azure tenant, and then copy the location in the address bar of a browser.
  3. In the Federation.xml file, locate the RoleDescriptor section, and copy the information from the <X509Certificate> element, as illustrated in the following figure.
  4. X509 Certificate element of Federation.xml file
  5. from the root of drive C:\, create folder named Certs
  6. Save the X509Certificate information using notepad to the folder C:\Certs and name the file ACS.cer
  7. Run the following PowerShell commands:
    1. “Connect-MsolService”
    2. “Import-Module MSOnlineExtended -Force”
    3. $replyUrl = New-MsolServicePrincipalAddresses -Address “https://company.accesscontrol.windows.net&#8221;
    4. “New-MsolServicePrincipal -ServicePrincipalNames @(“https://company.accesscontrol.windows.net&#8221;) -DisplayName “Company ACS Namespace” -Addresses $replyUrl”

4.2 SharePoint 2013 Configuration

Follow these steps to configure Azure AD as the identity provider for SharePoint 2013:

  1. From the Start menu, click All Programs.
  2. Click Microsoft SharePoint 2013 Products.
  3. Click SharePoint 2013 Management Shell
  4. Run the following PowerShell commands:
    1. $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“C:\Certs\ACS.cer”)
    2. New-SPTrustedRootAuthority -Name “Token Signing Cert Parent” -Certificate $root
    3. $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“C:\Certs\ACS.cer”)
    4. New-SPTrustedRootAuthority -Name “Token Signing Cert” -Certificate $cert
    5. $map1 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn&#8221; -IncomingClaimTypeDisplayName “UPN” -SameAsIncoming
    6. $map2 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname&#8221; -IncomingClaimTypeDisplayName “GivenName” -SameAsIncoming
    7. $map3 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname&#8221; -IncomingClaimTypeDisplayName “SurName” -SameAsIncoming
    8. $map4 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.microsoft.com/ws/2008/06/identity/claims/role&#8221; -IncomingClaimTypeDisplayName “Role” -SameAsIncoming
    9. $realm = “urn:sharepoint:company”
    10. $signInURL = “https://company.accesscontrol.windows.net/v2/wsfederation&#8221;
    11. $ap = New-SPTrustedIdentityTokenIssuer -Name “ACS Provider” -Description “SharePoint secured by SAML in ACS” -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2,$map3,$map4 -SignInUrl $signInURL -IdentifierClaim “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn&#8221;
  5. Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.

    In Central Administration, on the home page, click Application Management.

  6. On the Application Management page, in the Web Applications section, click Manage web applications.
  7. Click the appropriate web application.
  8. From the ribbon, click Authentication Providers.
  9. Under Zone, click the name of the zone. For example, Default.
  10. On the Edit Authentication page, in the Claims Authentication Types section, select Trusted Identity provider, and then click the name of your provider, which for purposes of this article is ACS Provider. Click OK.
  11. The following figure illustrates the Trusted Provider setting.
The Trusted Provider setting in a web app

4.3 Assigning Users

Use the following steps to set the permissions to access the web application.

  1. In Central Administration, on the home page, click Application Management.
  2. On the Application Management page, in the Web Applications section, click Manage web applications.
  3. Click the appropriate web application, and then click User Policy.
  4. In Policy for Web Application, click Add Users.
  5. In the Add Users dialog box, click the appropriate zone in Zones, and then click Next.
  6. In the Add Users dialog box, type user2@company.onmicrosoft.com (ACS Provider).
  7. In Permissions, click Full Control.
  8. Click Finish, and then click OK.

Conclusion

Azure AD is the trusted identity provider for SharePoint 2013, and Azure AD users will be able to authenticate and use SharePoint 2013 resources.

External Links

Some good extra reading articles:

 

 

Getting Started with Azure Active Directory Free Edition

 Introduction

Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud based directory and identity management service.

More in-depth detail about Azure AD can be found here.

The article illustrate the registration process and the essential configuration tasks for Azure AD free edition for use of organization internal users. (Future posts will look at other scenarios)

Preparation tasks

The follow preparation tasks will be required:

  1. Have a Microsoft account ready to use for sign-up;
    1. Generate a Microsoft account by going here;
    2. Follow the on-screen wizard and complete sign-up;
  2. A credit Card – This will only be used for verification and not be charged unless you explicitly upgrade to a paid offer;
  3. Optional – External Domain Name e.g. schmarr.com to integrate into Azure AD;
    1. P.S. You’ll need to be able to create TXT records in the external domain.

Installation

Registration

Please follow theses steps in registering your free Azure subscription that will host Azure AD:

  1. Go to the following url: https://azure.microsoft.com/en-us/trial/get-started-active-directory/;
  2. Click on “Create a free Azure Account”;
  3. Click “Start Now”;
  4. Fill in the form and submit;
  5. The subscription will take up to 4 minutes to be created.
  6. Once the process is complete you should see the following screen:

AzureADFree-ScreenShot1

By now a default Azure AD is already created, skip “Create Azure AD” section if default instance shouldn’t be used.

Create Azure AD (Optional)

Follow the these steps to create a new Azure AD:

  1. In the left corner click on the “+ New” icon
  2. Click “Security + Identity”
  3. Click “Active Directory”
  4. It will re-direct to the Azure Classic portal (This might change in the future)
  5. You will get the following Wizard
  6. AzureADFree-ScreenShot2
  7. Fill in the form and click the check to create the Azure AD

Essential Azure AD Configuration

At this point Azure AD is fully functional, with the following constraints:

  • Manual process is required for creating user accounts (GUI, PowerShell or CSV import);
  • User passwords will not be in-sync with their network passwords;
  • Usernames at this stage will be <username>@<AzureADName>.onmicrosoft.com;
    • Users will be required to remember their usernames. (Most users find it difficult remember their password);

Follow my Essential Azure Configuration guide here if you want to address the constraints mentioned above.

Conclusion

After completion of this guide, Azure AD free edition will available and be functional with available features.

Essential Azure AD Configuration

Introduction

Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud based directory and identity management service.

More in-depth detail about Azure AD can be found here.

a fresh Azure AD installation will have the following constraints:

  1. Usernames at this stage will be <username>@<AzureADName>.onmicrosoft.com;

    Users will be required to remember usernames. (Most users find it difficult remember their passwords);

  2. Manual process is required for creating user accounts (GUI, PowerShell or CSV import);
  3. User passwords will not be in-sync with their network password;

This article will only focus in addressing the constraints above, with the least possible effort. More complex options are available and will depend on security & business requirements.

Configuration / Installation

Each optional tasks below should be followed chronological order to address the constraints above.

1. Add Email Domain (Optional)

This step should be done first before proceeding with step 2.

Only one Azure AD can own the organization email domain and Microsoft will not allow registering the email domain into another Azure AD Subscriptions.

Follow these steps to allow usernames to be the same as the organization email address:

  1. Go to https://manage.windowsazure.com
  2. On the left menu click “Active Directory”
  3. Open your new create Azure AD, you should see the following screen:
  4. AzureADFree-ScreenShot3
  5. Click “Domain” Tab
  6. Click “ADD A CUSTOM DOMAIN”, the following wizard will appear:
  7. AzureADFree-ScreenShot4
  8. Enter company domain name, example: “schmarr.com”, click “add”
  9. On Page 2, will have the TXT record that should be created in the company domain external DNS service. Please see example:
  10. AzureADFree-ScreenShot5
  11. Once the DNS TXT record is created, Click “verify” (Please allow DNS replication to complete up to 48 hours)
  12. Change the user accounts manually to reflect user emails addresses

    For automating user creation and password sync, please proceed to step 2.

2. Automate Account creation in Azure AD (Optional)

It is recommended that step 1 should be completed first, otherwise all users account will be created with system created domain name e.g. “<username>@<AzureADName>.onmicrosoft.com”

Assumptions / Requirements

The following assumptions are made in this section:

  • Internal Active Directory up and running
  • Windows 2012 R2 Member server of the Active Directory, ready to install Azure AD Connect
  • The member server has internet access
  • Active Directory userPrincipalName(UPN) reflects the user’s mail address
    • This assumption is in most cases are a challenge for most organizations and the following options are available:
      • Run the Azure AD Connect (Steps below is expert install) in advanced mode and choose “mail” attribute instead of userPrincipalName(UPN) – Easy fix;
      • Fix the UPN to be the same as email address, here is a microsoft tool that can assist;
  • Azure AD
  • A Active Directory enterprise administrator account
  • global admin account is created with default domain context e.g. admin@<AzureADName>.onmicrosoft.com

Azure AD Configuration

  1. Go to https://manage.windowsazure.com
  2. On the left menu click “Active Directory”
  3. Open your new create Azure AD, you should see the following screen:
  4. AzureADFree-ScreenShot3
  5. Click “DIRECTORY INTEGRATION” Tab
  6. Click “ATIVATED”, then click “SAVE”

Azure AD Connect Installation

The following tasks will be completed on the domain member server.

  1. Download Azure AD Connect from Here
  2. Run the downloaded setup file on the Windows 2012 R2 member server
  3. Click “Continue”
  4. Click “Use express settings”
  5. Enter your Azure AD Admin username e.g. admin@<AzureADName>.onmicrosoft.com and password
  6. Click “Next”
  7. Enter the Active Directory Enterprise Admin account and password
  8. Click “Next”
  9. Click “Install”
  10. AzureADFree-ScreenShot6

Once the installation is complete all user accounts will be created in Azure AD automatically with the current user email address. Password synchronization will also be automatically enabled.

Advanced installation will allow disabling password sync if not required.

Conclusion

User will be now be able to login into Azure AD using exiting email address and network password.

 

 

 

ADFS 2016 Technical Preview 4 Install Guide

Introduction

Microsoft is in the process of releasing a new version of Windows Server 2016, with this new release it will include and new version of ADFS.

In this article I will be only focusing on the installation process of ADFS 2016 preview (The easy bit), future guides will have more focus on integration.

Here is also some related reading material from my previous posts:

  • Group Managed Service Accounts – This is highly recommended for all ADFS implementations. This article was written on 2012 but still relevant for 2016.

My Lab

The lab is running in Microsoft Azure, the following relevant services for ADFS 2016 is running in this lab:

  • Active Directory – Single Forest, Single Domain
    • OS – Windows 2012 R2
    • Server Name – DC2012R2
  • PKI Certificate Server running on the domain controller (Not a recommended for production)
  • ADFS 2016 Backend Server
    • OS – Windows 2016 Technical Preview 4
    • Server Name – S2016PR4ADFS01
  • ADFS 2016 Web Applications Proxy Server
    • OS – Windows 2016 Technical Preview 4
    • Server Name – S2016PR4PRX01

Preparation

All ADFS implementation will require the following high-level preparation tasks before starting with the installation: (Microsoft has a well documented checklist that should be follow)

  • Split Brain DNS – This allows internal users to resolved the ADFS URL to the Internal ADFS backend servers. Info can be found here.
  • DNS records
    • External DNS
      • A Record – adfs2016.schmarr.com
        • Point to Web Application Proxy Server external IP
      • A Record – enterpriseregistration.schmarr.com
        • Point to Web Application Proxy Server external IP
      • A Record – certauth.adfs2016.schmarr.com
        • Point to Web Application Proxy Server external IP
    • Internal DNS
      • A record – adfs2016.schmarr.com
        • Point to ADFS 2016 backend server internal IP
      • A Record – enterpriseregistration.schmarr.com
        • Point to ADFS 2016 backend server internal IP
      • A Record – certauth.adfs2016.schmarr.com
        • Point to ADFS 2016 backend Server internal IP
  • ADFS features – ADFS has additional feature which needs to be consider before proceeding in acquiring the required certificate for encryption. e.g. workplace join have some additional requirements for the certificate, Read more about workplace join here.
  • Certificate – All ADFS communication between the client and ADFS is encrypted, so the certificate should be trusted by all parties. A External Certificate is advised.
    • In this article a internal certificate was used.
    • Lab SSL Certificate attributes:
      • Subject Name (CN): adfs2016.schmarr.com
      • Subject Alternative Name (DNS): adfs2016.schmarr.com
      • Subject Alternative Name (DNS): enterpriseregistration.schmarr.com
  • Group Managed Service Account  – how-to
    • Enable Managed Service Accounts (On Domain Controller running 2012 R2 or higher)
    • ADFSGmsa
      • Powershell command  – “New-ADServiceAccount ADFSGmsa -DNSHostName adfs2016.schmarr.com -ServicePrincipalNames http/adfs2016.schmarr.com”
  • Topology – Choose the correct topology to fit business requirements. More information about topologies can be found here.
    • Stand-Alone Federation Server using WID (Windows Internal Database) will be used in this article.
      • Gotcha – Limit memory usage for WID

Installation

ADFS 2016 backend server installation

  1. Install the required SSL certificate.
    1. Here is a guide for requesting a SAN certificate for internal PKI or External certificate provider.
    2. ADFS2016Preview-ScreenShot2
    3. Additional information for the “certauth” url can be found here
  2. Install Active Directory Federation Services role on server
    1. Powershell command – “Install-windowsfeature adfs-federation –IncludeManagementTools
    2. Get the 2012 R2 wizard options from here
  3. Configure Active Directory Federation Services
    1. Powershell command – “Install-AdfsFarm -CertificateThumbprint ff236398ad5b51b9dd427cf819e6586b43d2009b -FederationServiceName adfs2016.schmarr.com -GroupServiceAccountIdentifier AS\ADFSGmsa$
    2. Get the 2012 R2 wizard options from here
  4. Limit WID memory usage
    1. Install SQL Management Studio Express – Download from here
    2. Open admin Command prompt – “osql -E -S \.pipeMICROSOFT##WID
    3. Enter the following commands
      1. exec sp_configure ‘show advanced option’, ‘1’;
      2. reconfigure;
    4. To check current config:
      1. exec sp_configure;
      2. go
    5. Reconfigure to use 2GB
      1. exec sp_configure ‘max server memory’, 2048;
      2. reconfigure with override;
      3. go
      4. quit
    6. Restart the Windows Internal Database service
    7. Optional – Uninstall SQL Management Studio Express
  5. Testing Installation
    1. Powershell command – “Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
    2. Go to the following url https://adfs2016.schmarr.com/adfs/ls/IdpInitiatedSignOn
      1. User should be able to sign-in from domain joined machine on the internal network
      2. User should be able to sign-in from non domain joined machine on the internal network
    3. Optional – Disabled IdPInitiatedSignonPage
      1. Powershell command – “Set-AdfsProperties -EnableIdPInitiatedSignonPage $false

 ADFS 2016 Web Application Proxy Server installation

  1. Export the certificate from the ADFS backend server with private key
  2. Import into computer store of Web Application proxy server
  3. Install Web Application Proxy Role
    1. Powershell Command – “Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
    2. Get the 2012 R2 wizard options from here
  4. Configure Web Application Proxy Role
    1. Powershell Command – “Install-WebApplicationProxy –CertificateThumbprint ‘‎ff236398ad5b51b9dd427cf819e6586b43d2009b’ -FederationServiceName adfs2016.schmarr.com
    2. Get the 2012 R2 wizard options from here
  5. Testing Installation
    1. On ADFS backend Server run Powershell command – “Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
    2. Go to the following url https://adfs2016.schmarr.com/adfs/ls/IdpInitiatedSignOn
      1. User should be able to sign-in from domain joined machine on the external network
      2. User should be able to sign-in from non domain joined machine on the internal network
    3. Optional – Disabled IdPInitiatedSignonPage
      1. Powershell command – “Set-AdfsProperties -EnableIdPInitiatedSignonPage $false

Conclusion

This article demonstrated installing ADFS 2016 preview 4 in a Stand-Alone Federation Server using WID topology.