02. January 2013 · AD FS for Office 365 – Simplified Installation Guide · Categories: Office365

Step 1. Prepare Your Active Directory Domain

Office 365 SSO requires an Internet-resolvable domain name to use as the suffix in each user’s username. Don’t worry, though, if your Active Directory domain name doesn’t meet this requirement. Most of them don’t. You can make things work by giving users an alternate User Principal Name (UPN) that matches any public domain name you own.

Let’s assume your public domain name is contoso.com, but your inside-the-firewall Active Directory domain is contoso.local. Internet DNS servers can’t resolve contoso.local, so Office 365’s servers can’t either. You can, however, set each user’s UPN to a publicly resolvable domain name and, through federation, let them log in as username@contoso.com.

While each user’s UPN might look like an e-mail address, it has nothing to do with SMTP or Session Initiation Protocol. This change merely maps your users’ Active Directory accounts to an external address that Office 365 can understand.

Launch Active Directory Domains and Trusts and view the Properties of its top-level node. In the box titled Alternative UPN suffixes, enter your publicly resolvable domain name and click Add. Then launch Active Directory Users and Computers and view the Properties of a user account. Under its Account tab, you can now set the User logon name to that publicly resolvable domain name. Do this for each Office 365-enabled user. They’ll be using this as their Office 365 username in a minute.
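The same two operations, registered on the forest and then applied to every enabled user in one OU, as an added PowerShell example that is not part of the original guide. It assumes the ActiveDirectory module (RSAT) is installed, reuses the page’s contoso.com / contoso.local names, and uses a placeholder OU path; the duplicate-UPN check is included because AD will happily store two accounts with the same UPN, which then breaks sign-in for both.

```powershell
# Added example (not from the original post): bulk version of Step 1.
# Requires the ActiveDirectory module; Set-ADForest needs Enterprise Admin rights.
Import-Module ActiveDirectory

$PublicSuffix = 'contoso.com'                            # publicly resolvable suffix
$TargetOU     = 'OU=Office365Users,DC=contoso,DC=local'  # PLACEHOLDER: your OU

# 1. Register the alternative UPN suffix on the forest (skip if already present).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $PublicSuffix}
    Write-Host "Added UPN suffix $PublicSuffix to forest $($forest.Name)"
}

# 2. Index every UPN already in use so we never assign one twice.
$inUse = @{}
Get-ADUser -Filter 'userPrincipalName -like "*"' | ForEach-Object {
    if ($_.UserPrincipalName) { $inUse[$_.UserPrincipalName.ToLower()] = $_.SamAccountName }
}

# 3. Re-suffix each enabled user in the OU and report what happened to each.
$users  = Get-ADUser -SearchBase $TargetOU -Filter 'Enabled -eq $true'
$report = foreach ($u in $users) {
    $newUpn = "$($u.SamAccountName)@$PublicSuffix"
    $key    = $newUpn.ToLower()
    if ($u.UserPrincipalName -ieq $newUpn) {
        $status = 'unchanged'
    } elseif ($inUse.ContainsKey($key) -and $inUse[$key] -ne $u.SamAccountName) {
        $status = "skipped: UPN already used by $($inUse[$key])"
    } else {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
        $inUse[$key] = $u.SamAccountName
        $status = 'updated'
    }
    [pscustomobject]@{
        User   = $u.SamAccountName
        OldUPN = $u.UserPrincipalName
        NewUPN = $newUpn
        Status = $status
    }
}
$report | Format-Table -AutoSize
```

Append `-WhatIf` to the `Set-ADForest` and `Set-ADUser` calls to preview the changes before committing them.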

Step 2. Prepare Your Server and Install ADFS

You can install ADFS on a domain controller or another server. You’ll first need to configure a few prerequisites. The following steps assume you’re installing to Windows Server 2008 R2.

Using Server Manager, install the IIS role and the Microsoft .NET Framework 3.5.1. Then purchase and install a server-authentication certificate from a public certificate authority. Make sure you match the certificate’s subject name with the Fully Qualified Domain Name of the server. Launch IIS Manager and import that certificate to the default Web site.