It’s kind of killing my laptop, but I have managed to get my virtual lab environment working with ADFS to an Office 365 trial. I think I’ve probably got the bare minimum config going on here, so for reference, here’s what I had to do.<\/p>\n
<\/p>\n
Note: there is now a 64 bit version of DirSync so it should be possible to install that\u00c2\u00a0on the DC as well.<\/p><\/blockquote>\n
AD<\/h3>\n
The name of my virtual AD domain did not match the external domain I had to use for ADFS. This does not matter – just add the external domain as a UPN suffix to AD.<\/p>\n
You then also need to make sure any account you want to test with has a UPN of accountname@myrealdomain.com<\/a><\/em>.<\/p>\n
Certificate<\/h3>\n
I was under the impression that I’d need a public cert so Microsoft would trust my ADFS server, so I got a free one month cert from freessl<\/a>. However I can see now that the cert is only used for internal communication between my ADFS server and my client, so I think now if I’d generated one in my own CA it would have been fine. The only provisio is the name of the cert must match myrealdomain.com<\/em>.<\/p>\n
ADFS<\/h3>\n
The instructions <\/a>walk you through a proper setup with NLB and federation proxies. With a laptop lab I did none of this. I just have the one federation server running on my DC. Pretty much all I did was:<\/p>\n
\n
- Installed ADFS – make sure you choose “first server in a farm”,<\/li>\n
- Installed the SSL certificate for myrealdomain.com<\/em> onto the default IIS website,<\/li>\n
- Ran the ADFS wizard,<\/li>\n
- Ran the powershell cmdlets to add and federate the domain in Office 365 (documentation<\/a>).<\/li>\n<\/ol>\n
Internet Firewall<\/h3>\n
Another thing I was mistaken about was thinking\u00c2\u00a0the Microsoft Federation gateway would need to talk directly to my ADFS server but actually it doesn’t – the communication is between the client browser and ADFS. I’m not allowing external devices to access Office 365 via my lab, so I don’t need to grant access to my ADFS VM through the network firewall. Which is a relief!<\/p>\n
DNS<\/h3>\n
The domain myrealdomain.com<\/em> has a real, live ip address on the internet, however in my virtual network I want it to resolve to the internal ip address of my ADFS server. To do this I:<\/p>\n
\n
- Created a Primary Zone for myrealdomain.com<\/em> in my domain’s DNS service,<\/li>\n
- Created an A record in the zone pointing to the internal ip address of the ADFS server,<\/li>\n
- Set a forwarder to the external DNS server, and<\/li>\n
- Made sure all VMs in my virtual network used the virtual DC for DNS, rather than going straight to the external DNS.<\/li>\n<\/ul>\n
DirSync<\/h3>\n
As I noted above, when I wrote this article there was only 32 bit DirSync. Now we finally have a 64 bit version. It should run on the DC but I haven’t tried it.<\/p>\n
DirSync is damn easy to install. Just follow the instructions<\/a>.<\/p>\n
Activate an account<\/h3>\n
Once you have accounts DirSync’d up to Office 365, with the correct UPN matching the real domain that you federated, you can now activate one or two of them to use as tests.<\/p>\n
Test<\/h3>\n
To test I logged in to my virtual workstation. This has a bridged internet connection in addition to the virtual network connection, and all DNS goes via the virtual DC.<\/p>\n