Mar 29, 2021

Azure Active Directory Connect (AADC) Part 3 — Active Directory Federation Services (ADFS) and Web Application Proxy (WAP)

Prerequisite Steps

Create PFX certificate file

  • After updating the TXT record in your custom domain, press “Enter”. At this point you should have fullchain.pem, chain.pem, cert.pem and privkey.pem under /etc/letsencrypt/live/<domain name>/.
  • Use cert.pem and privkey.pem to create the PFX file.

Configure AADC to have AAD use ADFS as the authentication method

If you have followed the steps in the previous articles, your AADC should be using either PHS or PTA. The only way to configure AADC to use ADFS is to reinstall AADC and go through the AADC installation user interface again.

  • Uninstall AADC
  • Download the AADC installation executable again here if you have not already
  • Once you agree to the terms on the first page of the AADC installation user interface, select “Customize”
  • Select “Install” unless you already have existing components ready for the implementation
  • Select “Federation with AD FS”
  • Enter the AAD Global Administrator credential
  • Enter the Windows AD Enterprise Administrator credential
  • Check “Continue with matching all UPN suffixes to verified domains”, as our internal domain name is not verified on AAD and should not be
  • Select “Sync all domains and OUs” or “Sync selected domains and OUs”
  • If users are unique in the Windows AD forest, just use the default selection. Otherwise, choose accordingly.
  • Select “Synchronize all users and devices” unless you have other concerns
  • Select the optional features accordingly.
  • PHS here acts as a backup when PTA is not working. For example, if the AADC agent server loses connectivity, users are not able to authenticate themselves on Azure. If you enable PHS as an optional feature, a hash of each user’s password is stored in the cloud, so users can still use that data to authenticate themselves.
  • Password writeback allows users to change their Windows AD password from the cloud, but this needs extra attention to the Windows AD group policy around password management.
  • Enter the Domain Administrator credential
  • Since we have already created both the ADFS and WAP servers, we choose “Use an existing AD FS farm”
  • Choose Azure AD domain and select “Next”
  • Synchronize
  • In the AADC server’s hosts file, add a record that resolves the ADFS service name to the ADFS private IP address
  • Verify the ADFS service name can be resolved from both the intranet and the Internet
  • When logging in to the Azure portal, you will be redirected to your own ADFS service to complete the authentication process
  • In the Azure AD Connect section, you should see “Federation” showing “Enabled”
  • On the ADFS server, ensure both “Windows Internal Database” and “Active Directory Federation Services” are running
  • On the WAP server, ensure “Web Application Proxy Service” is running
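The post-install checks in the last six bullets, collected into one Windows PowerShell 5.1 script. This is an added example, not part of the original post; the FQDN, server names and domain are placeholders, and the last check assumes the MSOnline module is installed and Connect-MsolService has already been run.

```powershell
# Added example (not from the original post). Placeholders: $AdfsFqdn is the
# ADFS service name, $AdfsServer/$WapServer are the ADFS and WAP hostnames,
# $AadDomain is the federated Azure AD domain. Run from the AADC server.
param(
    [string]$AdfsFqdn   = 'sts.example.com',   # placeholder
    [string]$AdfsServer = 'ADFS01',            # placeholder
    [string]$WapServer  = 'WAP01',             # placeholder
    [string]$AadDomain  = 'example.com'        # placeholder
)

$results = @()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# 1. hosts-file record on the AADC box (ADFS service name -> private IP)
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$hostsHit  = Select-String -Path $hostsPath -Pattern "\s$([regex]::Escape($AdfsFqdn))(\s|$)" -Quiet
Add-Check 'hosts entry present' $hostsHit $hostsPath

# 2. the ADFS service name resolves and answers on TCP/443
try {
    $ips = (Resolve-DnsName -Name $AdfsFqdn -ErrorAction Stop | Where-Object IPAddress).IPAddress -join ','
    Add-Check 'ADFS name resolves' $true $ips
} catch { Add-Check 'ADFS name resolves' $false $_.Exception.Message }
$tnc = Test-NetConnection -ComputerName $AdfsFqdn -Port 443 -WarningAction SilentlyContinue
Add-Check 'TCP 443 reachable' $tnc.TcpTestSucceeded "$($tnc.RemoteAddress)"

# 3. federation metadata served over HTTPS under that name (the PFX is bound and trusted)
try {
    $meta = Invoke-WebRequest -UseBasicParsing -Uri "https://$AdfsFqdn/federationmetadata/2007-06/federationmetadata.xml"
    Add-Check 'federation metadata' ($meta.StatusCode -eq 200) "HTTP $($meta.StatusCode)"
} catch { Add-Check 'federation metadata' $false $_.Exception.Message }

# 4. WID + ADFS services on the ADFS server, Web Application Proxy service on the WAP server
$svcMap = @{ $AdfsServer = @('MSSQL$MICROSOFT##WID', 'adfssrv'); $WapServer = @('appproxysvc') }
foreach ($server in $svcMap.Keys) {
    foreach ($svc in $svcMap[$server]) {
        $s = Get-Service -ComputerName $server -Name $svc -ErrorAction SilentlyContinue
        Add-Check "$server/$svc running" ($s.Status -eq 'Running') "$($s.Status)"
    }
}

# 5. Azure AD side: the domain must report Federated, not Managed
try {
    $dom = Get-MsolDomain -DomainName $AadDomain -ErrorAction Stop
    Add-Check 'AAD domain federated' ($dom.Authentication -eq 'Federated') $dom.Authentication
} catch { Add-Check 'AAD domain federated' $false $_.Exception.Message }

$results | Format-Table -AutoSize
```

Run it once from the AADC server and once from a machine outside the network (skipping the hosts and service checks there) to cover the intranet and Internet resolution cases.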