Azure Active Directory Connect (AADC) Part 3 — Active Directory Federation Service (ADFS) and Web Application Proxy (WAP)

Jonathan
7 min read · Mar 29, 2021

Please read part 1 and part 2 of this series before going further, as this article reuses a lot of the content from them.

Make sure at least the prerequisite steps in part 1 are complete. Once that is done, carry on with the steps below to configure AADC to use ADFS as the authentication method.

Prerequisite Steps

Create PFX certificate file

When you reach the stage of installing the SSL certificate, and you prefer a certificate issued by a certificate authority over a self-signed one, follow the steps below.

I have my custom domain managed in Hover. As many of you may know, there is nowhere to download a certificate for the custom domain. In this article, we will use certbot to generate the required x.crt and x.key files.

First of all, install certbot in your running environment. If you are not using Windows, you could leverage Azure Cloud Shell or Windows Subsystem for Linux 2 to execute the following commands.

  • After updating the TXT record in your custom domain, press “Enter”. At this point, you should have fullchain.pem, chain.pem, cert.pem and privkey.pem under /etc/letsencrypt/live/<domain name>/.
  • Take cert.pem and privkey.pem and create the PFX file:

openssl pkcs12 -inkey privkey.pem -in cert.pem -export -out jonathan18186_website.pfx

** If you are using Azure VMs for both the Domain Controller and the AADC agent, please check this site on how to create Azure VMs from scratch.

Windows Server 2016/2019 as ADFS server

Please ensure the PFX certificate file has already been copied to the ADFS server, as the installation process needs it.

Create a Windows Server 2016/2019 VM (ideally with at least 2 vCPU and 4 GB of memory) and promote it to an ADFS server. For more information on how to complete this, please check this site.

Windows Server 2016/2019 as Web Application Proxy (WAP) server

Please ensure the PFX certificate file has already been copied to the WAP server and installed in the Local Machine → Personal certificate store. The WAP installation process also needs the PFX file.

Create a Windows Server 2016/2019 VM (ideally with at least 2 vCPU and 4 GB of memory) and promote it to a WAP server. For more information on how to complete this, please check this site.

We need to manually add a record on the WAP server so that the ADFS service name resolves to the ADFS server's private IP address.

Configure AADC to have AAD use ADFS as the authentication method

If you have followed the steps in the previous articles, your AADC is currently using either PHS or PTA. The only way to configure AADC to use ADFS is to reinstall AADC and go through the AADC installation user interface again.

  • Uninstall AADC
  • Download the AADC installation executable again here if you have not already
  • Once you agree to the terms on the first page of the AADC installation user interface, select “Customize”
  • Select “Install” unless you have existing services ready for the implementation
  • Select “Federation with AD FS”
  • Enter the AAD Global Administrator credential
  • Enter the Windows AD Enterprise Administrator credential
  • Check “Continue with matching all UPN suffixes to verified domains”, as our internal domain name is not verified on AAD and should not be.
  • Select “Sync all domains and OUs” or “Sync selected domains and OUs”
  • If users are unique in the Windows AD forest, just use the default selection. Otherwise, choose accordingly.

** Since this page mentions “Hard Match” and “Soft Match”, here is what those are, quoted from the official documentation.

“When Azure AD Connect (sync engine) instructs Azure Active Directory to add or update objects, Azure AD matches the incoming object using the sourceAnchor attribute to the immutableId attribute of objects in Azure AD. This match is called a Hard Match.

When Azure AD does not find any object that matches the immutableId attribute with the sourceAnchor attribute of the incoming object, before provisioning a new object, it falls back to use the ProxyAddresses and UserPrincipalName attributes to find a match. This match is called a Soft Match. The Soft Match is designed to match objects already present in Azure AD (that are sourced in Azure AD) with the new objects being added/updated during synchronization that represent the same entity (users, groups) on premises.”

— Quoted from Trouble-shoot synchronization errors — Learn | Microsoft Docs

  • Select “Synchronize all users and devices” unless you have other concerns
  • Select the optional features accordingly.
  • PHS here acts as a backup when PTA is not working, for example when the AADC agent server loses connectivity and users cannot authenticate to Azure. If PHS is enabled as an optional feature, a hash of each user’s password is stored in the cloud, so users can still authenticate against that data.
  • Password writeback allows users to change their Windows AD password from the cloud, but this needs extra attention to the Windows AD group policy around password management.
  • Enter the Domain Administrator credential
  • Since we have already created both the ADFS and WAP servers, choose “Use an existing AD FS farm”
  • Choose the Azure AD domain and select “Next”
  • Synchronize
  • Add a record to the hosts file on the AADC server that resolves the ADFS service name to the ADFS private IP address
  • Verify that the ADFS service name can be resolved from both the intranet and the internet
  • When you sign in to the Azure portal, you will be redirected to your own ADFS service to complete the authentication process

** Please remember to use a Windows AD user credential with the alternate domain suffix. If you are not sure how to do this, please refer to the AADC Part 1 — PHS article; the prerequisite steps section there explains how to achieve it.

  • In the Azure AD Connect section of the portal, “Federation” should show “Enabled”
  • On the ADFS server, ensure both “Windows Internal Database” and “Active Directory Federation Services” are running

Windows → Search “services.msc” → type “w” → type “a”

Windows → Search “services.msc” → type “w”

  • On the WAP server, ensure “Web Application Proxy Service” is running
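As an added example (not part of the original post), the following PowerShell script runs the checks listed above on an ADFS, WAP or AADC server in one go, and also verifies that the PFX created earlier was imported correctly. The service name adfs.example.com and the IP 10.0.0.4 are constructed placeholders; services are matched by the display names quoted above, and the metadata URL is the standard ADFS federation metadata path.

```powershell
# Added example: post-install checks for the ADFS / WAP / AADC hosts described in this article.
# The host name and IP below are constructed placeholders; replace them with your own values.
param(
    [string]$AdfsServiceName = 'adfs.example.com',   # ADFS federation service name
    [string]$AdfsPrivateIp   = '10.0.0.4'            # ADFS server private IP used in the hosts file
)

$failures = @()

# 1. Hosts-file record mapping the ADFS service name to the private IP (WAP and AADC servers).
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$pattern   = "^\s*$([regex]::Escape($AdfsPrivateIp))\s+.*\b$([regex]::Escape($AdfsServiceName))\b"
if (-not (Select-String -Path $hostsPath -Pattern $pattern -Quiet)) {
    $failures += "hosts file has no '$AdfsPrivateIp $AdfsServiceName' record"
}

# 2. Name resolution from this box (uses the hosts file, unlike Resolve-DnsName).
$resolved = [System.Net.Dns]::GetHostAddresses($AdfsServiceName) | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $AdfsPrivateIp) {
    $failures += "$AdfsServiceName resolves to '$($resolved -join ',')', expected $AdfsPrivateIp"
}

# 3. Role services, matched by the display names shown in services.msc.
#    ADFS server: the first two must run; WAP server: the third. Absent services are skipped.
foreach ($name in 'Windows Internal Database', 'Active Directory Federation Services', 'Web Application Proxy Service') {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') { $failures += "service '$name' is $($svc.Status)" }
}

# 4. The imported PFX: a certificate in Local Machine -> Personal that covers the ADFS name,
#    carries its private key, and has not expired.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                       ($_.Subject -like "*CN=$AdfsServiceName*" -or $_.DnsNameList.Unicode -contains $AdfsServiceName) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { $failures += "no valid certificate with private key for $AdfsServiceName in Cert:\LocalMachine\My" }

# 5. The federation metadata endpoint should answer over HTTPS once ADFS (or WAP) is up.
try {
    $r = Invoke-WebRequest -Uri "https://$AdfsServiceName/federationmetadata/2007-06/federationmetadata.xml" -UseBasicParsing -TimeoutSec 15
    if ($r.StatusCode -ne 200) { $failures += "metadata endpoint returned HTTP $($r.StatusCode)" }
} catch { $failures += "metadata endpoint unreachable: $($_.Exception.Message)" }

if ($failures) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "All checks passed for $AdfsServiceName"
```

Run it from an elevated PowerShell on each server; a non-zero exit code with the warnings above points to the step that still needs attention.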

If it is still not clear how AADC uses ADFS as the main authentication method, detailed step-by-step instructions can be found in the official Microsoft documentation.

That should cover a very basic scenario for AADC with ADFS! We will create separate articles to go through some basic troubleshooting around AADC and ADFS. Stay tuned!


Jonathan

Started my career as a consultant, moved to support engineer, service engineer and now a product manager. Trying to be a better PM systematically every day.