Tuesday, September 29, 2015

Configuring the Windows Web Server role and assigning a certificate

I’ve detailed the different Office 365 Identity options previously. I’ve also detailed how to install Azure AD Connect (which replaces both Azure AD Sync and DIRSYNC) and why it is necessary for both synchronised and federated Office 365 identities.

What I plan to cover in upcoming articles is how to establish federated identities (i.e. ADFS) for Office 365. I’ll break these down into a number of posts and then bring everything together as a single point of reference at the end.

This post will take you through the initial process of configuring the pre-requisites on the ADFS server. This means installing the Windows Server Web Server role and assigning a certificate to this Windows Web Server.

Prior to the steps here, I already have established a domain controller (DC) on the network. The local domain is called kumoalliance.com I have already successfully installed and configured Azure AD Connect on this DC. I am successfully synchronising user information from the local Active Directory (AD) to Office 365 via Azure AD Connect. I have also installed and configured the custom domain kumoalliance.com into my Office 365 tenant. This ensures that the UPN of the local AD matches those in Office 365. I have also assigned the appropriate Office 365 licenses for active users.

I have also added a separate member server (called CIAOPS365-ADFS) to this domain that will function as the ADFS server. I am now ready to configure the pre-requisites for ADFS which is the Windows Web Server role and an SSL certificate. The Web Server on this machine will be configured to respond to the URL https://adfs.kumoalliance.com for clients on the local network. Clients outside the domain (i.e. external) will use an ADFS proxy which will be configured later on after the ADFS server has been configured.

image

Launch the Server Manager Dashboard as shown above.

image

In the top right hand corner select the Manage menu item and then Add Roles and Features from the menu that appears.

image

This will launch the Add Roles and Feature Wizard as shown above.

Select Next to continue.

image

Ensure that Role based or feature based installation is selected, then select Next to continue.

image

Select the ADFS server name from the list of servers displayed. Typically, that should be the only server that appears. Select Next to continue.

image

Scroll down the list of roles until you locate Web Server (IIS) and select this.

image

This will pop up a dialog shown above. No configuration is required, so simply select the Add Features button to continue.

image

You’ll be return to the list of roles and you should now see that Web Server (IIS) is selected as shown above. Select Next to continue.

image

No additional options need to be made. Select Next to continue.

image

Select Next to continue.

image

No additional options need to be made. Select Next to continue.

image

Select the Install button.

image

The wizard will now install and configure Internet Information Services (IIS) on the server. This process should only take a few minutes and not require the server to be rebooted.

image

Ensure the installation process completed successfully then select the Close button to complete wizard.

image

In the top right of the Server Manager Dashboard you should see a message flag. if you select this you should receive confirmation that the Web Server role has been successfully installed.

image

In the Server Manager Dashboard, select the Tools option in the top right and then Internet Information Services (IIS) from the menu that appears.

image

Select the server name in the right pane. Then from the icons in the middle pane double click Server Certificates.

image

In the top of the right pane select Create Certificate Request.

image

Use the FQDN of the server (i.e. adfs.kumoalliance.com) as the Common name.

Complete the remaining fields with the information from the organisation. Select Next to continue.

image

Leave the Cryptographic service provider set to Microsoft RSA SChannel Cryptographic provider. However, ensure that the Bit length is set to 2048.

Select Next to continue.

image

Enter a file location to write the server key and select Finish to complete the process.

image

If you look at the file created you should see that it is simply a text file like that shown above.

image

You now need to take that certificate request information to your certificate provider and use it to request a certificate.

In this case I am using Digicert which allows me simply to copy and paste the text from the server certificate request directly into a web page, nominate which web server it came from (in this case IIS 8.0) and complete the certificate request.

image

In short order, you should receive confirmation that the certificate has been approved and in this case I am sent the certificate files as an attachment.

image

Copy the certificate files to the server and check to see that the files include a .CER file, which is the actual certificate.

image

Return to to the IIS Manager and in the top right now select Complete Certificate Request.

image

Provide the location to the certificate file received from the certificate authority in the first field.

For the friendly name enter the FQDN of the server (here adfs.kumoalliance.com).

Leave the certificate store as Personal and select OK.

image

When this process completes you should see the new certificate listed as shown above.

image

On the left hand pane of the IIS Manager, drill down and select Default Web Site.

Now on the right hand pane select the Bindings option towards the top.

image

Select the Add button in the top right of the dialog that appears.

image

Change the Type field to https.

Leave the Host name field blank.

In the SSL certificate area select the certificate that was added from the certificate authority (here, adfs.kumoalliance.com). Then select OK to complete the configuration.

image

You should now see an entry for https on port 443 displayed in the bindings as shown above.

Select the Close button.

You now need to create an entry in the DNS for the local domain so that requests to https://adfs.kumoalliance.com will be directed to the web server on this machine.

image

Open DNS management on the domain controller. navigate to the Forward Lookup Zones for the local domain (here kumoalliance.com).

Right mouse click on an empty location in the right panel and select he option to Add a new A record.

In the name field enter the first part of the common name you used when requesting the certificate (here adfs). The local domain will be appended to this name to create the FQDN of the server (here adfs.kumaolliance.com). This needs to generally match the common name on the certificate generated from the certificate authority.

Enter the IP address of the ADFS server on which IIS has just been installed. Then select Add Host button to complete the process.

image

To ensure everything is working as expected try and ping the FQDN of the ADFS server (here adfs.kuoalliance.com). You should receive a resolution to the IP address of the ADFS server, although the actual ping may time out due to firewall configurations. The important thing is that the name is resolved to the IP address of the ADFS server.

If that is successful, open up a web browser on the domain controller and navigate to the FQDN of the ADFS server (here https://adfs.kumoalliance.com) . Ensure you use https to verify that SSL and the certificate are operational. If they are you should be greeted with the default IIS web page as shown above.

If you then examine the certificate you should be able to verify that it is valid and issued by the certificate authority you used above.

Now that a secure Web Server has been configured on the ADFS machine, the next steps is to add the ADFS role to this same server. This will be the subject of an upcoming post so stay tuned.