Extranet lockout provides the following key advantages: It protects your user accounts from brute force attacks where an attacker tries to guess a user’s password by continuously sending authentication requests. In this case, AD FS will lock out the malicious …
In order to set up Azure MFA as primary authentication with AD FS, you do need to move to Azure MFA (the cloud-based version). I have not deployed Azure Multi-Factor Authentication Server (the on-prem/hybrid version) in a few years for anyone as …
On the ADFS Server: Import the new SSL certificate into the computer's MY certificate store. Run an elevated PowerShell to get the thumbprint of the certificate: `cd cert:`, `cd localmachine`, `cd my`, `dir`. Identify the thumbprint in the output. In …
Once the Server 2016 computer has restarted, you can see that AD FS Management is available. Click on it to open AD FS Management. But AD FS on Server 2016 is not showing anything here. …
To migrate the Office 365 Relying Party Trust from an existing ADFS farm to a new ADFS farm, follow this step-by-step guide. Migrating the Office 365 Relying Party Trust will incur a minor disruption to the SSO environment. Prerequisites: Existing ADFS Farm …
The concept of Work Folders is to store a user’s data in a convenient location. Users can access the work folder from BYOD and corporate SOE devices from anywhere. The work folder facilitates flexible and secure use of corporate information from supported devices. …
To integrate On-Premises SSO with Splunk Cloud, you need the following items: On-premises Active Directory; On-premises ADFS 2016; A Splunk Cloud tenant; Splunk Cloud Sign-on URL https://yourinstance.splunkcloud.com/saml/acs; Splunk Cloud Sign-out URL https://yourinstance.splunkcloud.com/saml/logout; ADFS Sign-on URL https://sts.domain.com/adfs/services/trust; ADFS Sign-Out URL https://sts.domain.com/adfs/ls/?wa=wsignout1.0 …
To integrate On-Premises SSO with Google Apps, you need the following items: On-premises Active Directory; On-premises ADFS 2016; A Google Apps subscription with single sign-on enabled; Google Apps Sign-on URL https://mail.google.com/a/domain.com; ADFS Sign-on URL https://sts.domain.com/adfs/ls/; ADFS Password Change URL https://sts.domain.com/adfs/portal/updatepassword/; ADFS …
Prerequisites: Windows Active Directory; Windows Server 2016 with the ADFS role installed; ServiceNow tenant; ADFS signing certificate from the ADFS server; ADFS Service Identifier: http://sts.domain.com/adfs/services/trust; ServiceNow Sign On URL: https://company.service-now.com/navigate.do; ServiceNow Identifier: https://company.service-now.com; ADFS Signout URL: https://sts.domain.com/adfs/ls/?wa=wsignout1.0. Step1: Export Token Signing Certificate …
Azure Information Protection (Azure RMS) is an enterprise information protection solution for any organization. Azure RMS provides classification, labeling, and protection of an organization’s data. Note: This deployment also enables Azure B2B access for the published applications in Azure AD. Azure …
This article explains how you can deploy a hybrid Office 365 and Exchange on-premises environment with multiple Active Directory forests. An organisation that utilizes an account forest and a resource forest to separate Active Directory accounts and Exchange servers in …
Let’s paint a picture: you have a unique requirement to build multiple ADFS farms. You have a fully functional hybrid environment with EXO. You do not want to modify AAD Connect or the existing ADFS servers. But you want several SaaS applications to use a different ADFS farm with MFA, while their identities are managed by the same Active Directory forest used by the existing ADFS farm.
Here is the existing infrastructure:
- 1 single forest with multiple hybrid UPNs (domainA.com, domainB.com, domainC.com and many…)
- 2x ADFS servers (sts1.domainA.com)
- 2X WAP 2012 R2 cluster
- 1x AAD Connect
- 1X Office 365 Tenant with several federated domains (domainA.com, domainB.com, domainC.com and many…)
- 1x public CNAME sts1.domainA.com
The above configuration is working perfectly.
Now you would like to build a separate ADFS 2016 farm with a WAP 2016 cluster for SaaS applications. This ADFS 2016 farm will be dedicated to authenticating these SaaS applications. You would also like to turn on MFA on ADFS 2016, and add a new public authentication endpoint such as sts2.domainA.com for the ADFS 2016 farm.
The end goal is that once a user hits https://tenant.SaaSApp.com/ it will redirect them to sts2.domainA.com and prompt for on-prem AD credentials, plus MFA if they are accessing from the public network.
New ADFS 2016 infrastructure in the same forest and domain:
- 2X ADFS 2016 Servers (sts2.domainA.com)
- 2X WAP 2016 Servers
- 1 X separate public IP for sts2.domainA.com
- 1X public CNAME for sts2.domainA.com
- 1X Private CNAME for sts2.domainA.com
Important Note: You have to prepare the Active Directory schema to use the ADFS 2016 functional level. No actions or tasks are necessary in the existing ADFS 2012 R2 environment.
Guidelines and references for building the new environment.
Hybrid Configuration Business Case. On-premises IRM: Information Rights Management (IRM) enables users to apply Active Directory Rights Management Services (AD RMS) templates to messages that they send. Antispam and malware protection: Mailboxes moved to Office 365 are automatically provided with antivirus …
This article will describe how to install a new ADFS 2016 farm or upgrade an existing AD FS Windows Server 2012 R2 farm to AD FS in Windows Server 2016. Prerequisites: ADFS role in Windows Server 2016; Administrative privilege in both ADFS …
This article provides step-by-step guidelines to implement single sign-on using ADFS 4.0 as the identity provider and Workday as the identifier and service provider. Important Note: Workday does not provide a service provider metadata XML file to …
Branding and promoting the company name and logos are common business practices. You would like to see your own brand whilst signing in to Microsoft Office 365. ADFS gives businesses the opportunity to customize the sign-in page and promote their own brand. …
Remote Desktop Services is a server role that consists of several role services. Remote Desktop Services (RDS) accelerates and securely extends desktops and applications to any device, anyplace, for remote and roaming workers. Remote Desktop Services provides both a virtual desktop infrastructure (VDI) and session-based desktops.
In Windows Server 2012 R2, the following roles are available in Remote Desktop Services:
| Role service name | Role service description |
|---|---|
| RD Virtualization Host | RD Virtualization Host integrates with Hyper-V to deploy pooled or personal virtual desktop collections. |
| RD Session Host | RD Session Host enables a server to host RemoteApp programs or session-based desktops. |
| RD Connection Broker | RD Connection Broker provides the following services |
| RD Web Access | RD Web Access enables the following services |
| RD Licensing | RD Licensing manages the licenses for RD Session Host and VDI. |
| RD Gateway | RD Gateway enables authorized users to connect to VDI, RemoteApp |
For an RDS lab, you will need the following servers.
- RDSVHSRV01: Remote Desktop Virtualization Host server (Hyper-V server).
- RDSWEBSRV01: Remote Desktop Web Access server.
- RDSCBSRV01: Remote Desktop Connection Broker server.
- RDSSHSRV01: Remote Desktop Session Host server.
- FileSRV01: File server to store user profile disks.
This test lab consists of a 192.168.1.1/24 subnet for the internal network and a DHCP client, i.e. the Client1 machine running the Windows 8 operating system, in a test domain called testdomain.com. You need a shared folder hosted on a file server, or a SAN presented to the Hyper-V cluster that acts as the virtualization host. All RD Virtualization Host computer accounts must be granted Read/Write permission to the shared folder. I assume you have a functional domain controller, DNS, DHCP and a Hyper-V cluster. Now you can follow the steps below.
Step1: Create a Server Group
1. Open Server Manager from the Taskbar. Click Dashboard, click View, click Show Welcome Tile, click Create a Server Group, and type RDS Servers as the name of the group.
2. Click Active Directory. In the Name (CN): box, type RDS, then click Find Now.
3. Select RDSWEBSRV01, RDSSHSRV01, RDSCBSRV01, RDSVHSRV01 and then click the right arrow.
4. Click OK.
Step2: Deploy the VDI standard deployment
1. Log on to the Windows server by using the testdomain\Administrator account.
2. Open Server Manager from the Taskbar, click Manage, and then click Add roles and features.
3. On the Before You Begin page of the Add Roles and Features Wizard, click Next.
4. On the Select Installation Type page, click Remote Desktop Services scenario-based Installation, and then click Next.
5. On the Select deployment type page, click Standard deployment, and then click Next. A standard deployment allows you to deploy RDS on multiple servers, splitting the roles and features among them. A quick start deploys RDS onto a single server and publishes apps.
6. On the Select deployment scenario page, click Virtual Desktop Infrastructure, and then click Next.
7. On the role services page, review roles then click Next.
8. On the Specify RD Connection Broker server page, click RDSCBSRV01.Testdomain.com, click the right arrow, and then click Next.
9. On the Specify RD Web Access server page, click RDSWEBSRV01.Testdomain.com, click the right arrow, and then click Next.
10. On the Specify RD Virtualization Host server page, click RDSVHSRV01.Testdomain.com, click the right arrow, and then click Next. RDSVHSRV01 is a physical machine configured with Hyper-V. Check Create a New Virtual Switch on the selected server.
11. On the Confirm selections page, select the Restart the destination server automatically if required check box, and then click Deploy.
12. After the installation is complete, click Close.
Step3: Test the VDI standard deployment connectivity
You can ensure that the VDI standard deployment was deployed successfully by using Server Manager to check the Remote Desktop Services deployment overview.
1. Log on to the DC1 server by using the testdomain\Administrator account.
2. Click Server Manager, click Remote Desktop Services, and then click Overview.
3. In the DEPLOYMENT OVERVIEW section, ensure that the RD Web Access, RD Connection Broker, and RD Virtualization Host role services are installed. If there is an icon and not a green plus sign (+) next to the role service name, the role service is installed and part of the deployment.
Step4: Configure FileSRV01
You must create a network share on a computer in the testdomain domain to store the user profile disks used by the virtual desktop collection. Use the following procedures:
- Create the user profile disk network share
- Adjust permissions on the network share
Create the user profile disk network share
1. Log on to the FileSRV01 computer by using the TESTDOMAIN\Administrator user account.
2. Open Windows Explorer.
3. Click Computer, and then double-click Local Disk (C:).
4. Click Home, click New Folder, type RDSUserProfile, and then press ENTER.
5. Right-click the RDSUSERPROFILE folder, and then click Properties.
6. Click Sharing, and then click Advanced Sharing.
7. Select the Share this folder check box.
8. Click Permissions, and then grant Full Control permissions to the Everyone group.
9. Click OK twice, and then click Close.
Adjust permissions on the network share
1. Right-click the RDSUSERPROFILE folder, and then click Properties.
2. Click Security, and then click Edit.
3. Click Add.
4. Click Object Types, select the Computers check box, and then click OK.
5. In the Enter the object names to select box, type RDSVHSRV01.Testdomain.com, and then click OK.
6. Click RDSVHSRV01, and then select the Allow check box next to Modify.
7. Click OK two times.
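The two procedures above can be scripted on the file server. The following PowerShell is an added example, not part of the original guide: it creates the folder and share, grants the RD Virtualization Host computer account Modify on NTFS, removes the inherited read grant for local Users, and then verifies the result. The server and share names are the guide's; the choice to scope the share-level grant to the RDVH computer account (instead of Everyone/Full Control as in the wizard steps) is an assumption made here for least privilege, since effective access is the intersection of share and NTFS permissions and the guide's NTFS step already targets that account.

```powershell
# Added example (not from the original guide): PowerShell equivalent of Step 4,
# run on FileSRV01 as TESTDOMAIN\Administrator.
$SharePath    = 'C:\RDSUserProfile'
$ShareName    = 'RDSUserProfile'
# Computer accounts are addressed with a trailing '$'. Add every RDVH host here.
$RdvhAccounts = @('TESTDOMAIN\RDSVHSRV01$')

# 1. Create the folder if it does not exist.
if (-not (Test-Path -Path $SharePath)) {
    New-Item -Path $SharePath -ItemType Directory | Out-Null
}

# 2. Share it. Full Control at the share level for the host computer account(s) only
#    (assumption: tighter than the wizard's Everyone grant). Users never open this
#    share themselves; the RD Virtualization Host mounts the profile VHDX for them.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -FullAccess $RdvhAccounts | Out-Null
}

# 3a. NTFS: stop inheriting from C:\ but keep the current entries as explicit ones.
#     This must be written to disk before the inherited entries can be edited.
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $SharePath -AclObject $acl

# 3b. NTFS: drop the BUILTIN\Users read grant so domain users cannot browse other
#     users' profile disks, and grant Modify (read/write) to each RDVH computer
#     account, inherited to subfolders and files.
$acl = Get-Acl -Path $SharePath
$usersRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.RemoveAccessRuleAll($usersRule)   # removes every Allow entry for that identity
foreach ($account in $RdvhAccounts) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SharePath -AclObject $acl

# 4. Verify: every RDVH account must hold Modify on the folder, otherwise the
#    collection wizard in Step 6 fails when it tries to create profile disks.
$modify    = [System.Security.AccessControl.FileSystemRights]::Modify
$effective = (Get-Acl -Path $SharePath).Access
foreach ($account in $RdvhAccounts) {
    $hit = $effective | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }
    if ($hit) { Write-Output  "OK: $account has Modify on $SharePath" }
    else      { Write-Warning "MISSING: $account lacks Modify on $SharePath" }
}
# Share-level view for the record
Get-SmbShareAccess -Name $ShareName
```

Run it once per file server; it is idempotent apart from re-applying the same ACL entries. If you prefer to keep the wizard's Everyone/Full Control at the share level, change `-FullAccess $RdvhAccounts` to `-FullAccess 'Everyone'` and rely on the NTFS entries alone, which is what the guide's click-through does.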
Step5: Configure RDSVHSRV01
You must add the virtual desktop template to Hyper-V so you can assign it to the pooled virtual desktop collection.
Create Virtual Desktop Template in RDSVHSRV01
1. Log on to the RDSVHSRV01 computer by using the TESTDOMAIN\Administrator user account.
2. Click Start, and then click Hyper-V Manager.
3. Right-click RDSVHSRV01, point to New, and then click Virtual Machine.
4. On the Before You Begin page, click Next.
5. On the Specify Name and Location page, in the Name box, type Virtual Desktop Template, and then click Next.
6. On the Assign Memory page, in the Startup memory box, type 1024, and then click Next.
7. On the Configure Networking page, in the Connection box, click RDS Virtual, and then click Next.
8. On the Connect Virtual Hard Disk page, click the Use an existing virtual hard disk option.
9. Click Browse, navigate to the virtual hard disk that should be used as the virtual desktop template, and then click Open. Click Next.
10. On the Summary page, click Finish.
Step6: Create the managed pooled virtual desktop collection in RDSVHSRV01
Create the managed pooled virtual desktop collection so that users can connect to desktops in the collection.
1. Log on to the RDSCBSRV01 server by using the TESTDOMAIN\Administrator user account.
2. Server Manager will start automatically. If it does not automatically start, click Start, type servermanager.exe, and then click Server Manager.
3. In the left pane, click Remote Desktop Services, and then click Collections.
4. Click Tasks, and then click Create Virtual Desktop Collection.
5. On the Before you begin page, click Next.
6. On the Name the collection page, in the Name box, type Testdomain Managed Pool, and then click Next.
7. On the Specify the collection type page, click the Pooled virtual desktop collection option, ensure that the Automatically create and manage virtual desktops check box is selected, and then click Next.
8. On the Specify the virtual desktop template page, click Virtual Desktop Template, and then click Next.
9. On the Specify the virtual desktop settings page, click Provide unattended settings, and then click Next. In this step of the wizard, you can also choose to provide an answer file. A simple answer file can be obtained from URL1 and URL2.
10. On the Specify the unattended settings page, enter the following information and retain the default settings for the options that are not specified, and then click Next.
    - In the Local Administrator account password and Confirm password boxes, type the same strong password.
    - In the Time zone box, click the time zone that is appropriate for your location.
11. On the Specify users and collection size page, accept the default selections, and then click Next.
12. On the Specify virtual desktop allocation page, accept the default selections, and then click Next.
13. On the Specify virtual desktop storage page, accept the default selections, and then click Next.
14. On the Specify user profile disks page, in the Location of user profile disks box, type \\FileSRV01\RDSUserProfile, and then click Next. Make sure that the RD Virtualization Host computer accounts have read and write access to this location.
15. On the Confirm selections page, click Create.
Step8: Test Remote Desktop Services connectivity
You can ensure that the managed pooled virtual desktop collection was created successfully by connecting to the RD Web Access server and then connecting to a virtual desktop in the Testdomain Managed Pool collection.
1. Open Internet Explorer.
2. In the Internet Explorer address bar, type https://RDSWEBSRV01.Testdomain.com/RDWeb, and then press ENTER.
3. Click Continue to this website (not recommended).
4. In the Domain\user name box, type TESTDOMAIN\Administrator.
5. In the Password box, type the password for the TESTDOMAIN\Administrator user account, and then click Sign in.
6. Click Testdomain Managed Pool, and then click Connect.
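Steps 2, 3, 6 and 8 of the guide are the Server Manager wizards for the RemoteDesktop PowerShell module's deployment cmdlets. The block below is an added example, not the guide's own content, showing the same sequence run from RDSCBSRV01: create the VDI deployment, check that each role service landed on the intended server, create the managed pooled collection against the profile-disk share, and confirm the collection and the RD Web Access certificate before pointing users at the RDWeb URL. Server names, the collection and template names and the share path are taken from the guide; the OU name, desktop count, name prefix, unattend file path, profile-disk size and the certificate `Level` values are assumptions.

```powershell
# Added example (not from the original guide): PowerShell equivalent of Steps 2, 3, 6 and 8,
# run on RDSCBSRV01 as TESTDOMAIN\Administrator.
Import-Module RemoteDesktop

$Broker    = 'RDSCBSRV01.testdomain.com'
$WebAccess = 'RDSWEBSRV01.testdomain.com'
$VhHost    = 'RDSVHSRV01.testdomain.com'

# Step 2: standard VDI deployment, one role per server, creating the virtual switch
# on the Hyper-V host (the wizard's "Create a New Virtual Switch" check box).
New-RDVirtualDesktopDeployment -ConnectionBroker $Broker -WebAccessServer $WebAccess `
    -VirtualizationHost $VhHost -CreateVirtualSwitch

# Step 3: confirm the three role services are installed and part of the deployment.
$expected = @{
    'RDS-CONNECTION-BROKER' = $Broker
    'RDS-WEB-ACCESS'        = $WebAccess
    'RDS-VIRTUALIZATION'    = $VhHost
}
$servers = Get-RDServer -ConnectionBroker $Broker
foreach ($role in $expected.Keys) {
    $found = $servers | Where-Object {
        $_.Server -eq $expected[$role] -and $_.Roles -contains $role
    }
    if (-not $found) { throw "Role $role is not installed on $($expected[$role])" }
}

# Step 6: managed pooled collection from the 'Virtual Desktop Template' VM on the host.
# The wizard's "unattended settings" (local administrator password, time zone) are
# supplied here as a sysprep unattend file; the OU must already exist in testdomain.com
# (assumption). Desktop count, prefix and disk size are assumed lab values.
New-RDVirtualDesktopCollection -CollectionName 'Testdomain Managed Pool' -PooledManaged `
    -VirtualDesktopTemplateName 'Virtual Desktop Template' `
    -VirtualDesktopTemplateHostServer $VhHost `
    -VirtualDesktopAllocation @{ $VhHost = 5 } `
    -StorageType LocalStorage `
    -Domain 'testdomain.com' -OU 'RDS Virtual Desktops' `
    -VirtualDesktopNamePrefix 'TDVDI' `
    -CustomSysprepUnattendFilePath 'C:\RDS\unattend.xml' `
    -UserProfileDiskPath '\\FileSRV01\RDSUserProfile' -MaxUserProfileDiskSizeGB 20 `
    -ConnectionBroker $Broker

# Step 8 pre-check: the collection exists, and the RD Web Access certificate chains to
# a trusted CA so users do not have to click through the browser's certificate warning.
Get-RDVirtualDesktopCollection -CollectionName 'Testdomain Managed Pool' -ConnectionBroker $Broker
$cert = Get-RDCertificate -Role RDWebAccess -ConnectionBroker $Broker
if ($cert.Level -ne 'Trusted') {
    Write-Warning ("RD Web Access certificate is '{0}'; install a CA-issued certificate " +
        "(Set-RDCertificate -Role RDWebAccess -ImportPath <pfx>) before rollout") -f $cert.Level
}
```

The deployment and collection cmdlets take several minutes each; run them interactively the first time so their progress output is visible. The certificate check is the scripted counterpart of step 3 in the connectivity test above: a lab can tolerate the "Continue to this website" prompt, but a production RDWeb endpoint should present a certificate the clients already trust.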