Relying Party – Blog by Raihan Al-Beruni

Migrate Office 365 Relying Party Trust to Different ADFS Farm

To migrate Office 365 Relying Party Trust from an existing ADFS Farm to new ADFS Farm, follow the step by step guide. Migrating Office 365 Relying Party Trust will incur a minor disruption to SSO environment.

Prerequisites:

Existing ADFS Farm with FQDN sts.domain.com
New ADFS Farm with FQDN sts1.domain.com
Existing Certificate CN=sts.domain.com or a wildcard certificate
New certificate with CN=sts1.domain.com
New public IP address for the public CNAME sts1.domain.com
A public CNAME record sts1.domain.com
An internal CNAME record sts1.domain.com

Note: keep the existing AAD Connect unless you have a requirement to build a new one.

Here are the steps:

Step1: Verify AAD Connect Configuration

Open AAD Connect, View Sign-in Option.
Check AAD Connect Wizard to make sure you did not configure “Federation with ADFS” Sign-in option. If you have done so then run AAD Connect Wizard again and replace the certificate and ADFS farm details to new ADFS server sts1.domain.com

Step2: Build ADFS and WAP Servers

Build a new ADFS farm side by side with an existing ADFS farm. It would be redundant effort to write another blog. Please follow my previous blog to deploy ADFS and WAP.

Building Multiple ADFS Farms in a Single Forest

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part I

Branding and Customizing the ADFS Sign-in Pages

Step3: Test SSO

Log on to the https://sts.domain.com/adfs/ls/idpinitiatedsignon.aspx using on-premises credentials to make sure you can single sign-on.

Step4: Gather list of existing federated domains from existing ADFS Farm

Log on to the existing primary ADFS Server, Open PowerShell as an Administrator, execute the following cmdlets.

$cred=Get-Credential

Connect-MsolService –Credential $cred

Get-MsolDomain

Record a list of Federated Domains.

Step5: Update Office 365 RP within the new ADFS Farm

Log on to the new primary ADFS Server, Open PowerShell as an Administrator, execute the following cmdlets.

$cred=Get-Credential

Connect-MsolService –Credential $cred

Update-MsolFederatedDomain –DomaiName “Domain.com” –SupportMultipleDomain –Confirm Execute Update-MsolFederatedDomain Cmdlets if you have additional federated domains such as DomainB.com

Get–MsolDomain

Open ADFS Management Console, Make sure Office 365 RP has been created with necessary tokens and permissions. If necessary, clone all incoming and outgoing claims and permission from previous ADFS farm to new ADFS Farm and apply to the newly created Office 365 RP.

Step6: Test SSOOnce you have completed the Step5, wait for Microsoft to update their backend Identity and Federation systems. In my previous implementation work, it took 30 minutes the change to take effect. Sign on to portal.office.com; you will be redirected to https://sts1.domain.com to authenticate. Once you have sign-in successfully, you have completed the migration work.

Step7: New AAD Connect Server (Optional)Check step1 before running AAD Connect Wizard and reconfigure sign-in options. If you need to change sign-in options, please follow the guide to change Sign-in Option.

Relevant Articles:

Upgrading AD FS to Windows Server 2016 FBL

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part II

Deploy Work Folder in Azure Cloud

The concept of Work Folder is to store user’s data in a convenient location. User can access the work folder from BYOD and Corporate SOE from anywhere. The work folder facilitate flexible use of corporate information securely from supported devices. The work folder can be deployed on-premises and in Azure Cloud. In this article, I will demonstrate how to deploy Work Folder in Azure. Before that, let’s start with application of Work Folder.

Applications of Work Folder in Corporate Environment

Provide a single point of access to work files from a user’s work and personal devices
Access the work files online and offline. While accessing offline, the data can be synced back to the Sync Server when the device connected to internet or intranet again
Deploy with existing deployments of Folder Redirection, Offline Files, and home folders
Use Windows File Server, SMB Share and other CIFS share for example NetApp CIFS share
Use file classification and folder quotas, to manage user data
Apply security policy and encryption to encrypt Work Folders and use a lock screen password
Use Microsoft Failover Clustering with Work Folders to provide a high-availability solution

Enhanced Functionality:

Azure AD Application Proxy support
Faster change replication
Integrated with Windows Information Protection (WIP)
Microsoft Office integration

Supported Environment:

NetApp CIFS, Windows File Server or Windows SMB Storage as the UNC path of Sync Share
Windows Server 2012 R2 or Windows Server 2016 for hosting sync shares with user files
A public certificate or internal certificate domain joined computer
Windows Server 2012 R2 level AD DS Schema
Windows 10 version 1703,
Android 4.4 KitKat and later
iOS 10.2 and later

Internal DNS records (CNAME records)

workfolders.domain.com pointed to syncserver1.domain.com and sycserver2.domain.com
sts.domain.com point to ADFS Servers
enterpriseregistration.domain.com pointed to ADFS servers

Internal DNS records (Host A Record)

syncserver1.domain.com
syncserver2.domain.com

Publishing Work Folder for mobile workforce

Access from Internet or use Azure Credentials
Web Application Proxy
Active Directory Federation Services (AD FS) with public DNS record sts.domain.com and enterpriseregistration.domain.com
A public DNS record i.e. CNAME = workfolders.domain.com
A public certificate from a public CA i.e. CN= workfolders.domain.com SAN=syncserver1.domain.com, syncserver2work.domain.com. There must be private key associated with the certificate which means the certificate must in pfx format before importing into the sync servers.

Deploy Work Folder Server

Log on to Azure Portal, Deploy a Windows Server 2016 from Azure Marketplace. Since we will be using this VM for Sync Share. I would recommend selecting an L series VM which storage optimised VM.
Once the VM is provisioned, attached premium data disk for high I/O and low latency file store.
Build a Windows Server 2016, Configure TCP/IP and Join the server to the domain
Remote into the server using domain admins credential. Open the Add Roles and Features Wizard.
On the Select installation type page, choose Role-based or feature-based deployment.
On the Select destination server page, select the server on which you want to install Work Folders.
On the Select server roles page, expand File and Storage Services, expand File and iSCSI Services, and then select Work Folders.
When asked if you want to install IIS Hostable Web Core, click Ok to install the minimal version of Internet Information Services (IIS) required by Work Folders.
Click Next until you have completed the wizard.
Repeat the steps for all Work Folder Servers.

Install Certificate on the Work Folder Server

On the Windows server 2016 where you want to install the SSL certificate, open the Console.
In the Windows start menu, type mmc and open it.
In the Console window, in the top menu, click File > Add/Remove Snap-in.
In the Add or Remove Snap-ins window, in the Available snap-ins pane (left side), select Certificates and then click Add
In the Certificate snap-in window, select Computer account and then click Next
In the Select Computer window, select Local computer: (the computer this console is running on), and then click Finish
In the Add or Remove Snap-ins window, click OK.
In the Console window, in the Console Root pane (left side), expand Certificates (Local Computer), right-click on the Web Hosting folder, and then click All Tasks > Import.
In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard page, click Next.
On the File to Import page, browse to and select the file that you want import and then, click Next.
Notes: In the File Explorer window, in the file type drop-down, make sure to select All Files (*.*). By default, it is set to search for 509 Certificate (*.cert;*.crt) file types only.
On the Private key protection page, provide the password when you exported the certificate, check Mark the Private Key exportable for future use, and check import all extended properties.
On the Certificate Store page, do the following and then click Next, Select Place all certificates in the following store and click Browse.
In the Select Certificate Store window, select Web Hosting and click OK.
On the Completing the Certificate Import Wizard page, verify that the settings are correct and then, click Finish.
Repeat the steps for all Work Folder Servers.

Bind the Certificate:

Log on to a jump box where IIS Management Console is installed, Open IIS Management Console, Connect to Work Folder Server. Select the Default Web Site for that server. The Default Web Site will appear disabled, but you can still edit the bindings for the site and select the certificate to bind it to that web site.
Use the netsh command to bind the certificate to the Default Web Site https interface. The command is as follows:

netsh http add sslcert ipport=<IP address of Sync Share Server>:443 certhash=<Cert thumbprint> appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorename=MY

Create Active Directory Security Group

You need minimum two AD security groups for Work Folder. One for Work Folder Admin and another for Work Folder Sync Share. For this article, let’s assume we have a Sync Share. We will create two Security Groups named FS-HRShareUser-SG and FS-HRShareAdmin-SG
Make sure these security group scope is Global not Universal. In the Members section, click Add. The Select Users, Contacts, Computers, Service Accounts or Groups dialog box appears.

Create a Sync Share

In Server Manager, click File and Storage Services, and then click Work Folders.
A list of any existing sync shares is visible at the top of the details pane. To create a new sync share, from the Tasks menu choose New Sync Share…. The New Sync Share Wizard appears.
On the Select the server and path page, specify where to store the sync share. If you already have a file share created for this user data, you can choose that share. Alternatively you can create a new folder.
On the Specify the structure for user folders page, choose a naming convention for user folders within the sync share. Select either User alias or User alias@domain
On the Enter the sync share name page, specify a name and a description for the sync share. This is not advertised on the network but is visible in Server Manager
On the Grant sync access to groups page, specify the group that you created that lists the users allowed to use this sync share.
On the Specify device policies page, specify whether to request any security restrictions on client PCs and devices. Select either Automatically lock screen, and require a password or Encrypt Work Folders based on your requirements.
Review your selections and complete the wizard to create the sync share.

Setup a Tech Support Email Address

In Server Manager, click File and Storage Services, and then click Servers.
Right-click the sync server, and then click Work Folders Settings. The Work Folders Settings window appears.
In the navigation pane, click Support Email and then type the email address or addresses that users should use when emailing for help with Work Folders. Click Ok when you’re

Publish Work Folder using ADFS Server

You can set up and configure the relying party trust for Work Folders, even though Work Folders hasn’t been set up yet. The relying party trust must be set up to enable Work Folders to use AD FS. Because you’re in the process of setting up AD FS, now is a good time to do this step.

To set up the relying party trust:

Log on to ADFS Server. Open Server Manager, on the Tools menu, select AD FS Management.
In the right-hand pane, under Actions, click Add Relying Party Trust.
On the Welcome page, select Claims aware and click Start.
On the Select Data Source page, select Enter data about the relying party manually, and then click Next.
In the Display name field, enter WorkFolders, and then click Next.
On the Configure Certificate page, click Next..
On the Configure URL page, click Next.
On the Configure Identifiers page, add the following identifier: https://workfolders.domain.com/V1. This identifier is a hard-coded value used by Work Folders, and is sent by the Work Folders service when it is communicating with AD FS. Click Next.
On the Choose Access Control Policy page, select Permit Everyone, and then click Next.
On the Ready to Add Trust page, click Next.
After the configuration is finished, the last page of the wizard indicates that the configuration was successful. Select the checkbox for editing the claims rules, and click Close.
In the AD FS snap-in, select the WorkFolders relying party trust and click Edit Claim Issuance Policy under Actions.
The Edit Claim Issuance Policy for WorkFolders window opens. Click Add rule.
In the Claim rule template drop-down list, select Send LDAP Attributes as Claims, and click Next.
On the Configure Claim Rule page, in the Claim rule name field, enter WorkFolders.
In the Attribute store drop-down list, select Active Directory.
In the mapping table, enter these values:
- User-Principal-Name: UPN
- Display Name: Name
- Surname: Surname
- Given-Name: Given Name
Click Finish. You’ll see the WorkFolders rule listed on the Issuance Transform Rules tab and click OK.
In the AD FS snap-in, select the WorkFolders relying party trust, On the properties, choose the Encryption tab, Remove the certificate encryption
Choose the Signature tab and make sure the Work Folder Certificate was imported
Click Apply, Click Ok.

Set relying part trust options

These commands set options that are needed for Work Folders to communicate successfully with AD FS, and can’t be set through the UI. These options are:

Enable the use of JSON web tokens (JWTs)
Disable encrypted claims
Enable auto-update
Set the issuing of Oauth refresh tokens to All Devices.
Grant clients access to the relying party trust

Set-ADFSRelyingPartyTrust -TargetIdentifier “https://workfolders.domain.com/V1” -EnableJWT $true

Set-ADFSRelyingPartyTrust -TargetIdentifier “https://workfolders.domain.com/V1” -Encryptclaims $false

Set-ADFSRelyingPartyTrust -TargetIdentifier “https://workfolders.domain.com/V1” -AutoupdateEnabled $true

Set-ADFSRelyingPartyTrust -TargetIdentifier “https://workfolders.domain.com/V1” -IssueOAuthRefreshTokensTo AllDevices

Grant-AdfsApplicationPermission -ServerRoleIdentifier “https://workfolders.domain.com/V1” –AllowAllRegisteredClients

Enable Workplace Join

To enable device registration for Workplace Join, you must run the following Windows PowerShell commands, which will configure device registration and set the global authentication policy:

Initialize-ADDeviceRegistration -ServiceAccountName domain\svc-adfsservices$

Set-ADFSGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

Set up AD FS authentication

To configure Work Folders to use AD FS for authentication, follow these steps:

Log on to Sync Share Server. Open Server Manager.
Click Servers, and then select your Work Folders server in the list.
Right-click the server name, and click Work Folders Settings.
In the Work Folder Settings window, select Active Directory Federation Services, and type in the ADFS URL. Click Apply. In the test example, the URL is https://sts.domain.com.

Publish the Work Folders web application

The next step is to publish a web application that will make Work Folders available to clients. To publish the Work Folders web application, follow these steps:

Import Work Folder Certificate into WAP Servers
Open Server Manager, and on the Tools menu, click Remote Access Management to open the Remote Access Management Console.
Under Configuration, click Web Application Proxy.
Under Tasks, click Publish. The Publish New Application Wizard opens.
On the Welcome page, click Next.
On the Preauthentication page, select Active Directory Federation Services (AD FS), and click Next.
On the Support Clients page, select OAuth2, and click Next.
On the Relying Party page, select Work Folders, and then click Next. This list is published to the Web Application Proxy from AD FS.
On the Publishing Settings page, enter the following and then click Next, use these values:

Name: WorkFolders
External URL: https://workfolders.domain.com
External certificate: Select Work Folder Certificate
Backend server URL: https://workfolders.domain.com

The confirmation page shows the Windows PowerShell command that will execute to publish the application. Click Publish.
On the Results page, you should see the application was published successfully.

Configure Work Folders on the client

To configure Work Folders on the non-domain join client machine, follow these steps:

On the client machine, open Control Panel and click Work Folders.

Click Set up Work Folders.

On the Enter your work email address page, enter either the user’s email address (for example, user@domain.com) or the Work Folders URL (in the test example, https://workfolders.domain.com), and then click Next.
If the user is connected to the corporate network, the authentication is performed by Windows Integrated Authentication. If the user is not connected to the corporate network, the authentication is performed by ADFS (OAuth) and the user will be prompted for credentials. Enter your credentials and click OK.
After you have authenticated, Click Next.
The Security Policies page lists the security policies that you set up for Work Folders. Click Next.
A message is displayed stating that Work Folders has started syncing with your PC. Click Close.
The Manage Work Folders page shows the amount of space available on the server, sync status, and so on. If necessary, you can re-enter your credentials here. Close the window.
Your Work Folders folder opens automatically. You can add content to this folder to sync between your devices.

To configure Work Folders on the domain joined client machine, follow these steps:

Configure using GPO, use Go to User Configuration > Administrative Templates > Windows Components > Work Folders > Specify Work Folders settings.
Specify Work Folder URL as workfolders.domain.com
Apply the GPO to selected OU.

Relevant Article:

Work Folder FAQ

NetApp CIFS shares not mounting to Windows Server 2012

Configure Azure B2B, Azure Rights Management for on-premises SharePoint, Exchange and File server

Azure Information Protection (Azure RMS) is an enterprise information protection solution for any organization. Azure RMS provides classification, labeling, and protection of organization’s data.

Note: This deployment also enables Azure B2B access for the Published Applications in Azure AD.

Azure Prerequisites

A subscription that includes Azure Information Protection. For example, PAYG, EA or E5
A global administrator account (@domain.onmicrosoft.com) to sign in to the Azure portal

Minimum On-premises Prerequisites

An operational Active Directory Federation Services
An operational Azure Active Directory Connect
An Active Directory Domain Controller
An RMS Connector Server
RMS Client version 2.1 or above installed on the SharePoint or File Server or Exchange Server
Azure Information Protection for Microsoft Office 2016
A matching UPN (dmain.com) which has been federated to Azure AD
Publicly routable domains name (domain.com)
Publicly routable DNS Records (spirm.domain.com, sts.domain.com)
Public certificates with SAN or an wild card certificate
Public certificate must have private key or PFX format
An operational SharePoint or File Server or Exchange Server to be protected by Azure RMS

Deploy On-prem Infrastructures:

Register and verify domain.com to Azure ARM Portal
Install and configure Active Directory Federation Services
Install and configure Web Application Proxy Server

Install and configure Azure Active Directory Connect. AAD Connect installation pretty straight forward. To use Azure RMS you have to select three extra steps in AAD Connect. Either you can modify existing configuration to the below or if you are installing from scratch then you have to select an additional features. To provide the RMS functionality to synced users, Azure RMS has been selected in AAD Connect Wizard along with the Azure AD Apps.
On the AAD Connect Installation Page, click Customize to start a customized settings installation.
On User Signin Page Select Federation With ADFS.
On the Optional feature Page, Select Azure AD App and Attribute Filtering. Make sure you select all features which include Azure RMS

Activate Azure RMS

Sign to Azure Portal using a Global Admin user (@domain.onmicrosoft.com)
Open Azure Information Protection, Click RMS Settings, Click Activate.

If you are protecting SharePoint Server then you have to the additional steps on ADFS Server and SharePoint Server mentioned below.

Internal CNAME DNS record:

domain.com pointed to ADFS Server
domain.com pointed to SP Server
domain.com pointed to RMS Connector Server

ADFS Configuration:

Add a Claim Provider Trust using Wizard, type the name of the Claim Provider as “AzureAD” Select the URL to import metadata from https://login.microsoftonline.com/domain.onmicrosoft.com/federationmetadata/2007-06/federationmetadata.xml

Right Click on the the Azure AD Claim Provider, Edit Claim Rule and Add a custom claim rule

c:[] => issue(claim = c);

Add SharePoint 2013/2016 as a Relying Party Trust with the below properties:

Method to Add RP: Manual

Name: SP

RP Identifier: urn:sharepoint:domain

Enable WS-Federation and provide the following passive reply url: https://spirm.domain.com /_trust/

Add two Claim Rules

UPN Claim Rule

c:[Type == “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name”%5D
=> issue(Type = “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn”, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

B2B User Claim Rule

c:[Type == “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”%5D
=> issue(Type = “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn”, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

Specify AzureAD as SharePoint 2013 Claim Provider

Set-AdfsRelyingPartyTrust -TargetName “SP” -ClaimsProviderName @(“AzureAD”)

Specify Claim Provider for Internal Users:

Set-AdfsProperties -IntranetUseLocalClaimsProvider $true

Add Azure Web Application:

Log on to portal.azure.com, Click Azure AD, On the App registration section, Register an Azure Web Application using the below parameter:

App ID URI: http://sts.domain.com/adfs/services/trust
Reply URL: https://sts.domain.com/adfs/ls
Signin URL or Home Page: https://spirm.domain.com
Permission: Windows Azure AD

Grant Access to Azure AD user and B2B User to this Application

Sign in to the Azure Active Directory admin center with an account that’s a global admin for the directory.
Select Azure Active Directory and then Users and groups.
On the Users and groups blade, select All users, and then select New Guest user.
Go back to newly registered App, Assign access permission to the guest user

Assign RMS Licenses to Azure B2B users:

Connect-MsolService

$AccountSkuId = “domain:ENTERPRISEPACK”

$UsageLocation = “AU”

$Users = Import-Csv c:\temp\userlist.csv

$Users | ForEach-Object {

Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $UsageLocation

Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $AccountSkuId

}

Where userlist.csv contain userprincipal name or B2B username in first column. Further references.

Azure Licenses for B2B user https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-licensing

Configure Right Management Connector

Download Rights Management Connector on the server where you are going to install the Connector.
Create a Service account in Windows Active Directory with federated UPN SVCRMS@domain.com
SVCRMS@domain.com is AAD Synced Account.
Open AD users and Computers, Add SVCRMS@domain.com as a member of domain admins group.
Sign into Azure Portal, Assign SVCRMS@domain.com as global admin, Azure RightsManagement global administrator
On the computer on which you want to install the RMS connector, run exe with Administrator privileges. When prompted for credential use SVCRMS@domain.com account and alphanumeric password.

Note: do not install RMS connector on Exchange, File and SharePoint Server.

SharePoint Specific Configuration: Reference1 and reference2

Add-PSSnapIn Microsoft.SharePoint.PowerShell

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“c:\ADFSCertificates\STSTokenSigning.cer”)

New-SPTrustedRootAuthority -Name “Token Signing Cert” -Certificate $cert

$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress” -IncomingClaimTypeDisplayName “EmailAddress” -SameAsIncoming

$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn” -IncomingClaimTypeDisplayName “UPN” -SameAsIncoming

$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.microsoft.com/ws/2008/06/identity/claims/role” -IncomingClaimTypeDisplayName “Role” -SameAsIncoming

$sidClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid” -IncomingClaimTypeDisplayName “SID” -SameAsIncoming

$realm = “urn:sharepoint:dealdocs”

$signInURL = “https://sts.dealdocs.com/adfs/ls/”

$ap = New-SPTrustedIdentityTokenIssuer -Name “ADFS” -Description “AD Federation Server” -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap,$upnClaimMap,$roleClaimMap,$sidClaimMap -SignInUrl “https://sts.dealdocs.com/adfs/ls/” -IdentifierClaim $emailClaimmap.InputClaimType

Download and run GenConnectorConfig.ps1 the below command on SP Server. This command automate changes in registry values.

.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetSharePoint2013

Configure RMS Connector for SharePoint Server

On the SharePoint Central Administration Web site, in the Quick Launch, click Security.
On the Security page, in the Information Policy section, click Configure information rights management.
On the Information Rights Management page, in the Information Rights Management section, select Use this RMS server type https://rmsconnector.domain.com).
Click OK.
Next step Add users to SharePoint Library

For Exchange Server, Download and run GenConnectorConfig.ps1 on Exchange Server

.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetExchange2013

Run the below command in Exchange Server

Set-IRMConfiguration -InternalLicensingEnabled $true

For File Server Download and run GenConnectorConfig.ps1 on File Server

.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetFCI2012

Create classification rules and file management tasks to protect documents with RMS Encryption.

Testing:

Download Azure Information Protection and protect a document for B2B user
Upload the document into SharePoint Library
Request the B2B user to access from the invitation you have sent.

Share this:

Like this:

Share this:

Like this:

Share this:

Like this: