Mod 3: Office 365 DirSync, Single Sign-On & ADFS · 2013. 8. 3.



  • Published: 9/10/2012

    1

    ©2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Azure, System Center, Hyper-V and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other

    countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions,

    it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES,

    EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

    Slide 1: Office 365 for SMB Jump Start
    Mod 3: Office 365 DirSync, Single Sign-On & ADFS
    Chris Oakman | Managing Partner Infrastructure Team | Eastridge Technology
    Stephen Hall | CEO & SMB Technologist | District Computers


    Slide 2: Jump Start Schedule – Target Agenda
    Day 1: Administering Office 365
    • Office 365 Overview & Infrastructure
    • Office 365 User Management
    • Office 365 DirSync, Single Sign-On & ADFS
    • MEAL BREAK
    • Administering Lync Online
    • Administering SharePoint Online
    Day 2: Administering Exchange Online
    • Exchange Online Deployment & Migration
    • Exchange Online FOPE
    • Exchange Online Archiving & Compliance
    • Exchange Online Overview & User Management


    Slide 3: Module 3: Office 365 DirSync, Single Sign-On & ADFS
    • Reviewing Identities
    • Understanding DirSync
    • DirSync Requirements
    • Understanding Single Sign-On & ADFS


    Slide 4: Reviewing Identity Types
    Cloud Identity
    • Separate credential from corporate credential
    • Authentication occurs via cloud directory service
    • Password policy stored in Office 365
    Federated Identity
    • Same credential as corporate credential
    • Authentication occurs via on-premises Active Directory service
    • Password policy is stored on-premises
    • Requires Directory Synchronization


    Slide 5: Reviewing Identity Usage Scenarios
    Cloud Identity
    • Scenario
    ‒ Smaller organizations without on-premises Active Directory
    • Pros
    ‒ Does not require on-premises server deployment
    • Cons
    ‒ No Single Sign-On
    ‒ No 2 Factor Authentication options
    ‒ 2 sets of credentials to manage with, potentially, different password policies
    Cloud Identity + DirSync
    • Scenario
    ‒ Medium to Large organizations with Active Directory on-premises
    • Pros
    ‒ “Source of Authority” is on-premises
    ‒ Enables coexistence
    • Cons
    ‒ No Single Sign-On
    ‒ No 2 Factor Authentication options
    ‒ 2 sets of credentials to manage with, potentially, different password policies
    ‒ Requires on-premises server deployment
    Federated Identity*
    • Scenario
    ‒ Large enterprise organizations with Active Directory on-premises
    ‒ Requires DirSync
    • Pros
    ‒ Single Sign-On experience
    ‒ “Source of Authority” is on-premises
    ‒ 2 Factor Authentication options
    ‒ Enables coexistence
    • Cons
    ‒ Requires on-premises server deployment in high availability scenario


    Slide 6: Module 3: Office 365 DirSync, Single Sign-On & ADFS
    • Reviewing Identities
    • Understanding DirSync
    • DirSync Requirements
    • Understanding Single Sign-On & ADFS


    Slide 7: What is DirSync?
    • Application that synchronizes on-premises Active Directory with Office 365
    • x64 version based on FIM
    ‒ Previous x86 versions based upon ILM 2007
    • Bundled with SQL 2008 R2 Express Edition
    • Designed as an “appliance”
    ‒ “Set it and forget it”


    Slide 8: DirSync | Enables Coexistence
    • Provisions objects in Office 365 with same email addresses as the objects in the on-premises environment
    • Provides unified Global Address List experience between on-premises and Office 365
    ‒ Objects hidden from GAL on-premises also hidden from Office 365 GAL
    • Enables mail routing between on-premises and Office 365 with a shared domain namespace
    • Enables application coexistence for Microsoft Lync
    • Enables Exchange coexistence scenarios
    ‒ simple and hybrid scenarios


    Slide 9: DirSync | Enables Single Sign-On
    • Enables “run state” administration and management of users, groups, and contacts
    ‒ Synchronizes adds/deletes/modifications of users, groups, and contacts from on-premises to Office 365
    • Not intended as a single use bulk upload tool


    Slide 10: DirSync Synchronization
    • Entire Active Directory forest scoped for synchronization
    • What is synchronized?
    ‒ All user objects
    ‒ All group objects
    ‒ Mail-enabled contact objects
    ‒ Passwords are not synchronized
    ‒ Synchronization is from on-premises to Office 365 only (unless “write-back” is enabled)
    • Synchronization occurs every 3 hours
    ‒ Use “Start-OnlineCoexistenceSync” cmdlet to force a sync


    Slide 11: DirSync Synchronization | User Objects
    • Mail-enabled/mailbox-enabled users are synchronized as mail-enabled users (not mailbox-enabled users)
    ‒ Visible in the Office 365 GAL (unless explicitly hidden from GAL)
    ‒ Logon enabled, but not automatically licensed to use services
    ‒ Target address is synchronized for mail-enabled users
    • Regular NT users are synchronized as regular NT users
    ‒ Not automatically provisioned as mail-enabled in Office 365
    • Resource mailboxes are synchronized as resource mailboxes
    • Synchronized users are not automatically assigned a license


    Slide 12: DirSync Synchronization
    • Group Objects
    ‒ Mail-enabled groups are synchronized as mail-enabled
    ‒ Group memberships are synchronized
    ‒ Security groups are synchronized as security groups
    • Contact Objects
    ‒ Only mail-enabled contacts are synchronized
    ‒ Target address is synchronized to Office 365


    Slide 13: DirSync Synchronization
    • New user, group, and contact objects that are added on-premises are added to Office 365
    • Existing user, group, and contact objects that are deleted from on-premises are deleted from Office 365
    • Existing user objects that are disabled on-premises are disabled in Office 365
    • Existing user, group, or contact object attributes (those that are synchronized) that are modified on-premises are modified in Office 365


    Slide 14: DirSync Synchronization (diagram)
    [Diagram: on-premises Active Directory and Exchange Server on the left, DirSync (client side) in the middle, and Microsoft Online Services on the right: Online Directory, AWS (DirSync Web Service), SharePoint Online, Live ID, Exchange Online and Lync Online.]
    Sync Cycle Step 1: Import Users, Groups, and Contacts from source Active Directory forest
    Sync Cycle Step 2: Imports Users, Groups, and Contacts from Microsoft Online Services via AWS
    Sync Cycle Step 3: Export Users, Groups, and Contacts that do not already exist in Microsoft Online Services
    On-premises User Object (Mailbox-Enabled)
    ‒ ProxyAddresses: SMTP: [email protected]
    Resulting Microsoft Online Services object: Logon Enabled User Object (Unlicensed), Mail-Enabled User (not Mailbox-Enabled)
    ‒ ProxyAddresses: SMTP: [email protected]; smtp: [email protected]
    ‒ TargetAddress: [email protected]


    Slide 15: DirSync Synchronization
    • First synchronization cycle after installation is a full synchronization
    ‒ Time-consuming process relative to number of objects synchronized
    ‒ ~5000 objects per hour
    • Subsequent synchronization cycles are deltas only
    ‒ Much faster
    • Not all on-premises attributes synchronized for each object type, but 100+ attributes are synchronized


    Slide 16: DirSync Synchronization
    • Once implemented, on-premises AD becomes the “source of authority” for synchronized objects
    ‒ Modifications to synchronized objects must occur in the on-premises AD
    ‒ Synchronized objects cannot be modified or deleted via the portal unless DirSync is disabled for the tenant
    • Scoping/Filtering
    ‒ Custom scoping or filtering is officially unsupported (guidance coming soon)
    ‒ V1 DirSync filter XML file no longer an available option for filtering


    Slide 17: DirSync Synchronization
    • The value of the on-premises objectGuid AD attribute is assigned to the sourceAnchor attribute during initial object synchronization
    ‒ Referred to as a “hard match”
    ‒ DirSync knows which Office 365 objects it is the “source of authority” for by examining the sourceAnchor attribute
    • DirSync can also match user objects created via the portal with on-premises objects if there is a match using the primary SMTP address
    ‒ Referred to as a “soft match”


    Slide 18: DirSync Synchronization
    • Synchronization errors are emailed to the Technical Contact for the subscription
    ‒ Recommend using a distribution group as the Technical Contact email address
    • Example errors include:
    ‒ Synchronization health status
    • Sent once a day if a synchronization cycle has not registered 24 hours after the last successful synchronization
    ‒ Objects whose attributes contain invalid characters
    ‒ Objects with duplicate/conflicting email addresses
    ‒ Sync quota limit exceeded
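The hard-match and soft-match rules from slide 17 together with the error conditions on this slide, modelled in Python as an added example (constructed code, not the DirSync tool's own logic; the sample users, the contoso.example domain and the "invalid characters" rule are assumptions):

```python
import base64
import re
import uuid
from dataclasses import dataclass

# Constructed model of one DirSync cycle (not the tool's own code): a sourceAnchor hard
# match or a primary-SMTP soft match decides which cloud object on-premises AD is the
# source of authority for; export is one-way; bad/duplicate addresses become errors.

@dataclass
class OnPremUser:
    object_guid: uuid.UUID
    upn: str
    primary_smtp: str
    display_name: str
    enabled: bool = True

@dataclass
class CloudUser:
    upn: str
    primary_smtp: str
    display_name: str
    enabled: bool = True
    source_anchor: str = ""  # empty: created in the portal, not owned by DirSync

def source_anchor(guid: uuid.UUID) -> str:
    """sourceAnchor is the base64 of the objectGUID bytes (.NET byte order = bytes_le)."""
    return base64.b64encode(guid.bytes_le).decode("ascii")

# Assumed rule for "attributes contain invalid characters": whitespace or non-ASCII in SMTP.
INVALID = re.compile(r"\s|[^\x00-\x7f]")

def run_sync_cycle(on_prem, cloud):
    """Steps 1/2 (imports) are the input lists; step 3 exports into `cloud` in place.
    Passwords are never in the synchronized set. Returns (actions, errors) as (kind, upn)."""
    actions, errors = [], []
    by_anchor = {c.source_anchor: c for c in cloud if c.source_anchor}
    by_smtp = {}
    for c in cloud:
        by_smtp.setdefault(c.primary_smtp.lower(), []).append(c)
    seen_smtp, seen_anchors = set(), set()

    for o in on_prem:
        anchor = source_anchor(o.object_guid)
        seen_anchors.add(anchor)
        smtp = o.primary_smtp.lower()
        if INVALID.search(o.primary_smtp):
            errors.append(("invalid-characters", o.upn))
            continue
        if smtp in seen_smtp:
            errors.append(("duplicate-email", o.upn))
            continue
        seen_smtp.add(smtp)

        target = by_anchor.get(anchor)  # hard match on sourceAnchor
        if target is None:
            # Soft match: a portal-created object with the same primary SMTP is claimed
            # by stamping the anchor; DirSync owns it from now on.
            portal_made = [c for c in by_smtp.get(smtp, []) if not c.source_anchor]
            if not portal_made:
                cloud.append(CloudUser(o.upn, o.primary_smtp, o.display_name, o.enabled, anchor))
                actions.append(("add", o.upn))
                continue
            target = portal_made[0]
            target.source_anchor = anchor
            by_anchor[anchor] = target
            actions.append(("soft-match", o.upn))

        # One-way export: on-premises values win, so an edit made in the portal is overwritten.
        if (o.upn, o.primary_smtp, o.display_name) != (target.upn, target.primary_smtp, target.display_name):
            target.upn, target.primary_smtp, target.display_name = o.upn, o.primary_smtp, o.display_name
            actions.append(("modify", o.upn))
        if o.enabled != target.enabled:
            target.enabled = o.enabled
            actions.append(("disable" if not o.enabled else "enable", o.upn))

    # Objects DirSync owns (anchor set) that vanished on-premises are deleted in the cloud.
    for c in list(cloud):
        if c.source_anchor and c.source_anchor not in seen_anchors:
            cloud.remove(c)
            actions.append(("delete", c.upn))
    return actions, errors

def demo():
    """Constructed sample directory; returns (actions, errors, cloud) after one cycle."""
    g = [uuid.UUID(int=n) for n in range(1, 6)]
    on_prem = [
        OnPremUser(g[0], "alice@contoso.example", "alice@contoso.example", "Alice"),
        OnPremUser(g[1], "bob@contoso.example", "bob@contoso.example", "Bob", enabled=False),
        OnPremUser(g[2], "carol@contoso.example", "carol@contoso.example", "Carol"),
        OnPremUser(g[3], "dan@contoso.example", "bob@contoso.example", "Dan"),  # duplicate SMTP
        OnPremUser(g[4], "eve@contoso.example", "eve smith@contoso.example", "Eve"),  # invalid char
    ]
    cloud = [
        CloudUser("alice@contoso.example", "alice@contoso.example", "Alice (portal edit)", True, source_anchor(g[0])),
        CloudUser("bob@contoso.example", "bob@contoso.example", "Bob", True, source_anchor(g[1])),
        CloudUser("carol@contoso.example", "carol@contoso.example", "Carol"),  # created in the portal
        CloudUser("gone@contoso.example", "gone@contoso.example", "Gone", True, source_anchor(uuid.UUID(int=99))),
    ]
    actions, errors = run_sync_cycle(on_prem, cloud)
    return actions, errors, cloud
```

Running `demo()` shows a portal edit being overwritten, a disable and a delete propagating one way, a portal-created object being claimed by soft match, and the two on-premises objects that would be reported by email instead of exported.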


    Slide 19: Module 3: Office 365 DirSync, Single Sign-On & ADFS
    • Reviewing Identities
    • Understanding DirSync
    • DirSync Requirements
    • Understanding Single Sign-On & ADFS


    Slide 20: DirSync | Computer Requirements
    • Must be joined to an Active Directory domain within the same forest that will be synchronized with Office 365
    ‒ Does not have to be joined to the root domain
    • Cannot be a domain controller
    • Must be able to communicate with any/all domain controllers forest wide
    • Should be located in an access controlled environment
    ‒ Access should be limited to those with access to domain controllers and other security sensitive systems


    Slide 21: DirSync | AD Requirements
    • Only routable domains can be used with DirSync deployment
    ‒ Non-routable domains include .local OR .loc OR .internal.
    • If organization has AD w/ only internal namespace, must:
    ‒ Add a routable UPN suffix in Active Directory Forests and Trusts.
    ‒ Configure each user with that routable UserPrincipalName suffix: [email protected] must be changed to [email protected]
    ‒ If this is not done, once DirSync runs, users will appear in Office 365 as [email protected] instead of [email protected]

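The UPN-suffix requirement above turned into a pre-sync audit, added here as an example (constructed Python, not Microsoft's tooling; the sample forest, suffixes and users are assumptions):

```python
# Constructed pre-DirSync audit of userPrincipalName suffixes (not Microsoft's code).
# The slide's rule: a user whose UPN suffix is non-routable (.local, .loc, .internal)
# must be moved to a routable suffix that was first registered at the forest level.

NON_ROUTABLE_TLDS = {"local", "loc", "internal"}


def is_routable(suffix: str) -> bool:
    """A suffix is routable when it has a top-level label and that label is not internal."""
    parts = suffix.lower().rsplit(".", 1)
    return len(parts) == 2 and parts[1] not in NON_ROUTABLE_TLDS


def plan_upn_changes(forest_suffixes, users, new_suffix):
    """forest_suffixes: UPN suffixes the forest currently offers (domain DNS names plus any
    added at the forest level). users: (sAMAccountName, userPrincipalName) pairs.
    Returns (changes, problems); each change is (sam, old_upn, new_upn)."""
    if not is_routable(new_suffix):
        return [], [("target-suffix-not-routable", new_suffix)]
    if new_suffix.lower() not in {s.lower() for s in forest_suffixes}:
        # The suffix has not been added to the forest yet, so the per-user change cannot be applied.
        return [], [("suffix-not-registered-in-forest", new_suffix)]
    changes, problems = [], []
    for sam, upn in users:
        if "@" not in upn:
            problems.append(("no-upn", sam))
            continue
        local, suffix = upn.rsplit("@", 1)
        if not is_routable(suffix):
            changes.append((sam, upn, f"{local}@{new_suffix}"))
    return changes, problems


def demo():
    """Constructed forest: internal-only namespace plus one added routable suffix."""
    forest = ["corp.local", "contoso.example"]
    users = [("jdoe", "jdoe@corp.local"), ("asmith", "asmith@contoso.example"),
             ("svc", ""), ("bwong", "bwong@hq.corp.local")]
    return plan_upn_changes(forest, users, "contoso.example")
```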


    Slide 22: DirSync | Software Requirements
    • Windows Installer 4.5 or later
    • Windows PowerShell version 2.0
    • Microsoft .NET Framework version 3.5 or later
    • Windows Server 2003/R2 x86 with Service Pack 2 or later, or Windows Server 2008 x86 with the latest service pack installed
    ‒ x64 is supported
    • Microsoft Online Services Sign-In Assistant
    ‒ Not a prerequisite for installation, but required when connecting to Office 365


    Slide 23: DirSync | Hardware Requirements
    • Minimum of 1GB hard drive space
    ‒ 600 MB for a complete installation of all Directory Synchronization Tool components
    ‒ 400 MB required to create the initial database file
    • Additional hard drive space most likely required for mid-size or larger companies
    • Server hardware should meet minimum requirements
    ‒ For SQL Server 2008 R2 Express Edition and FIM (x64) or Identity Lifecycle Manager 2007 Feature Pack 1 (x86 - legacy)


    Slide 24: DirSync | Network Requirements
    • Synchronization with Office 365 occurs over SSL
    • Internal network communication will use typical Active Directory related ports

    Service                              Protocol   Port
    LDAP                                 TCP/UDP    389
    Kerberos                             TCP/UDP    88
    DNS                                  TCP/UDP    53
    Kerberos Change Password             TCP/UDP    464
    RPC                                  TCP        135
    RPC randomly allocated high ports    TCP        1024 - 65535 / 49152 - 65535¹
    SMB                                  TCP        445
    SSL                                  TCP        443
    SQL                                  TCP        1433

    ¹ This is the range in Windows Server 2008 and in Windows Vista.


    DirSync | Permission Requirements

    Account used to install DirSync must have
    1. local machine administrator permissions
    2. If using full SQL, rights within SQL to create the DirSync database, and to set up the SQL service account with the role of db_owner

    Account used to configure DirSync must reside in the local machine MIISAdmins group
    1. Account used to install DirSync is automatically added

    Administrator permission in the Office 365 tenant
    1. DirSync uses an administrator account in the tenant to provision and update/modify objects


    DirSync | Permission Requirements

    • Enterprise Administrator permission in the on-premise Active Directory
    ‒ Credential is not stored/saved by the configuration wizard
    ‒ Used to create the “MSOL_AD_Sync” domain account in the “CN=Users” container of the root domain of the forest
    ‒ Used to delegate the following permissions on each domain partition in the forest
    • Replicating Directory Changes
    • Replicating Directory Changes All
    • Replication Synchronization
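The three replication rights the wizard delegates to MSOL_AD_Sync let the holder read every attribute of every object in the partition, so a defender should know exactly which principals hold them. The following audit script is an added example, not part of the Jump Start deck or the DirSync tool; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the caller can read the domain partition ACLs, and that the sync account carries the name the slide gives (MSOL_AD_Sync).

```powershell
# Added example (not from the deck): list who holds the replication extended rights
# that the DirSync wizard delegates on each domain partition, and flag any holder
# that is not a domain controller, a built-in admin group or the sync account.
Import-Module ActiveDirectory

# Well-known rightsGuid values of the three extended rights named on the slide.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
}
# An ExtendedRight ACE whose ObjectType is the empty GUID grants every extended right.
$AllExtendedRights = [guid]::Empty

# Principals expected to hold these rights (assumption: adjust for your forest).
$ExpectedPrincipals = @(
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators'
)
# The account the configuration wizard creates, per the slide (DOMAIN\MSOL_AD_Sync).
$SyncAccountPattern = '\\MSOL_AD_Sync$'

function Get-ReplicationRightHolder {
    param([string]$PartitionDN)
    $acl = Get-Acl -Path ("AD:\" + $PartitionDN)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $granted = @()
        $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
        $extended   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if (($rights -band $genericAll) -eq $genericAll) {
            # GenericAll implies every extended right, replication included.
            $granted += 'GenericAll (implies all replication rights)'
        }
        elseif (($rights -band $extended) -eq $extended) {
            $key = $ace.ObjectType.ToString()
            if ($ace.ObjectType -eq $AllExtendedRights) { $granted += 'All extended rights' }
            elseif ($ReplicationRights.ContainsKey($key)) { $granted += $ReplicationRights[$key] }
        }
        foreach ($name in $granted) {
            $principal = $ace.IdentityReference.Value
            [pscustomobject]@{
                Partition = $PartitionDN
                Principal = $principal
                Right     = $name
                Inherited = $ace.IsInherited
                Expected  = ($principal -in $ExpectedPrincipals) -or ($principal -match $SyncAccountPattern)
            }
        }
    }
}

# The wizard delegates on every domain partition in the forest, so audit them all.
$findings = foreach ($domain in (Get-ADForest).Domains) {
    Get-ReplicationRightHolder -PartitionDN (Get-ADDomain -Identity $domain).DistinguishedName
}
$findings | Sort-Object Partition, Principal | Format-Table -AutoSize
"Unexpected holders (review each one):"
$findings | Where-Object { -not $_.Expected } | Format-Table Partition, Principal, Right -AutoSize
```

Run it again after the DirSync configuration wizard completes and compare the two outputs: the only new entries should be the MSOL_AD_Sync account on each domain partition.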


    Module 3: Office 365 DirSync, Single Sign-On & ADFS

    • Reviewing Identities
    • Understanding DirSync
    • DirSync Requirements
    • Understanding Single Sign-On & ADFS


    Single Sign-On | Purpose

    • Enables users to access both the on-premises and cloud-based organizations with a single user name and password
    • Provides users with a familiar sign-on experience
    • Allows administrators to easily control account policies for cloud-based organization mailboxes by using on-premises Active Directory management tools.


    Single Sign-On | Benefits

    • Policy Control
    • Access Control
    • Reduced Support Calls
    • Security


    Single Sign-On | Server Requirements

    • Windows Server 2008 or Windows Server 2008 R2
    • Active Directory Federation Services 2.0 (ADFS 2.0)
    • PowerShell
    • Web Server (IIS)
    • .NET 3.5 SP1
    • Windows Identity Foundation
    • Publicly registered domain name
    • SSL Certificates
    • Microsoft Online Services Module for Windows PowerShell
    ‒ Microsoft Online Sign In Assistant
    • High availability design


    Single Sign-On | Client Requirements

    • Internet Explorer 7.0 or later
    • Firefox 3.0
    • Chrome 6.0 or later
    • Safari 4.0 or later
    • Microsoft Office 2010 / 2007 SP2
    • Microsoft Office for Mac 2011 SP1
    • Microsoft Office 2008 for Mac version 12.2.9
    • Office 365 Desktop Setup
    ‒ Microsoft Online Sign In Assistant


    Single Sign-On | Requirements

    • Office 365 Desktop Setup
    • Automatically detects necessary updates for a computer
    ‒ Installs Microsoft Online Sign In Assistant
    ‒ Installs operating system and client software updates required for connectivity with Office 365
    • Automatically configures Internet Explorer and rich clients for use with Office 365
    • Office 365 Desktop Setup is not an authentication or sign-in service and should not be confused with single sign-on


    Single Sign-On | Requirements

    • Microsoft Online Sign-In Assistant
    • Can be installed automatically by Office 365 Desktop Setup or manually
    • Enables authentication support by obtaining a service token from Office 365 and returning it to a rich client (e.g. Lync)
    • Not required for web kiosk scenarios (e.g. OWA)
    • Required for on-premises computers connecting to Office 365 (e.g. DirSync, Exchange, ADFS, PowerShell)


    ADFS 2.0 Components

    ADFS 2.0 Server
    • Default topology for Office 365 is an AD FS 2.0 federation server farm that consists of multiple servers hosting your organization’s Federation Service.
    • Recommend using at least two federation servers in a load-balanced configuration.

    ADFS 2.0 Proxy Server
    • Federation server proxies are used to redirect client authentication requests coming from outside your corporate network to the federation server farm.
    • Federation server proxies should be deployed in the DMZ.


    AD FS 2.0 Deployment Options

    1. Single server configuration
    2. AD FS 2.0 Server Farm and load-balancer
    3. AD FS 2.0 Proxy Server or UAG/TMG
    i. (External Users, Active Sync, Down-level Clients with Outlook)

    [Diagram: Perimeter zone with two AD FS 2.0 Proxy servers facing the External user; Enterprise zone with an AD FS 2.0 Server farm, Active Directory and the Internal user]


    Deployment Architecture

    Number of users          Minimum number of servers
    Fewer than 1,000 users   0 dedicated federation servers
                             0 dedicated federation server proxies
                             1 dedicated NLB server
    1,000 to 15,000 users    2 dedicated federation servers
                             2 dedicated federation server proxies
    15,000 to 60,000 users   Between 3 and 5 dedicated federation servers
                             At least 2 dedicated federation server proxies


    Identity Federation | Authentication Flow (Web Profile)

    [Diagram: Customer side: Client (joined to CorpNet), Active Directory, AD FS 2.0 Server. Microsoft Online Services side: Authentication platform, Exchange Online or SharePoint Online. Active Directory supplies the User Source ID; AD FS 2.0 issues a Logon (SAML 1.1) Token carrying UPN:[email protected] and Source User ID: ABC123; the Authentication platform issues an Auth Token carrying UPN:[email protected] and Unique ID: 254729]


    Recommended Resources

    • ADFS 2.0 Deployment
    ‒ http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx
    ‒ http://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-08-exchange-online-hybrid-scenarios-part-1
    • More information on DirSync
    ‒ http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652557.aspx
    ‒ http://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-02-deploying-sso-part-1.aspx
    • Check out the course appendix



    © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. Some information relates to pre-released product which may be substantially modified before it’s commercially released. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.