03 o365 Smb Js Dirsync Sso Adfs

7/26/2019 03 o365 Smb Js Dirsync Sso Adfs

1/39

Published: 9/10/2012

12012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Azure, System Center, Hyper-V and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or othercountries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions,it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES,EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Office 365 for SMB Jump Start


Mod 3: Office 365 DirSync,

Single Sign-On & ADFSChris Oakman | Managing Partner Infrastructure Team | Eastridge Technology

Stephen Hall | CEO & SMB Technologist | District Computers


2/39




Day 1Administering Office 365

Day 2Administering Exchange Online

Office 365 Overview & Infrastructure Exchange Online Deployment & Migration

Office 365 User Management Exchange Online FOPE

Office 365 DirSync, Single Sign-On & ADFS Exchange Online Archiving & Compliance

MEAL BREAK

Administering Lync Online

Administering SharePoint Online

Exchange Online Overview & User Management

Jump Start Schedule Target Agenda


3/39




Module 3: Office 365 DirSync,Single Sign-On & ADFSReviewing IdentitiesUnderstanding DirSyncDirSync RequirementsUnderstanding Single Sign-On & ADFS


4/39




Cloud Identity

Separate credential fromcorporate credential

Authentication occurs via clouddirectory service

Password policy stored inOffice 365

Federated Identity

Same credential as corporatecredential

Authentication occurs via on-premises Active Directoryservice

Password policy is stored on-premises

Requires Directory

Synchronization

Reviewing Identity Types


5/39




Cloud IdentityCloud Identity +

DirSyncFederated Identity*

Scenario Smaller organizations

without on-premises Active

Directory

Medium to Large organizations

with Active Directory on-

premises

Large enterprise organizations

with Active Directory on-premises

Requires DirSync

Pros

Does not require on-

premises serverdeployment

Source of Authority is on-

premises

Enables coexistence

Single Sign-On experience

Source of Authority is on-

premises

2 Factor Authentication options

Enables coexistence

Cons

No Single Sign-On

No 2 Factor Authentication

options

2 sets of credentials to

manage with, potentially,

different password policies

No Single Sign-On

No 2 Factor Authenticationoptions

2 sets of credentials to manage

with, potentially, differentpassword policies

Requires on-premises serverdeployment

Requires on-premises server

deployment in high availability

scenario

Reviewing Identity Usage Scenarios


6/39




Module 3: Office 365 DirSync,Single Sign-On & ADFSReviewing IdentitiesUnderstanding DirSyncDirSync RequirementsUnderstanding Single Sign-On & ADFS


7/39




Application that synchronizes on-premises ActiveDirectory with Office 365

x64 version based on FIM

Previous x86 versions based upon ILM 2007

Bundled with SQL 2008 R2 Express Edition

Designed as an appliance Set it and forget it

What is DirSync?


8/39




Provisions objects in Office 365 with same emailaddresses as the objects in the on-premises environment

Provides unified Global Address List experience between

on-premises and Office 365 Objects hidden from GAL on-premises also hidden from Office 365

GAL

Enables mail routing between on-premises and Office 365with a shared domain namespace

Enables application coexistence for Microsoft Lync

Enables Exchange coexistence scenarios simple and hybrid scenarios

DirSync | Enables Coexistence


9/39




Enables run state administration and management ofusers, groups, and contacts Synchronizes adds/deletes/modifications of users, groups, and

contacts from on-premise to Office 365 Not intended as a single use bulk upload tool

DirSync | Enables Single Sign-On


10/39




Entire Active Directory forest scoped for synchronization

What is synchronized? All user objects

All group objects

Mail-enabled contact objects

Passwords are not synchronized

Synchronization is from on-premises to Office 365 only (unless write-back is enabled)

Synchronization occurs every 3 hours Use Start-OnlineCoexistenceSync cmdlet to force a sync

DirSync Synchronization


11/39




Mail-enabled/mailbox-enabled users are synchronizedas mail-enabled users (not mailbox-enabled users) Visible in the Office 365 GAL (unless explicitly hidden from GAL)

Logon enabled, but not automatically licensed to use services Target address is synchronized for mail-enabled users

Regular NT users are synchronized as regular NT users Not automatically provisioned as mail-enabled in Office 365

Resource mailboxes are synchronized as resourcemailboxes

Synchronized users are not automatically assigned alicense

DirSync Synchronization | User Objects


12/39




Group Objects Mail-enabled groups are synchronized as mail-enabled

Group memberships are synchronized

Security groups are synchronized as security groups

Contacts Objects Only mail-enabled contacts are synchronized

Target address is synchronized to Office 365



13/39




New user, group, and contact objects that are added toon-premises are added to Office 365

Existing user, group, and contact objects that are deleted

from on-premises are deleted from Office 365

Existing user objects that are disabled on-premises aredisabled in Office 365

Existing user, group, or contact objects attributes (those

that are synchronized) that are modified on-premises aremodified in Office 365


bli h d 9 10 2012


14/39




Microsoft Online Services

Logon Enabled User Object (Unlicensed)Mail-Enabled User (not Mailbox-Enabled)ProxyAddresses:

SMTP: [email protected]: [email protected]

TargetAddress:[email protected]


On-premises

ActiveDirectory

ExchangeServer

DirSync(client side)

OnlineDirectory

AWS(DirSync Web

Service)

SharePointOnline

Live ID

ExchangeOnline

Lync Online

Sync Cycle Step 1:Import Users, Groups,and Contacts from sourceActive Directory forest

Sync Cycle Step 2:Imports Users, Groups, andContacts from Microsoft

Online Services via AWS

Sync Cycle Step 3:Export Users, Groups, andContacts that do not alreadyexist in Microsoft OnlineServices

User ObjectMailbox-Enabled

ProxyAddresses:SMTP: [email protected]

P bli h d 9/10/2012ff f


15/39




First synchronization cycle after installation is a fullsynchronization Time-consuming process relative to number of objects synchronized

~5000 objects per hour

Subsequent synchronization cycles are deltas only Much faster

Not all on-premises attributes synchronized for eachobject type, but 100+ attributes are synchronized


P bli h d 9/10/2012Offi 36 f S S


16/39




Once implemented, on-premises AD becomes thesource of authority for synchronized objects Modifications to synchronized objects must occur in the on-premises

AD Synchronized objects cannot be modified or deleted via the portal

unless DirSync is disabled for the tenant

Scoping/Filtering Custom scoping or filtering is officially unsupported (guidance

coming soon)

V1 DirSync filter XML file no longer an available option for filtering


P bli h d 9/10/2012Offi 365 f SMB J S


17/39




On-premises objectGuid AD attribute assigned value forsourceAnchor attribute during initial object synchronization Referred to as a hard match

DirSync knows which Office 365 objects it is the source of authorityfor by examining sourceAnchor attribute

DirSync can also match user objects created via theportal with on-premises objects if there is a match usingthe primary SMTP address

Referred to as a soft match


Published: 9/10/2012Offi 365 f SMB J St t


18/39




Synchronization errors are emailed to the TechnicalContact for the subscription Recommend using distribution group as Technical Contact email

address Example errors include:

Synchronization health status Sent once a day if a synchronization cycle has not registered 24 hours

after last successful synchronization

Objects whose attributes contain invalid characters

Objects with duplicate/conflicting email addresses

Sync quota limit exceeded




19/39




Module 3: Office 365 DirSync,Single Sign-On & ADFSReviewing Identities

Understanding DirSyncDirSync RequirementsUnderstanding Single Sign-On & ADFS



20/39




Must be joined to an Active Directory domain within thesame forest that will be synchronized with Office 365 Does not have to be joined to the root domain

Cannot be a domain controller Must be able to communicate with any/all domain

controllers forest wide

Should be located in an access controlled environment Should be limited to those with access to domain controllers and

other security sensitive systems

DirSync | Computer Requirements

Published: 9/10/2012Office 365 for SMB J mp Start


21/39




Only routable domains can be used with DirSyncdeployment Non-routable domains include .local OR .loc OR .internal.

If organization has AD w/ only internal namespace,must: Add a routable UPN suffix in Active Directory Forests and Trusts.

Configure each user with that routable UserPrincipalName suffix

[email protected] must be changed do [email protected]

If this is not done, once DirSync runs, users will appear in Office365as [email protected] instead of [email protected]

DirSync | AD Requirements

Published: 9/10/2012Office 365 for SMB Jump Start
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]


22/39




Windows Installer 4.5 or later

Windows PowerShell version 2.0

Microsoft .NET Framework version 3.5 or later.

Windows Server 2003/R2 x86 with Service Pack 2 orlater, or Windows Server 2008 x86 with the latestservice pack installed. x64 is supported

Microsoft Online Services Sign-In Assistant Not a prerequisite for installation, but required when connecting to

Office 365

DirSync | Software Requirements



23/39




Minimum of 1GB hard drive space 600 MB for a complete installation of all Directory Synchronization

Tool components

400 MB required to create the initial database file Additional hard drive space most likely required for mid-size or larger

companies

Server hardware should meet minimum requirements For SQL Server 2008 R2 Express Edition and FIM (x64) or Identity

Lifecycle Manager 2007 Feature Pack 1 (x86 - legacy)

DirSync | Hardware Requirements



24/39




Synchronization with Office365 occurs over SSL

Internal networkcommunication will use typicalActive Directory related ports

Service Protocol Port

LDAP TCP/UDP 389

Kerberos TCP/UDP 88

DNS TCP/UDP 53

KerberosChangePassword

TCP/UDP 464

RPC TCP 135

RPC randomlyallocated highTCP ports

TCP1024 - 6553549152 - 655351

SMB TCP 445

SSL TCP 443

SQL TCP 1433

DirSync | Network Requirements

1 This is the range in Windows Server 2008 and in Windows Vista.



25/39




Account used to install DirSync must have1. local machine administrator permissions

2. If using full SQL, rights within SQL to create the DirSync database,

and to setup the SQL service account with the role of db_ownerAccount used to configure DirSync must reside in thelocal machine MIISAdmins group

1. Account used to install DirSync is automatically added

Administrator permission in the Office 365 tenant

1. DirSync uses an administrator account in the tenant to provisionand update/modify objects

DirSync | Permission Requirements



26/39

/ /



Enterprise Administrator permission in the on-premiseActive Directory Credential is not stored/saved by the configuration wizard

Used to create the MSOL_AD_Sync domain account in theCN=Users container of the root domain of the forest

Used to delegate the following permissions on each domainpartition in the forest Replicating Directory Changes Replicating Directory Changes all

Replication Synchronization

DirSync | Permission Requirements



27/39

/ /



Module 3: Office 365 DirSync,Single Sign-On & ADFSReviewing Identities

Understanding DirSyncDirSync RequirementsUnderstanding Single Sign-On & ADFS



28/39



Enables users to access both the on-premises andcloud-based organizations with a single user name andpassword

Provides users with a familiar sign-on experience Allows administrators to easily control account policies

for cloud-based organization mailboxes by using on-premises Active Directory management tools.

Single Sign-On | Purpose



29/39



Policy Control

Access Control

Reduced Support Calls

Security

Single Sign-On | Benefits



30/39



Windows Server 2008 or Windows Server 2008 R2 Active Directory Federation Services 2.0 (ADFS 2.0) PowerShell Web Server (IIS) .NET 3.5 SP1 Windows Identity Foundation Publicly registered domain name SSL Certificates Microsoft Online Services Module for Windows PowerShell

Microsoft Online Sign In Assistant High availability design

Single Sign-On | Server Requirements



31/39



Internet Explorer 7.0 or later

Firefox 3.0

Chrome 6.0 or later

Safari 4.0 or later

Microsoft Office 2010/2007SP2

Microsoft Office for Mac 2011 SP1

Microsoft Office 2008 for Mac version 12.2.9

Office 365 Desktop Setup Microsoft Online Sign In Assistant

Single Sign-On | Client Requirements



32/39



Office 365 Desktop Setup

Automatically detects necessary updates for a computer Installs Microsoft Online Sign In Assistant

Installs operating system and client software updates required forconnectivity with Office 365

Automatically configures Internet Explorer and richclients for use with Office 365

Office 365 Desktop Setup is not an authentication or

sign-in service and should not be confused with singlesign-on

Single Sign-On | Requirements



33/39



Microsoft Online Sign-In Assistant

Can be installed automatically by Office 365 DesktopSetup or manually

Enables authentication support by obtaining a servicetoken from Office 365 and returning it to a rich client(e.g. Lync)

Not required for web kiosk scenarios (e.g. OWA)

Required for on-premises computers connecting toOffice 365 (e.g. DirSync, Exchange, ADFS, PowerShell)

Single Sign-On | Requirements



34/39


p

ADFS 2.0 ComponentsADFS 2.0 Server

Default topology for Office 365 is an ADFS 2.0 federation server farm thatconsists of multiple servers hosting your

organizations Federation Service. Recommend using at least twofederation servers in a load-balancedconfiguration.

ADFS 2.0 Proxy Server

Federation server proxies are used toredirect client authentication requestscoming from outside your corporate

network to the federation server farm. A Federation server proxies should bedeployed in the DMZ



35/39


p

1. Single server configuration

2. AD FS 2.0 Server Farm and load-balancer

3. AD FS 2.0 Proxy Server or UAG/TMG

i. (External Users, Active Sync, Down-level Clients with Outlook)

AD FS 2.0 Deployment Options

EnterprisePerimeter

AD FS 2.0ServerProxy

ExternaluserInternal

user

ActiveDirectory

AD FS 2.0Server

AD FS 2.0Server

AD FS 2.0

ServerProxy



36/39


p

Number of users Minimum number of servers

Fewer than 1,000 users

0 dedicated federation servers

0 dedicated federation server proxies

1 dedicated NLB server

1,000 to 15,000 users2 dedicated federation servers

2 dedicated federation server proxies

15,000 to 60,000 usersBetween 3 and 5 dedicated federation servers

At least 2 dedicated federation server proxies

Deployment Architecture



37/39


p

Identity Federation | Authentication FlowWeb Profile

`

Client

(joined to CorpNet)

Authentication platformAD FS 2.0 Server

Exchange Online or

SharePoint Online

Active Directory

Customer Microsoft Online Services

UserSource

ID

Logon (SAML 1.1) TokenUPN:[email protected] User ID: ABC123 Auth Token

UPN:[email protected] ID: 254729



38/39


p

ADFS 2.0 Deployment http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx

http://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-08-exchange-online-hybrid-scenarios-part-1

More information on DirSync http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652557.aspx

http://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-02-deploying-sso-part-1.aspx

Check out the course appendix

Recommended Resources

http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspxhttp://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspxhttp://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspxhttp://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-08-exchange-online-hybrid-scenarios-part-1http://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-08-exchange-online-hybrid-scenarios-part-1http://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-08-exchange-online-hybrid-scenarios-part-1http://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-08-exchange-online-hybrid-scenarios-part-1http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652557.aspxhttp://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652557.aspxhttp://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652557.aspxhttp://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-02-deploying-sso-part-1.aspxhttp://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-02-deploying-sso-part-1.aspxhttp://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-02-deploying-sso-part-1.aspxhttp://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-02-deploying-sso-part-1.aspxhttp://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-02-deploying-sso-part-1.aspxhttp://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652557.aspxhttp://technet.microsoft.com/en-us/video/deploying-office-365-jump-start-08-exchange-online-hybrid-scenarios-part-1http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx


39/39

2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Azure, System Center, Hyper-V and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or otheri h i f i h i i f i f i l l d h i f i f C i f h d f hi i i f d h i k di i

p

2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein isfor informational purposes only and represents the current view of Microsoft Corporation as of the date of this pr esentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be acommitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. Some information relates to pre-released product which may be substantiallymodified before its commercially released. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

03 o365 Smb Js Dirsync Sso Adfs

Documents

Transcript of 03 o365 Smb Js Dirsync Sso Adfs