Single Sign-on for Office365 with Forefront TMG

In my first contribution to the Forefront Security blog, I will explain how to extend the Office 365 single sign-on experience to remote users by publishing ADFS 2.0 with Forefront TMG.   

(Single sign-on allows users to use their corporate (Active Directory) user ID and password in order to access Office 365 services located in the cloud).

With this advanced deployment option, Forefront TMG is used in preference to a Federation Server Proxy

LAB Overview

 Office 365 Network Map

-          The corporate domain (SUREFRONT.CO.UK) has been added to Office 365.

-          Active Directory Federation Services (ADFS) 2.0 has been deployed on premises and single sign-on enabled.

-          Active Directory information is synchronised to Office 365.

-          Exchange is operating in hybrid-mode (some user mailboxes are in the cloud while others remain on-premises).

-          Two nTMG enterprise appliances are configured as a standalone array. Forefront TMG integrated Network Load Balancing (NLB) is enabled. 


Testing single sign-on

To verify that single sign-on is functioning properly, we access the Microsoft Online portal from a computer located within the corporate network.

Sign In Prompt

Login Prompt

 

The test is successful as the user can login using corporate credentials.

 

Office 365 Portal

 

Now, if we move the computer off-premises and attempt to login, we receive this error: 

Error Code 403

This is expected because, at this point, the remote client has no means of reaching the on-premises ADFS 2.0 Federation service.

  Configure TMG to publish ADFS 2.0

  1. Create a DNS record
  2. Install a server certificate
  3. Configure a Web listener
  4. Configure ADFS publishing rule

Step 1 – Create a DNS record

Add a host (A) record to the public facing DNS zone. This record should match the Federation service name and point to the TMG array’s external IP address:

STS.SUREFRONT.CO.UK    A   172.16.1.5  

 

Step 2 – Install a server certificate

The certificate’s common (or SAN) name must match the DNS record. As our TMG array is used to publish various Web services, a SAN certificate will allow us to use a single listener.

Certificate

 

As part of the ADFS 2.0 service deployment we already assigned a certificate, issued by a commercial certification authority (CA), so we can simply export this from the ADFS server to a file and then import it to each TMG server. On the ADFS server computer, locate the certificate in IIS and select Export from the Action menu.

 

Server Certificates

 

Be sure to include the private key.

 

Certificate Export Wizard

 

Next, import the certificate to each TMG server using the Certificates MMC.

 

Import Certificate

Certificate Import 2

 

Step 3 – Configure a Web Listener

The Web listener should be configured so that pre-authentication is not enforced by TMG. This is achieved either by setting No Authentication as the listener’s client authentication method, or by assigning the ADFS publishing rule to All Users. In our lab scenario, TMG already provides access to other services which require HTML Form Authentication. Therefore, by configuring our ADFS publishing rule for All Users (see Step 4), we will be able to utilise the existing listener.

ListenerFBA Properties

 

Assign the certificate (imported in Step2) to the TMG array’s external virtual IP address.

 

ListenerFBA Certificate Assignment


Step 4 – Configure ADFS publishing rule

In the Forefront TMG management console, select the Firewall Policy node and, on the Tasks tab, select Publish Web Sites to launch the wizard.

New Web Publishing Rule Wizard

Click Next on the Select Rule Action page.

Click Next on the Publishing Type page.

On the Server Connection Security page, select Use SSL to connect to the published server.

Wizard Step 2

 

On the Internal Publishing Details page, type the internal site name for the ADFS server (this name should match that of the SSL certificate assigned to the ADFS service).

 

Wizard Step 3

 

Click Next, type /ADFS/* in the path field and select the checkbox to Forward the original host header….


Wizard Step 4

 

On the Public Name Details page, type in the name used to access ADFS from the Internet.

 

Wizard Step 5

On the Select Web Listener page, either select an existing listener or click New to create a new one. In our example, we’ll use the same listener currently used to publish on-premises Exchange Services.  

Select Web Listener

On the Authentication Delegation page, select the option: No delegation but client may authenticate directly.

Authentication Method

On the User Sets page, select All Users only.

Select Users

 

After completing the Web Publishing Rule wizard, locate the new rule and open its properties. On the Link Translation tab, clear the Apply link translation to this rule checkbox and click OK.


ADFS Properties

 

Access the HTTP security filter by right clicking the rule and selecting Configure HTTP.

 

Configure HTTP

 

On the General tab, clear the Verify normalization and Block high bit characters checkboxes.   

 

Verify Normalization

 

Finally, click the Test Rule button to verify the configuration and, assuming this test is successful, click Apply to write the changes.  


Test Rule


Test single sign-on

Now, if we return to our external client and attempt to access the Microsoft Online portal, the login is successful and we can access all of the Office 365 offerings.

Test Single Sign-on

Category: