Microsoft SSO Setup


Azure Active Directory Seamless Single Sign-On: Quick start


Deploy Seamless Single Sign-On

Azure Active Directory (Azure AD) Seamless Single Sign-On (Seamless SSO) automatically signs in users when they are on their corporate desktops that are connected to your corporate network. Seamless SSO provides your users with easy access to your cloud-based applications without needing any additional on-premises components.


To deploy Seamless SSO, follow these steps.

Step 1: Check the prerequisites

Ensure that the following prerequisites are in place:

  • Set up your Azure AD Connect server: If you use Pass-through Authentication as your sign-in method, no additional prerequisite check is required. If you use password hash synchronization as your sign-in method, and if there is a firewall between Azure AD Connect and Azure AD, ensure that:

    • You use version 1.1.644.0 or later of Azure AD Connect.

    • If your firewall or proxy allows DNS whitelisting, whitelist the connections to the *.msappproxy.net URLs over port 443. If not, allow access to the Azure datacenter IP ranges, which are updated weekly. This prerequisite is applicable only when you enable the feature. It is not required for actual user sign-ins.

      Note

      Azure AD Connect versions 1.1.557.0, 1.1.558.0, 1.1.561.0, and 1.1.614.0 have a problem related to password hash synchronization. If you don't intend to use password hash synchronization in conjunction with Pass-through Authentication, read the Azure AD Connect release notes to learn more.

  • Use a supported Azure AD Connect topology: Ensure that you are using one of Azure AD Connect's supported topologies described here.

    Note

    Seamless SSO supports multiple AD forests, whether there are AD trusts between them or not.

  • Set up domain administrator credentials: You need to have domain administrator credentials for each Active Directory forest that:

    • You synchronize to Azure AD through Azure AD Connect.
    • Contains users you want to enable for Seamless SSO.
  • Enable modern authentication: You need to enable modern authentication on your tenant for this feature to work.

  • Use the latest versions of Office 365 clients: To get a silent sign-on experience with Office 365 clients (Outlook, Word, Excel, and others), your users need to use versions 16.0.8730.xxxx or above.

Step 2: Enable the feature


Enable Seamless SSO through Azure AD Connect.

Note

You can also enable Seamless SSO using PowerShell if Azure AD Connect doesn't meet your requirements. Use this option if you have more than one domain per Active Directory forest, and you want to be more targeted about the domain you want to enable Seamless SSO for.

If you're doing a fresh installation of Azure AD Connect, choose the custom installation path. At the User sign-in page, select the Enable single sign on option.

Note

The option will be available for selection only if the Sign On method is Password Hash Synchronization or Pass-through Authentication.

If you already have an installation of Azure AD Connect, select the Change user sign-in page in Azure AD Connect, and then select Next. If you are using Azure AD Connect versions 1.1.880.0 or above, the Enable single sign on option will be selected by default. If you are using older versions of Azure AD Connect, select the Enable single sign on option.

Continue through the wizard until you get to the Enable single sign on page. Provide domain administrator credentials for each Active Directory forest that:

  • You synchronize to Azure AD through Azure AD Connect.
  • Contains users you want to enable for Seamless SSO.

After completion of the wizard, Seamless SSO is enabled on your tenant.

Note

The domain administrator credentials are not stored in Azure AD Connect or in Azure AD. They're used only to enable the feature.

Follow these instructions to verify that you have enabled Seamless SSO correctly:

  1. Sign in to the Azure Active Directory administrative center with the global administrator credentials for your tenant.
  2. Select Azure Active Directory in the left pane.
  3. Select Azure AD Connect.
  4. Verify that the Seamless single sign-on feature appears as Enabled.

Important

Seamless SSO creates a computer account named AZUREADSSOACC in your on-premises Active Directory (AD) in each AD forest. The AZUREADSSOACC computer account needs to be strongly protected for security reasons. Only Domain Admins should be able to manage the computer account. Ensure that Kerberos delegation on the computer account is disabled, and that no other account in Active Directory has delegation permissions on the AZUREADSSOACC computer account. Store the computer account in an Organizational Unit (OU) where it is safe from accidental deletion and where only Domain Admins have access.

Note

If you are using Pass-the-Hash and Credential Theft Mitigation architectures in your on-premises environment, make appropriate changes to ensure that the AZUREADSSOACC computer account doesn't end up in the Quarantine container.
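As an added example (not part of the original article), the following PowerShell audits the AZUREADSSOACC account in one forest against the points above: no Kerberos delegation of any form (unconstrained, constrained, or resource-based), write access to the object limited to Domain Admins, placement in a protected OU, and, anticipating Step 5, the age of the Kerberos decryption key. It needs the ActiveDirectory RSAT module; the OU distinguished name, the forest names and the list of permitted writers are placeholders you must adapt.

```powershell
# Added example, not from the original article. Audits AZUREADSSOACC hardening in one forest.
Import-Module ActiveDirectory

function Test-SeamlessSsoAccount {
    param(
        [Parameter(Mandatory)][string]$Forest,                 # e.g. 'contoso.com'
        [string]$ExpectedOU = 'OU=Tier0,DC=contoso,DC=com',    # assumption: your protected OU
        [string[]]$AllowedWriters = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'SYSTEM', 'SELF')
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo',
             'msDS-AllowedToActOnBehalfOfOtherIdentity', 'PasswordLastSet', 'servicePrincipalName'
    $acc = Get-ADComputer -Server $Forest -Identity 'AZUREADSSOACC' -Properties $props

    # 1. Kerberos delegation must be off in every form: unconstrained, protocol transition,
    #    constrained (targets on this account) and resource-based (others allowed to delegate TO it)
    if ($acc.TrustedForDelegation)       { $findings.Add('Unconstrained delegation is enabled') }
    if ($acc.TrustedToAuthForDelegation) { $findings.Add('Protocol transition (TrustedToAuthForDelegation) is enabled') }
    if ($acc.'msDS-AllowedToDelegateTo')  { $findings.Add('Constrained delegation targets are configured') }
    if ($acc.'msDS-AllowedToActOnBehalfOfOtherIdentity') { $findings.Add('Resource-based constrained delegation is configured') }

    # 2. Only the allowed principals may hold write-capable rights on the object.
    #    A PSDrive bound to this forest lets Get-Acl work for forests other than the current one.
    New-PSDrive -Name SsoAudit -PSProvider ActiveDirectory -Server $Forest -Root '' -ErrorAction Stop | Out-Null
    try   { $acl = Get-Acl -Path "SsoAudit:\$($acc.DistinguishedName)" }
    finally { Remove-PSDrive -Name SsoAudit }

    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, ExtendedRight'
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ([int]($ace.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }
        $principal = $ace.IdentityReference.Value.Split('\')[-1]
        if ($AllowedWriters -notcontains $principal) {
            $findings.Add("Write-capable ACE for $($ace.IdentityReference): $($ace.ActiveDirectoryRights)")
        }
    }
    if ($acl.Owner.Split('\')[-1] -notin @('Domain Admins', 'Enterprise Admins', 'Administrators')) {
        $findings.Add("Object owner is $($acl.Owner)")
    }

    # 3. Stored in the protected OU rather than the default Computers container
    if ($acc.DistinguishedName -notlike "*,$ExpectedOU") {
        $findings.Add("Account is at $($acc.DistinguishedName), not under $ExpectedOU")
    }

    # 4. Key age: the Kerberos decryption key is the account password (Step 5 wants <= 30 days)
    $keyAgeDays = [int]((Get-Date) - $acc.PasswordLastSet).TotalDays
    if ($keyAgeDays -gt 30) { $findings.Add("Kerberos decryption key is $keyAgeDays days old") }

    [pscustomobject]@{
        Forest     = $Forest
        SPNs       = $acc.servicePrincipalName
        KeyAgeDays = $keyAgeDays
        Findings   = $findings
        Compliant  = ($findings.Count -eq 0)
    }
}

# Run it for every forest in which Seamless SSO was enabled (placeholder names):
foreach ($f in @('contoso.com', 'fabrikam.com')) {
    Test-SeamlessSsoAccount -Forest $f -ExpectedOU ('OU=Tier0,DC=' + ($f -replace '\.', ',DC='))
}
```

The audit looks only at the object's own ACL and delegation attributes. Principals holding domain-level replication rights (the rights used for DCSync) can read the account's key without appearing here, so review those separately. Default ACEs such as Cert Publishers on userCertificate will show up as findings and can be added to the allowed list once reviewed.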

Step 3: Roll out the feature

You can gradually roll out Seamless SSO to your users using the instructions provided below. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory:


  • https://autologon.microsoftazuread-sso.com

In addition, you need to enable an Intranet zone policy setting called Allow updates to status bar via script through Group Policy.

Note

      The following instructions work only for Internet Explorer and Google Chrome on Windows (if it shares a set of trusted site URLs with Internet Explorer). Read the next section for instructions on how to set up Mozilla Firefox and Google Chrome on macOS.

Why do you need to modify users' Intranet zone settings?

By default, the browser automatically calculates the correct zone, either Internet or Intranet, from a specific URL. For example, http://contoso/ maps to the Intranet zone, whereas http://intranet.contoso.com/ maps to the Internet zone (because the URL contains a period). Browsers will not send Kerberos tickets to a cloud endpoint, like the Azure AD URL, unless you explicitly add the URL to the browser's Intranet zone.

There are two ways to modify users' Intranet zone settings:

Option                    Admin consideration                                  User experience
Group policy              Admin locks down editing of Intranet zone settings   Users cannot modify their own settings
Group policy preference   Admin allows editing of Intranet zone settings       Users can modify their own settings

'Group policy' option - Detailed steps

  1. Open the Group Policy Management Editor tool.

  2. Edit the group policy that's applied to some or all your users. This example uses Default Domain Policy.

  3. Browse to User Configuration > Policy > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. Then select Site to Zone Assignment List.

  4. Enable the policy, and then enter the following values in the dialog box:

    • Value name: The Azure AD URL where the Kerberos tickets are forwarded.

    • Value (Data): 1 indicates the Intranet zone.

      The result looks like this:

      Value name: https://autologon.microsoftazuread-sso.com

      Value (Data): 1

    Note

    If you want to disallow some users from using Seamless SSO (for instance, if these users sign in on shared kiosks), set the preceding values to 4. This action adds the Azure AD URL to the Restricted zone, and fails Seamless SSO all the time.

  5. Select OK, and then select OK again.

  6. Browse to User Configuration > Policy > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone. Then select Allow updates to status bar via script.

  7. Enable the policy setting, and then select OK.

'Group policy preference' option - Detailed steps

  1. Open the Group Policy Management Editor tool.

  2. Edit the group policy that's applied to some or all your users. This example uses Default Domain Policy.

  3. Browse to User Configuration > Preferences > Windows Settings > Registry > New > Registry item.

  4. Enter the following values in appropriate fields and click OK.

    • Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon

    • Value name: https.

    • Value type: REG_DWORD.

    • Value data: 00000001.
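To check the result of either option on a client, here is an added PowerShell example (not part of the original article). It reads the policy key that Site to Zone Assignment List writes (ZoneMapKey, one REG_SZ value per URL), the per-user preference key that the Group Policy Preference item above writes, and the Intranet-zone status-bar policy, then reports whether the browser will send a Kerberos ticket to the Azure AD URL. The registry locations are the standard Internet Settings ones; the action code 2103 for "Allow updates to status bar via script" is the one used by the policy.

```powershell
# Added example, not from the original article. Run in the user's session on a domain-joined client.
function Get-SeamlessSsoZoneState {
    $ssoUrl = 'https://autologon.microsoftazuread-sso.com'
    $zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    $policyRoots = @(
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    )

    # 'Site to Zone Assignment List' writes ZoneMapKey\<url> = "<zone>" (REG_SZ) and locks the zone UI
    $policyZone = $null
    foreach ($root in $policyRoots) {
        $map   = Get-ItemProperty -Path "$root\ZoneMapKey" -ErrorAction SilentlyContinue
        $entry = if ($map) { $map.PSObject.Properties[$ssoUrl] }
        if ($entry) { $policyZone = [int]$entry.Value; break }
    }

    # The Group Policy Preference item (or the user via the UI) writes
    # ZoneMap\Domains\microsoftazuread-sso.com\autologon\https = <zone> (REG_DWORD)
    $prefKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon'
    $prefZone = (Get-ItemProperty -Path $prefKey -Name https -ErrorAction SilentlyContinue).https

    # 'Allow updates to status bar via script' for the Intranet zone: Zones\1, action 2103, 0 = enabled, 3 = disabled
    $statusBar = $null
    foreach ($root in $policyRoots) {
        $v = Get-ItemProperty -Path "$root\Zones\1" -Name '2103' -ErrorAction SilentlyContinue
        if ($v) { $statusBar = [int]$v.'2103'; break }
    }

    # When both exist the policy setting is the one the browser honours
    $effective = if ($null -ne $policyZone) { $policyZone } else { $prefZone }

    [pscustomobject]@{
        Url                   = $ssoUrl
        PolicyZone            = $policyZone
        PreferenceZone        = $prefZone
        EffectiveZone         = $(if ($null -ne $effective) { "$effective ($($zoneNames[[int]$effective]))" } else { 'not mapped (browser will treat it as Internet)' })
        StatusBarScriptPolicy = $(switch ($statusBar) { 0 { 'enabled' } 3 { 'disabled' } default { 'not configured' } })
        KerberosWillBeSent    = ($effective -eq 1)     # 4 = deliberately blocked, the kiosk case above
    }
}

Get-SeamlessSsoZoneState | Format-List
```

KerberosWillBeSent is true only for zone 1; a mapping of 4 confirms the kiosk exclusion described in the note above, and no mapping at all means the URL falls into the Internet zone and Seamless SSO will silently fall back to the normal password prompt.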

Browser considerations

Mozilla Firefox (all platforms)

Mozilla Firefox doesn't automatically use Kerberos authentication. Each user must manually add the Azure AD URL to their Firefox settings by using the following steps:

  1. Run Firefox and enter about:config in the address bar. Dismiss any notifications that you see.
  2. Search for the network.negotiate-auth.trusted-uris preference. This preference lists Firefox's trusted sites for Kerberos authentication.
  3. Right-click and select Modify.
  4. Enter https://autologon.microsoftazuread-sso.com in the field.
  5. Select OK and then reopen the browser.

Safari (macOS)

Ensure that the machine running macOS is joined to AD. Instructions for AD-joining your macOS device are outside the scope of this article.

Google Chrome (all platforms)

If you have overridden the AuthNegotiateDelegateWhitelist or the AuthServerWhitelist policy settings in your environment, ensure that you add Azure AD's URL (https://autologon.microsoftazuread-sso.com) to them as well.

Google Chrome (macOS and other non-Windows platforms)

For Google Chrome on Mac OS and other non-Windows platforms, refer to The Chromium Project Policy List for information on how to whitelist the Azure AD URL for integrated authentication.

The use of third-party Active Directory Group Policy extensions to roll out the Azure AD URL to Firefox and Google Chrome on Mac users is outside the scope of this article.

Known browser limitations

Seamless SSO doesn't work in private browsing mode on Firefox and Microsoft Edge browsers. It also doesn't work on Internet Explorer if the browser is running in Enhanced Protected mode.

Step 4: Test the feature


To test the feature for a specific user, ensure that all the following conditions are in place:

  • The user signs in on a corporate device.
  • The device is joined to your Active Directory domain. The device doesn't need to be Azure AD Joined.
  • The device has a direct connection to your domain controller (DC), either on the corporate wired or wireless network or via a remote access connection, such as a VPN connection.
  • You have rolled out the feature to this user through Group Policy.

To test the scenario where the user enters only the username, but not the password:

  • Sign in to https://myapps.microsoft.com/ in a new private browser session.

To test the scenario where the user doesn't have to enter the username or the password, use one of these steps:

  • Sign in to https://myapps.microsoft.com/contoso.onmicrosoft.com in a new private browser session. Replace contoso with your tenant's name.
  • Sign in to https://myapps.microsoft.com/contoso.com in a new private browser session. Replace contoso.com with a verified domain (not a federated domain) on your tenant.

Step 5: Roll over keys


In Step 2, Azure AD Connect creates computer accounts (representing Azure AD) in all the Active Directory forests on which you have enabled Seamless SSO. To learn more, see Azure Active Directory Seamless Single Sign-On: Technical deep dive.

Important

The Kerberos decryption key on a computer account, if leaked, can be used to generate Kerberos tickets for any user in its AD forest. Malicious actors can then impersonate Azure AD sign-ins for compromised users. We highly recommend that you periodically roll over these Kerberos decryption keys - at least once every 30 days.

For instructions on how to roll over keys, see Azure Active Directory Seamless Single Sign-On: Frequently asked questions. We are working on a capability to introduce automated roll over of keys.

Important

You don't need to do this step immediately after you have enabled the feature. Roll over the Kerberos decryption keys at least once every 30 days.
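As an added example (not part of the original article), the following PowerShell performs the roll-over described in this step for every forest where the key is older than 30 days. It uses the AzureADSSO module that ships with Azure AD Connect (cmdlets New-AzureADSSOAuthenticationContext, Get-AzureADSSOStatus and Update-AzureADSSOForest) and must run on the Azure AD Connect server; the module path below is the default install location and is an assumption about your deployment.

```powershell
# Added example, not from the original article. Rolls over the Seamless SSO Kerberos
# decryption key (the AZUREADSSOACC account password) where it is older than the limit.
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
Import-Module ActiveDirectory

function Get-SeamlessSsoKeyAge {
    # Key age in days; the Kerberos decryption key is the computer account's password
    param([Parameter(Mandatory)][string]$Forest)
    $acc = Get-ADComputer -Server $Forest -Identity 'AZUREADSSOACC' -Properties PasswordLastSet
    [int]((Get-Date) - $acc.PasswordLastSet).TotalDays
}

function Invoke-SeamlessSsoKeyRollover {
    param([int]$MaxKeyAgeDays = 30, [switch]$ReportOnly)

    # Prompts once for an Azure AD global administrator
    New-AzureADSSOAuthenticationContext
    $status = Get-AzureADSSOStatus | ConvertFrom-Json
    if (-not $status.Enable) { throw 'Seamless SSO is not enabled on this tenant' }

    # $status.Domains lists the AD forests on which the feature is enabled
    foreach ($forest in $status.Domains) {
        $age = Get-SeamlessSsoKeyAge -Forest $forest
        if ($age -le $MaxKeyAgeDays) {
            Write-Output "$forest : key is $age days old, within policy"
            continue
        }
        if ($ReportOnly) {
            Write-Output "$forest : key is $age days old, roll-over REQUIRED"
            continue
        }
        # Domain Admin credentials for this forest, in DOMAIN\user form; used for this call only
        $onPrem = Get-Credential -Message "Domain Admin for $forest (DOMAIN\user)"
        Update-AzureADSSOForest -OnPremCredentials $onPrem
        Write-Output "$forest : rolled over, key age is now $(Get-SeamlessSsoKeyAge -Forest $forest) days"
    }
}

# Invoke-SeamlessSsoKeyRollover -ReportOnly   # audit only
# Invoke-SeamlessSsoKeyRollover               # rotate where overdue
```

Run the report-only form from a scheduled task to catch forests drifting past the 30-day mark; the rotation itself is interactive because it needs a Domain Admin credential for each forest, which is never stored.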

Next steps

  • Technical deep dive: Understand how the Seamless Single Sign-On feature works.
  • Frequently asked questions: Get answers to frequently asked questions about Seamless Single Sign-On.
  • Troubleshoot: Learn how to resolve common problems with the Seamless Single Sign-On feature.
  • UserVoice: Use the Azure Active Directory Forum to file new feature requests.

This is a typical highly available setup for federation with Office 365. Ideally these servers are deployed as virtual machines on multiple Hyper-V hosts. Think about redundancy not only in the virtual servers but in the Hyper-V hosts as well: install one AD FS server and one AD FS Proxy on one Hyper-V host, and the other AD FS server and AD FS Proxy on another. This prevents loss of service from a single hardware failure. Keep in mind that once you are using single sign-on with Office 365, you rely on your local Active Directory and the AD FS farm for authentication, so an outage there blocks cloud sign-in. Both video and printed steps have been provided to ease your implementation of AD FS and SSO.


Prerequisite

  1. Should you not have access to a lab, follow the linked Step-By-Step to set up your own lab

Prepare the Base Servers

AD FS Server

  1. Base build the AD FS server with Windows Server 2012
  2. Setup a connection to the internal network
  3. Add the server to the local domain
  4. Update the server with all Windows Updates

AD FS Proxy Server

  1. Base Build the AD FS Proxy server with Windows Server 2012
  2. Setup a connection to the DMZ network (verify connectivity to the AD FS server on port 443)
  3. DO NOT add the server to the local domain
  4. Update the server with all Windows Updates

Directory Sync Server

  1. Base build the Directory Synchronization server with Windows Server 2012
  2. Setup a connection to the internal network
  3. Add the server to the local domain
  4. Update the server with all Windows Updates

Prepare Active Directory

Add UPN Suffix

If you are using an internal domain name that doesn't match the domain that you want to federate with Office 365, you will have to add a custom UPN suffix that matches that external namespace. If you need to add the UPN suffix, please follow these instructions: http://support.microsoft.com/kb/243629

Example

Internal Domain Name – contoso.local

Desired Federated Domain – contoso.com

Clean up Active Directory

This makes sense for many reasons, but most of all for Directory Sync. I generally create an OU for all the Office 365 services, then create more OUs within it for the user accounts, service accounts, groups, servers and computers. This lets us filter on user accounts and groups when we enable Directory Synchronization with Office 365. The fewer objects you sync with Office 365, the better: if thousands of objects that don't need to be there are replicating, things get messy very quickly. Keep it clean and neat; this prevents mistakes and keeps you headache-free.

Setting up AD FS requires an SSL certificate from a third-party (publicly trusted) certificate authority. In production I recommend a single-name SSL certificate. Wildcard and multi-name certificates will work, but I like to keep things simple and use a standard single-name certificate in production. Make sure that the common name matches what you plan to call the AD FS server farm. Microsoft best practice recommends the host name STS (security token service). In the example below I have used the value sts.domain.com.

Create the SSL Certificate Request (CSR)

  1. In Server Manager, click Tools and open Internet Information Services (IIS) Manager
  2. Select the local server and double-click Server Certificates
  3. Click Create Certificate Request (actions pane)
  4. Fill out the certificate request properties. The common name must match what you plan to call the AD FS server farm (sts.domain.com in this example, as discussed above)
  5. Leave the Cryptographic service provider at the default, but choose a bit length of at least 2048; the wizard's default key length is shorter than current guidance allows
  6. Click Next
  7. Click Finish

Fulfill the Certificate Signing Request (CSR)

We need to take the CSR generated in the last step to a third-party SSL certificate provider. I chose GoDaddy. Here are GoDaddy's instructions to fulfill the CSR at their site: Requesting a Standard or Wildcard SSL Certificate. Once the certificate is issued, download the issued certificate file to the AD FS server.

Complete the Certificate Request (CSR)

  1. In Server Manager, click Tools and open Internet Information Services (IIS) Manager
  2. Select the local server and double-click Server Certificates
  3. Click Complete Certificate Request (actions pane)
  4. Select the path to the issued certificate file that you downloaded from the third-party certificate provider
  5. Select Personal as the certificate store
  6. The certificate will be added

***Note*** The certificate shown below is a multi-name SSL certificate for my lab environment. When your certificate is added, it should show sts.domain.com, which matches the request.

Assign the Completed SSL Certificate

Now that we have the third party certificate completed on the server, we need to assign and bind it to the default website (HTTPS port 443).

  1. Expand Sites and select Default Web Site
  2. Click Bindings (actions pane)
  3. Add a binding, change the type to HTTPS (port 443) and select the certificate
  4. ***Note*** The certificate shown below is a multi-name SSL certificate for my lab environment. When you select your certificate, it should show sts.domain.com, which matches the completed certificate.

  5. Click OK
  6. Close IIS Manager
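The same request, completion and binding steps can be scripted. The following PowerShell is an added example (not part of the original article) using certreq.exe and the WebAdministration module; it pins the key parameters the IIS wizard leaves implicit (2048-bit RSA, SHA-256, server authentication EKU) and ends with the checks worth making before running the AD FS wizard. sts.domain.com is the farm name used on this page; the file paths and site name are placeholders.

```powershell
# Added example, not from the original article. Run elevated on the AD FS server.
Import-Module WebAdministration

function New-AdfsCertificateRequest {
    param([string]$FarmName = 'sts.domain.com', [string]$OutDir = 'C:\certs')
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $inf = Join-Path $OutDir 'sts.inf'
    $csr = Join-Path $OutDir 'sts.csr'
    # Explicit parameters: CN = farm name, 2048-bit RSA, SHA-256, exportable machine key, server auth EKU
    $template = @"
[NewRequest]
Subject = "CN=$FarmName"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
    Set-Content -Path $inf -Value $template -Encoding ASCII
    certreq.exe -new $inf $csr | Out-Null
    return $csr            # submit this file to the third-party CA
}

function Complete-AdfsCertificate {
    param([Parameter(Mandatory)][string]$IssuedCerPath, [string]$FarmName = 'sts.domain.com', [string]$Site = 'Default Web Site')
    # Pairs the issued certificate with the private key that certreq -new left in LocalMachine\My
    certreq.exe -accept $IssuedCerPath | Out-Null
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$FarmName" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for CN=$FarmName in LocalMachine\My" }

    # Bind it to HTTPS/443 on the site (replacing any existing 443 SSL binding)
    if (-not (Get-WebBinding -Name $Site -Protocol https -Port 443)) {
        New-WebBinding -Name $Site -Protocol https -Port 443 -IPAddress '*'
    }
    if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
    New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
    return $cert
}

function Test-AdfsCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$FarmName = 'sts.domain.com')
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    [pscustomobject]@{
        Subject        = $Cert.Subject
        NameMatches    = ($Cert.Subject -eq "CN=$FarmName") -or ($san -and $san.Format($false) -match [regex]::Escape($FarmName))
        KeyBits        = $Cert.PublicKey.Key.KeySize
        StrongKey      = $Cert.PublicKey.Key.KeySize -ge 2048
        Sha256Signed   = $Cert.SignatureAlgorithm.FriendlyName -match 'sha256'
        HasPrivateKey  = $Cert.HasPrivateKey
        DaysToExpiry   = ($Cert.NotAfter - (Get-Date)).Days
        Thumbprint     = $Cert.Thumbprint
    }
}

# Usage:
# $csr  = New-AdfsCertificateRequest -FarmName 'sts.domain.com'     # send C:\certs\sts.csr to the CA
# $cert = Complete-AdfsCertificate -IssuedCerPath 'C:\certs\sts.cer'
# Test-AdfsCertificate -Cert $cert
```

Test-AdfsCertificate should report NameMatches, StrongKey, Sha256Signed and HasPrivateKey all true; a false HasPrivateKey means certreq -accept ran on a different machine from certreq -new, which is the usual cause of the AD FS wizard not pre-populating the certificate in the next section.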

Now that we have the required software installed and the certificate in place, we can finally configure the AD FS role and federate with Microsoft.

Configure Local AD FS Federation Server

  1. Open Server Manager
  2. Click AD FS Management
  3. Click AD FS Federation Server Configuration Wizard
  4. New Federation Server Farm: choose this option every time, even if you only plan on deploying one server. If you choose Stand-alone federation server, you won't be able to add more servers later.
  5. SSL Certificate – This should be pre-populated. If it isn’t, go back and assign/bind the third party certificate to the default web site
  6. Federation Service Name – This should match the SSL certificate name

    *** NOTE *** Since I am using a multi-name certificate in a lab environment, my SSL certificate name and Federation Service name don’t match. This is not recommended for production environments. Use best practices always; a single name certificate.

  7. Enter the AD FS service account name and password
  8. Click Next
  9. All green check marks mean everything is setup correctly

Configure Federation Trust with Office 365

Now that we have our side of the federation setup, we can complete the federation with Office 365

  • On the AD FS server, open the Windows Azure Active Directory Module for Windows PowerShell
  • Set the credential variable
    • $cred = Get-Credential
  • Enter a Global Administrator account from Office 365. I have a dedicated tenant (@domain.onmicrosoft.com) service account set up for AD FS and Directory Synchronization.
  • Connect to Microsoft Online Services with the credential variable set previously
    • Connect-MsolService -Credential $cred
  • Point the MSOL AD FS context at the AD FS server
    • Set-MsolADFSContext -Computer adfs_servername.domain_name.com
  • Convert the domain to a federated domain
    • Convert-MsolDomainToFederated -DomainName domain_name.com
  • A successful federation returns
    • Successfully updated 'domain_name.com' domain.
  • Verify the federation settings
    • Get-MsolFederationProperty -DomainName domain_name.com

This completes the setup for federation to Office 365. Keep in mind that before you can successfully use single sign-on with Office 365, you will need to setup and configure Directory Synchronization. After Directory Synchronization is setup, you will have to license the synchronized user in Office 365. This will provision the services for the user. If they want to access Office 365 from outside the internal network, the AD FS Proxy server needs to be setup and configured.
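As an added example (not part of the original article), the following PowerShell checks, after Convert-MsolDomainToFederated, that what Office 365 recorded for the domain agrees with what the local AD FS farm presents: the issuer URI, the passive and active logon endpoints on the farm name, and the token-signing certificate thumbprint. It assumes Connect-MsolService has already been run in the session and that it runs on an AD FS server (the ADFS module on Server 2012 R2 and later, the Microsoft.Adfs.PowerShell snap-in on Server 2012); domain_name.com and sts.domain.com are the placeholders used on this page.

```powershell
# Added example, not from the original article. Run on the AD FS server after Connect-MsolService.
if (Get-Module -ListAvailable -Name ADFS) { Import-Module ADFS } else { Add-PSSnapin Microsoft.Adfs.PowerShell }

function Test-Office365Federation {
    param([string]$DomainName = 'domain_name.com', [string]$ExpectedFarmName = 'sts.domain.com')

    $fed   = Get-MsolDomainFederationSettings -DomainName $DomainName   # what the cloud side stored
    $props = Get-AdfsProperties                                         # local federation service properties
    $local = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }

    # Office 365 stores the token-signing certificate as base64 DER; rebuild it to compare thumbprints
    $cloudCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($fed.SigningCertificate))

    $farmPrefix = "https://$ExpectedFarmName/*"
    [pscustomobject]@{
        Domain                 = $DomainName
        IssuerUri              = $fed.IssuerUri
        IssuerUriMatchesFarm   = ($fed.IssuerUri -eq "$($props.Identifier)")   # e.g. http://sts.domain.com/adfs/services/trust
        PassiveLogOnUri        = $fed.PassiveLogOnUri
        EndpointsUseFarmName   = ($fed.PassiveLogOnUri -like $farmPrefix) -and ($fed.ActiveLogOnUri -like $farmPrefix)
        CloudSigningThumbprint = $cloudCert.Thumbprint
        LocalSigningThumbprint = $local.Certificate.Thumbprint
        SigningCertInSync      = ($cloudCert.Thumbprint -eq $local.Certificate.Thumbprint)
        SigningCertDaysLeft    = ($local.Certificate.NotAfter - (Get-Date)).Days
    }
}

Test-Office365Federation | Format-List
```

SigningCertInSync is the check to repeat after any token-signing certificate roll-over on the farm: if the thumbprints differ, Office 365 will reject tokens signed by the new certificate until the cloud copy is refreshed with Update-MsolFederatedDomain -DomainName domain_name.com from the same MSOL session.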