
Office 365 for SMB Jump Start

Published: 9/10/2012

Office 365 for SMB Jump Start

Module 3: Office 365 DirSync, Single Sign-On & ADFS
Chris Oakman | Managing Partner Infrastructure Team | Eastridge Technology
Stephen Hall | CEO & SMB Technologist | District Computers

2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Azure, System Center, Hyper-V and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other
countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions,
it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


Jump Start Schedule Target Agenda

Day 1: Administering Office 365
  Office 365 Overview & Infrastructure
  Office 365 User Management
  Office 365 DirSync, Single Sign-On & ADFS
  MEAL BREAK
  Administering Lync Online
  Administering SharePoint Online

Day 2: Administering Exchange Online
  Exchange Online Overview & User Management
  Exchange Online Deployment & Migration
  Exchange Online FOPE
  Exchange Online Archiving & Compliance


Module 3: Office 365 DirSync, Single Sign-On & ADFS
  Reviewing Identities
  Understanding DirSync
  DirSync Requirements
  Understanding Single Sign-On & ADFS


Reviewing Identity Types

Cloud Identity
  Separate credential from the corporate credential
  Authentication occurs via the cloud directory service
  Password policy is stored in Office 365

Federated Identity
  Same credential as the corporate credential
  Authentication occurs via on-premises Active Directory (through ADFS); the password never leaves the on-premises directory
  Password policy is stored on-premises
  Requires Directory Synchronization


Reviewing Identity Usage Scenarios

Cloud Identity
  Scenario: Smaller organizations without on-premises Active Directory
  Pros:     Does not require on-premises server deployment
  Cons:     No Single Sign-On
            No 2 Factor Authentication options
            2 sets of credentials to manage with, potentially, different password policies

Cloud Identity + DirSync
  Scenario: Medium to large organizations with Active Directory on-premises
  Pros:     Source of Authority is on-premises
            Enables coexistence
  Cons:     No Single Sign-On
            No 2 Factor Authentication options
            2 sets of credentials to manage with, potentially, different password policies
            Requires on-premises server deployment

Federated Identity*
  Scenario: Large enterprise organizations with Active Directory on-premises
            Requires DirSync
  Pros:     Single Sign-On experience
            Source of Authority is on-premises
            2 Factor Authentication options
            Enables coexistence
  Cons:     Requires on-premises server deployment in a high availability scenario


Module 3 | Understanding DirSync


What is DirSync?
Application that synchronizes on-premises Active Directory with Office 365
  The x64 version is based on FIM (Forefront Identity Manager)
  Previous x86 versions were based on ILM 2007 (Identity Lifecycle Manager)
Bundled with SQL Server 2008 R2 Express Edition
Designed as an appliance: set it and forget it


DirSync | Enables Coexistence

Provisions objects in Office 365 with the same e-mail addresses as the objects in the on-premises environment
Provides a unified Global Address List experience between on-premises and Office 365
  Objects hidden from the GAL on-premises are also hidden from the Office 365 GAL
Enables mail routing between on-premises and Office 365 with a shared domain namespace
Enables application coexistence for Microsoft Lync
Enables Exchange coexistence scenarios (simple and hybrid)


DirSync | Enables Single Sign-On

Enables run-state administration and management of users, groups, and contacts
  Synchronizes adds/deletes/modifications of users, groups, and contacts from on-premises to Office 365
Not intended as a single-use bulk upload tool


DirSync Synchronization
The entire Active Directory forest is scoped for synchronization
What is synchronized?
  All user objects
  All group objects
  Mail-enabled contact objects
  Passwords are not synchronized
Synchronization is from on-premises to Office 365 only (unless write-back is enabled, which returns a small set of Exchange coexistence attributes to on-premises AD)
Synchronization occurs every 3 hours
  Use the Start-OnlineCoexistenceSync cmdlet (available in the DirSync PowerShell module on the DirSync server) to force a sync
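The 3-hour cadence and the forced-sync cmdlet above are easy to check from the tenant side. The script below is an added example, not part of the original deck: it reads the tenant's last recorded sync time with the MSOnline module, and if that is older than the schedule it forces a delta cycle on the DirSync server and polls until the tenant reports a newer sync. It assumes it runs on the DirSync server, that the MSOnline module is installed, and that the DirSync module path in $DirSyncModule is correct for the installed build (the path is an assumption; older builds expose the cmdlet from a console started with DirSyncConfigShell.psc1 instead).

```powershell
# Added example (not from the deck). Assumes: MSOnline module installed, this runs on
# the DirSync server, and $DirSyncModule points at the installed DirSync module.
$DirSyncModule = 'C:\Program Files\Microsoft Online Directory Sync\DirSync.psd1'   # assumed path
$MaxLagHours   = 3                                                                  # the scheduled cycle

Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 administrator')

function Get-DirSyncLag {
    # Returns the last sync time the tenant recorded and how stale it is, in hours.
    $info = Get-MsolCompanyInformation
    if (-not $info.DirectorySynchronizationEnabled) {
        throw 'Directory synchronization is not enabled for this tenant.'
    }
    $last = $info.LastDirSyncTime            # UTC; $null if no cycle has completed yet
    $lag  = if ($last) { ((Get-Date).ToUniversalTime() - $last).TotalHours }
            else       { [double]::PositiveInfinity }
    [pscustomobject]@{ LastSyncUtc = $last; LagHours = [math]::Round($lag, 2) }
}

$before = Get-DirSyncLag
Write-Host ("Last sync (UTC): {0}   lag: {1} h" -f $before.LastSyncUtc, $before.LagHours)

if ($before.LagHours -gt $MaxLagHours) {
    Write-Warning 'Sync is overdue; forcing a delta cycle.'
    Import-Module $DirSyncModule
    Start-OnlineCoexistenceSync

    # The cmdlet returns immediately; wait (up to 15 minutes) for the tenant to
    # record a newer LastDirSyncTime before declaring success.
    $deadline = (Get-Date).AddMinutes(15)
    do {
        Start-Sleep -Seconds 60
        $after = Get-DirSyncLag
    } until ($after.LastSyncUtc -gt $before.LastSyncUtc -or (Get-Date) -gt $deadline)

    if ($after.LastSyncUtc -gt $before.LastSyncUtc) {
        Write-Host "Sync completed at $($after.LastSyncUtc) UTC."
    } else {
        Write-Warning 'LastDirSyncTime did not advance; check the Application event log on the DirSync server.'
    }
}
```

Polling LastDirSyncTime rather than trusting the cmdlet's return is deliberate: the cmdlet only queues the cycle, and the tenant-side timestamp is the same signal the daily health e-mail is based on.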


DirSync Synchronization | User Objects

Mail-enabled/mailbox-enabled users are synchronized as mail-enabled users (not mailbox-enabled users)
  Visible in the Office 365 GAL (unless explicitly hidden from the GAL)
  Logon enabled, but not automatically licensed to use services
  Target address is synchronized for mail-enabled users
Regular users (neither mail-enabled nor mailbox-enabled) are synchronized as regular users
  Not automatically provisioned as mail-enabled in Office 365
Resource mailboxes are synchronized as resource mailboxes
Synchronized users are not automatically assigned a license


DirSync Synchronization | Group and Contact Objects
Group objects
  Mail-enabled groups are synchronized as mail-enabled groups
  Group memberships are synchronized
  Security groups are synchronized as security groups

Contact objects
  Only mail-enabled contacts are synchronized
  Target address is synchronized to Office 365


DirSync Synchronization | Object Lifecycle
New user, group, and contact objects that are added on-premises are added to Office 365
Existing user, group, and contact objects that are deleted on-premises are deleted from Office 365
Existing user objects that are disabled on-premises are disabled in Office 365
Synchronized attributes of existing user, group, or contact objects that are modified on-premises are modified in Office 365


DirSync Synchronization | Sync Cycle
Sync Cycle Step 1: Import users, groups, and contacts from the source Active Directory forest
Sync Cycle Step 2: Import users, groups, and contacts from Microsoft Online Services via AWS (the DirSync Web Service; unrelated to Amazon Web Services)
Sync Cycle Step 3: Export users, groups, and contacts that do not already exist in Microsoft Online Services

Example on-premises object (Active Directory with on-premises Exchange Server):
  User object, mailbox-enabled
  ProxyAddresses: SMTP:John.Doe@contoso.com

Resulting object in Microsoft Online Services (online directory used by Live ID, Exchange Online, SharePoint Online, and Lync Online):
  Logon-enabled user object (unlicensed)
  Mail-enabled user (not mailbox-enabled)
  ProxyAddresses: SMTP:John.Doe@contoso.com
                  smtp:John.Doe@contoso.onmicrosoft.com
  TargetAddress:  John.Doe@contoso.com


DirSync Synchronization | Full vs. Delta
The first synchronization cycle after installation is a full synchronization
  Time-consuming process relative to the number of objects synchronized: ~5000 objects per hour
Subsequent synchronization cycles are deltas only
  Much faster
Not all on-premises attributes are synchronized for each object type, but 100+ attributes are synchronized


DirSync Synchronization | Source of Authority
Once implemented, on-premises AD becomes the source of authority for synchronized objects
  Modifications to synchronized objects must occur in the on-premises AD
  Synchronized objects cannot be modified or deleted via the portal unless DirSync is disabled for the tenant

Scoping/Filtering
  Custom scoping or filtering is officially unsupported (guidance coming soon)
  The V1 DirSync filter XML file is no longer an available option for filtering


DirSync Synchronization | Matching
During an object's initial synchronization, the value of its on-premises objectGUID attribute (base64-encoded) is written to the sourceAnchor attribute (ImmutableId) of the Office 365 object
  Referred to as a hard match
  DirSync knows which Office 365 objects it is the source of authority for by examining the sourceAnchor attribute
DirSync can also match user objects created via the portal with on-premises objects if the primary SMTP address matches
  Referred to as a soft match
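Because a soft match silently hands ownership of a portal-created user to DirSync, it is worth predicting the matches before the first cycle. The script below is an added example, not part of the deck: it computes the value DirSync will write to sourceAnchor/ImmutableId for each on-premises user (the base64 form of objectGUID), looks the value up among the tenant's users, and classifies each user as a hard match, a soft-match candidate (a cloud user with the same primary SMTP address and no ImmutableId), an anchor conflict (same SMTP address but a different ImmutableId already set, which the sync will reject), or unmatched. It assumes the ActiveDirectory and MSOnline modules, an open Connect-MsolService session, PowerShell 3.0 or later, and uses 'OU=Staff,DC=contoso,DC=local' as a placeholder search base.

```powershell
# Added example (not from the deck). Assumes: ActiveDirectory and MSOnline modules,
# Connect-MsolService already run, PowerShell 3.0+. The OU below is a placeholder.
Import-Module ActiveDirectory
Import-Module MSOnline

$SearchBase = 'OU=Staff,DC=contoso,DC=local'    # placeholder

function Get-SourceAnchor {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # DirSync base64-encodes the 16 raw GUID bytes; this is the ImmutableId in the tenant.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Get-PrimarySmtp {
    param([string[]]$ProxyAddresses)
    # The primary address carries an upper-case 'SMTP:' prefix (case-sensitive match).
    $primary = $ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
    if ($primary) { ($primary -replace '^SMTP:', '').ToLowerInvariant() } else { $null }
}

# Index the tenant's users once, by ImmutableId and by primary SMTP address.
$byAnchor = @{}
$bySmtp   = @{}
foreach ($u in (Get-MsolUser -All)) {
    if ($u.ImmutableId) { $byAnchor[$u.ImmutableId] = $u }
    $smtp = Get-PrimarySmtp $u.ProxyAddresses
    if ($smtp) { $bySmtp[$smtp] = $u }
}

function Get-MatchState {
    param([string]$Anchor, [string]$Smtp)
    if ($byAnchor.ContainsKey($Anchor)) { return 'HardMatch' }        # already DirSync-owned
    if (-not $Smtp -or -not $bySmtp.ContainsKey($Smtp)) { return 'Unmatched' }
    $cloudUser = $bySmtp[$Smtp]
    if ($cloudUser.ImmutableId) { return 'AnchorConflict' }           # same SMTP, different anchor
    return 'SoftMatchCandidate'                                        # portal user; sync will take it over
}

Get-ADUser -SearchBase $SearchBase -Filter * -Properties proxyAddresses |
    ForEach-Object {
        $anchor = Get-SourceAnchor $_.ObjectGUID
        $smtp   = Get-PrimarySmtp $_.proxyAddresses
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            PrimarySmtp    = $smtp
            SourceAnchor   = $anchor
            Match          = Get-MatchState -Anchor $anchor -Smtp $smtp
        }
    } | Sort-Object Match | Format-Table -AutoSize
```

Anything reported as AnchorConflict needs to be resolved before the first cycle, since once DirSync owns an object the portal can no longer edit it (see the source-of-authority slide above).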


DirSync Synchronization | Errors
Synchronization errors are e-mailed to the Technical Contact for the subscription
  Recommend using a distribution group as the Technical Contact e-mail address

Example errors include:
  Synchronization health status: sent once a day if no synchronization cycle has registered 24 hours after the last successful synchronization
  Objects whose attributes contain invalid characters
  Objects with duplicate/conflicting e-mail addresses
  Sync quota limit exceeded
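The two object-level errors above (invalid characters, duplicate addresses) only reach the Technical Contact after a cycle has already failed for those objects. The script below is an added example, not part of the deck: it runs the same two checks against on-premises AD before the first cycle, across users, groups and contacts (the forest-wide scope DirSync uses by default). It assumes the ActiveDirectory module and PowerShell 3.0 or later. The allowed-character set for the local part of a UPN is the conservative set documented for Office 365 sign-in names and is an assumption to widen if your tenant accepts more.

```powershell
# Added example (not from the deck). Assumes: ActiveDirectory module, PowerShell 3.0+.
# $UpnLocalPartPattern is an assumed conservative allow-list, not an exhaustive rule.
Import-Module ActiveDirectory

$UpnLocalPartPattern = '^[A-Za-z0-9.!#^~_''-]+$'     # no spaces, no quotes except apostrophe

# Everything DirSync reads: users, groups and contacts, with the mail attributes it checks.
$objects = Get-ADObject -Filter { objectClass -eq 'user' -or objectClass -eq 'group' -or objectClass -eq 'contact' } `
                        -Properties proxyAddresses, mail, userPrincipalName, objectClass

function Get-SmtpAddresses {
    param($Object)
    # All SMTP addresses of an object, lower-cased and without the 'smtp:' prefix;
    # non-SMTP proxy addresses (X500:, sip:) are ignored. -match/-replace are
    # case-insensitive by default in PowerShell.
    $list = foreach ($pa in @($Object.proxyAddresses)) {
        if ($pa -match '^smtp:') { ($pa -replace '^smtp:', '').ToLowerInvariant() }
    }
    if ($Object.mail) { $list += $Object.mail.ToLowerInvariant() }
    $list | Select-Object -Unique
}

# --- Check 1: the same SMTP address on two different objects ---------------------
$owner = @{}
$duplicates = foreach ($o in $objects) {
    foreach ($addr in (Get-SmtpAddresses $o)) {
        if ($owner.ContainsKey($addr) -and $owner[$addr] -ne $o.DistinguishedName) {
            [pscustomobject]@{ Address = $addr; First = $owner[$addr]; Second = $o.DistinguishedName }
        } else {
            $owner[$addr] = $o.DistinguishedName
        }
    }
}

# --- Check 2: invalid characters in the sign-in name (UPN) of users ---------------
$invalid = foreach ($o in ($objects | Where-Object { $_.objectClass -eq 'user' -and $_.userPrincipalName })) {
    $localPart = ($o.userPrincipalName -split '@', 2)[0]
    if ($localPart -notmatch $UpnLocalPartPattern -or $localPart.StartsWith('.') -or $localPart.EndsWith('.')) {
        [pscustomobject]@{ Object = $o.DistinguishedName; Upn = $o.userPrincipalName }
    }
}

"== Duplicate SMTP addresses: {0} ==" -f @($duplicates).Count
$duplicates | Format-Table -AutoSize
"== UPNs with invalid characters: {0} ==" -f @($invalid).Count
$invalid | Format-Table -AutoSize
```

Run this on the DirSync server itself, which already has the forest-wide read access the tool needs, and repeat it after any bulk change to mail attributes; a single duplicate address blocks only the conflicting objects, but a conflicting UPN can also collide with a soft match.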


Module 3 | DirSync Requirements


DirSync | Computer Requirements

Must be joined to an Active Directory domain within the same forest that will be synchronized with Office 365
  Does not have to be joined to the root domain
Cannot be a domain controller
Must be able to communicate with any/all domain controllers forest-wide
Should be located in an access-controlled environment
  Access should be limited to those with access to domain controllers and other security-sensitive systems, because the sync account it runs under can read every attribute of every object in the forest


DirSync | AD Requirements
Only routable UPN suffixes can be used with a DirSync deployment; the forest's own DNS name may stay internal, but the suffix synchronized users sign in with must be a domain verified in the tenant
  Non-routable domains include .local, .loc, or .internal
If the organization's AD has only an internal namespace, you must:
  Add a routable UPN suffix in Active Directory Domains and Trusts
  Configure each user with that routable UserPrincipalName suffix
    user@domain.local must be changed to user@domain.com
  If this is not done, once DirSync runs, users will appear in Office 365 as user@domain.onmicrosoft.com instead of user@domain.com
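The two steps above (register the suffix, re-suffix every user) are routine but easy to get wrong at scale, because two users can end up with the same new UPN. The script below is an added example, not part of the deck: it registers the routable suffix on the forest, plans a new UPN for every user still carrying the internal suffix (preferring the user's mail address so UPN and primary SMTP agree), refuses to continue if the plan would create duplicate or already-taken UPNs, and applies the change with -WhatIf until you remove it. It assumes the ActiveDirectory module, Enterprise Admin rights, PowerShell 3.0 or later, and uses contoso.local / contoso.com as placeholders; contoso.com must already be verified in the tenant.

```powershell
# Added example (not from the deck). Assumes: ActiveDirectory module, Enterprise Admin
# rights, PowerShell 3.0+. Suffix names are placeholders.
Import-Module ActiveDirectory

$OldSuffix = 'contoso.local'   # non-routable AD domain name
$NewSuffix = 'contoso.com'     # routable suffix, verified in the Office 365 tenant

# Step 1: register the suffix on the forest (same effect as Active Directory Domains and Trusts).
if ((Get-ADForest).UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -UPNSuffixes @{ Add = $NewSuffix }
}

# Step 2: plan the new UPN for every user still on the internal suffix.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" -Properties userPrincipalName, mail

function Get-NewUpn {
    param($User)
    # Prefer the mail address when it already uses the routable suffix, so that the
    # sign-in name equals the primary SMTP address; otherwise keep the old prefix.
    if ($User.mail -and $User.mail -like "*@$NewSuffix") { return $User.mail.ToLowerInvariant() }
    $prefix = ($User.UserPrincipalName -split '@', 2)[0]
    return "$prefix@$NewSuffix".ToLowerInvariant()
}

$plan = foreach ($u in $users) {
    [pscustomobject]@{ Sam = $u.SamAccountName; OldUpn = $u.UserPrincipalName; NewUpn = (Get-NewUpn $u) }
}

# Step 3: refuse duplicates within the plan and collisions with UPNs already in use.
$taken = @{}
Get-ADUser -Filter "UserPrincipalName -like '*@$NewSuffix'" |
    ForEach-Object { $taken[$_.UserPrincipalName.ToLowerInvariant()] = $_.SamAccountName }

$problems = @()
$problems += $plan | Group-Object NewUpn | Where-Object Count -gt 1 |
    ForEach-Object { "Duplicate in plan: $($_.Name) <- $($_.Group.Sam -join ', ')" }
$problems += $plan | Where-Object { $taken.ContainsKey($_.NewUpn) } |
    ForEach-Object { "Already in use: $($_.NewUpn) (held by $($taken[$_.NewUpn]))" }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Resolve the UPN conflicts above before applying the change.'
}

# Step 4: apply. Remove -WhatIf once the plan has been reviewed.
$plan | Format-Table -AutoSize
foreach ($p in $plan) {
    Set-ADUser -Identity $p.Sam -UserPrincipalName $p.NewUpn -WhatIf
}
```

Users sign in to Office 365 with the UPN, so announce the change before applying it; on-premises Windows logon with DOMAIN\username is unaffected.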


DirSync | Software Requirements

Windows Installer 4.5 or later
Windows PowerShell version 2.0
Microsoft .NET Framework version 3.5 or later
Windows Server 2003/R2 x86 with Service Pack 2 or later, or Windows Server 2008 x86 with the latest service pack installed (x86 ILM-based build)
  x64 is supported: the FIM-based x64 build requires a 64-bit Windows Server 2008 or later
Microsoft Online Services Sign-In Assistant
  Not a prerequisite for installation, but required when connecting to Office 365


DirSync | Hardware Requirements

Minimum of 1 GB hard drive space
  600 MB for a complete installation of all Directory Synchronization Tool components
  400 MB required to create the initial database file
  Additional hard drive space most likely required for mid-size or larger companies
Server hardware should meet the minimum requirements for SQL Server 2008 R2 Express Edition and FIM (x64) or Identity Lifecycle Manager 2007 Feature Pack 1 (x86, legacy)


DirSync | Network Requirements

Synchronization with Office 365 occurs over SSL/TLS (HTTPS, TCP 443)
Internal network communication uses the typical Active Directory related ports:

Service                                  Protocol   Port
LDAP                                     TCP/UDP    389
Kerberos                                 TCP/UDP    88
DNS                                      TCP/UDP    53
Kerberos Change Password                 TCP/UDP    464
RPC                                      TCP        135
RPC randomly allocated high TCP ports    TCP        1024-65535
                                                    49152-65535 (1)
SMB                                      TCP        445
SSL                                      TCP        443
SQL                                      TCP        1433 (only when a remote full SQL Server is used instead of the bundled Express instance)

(1) This is the range in Windows Server 2008 and in Windows Vista.


DirSync | Permission Requirements

Account used to install DirSync must have:
  1. Local machine administrator permissions
  2. If using full SQL, rights within SQL to create the DirSync database and to set up the SQL service account with the db_owner role

Account used to configure DirSync must reside in the local machine MIISAdmins group
  1. The account used to install DirSync is automatically added

Administrator permission in the Office 365 tenant
  1. DirSync uses an administrator account in the tenant to provision and update/modify objects
  This credential is saved by the tool so that scheduled cycles can run unattended: use a dedicated account whose password does not expire, not an administrator's day-to-day account


DirSync | Permission Requirements (continued)

Enterprise Administrator permission in the on-premises Active Directory
  Credential is not stored/saved by the configuration wizard
  Used to create the MSOL_AD_Sync domain account in the CN=Users container of the root domain of the forest
  Used to delegate the following permissions to that account on each domain partition in the forest:
    Replicating Directory Changes
    Replicating Directory Changes All
    Replication Synchronization
  These are the rights a domain controller uses to replicate; "Replicating Directory Changes All" allows reading every attribute of every object, secrets such as password hashes included, so MSOL_AD_Sync and the DirSync server must be protected to the same standard as a domain controller
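Since the wizard grants MSOL_AD_Sync the same replication rights a domain controller holds, the useful control afterwards is to know exactly who else holds them. The script below is an added example, not part of the deck: it reads the ACL of each domain partition in the forest, lists every principal allowed any of the three replication extended rights (identified by their well-known rights GUIDs), and flags holders outside an expected set. It assumes the ActiveDirectory module (whose ActiveDirectory PSProvider supplies the drives) and PowerShell 3.0 or later; the expected-holder list is an assumption to adjust for your forest.

```powershell
# Added example (not from the deck). Assumes: ActiveDirectory module, PowerShell 3.0+,
# rights to read the ACL of each domain partition. $Expected* lists are assumptions.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs of the three replication permissions.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
}

# Principals that legitimately replicate; everything else needs a documented reason.
$ExpectedExact    = @('NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$ExpectedPatterns = @('\\Domain Controllers$', '\\Enterprise Read-only Domain Controllers$', '\\MSOL_AD_Sync$')

function Get-ReplicationRightHolders {
    param([Parameter(Mandatory)][string]$AclPath, [Parameter(Mandatory)][string]$Partition)
    $acl = Get-Acl -Path $AclPath
    foreach ($ace in $acl.Access) {
        $guid = $ace.ObjectType.ToString()
        if ($ace.AccessControlType -eq 'Allow' -and $ReplicationRights.ContainsKey($guid)) {
            [pscustomobject]@{
                Partition = $Partition
                Principal = $ace.IdentityReference.Value
                Right     = $ReplicationRights[$guid]
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = foreach ($domainName in (Get-ADForest).Domains) {
    # One ActiveDirectory drive per domain, bound to that domain's PDC emulator,
    # so the partition's own ACL is read rather than the default domain's.
    $domain = Get-ADDomain -Identity $domainName
    $drive  = New-PSDrive -Name ('AD_' + ($domainName -replace '\W', '_')) -PSProvider ActiveDirectory `
                          -Root '' -Server $domain.PDCEmulator -Scope Script
    try {
        Get-ReplicationRightHolders -AclPath ('{0}:\{1}' -f $drive.Name, $domain.DistinguishedName) `
                                    -Partition $domain.DistinguishedName
    } finally {
        Remove-PSDrive -Name $drive.Name
    }
}

$unexpected = $findings | Where-Object {
    $p = $_.Principal
    ($ExpectedExact -notcontains $p) -and -not ($ExpectedPatterns | Where-Object { $p -match $_ })
}

$findings | Sort-Object Partition, Principal, Right | Format-Table -AutoSize
if ($unexpected) {
    Write-Warning 'Principals holding replication rights outside the expected set:'
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host 'Only expected principals hold replication rights.'
}
```

Run this after the configuration wizard finishes and again on a schedule: an unexpected holder of "Replicating Directory Changes All" can pull password hashes for the whole domain just as a domain controller can, and the DirSync rollout is a natural moment for such an entry to be added and forgotten.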


Module 3 | Understanding Single Sign-On & ADFS


Single Sign-On | Purpose

Enables users to access both the on-premises and cloud-based organizations with a single user name and password
Provides users with a familiar sign-on experience
Allows administrators to easily control account policies for cloud-based organization mailboxes by using on-premises Active Directory management tools

Single Sign-On | Benefits

Policy Control
Access Control
Reduced Support Calls
Security

Single Sign-On | Server Requirements

Windows Server 2008 or Windows Server 2008 R2
Active Directory Federation Services 2.0 (ADFS 2.0)
PowerShell
Web Server (IIS)
.NET 3.5 SP1
Windows Identity Foundation
Publicly registered domain name
SSL Certificates
Microsoft Online Services Module for Windows PowerShell
Microsoft Online Sign In Assistant
High availability design

Single Sign-On | Client Requirements

Internet Explorer 7.0 or later
Firefox 3.0
Chrome 6.0 or later
Safari 4.0 or later
Microsoft Office 2010 / 2007 SP2
Microsoft Office for Mac 2011 SP1
Microsoft Office 2008 for Mac version 12.2.9
Office 365 Desktop Setup
Microsoft Online Sign In Assistant

Single Sign-On | Requirements

Office 365 Desktop Setup
Automatically detects necessary updates for a computer
Installs Microsoft Online Sign In Assistant
Installs operating system and client software updates required for connectivity with Office 365
Automatically configures Internet Explorer and rich clients for use with Office 365
Office 365 Desktop Setup is not an authentication or sign-in service and should not be confused with single sign-on

Single Sign-On | Requirements

Microsoft Online Sign-In Assistant
Can be installed automatically by Office 365 Desktop Setup or manually
Enables authentication support by obtaining a service token from Office 365 and returning it to a rich client (e.g. Lync)
Not required for web kiosk scenarios (e.g. OWA)
Required for on-premises computers connecting to Office 365 (e.g. DirSync, Exchange, ADFS, PowerShell)

ADFS 2.0 Components

ADFS 2.0 Server
The default topology for Office 365 is an AD FS 2.0 federation server farm that consists of multiple servers hosting your organization's Federation Service.
Recommend using at least two federation servers in a load-balanced configuration.

ADFS 2.0 Proxy Server
Federation server proxies are used to redirect client authentication requests coming from outside your corporate network to the federation server farm.
Federation server proxies should be deployed in the DMZ.

AD FS 2.0 Deployment Options

1. Single server configuration
2. AD FS 2.0 Server Farm and load-balancer
3. AD FS 2.0 Proxy Server or UAG/TMG
   i. (External Users, Active Sync, Down-level Clients with Outlook)

[Diagram: the Enterprise zone contains Active Directory, an internal user and the AD FS 2.0 Servers; the Perimeter zone contains the AD FS 2.0 Server Proxies, which serve the external user]

Deployment Architecture

Number of users         | Minimum number of servers
------------------------|---------------------------------------------------------------------------------------------
Fewer than 1,000 users  | 0 dedicated federation servers, 0 dedicated federation server proxies, 1 dedicated NLB server
1,000 to 15,000 users   | 2 dedicated federation servers, 2 dedicated federation server proxies
15,000 to 60,000 users  | Between 3 and 5 dedicated federation servers, at least 2 dedicated federation server proxies

Identity Federation | Authentication Flow (Web Profile)

[Diagram: the Customer side contains Active Directory, the AD FS 2.0 Server and a Client (joined to CorpNet); the Microsoft Online Services side contains the Authentication platform and Exchange Online or SharePoint Online. The Logon (SAML 1.1) Token issued by AD FS 2.0 carries UPN: user@contoso.com and Source User ID: ABC123; the Auth Token issued by the Authentication platform carries UPN: user@contoso.com and Unique ID: 254729, and is what the client presents to Exchange Online or SharePoint Online.]

Recommended Resources

ADFS 2.0 Deployment
http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx
http://technet.microsoft.com/en-us/video/deploying-office-365-jump-start08-exchange-online-hybrid-scenarios-part-1

More information on DirSync
http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652557.aspx
http://technet.microsoft.com/en-us/video/deploying-office-365-jump-start02-deploying-sso-part-1.aspx

Check out the course appendix

2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is
for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. Some information relates to pre-released product which may be substantially
modified before its commercially released. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
