Active Directory Federation Setup for Server 2012 R2

Good morning and happy Thursday. I generally like to write my own posts for things I have done. Sometimes I simply find someone who has already written the de-facto article, which is much better than I could put together with the time constraints I have. That said, the blog.auth360.net blog is a breath of fresh air on the subject of 2012 ADFS. Why would anyone care or, worse, read about ADFS? Well, here’s the thing: it’s a really solid proxy for Lync 2013. Many of you know this, but let me state the obvious.

Ok sidetrack- I feel like a haiku for some reason~

the birds they fly yes
cover their ears if they can
I’m singing their song.

Ok, really, that was spontaneous, as exhibited by the low quality of the content. Ok, back to business. So here is a full article with deployment and setup info on ADFS. There is another article on my blog for setting up ADFS with Lync. However, the link below chronicles a lot of the crap I had to go through, which I did not document. I would really like to have something like this the next time I set ADFS up. Why? Because once you set up the ADFS proxy for Lync, you will not likely have to mess with anything again. It is that solid. That said, I have had to reinstall roles several times on the proxy. However, that is a 5-minute job with the script to rebuild the settings. The ADFS portion is the one you only want to do once.

Enjoy-

blog.auth360.net ADFS

Lou

This article provides information on how to Setup Reverse Proxy for Lync 2013 using Windows 2012 R2 Active Directory Federation Proxy.

Lync 2013 PROXY

Hello, I wanted to send you my early results on setting up the Lync proxy using Active Directory Federation Services for Windows 2012 R2. I have discussed writhing about this, so here is my first analysis of the new proxy method. Please let me know your feedback as you come across this beast in setup form.

First I must say "writhing" was not a misprint. There were some difficulties getting this completely working, and I’m not holding back here. If you have an F5 device or something of that nature, it should be your first line of use. I’m including the F5 documentation as an aid to illustrate to what degree some of the UTM folks are going to support Lync. F5 has a full whitepaper, setup guides, and templates that distill the setup down to answering a few questions. In honor of my friend James Nelson, who is a scholar of Lync and Exchange and who taught me a few things about F5:

http://www.f5.com/products/technology/microsoft/lync-server/

If you must use a non-UTM device, the IIS ARR and ADFS methods work and are simpler than TMG to set up. Before you start reading, I’m going to say I think IIS ARR may provide the same function with less effort. However, from a support standpoint, the option with more moving parts tends to become the most popular one in our world. Below is my best effort to make your experience much simpler than mine was.

Step 1 Plan – Needed Items

1. ADFS server on 2012 R2, domain joined, named (x)
2. Remote Access (reverse proxy) installed on 2012 R2 (not domain joined), named (y)
3. Federation service name (z) (step 7)
4. Federation service certificate which includes the federation name (z) (step 7)
5. I will concede my cert was from an internal CA and had all names for the Lync web services and the FQDN of both 2012 boxes. This was overkill (thank you Hugh for helping me simplify my thinking). You only need the federation proxy name on the certificate.
6. The public cert for Lync, which should include all your published names like dialin, meet, lyncdiscover, wac, and lyncextwebservices. (a)
7. (z) will be used to link (x) to (y). (a) is not part of the equation and only comes into play when you define your external connection on (y).
8. The federation service name is the same as the certificate name, but the service account is a unique name and cannot be the host name or the federation service name.

Step 2. Set up your ADFS server.

1. Install 2012 R2 Server and join it to the domain (x)
2. Add the AD DS tools (x)
3. Install SQL or the Windows Internal Database. If you install the Windows Internal Database, follow TechNet 2832204
4. Import-Module ActiveDirectory (x)
5. Add-KdsRootKey -EffectiveImmediately (x)
6. Wait 10 hours – seriously: http://technet.microsoft.com/en-us/library/jj128430.aspx
7. Install the Federation Services role on (x). Once installed, please stop and make sure you have the right Managed Service Accounts container in your forest. See: Lync ADFS issues Accounts Group
8. Once your Managed Service Accounts container is functional, go ahead and run this to create your managed service account:

# Run on (x). The gMSA name (adfstest) must differ from both the host name and the federation service name.
New-ADServiceAccount adfstest -DNSHostName center.1reeves.com -ServicePrincipalNames http/center.1reeves.com -Path "CN=Managed Service Accounts,DC=1reeves,DC=com"

Ideally you run through the configuration wizard and all completes well –
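As an added example (not the page's own command or the wizard's output), this is the version of the gMSA step I would run on (x): it checks that the KDS root key is actually effective (the 10-hour wait above), that the path is the built-in container and not an OU you created, creates the account only once, and confirms the ADFS host can retrieve its password. The names adfstest and center.1reeves.com are the page's; the PrincipalsAllowedToRetrieveManagedPassword restriction is an assumption added here so only the ADFS server can use the account.

```powershell
# Added example, not the page's command. Run on (x) after the Federation Services role is installed.
Import-Module ActiveDirectory

$accountName = 'adfstest'                    # gMSA name: must differ from the host and federation names
$fsName      = 'center.1reeves.com'          # federation service name (z), from the page
$gmsaPath    = 'CN=Managed Service Accounts,DC=1reeves,DC=com'

# 1. A KDS root key must exist and already be effective, or the gMSA cannot be created/used.
$key = Get-KdsRootKey | Sort-Object EffectiveTime | Select-Object -First 1
if (-not $key) { throw "No KDS root key: run Add-KdsRootKey -EffectiveImmediately and wait" }
if ($key.EffectiveTime -gt (Get-Date)) { throw "KDS root key becomes effective at $($key.EffectiveTime); wait" }

# 2. The path must be the built-in 'Managed Service Accounts' container, not an OU (Final Thoughts, item 2).
try { $container = Get-ADObject -Identity $gmsaPath } catch { $container = $null }
if (-not $container -or $container.ObjectClass -ne 'container') {
    throw "$gmsaPath is missing or is not a container object"
}

# 3. Create the gMSA once; only this ADFS host may retrieve its managed password (assumption added here).
$adfsHost = Get-ADComputer -Identity $env:COMPUTERNAME
if (-not (Get-ADServiceAccount -Filter "Name -eq '$accountName'")) {
    New-ADServiceAccount -Name $accountName -DNSHostName $fsName `
        -ServicePrincipalNames "http/$fsName" -Path $gmsaPath `
        -PrincipalsAllowedToRetrieveManagedPassword $adfsHost
}

# 4. Install it locally and prove the host can actually use it before starting the ADFS wizard.
Install-ADServiceAccount -Identity $accountName
if (-not (Test-ADServiceAccount -Identity $accountName)) { throw "$accountName cannot be used on this host" }
```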

Now we have the ADFS server complete.

Step 3. Set up the remote proxy server connection

1. Go to the Proxy server y

2. Install the Remote Access role and choose the reverse proxy option.

3. A post-configuration task will ask you to enter the federation certificate and the federation service name (they should match); however, that name should be different from the host name. Do not make the federation service name the same as any server name. The federation service name gets a DNS A record pointing to the ADFS server. Clear screenshots are available at the MS blog site.

4. Once the remote proxy service is set up, it only took 10 minutes to get the URLs working for Lync. However, when I manually added them, they didn’t work for some reason. I’m leaning on this script to do the entire setup in one PS1 script:

Replace your domain name and your external web services name and save the file as a .ps1. Run Set-ExecutionPolicy -ExecutionPolicy Unrestricted and run the script as needed on (y). This script came from Blog.Kloud.com, so thank you for helping me get this working.

# Run on (y). Replace the domain, the external web services label and the certificate thumbprint with your own.
$domain = "1reeves.com"
$webServices = "webext."
$certificate = "84a5950fb7cd71d3bb59ad9aa0ce26badb23b124"   # thumbprint of the public Lync certificate

# Lync web services are published pass-through (no pre-authentication) to the backend on port 4443.
Add-WebApplicationProxyApplication -Name 'Lync Web Services' -ExternalPreAuthentication PassThrough -ExternalUrl "https://$webServices$domain/" -BackendServerUrl ("https://" + $webServices + $domain + ":4443/") -ExternalCertificateThumbprint $certificate
Add-WebApplicationProxyApplication -Name 'Lync Lyncdiscover' -ExternalPreAuthentication PassThrough -ExternalUrl "https://lyncdiscover.$domain/" -BackendServerUrl ("https://lyncdiscover." + $domain + ":4443/") -ExternalCertificateThumbprint $certificate
Add-WebApplicationProxyApplication -Name 'Lync Dialin' -ExternalPreAuthentication PassThrough -ExternalUrl "https://dialin.$domain/" -BackendServerUrl ("https://dialin." + $domain + ":4443/") -ExternalCertificateThumbprint $certificate
Add-WebApplicationProxyApplication -Name 'Lync Meet' -ExternalPreAuthentication PassThrough -ExternalUrl "https://meet.$domain/" -BackendServerUrl ("https://meet." + $domain + ":4443/") -ExternalCertificateThumbprint $certificate
# Office Web Apps Server listens on 443, so the backend URL has no port override. Both URLs use $domain
# (the original copy still had the Kloud blog's own external name here).
Add-WebApplicationProxyApplication -Name 'Office Web Apps Server' -ExternalPreAuthentication PassThrough -ExternalUrl "https://owas.$domain/" -BackendServerUrl "https://owas.$domain/" -ExternalCertificateThumbprint $certificate
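Since the proxy roles get reinstalled now and then, here is an added, re-runnable version of that publishing step for (y). It is an example written for this page, not the page's or Kloud's script: it checks that the certificate is in the machine store with its private key and covers every published name in its SAN list (exact name or one-label wildcard), then removes and re-adds each rule so the same file rebuilds (y) after a role reinstall. $domain, $webServices and $thumbprint are placeholders you replace, as in the page's script.

```powershell
# Added example (not the page's or Kloud's script): re-runnable publishing step for (y).
Import-Module WebApplicationProxy

$domain      = "1reeves.com"
$webServices = "webext."
$thumbprint  = "0000000000000000000000000000000000000000"   # placeholder: thumbprint of the public Lync cert

# Published name -> backend. Lync web services are reached on 4443; Office Web Apps Server on 443.
$apps = @(
    @{ Name = 'Lync Web Services';      Host = "$webServices$domain";  Backend = "https://$webServices${domain}:4443/" }
    @{ Name = 'Lync Lyncdiscover';      Host = "lyncdiscover.$domain"; Backend = "https://lyncdiscover.${domain}:4443/" }
    @{ Name = 'Lync Dialin';            Host = "dialin.$domain";       Backend = "https://dialin.${domain}:4443/" }
    @{ Name = 'Lync Meet';              Host = "meet.$domain";         Backend = "https://meet.${domain}:4443/" }
    @{ Name = 'Office Web Apps Server'; Host = "owas.$domain";         Backend = "https://owas.$domain/" }
)

# 1. The certificate must be in the machine store with its private key and must not be expired.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert)                    { throw "Certificate $thumbprint is not in LocalMachine\My" }
if (-not $cert.HasPrivateKey)      { throw "Certificate $thumbprint has no private key (import the PFX, not the CER)" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $thumbprint expired on $($cert.NotAfter)" }

# 2. Every published host must be in the SAN list, otherwise clients get a name mismatch on that URL
#    even though the proxy rule itself is accepted without complaint.
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$sanList = @()
if ($sanExt) {
    $sanList = [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\r\n,]+)') |
        ForEach-Object { $_.Groups[1].Value.Trim() }
}
foreach ($app in $apps) {
    $parent  = ($app.Host -split '\.', 2)[1]                     # meet.1reeves.com -> 1reeves.com
    $covered = $sanList | Where-Object { $_ -eq $app.Host -or $_ -eq "*.$parent" }
    if (-not $covered) { throw "SAN list does not cover $($app.Host); fix the certificate before publishing" }
}

# 3. Publish. Remove an existing rule of the same name first so the script can be run again.
foreach ($app in $apps) {
    if (Get-WebApplicationProxyApplication -Name $app.Name -ErrorAction SilentlyContinue) {
        Remove-WebApplicationProxyApplication -Name $app.Name
    }
    Add-WebApplicationProxyApplication -Name $app.Name -ExternalPreAuthentication PassThrough `
        -ExternalUrl "https://$($app.Host)/" -BackendServerUrl $app.Backend `
        -ExternalCertificateThumbprint $thumbprint
}
Get-WebApplicationProxyApplication | Format-Table Name, ExternalUrl, BackendServerUrl -AutoSize
```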

You should now see something like this:

5. Once I ran this, I found the web services still did not work. An additional script is required to make the mobile devices work. Once again, thank you to Blog.Kloud.com for this help. Distilling his steps down to the basics of what I ran (I still recommend you read his very detailed post) (on y):

1. netsh http show sslcert (this will give you the hash and ID you need for step 2)

2. netsh http add sslcert ipport=0.0.0.0:443 certhash=f7f6b300fe4d569fd598e1c9722571cf9ad780dd appid={f955c070-e044-456c-ac00-e9e4275b3f04}

3. To delete this, run: netsh http delete sslcert ipport=0.0.0.0:443

4. Blog.Kloud.com also has a script to automate this if you are doing multiple IP/URL combinations.
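The netsh steps above, as an added check script for (y) (not the page's or Kloud's script): it parses netsh http show sslcert, confirms that the 0.0.0.0:443 binding carries the expected certificate, and creates or replaces it otherwise. The Web Application Proxy binds certificates per host name (SNI); a client that does not send SNI is only served from an IP:port binding, which is why this fallback binding matters for the mobile clients. The thumbprint is a placeholder; the appid is the one from step 2 above.

```powershell
# Added example, not from the page or Kloud: verify (and if needed create) the non-SNI fallback binding on (y).
$expectedHash = "0000000000000000000000000000000000000000"   # placeholder: public Lync cert thumbprint
$expectedApp  = "{f955c070-e044-456c-ac00-e9e4275b3f04}"       # appid from the page's netsh step
$ipport       = "0.0.0.0:443"

# Parse 'netsh http show sslcert' into one object per binding (IP:port or Hostname:port).
function Get-HttpSslBinding {
    $bindings = @(); $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            $current = [pscustomobject]@{ Endpoint = $Matches[2]; CertHash = $null; AppId = $null }
            $bindings += $current
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $current.CertHash = $Matches[1].ToLower()
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') {
            $current.AppId = $Matches[1].ToLower()
        }
    }
    return $bindings
}

$fallback = Get-HttpSslBinding | Where-Object { $_.Endpoint -eq $ipport }
if (-not $fallback) {
    Write-Output "No binding on $ipport; adding the fallback so clients without SNI get the certificate"
    netsh http add sslcert "ipport=$ipport" "certhash=$expectedHash" "appid=$expectedApp"
} elseif ($fallback.CertHash -ne $expectedHash) {
    # Wrong certificate on the fallback: clients that do not send SNI see a name mismatch. Replace it.
    Write-Warning "Binding on $ipport uses $($fallback.CertHash), expected $expectedHash; replacing"
    netsh http delete sslcert "ipport=$ipport"
    netsh http add sslcert "ipport=$ipport" "certhash=$expectedHash" "appid=$expectedApp"
} else {
    Write-Output "Fallback binding on $ipport already presents $expectedHash (appid $($fallback.AppId))"
}
```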

That’s it. In conclusion, this is how you would set up your reverse proxy for Lync 2013 and external web services. Sadly, at this writing, the Lync Mobility client is not working for sign-in. Since everything else works, including connections to port 4443 and 443, I consider this solution successful. At the time of this writing, Lync, Exchange, and Remote Gateway can all work through this proxy connection. I will update this post once I determine why mobility is not working.

Final Thoughts

1. Do not use the SQL 2014 beta version. I don’t know why at this point, but I had no luck.
2. If you have no Managed Service Accounts folder in ADUC, do not create an OU. I did this and suffered for days. The object you need to create is a Group container. This is documented in this post I contributed to: Technet
3. I didn’t go into it, but I also had trouble using the Windows Internal Database. I actually reinstalled the 2012 R2 OS at one point and just decided to go with a named instance of SQL 2012. The install was successful, as long as you install the .NET 3.5 role feature before you do your SQL install. (This was apparently the Internal Database issue: http://support.microsoft.com/kb/2832204)

References

dodeitte
goodworkwround
Group Managed Service Accounts
jj128431
Windowsitpro
heyscriptingguy