Changing ADFS 2.0 Endpoint URL for Office 365


If you are configuring single sign-on for Office 365 then you will need a server running Active Directory Federation Services 2.0 (ADFS 2.0). When you install it you are asked for a URL that acts as the endpoint for the ADFS service. If you publish that endpoint through a firewall such as TMG, the name in that URL needs to appear on a mutually trusted certificate as either the subject name or a subject alternative name.

The documentation uses sts.yourdomain.com, which means you need to have this as a valid name on the certificate. I use StartCom SSL, who provide cheap certificates (approx. $100 for as many certificates as you like), but changing a certificate to add another subject alternative name requires revoking the current cert, and that comes at additional cost.

So I have a certificate with lots of names on it for my domain, just not sts.mydomain.com, so I set about changing the endpoint in ADFS 2.0.

Firstly open the ADFS 2.0 administrative console and select the root node:

image

Click Edit Federation Service Properties in the Action Pane and modify the three values on the General tab:

image

After clicking OK, restart the AD FS 2.0 Windows Service.

After the restart, create a new Token-Signing Certificate and Token-Decrypting Certificate. These are self-signed certificates. To allow you to add these you need to turn off automatic certificate rollover if it is enabled. This can be done from PowerShell using Set-ADFSProperties -AutoCertificateRollover $false; this cmdlet is available in Windows PowerShell Modules in the Administrative Tools menu.

To update Office 365, start the Microsoft Online Services Module for Windows PowerShell, installed as part of the Office 365 rich co-existence process. In this PowerShell window type Update-MsolFederatedDomain -DomainName yourFederatedDomain.com. You will first need to log in to Office 365 in this window (Connect-MsolService) and point PowerShell at the ADFS server (Set-MsolADFSContext -Computer ADFS_ServerName). Type Get-MsolFederatedDomain -DomainName yourFederatedDomain.com to ensure that the returned URLs and certificates are correct.

Now it's time to update the TMG rule, or create a new one. The listener in TMG must have the same third-party certificate and be for HTTPS, with the Public Name matching the certificate subject/subject alternative name and the Path value set to /adfs/*. The To page needs to be set with the same URL and the internal IP address of the ADFS 2.0 server.

image

And that should be it. Once Update-MsolFederatedDomain -DomainName yourFederatedDomain.com has completed, both sides of the federation trust are aware of the certificate change and automatic login to http://outlook.com/yourFederatedDomain.com should work.
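The ADFS and Office 365 steps above as one script. This is an added example, not code from the original post: it assumes a hypothetical new endpoint name (sts-alt.example.com), federated domain (example.com), ADFS server name (ADFS01) and placeholder thumbprints for two self-signed certificates you have already created in the local machine store. It uses only cmdlets that ship with ADFS 2.0 and the MSOnline module, and finishes with a check that Office 365 now holds the new endpoint URL and the same token-signing certificate that ADFS marks as primary.

```powershell
# Added example (not from the original post). All names and thumbprints below are
# hypothetical placeholders; replace them with your own values.
$NewHost         = 'sts-alt.example.com'   # must be a subject/SAN on the third-party cert
$FederatedDomain = 'example.com'           # hypothetical federated domain
$AdfsServer      = 'ADFS01'                # hypothetical ADFS 2.0 server name
$SigningThumb    = '0000000000000000000000000000000000000001'  # placeholder thumbprint
$DecryptThumb    = '0000000000000000000000000000000000000002'  # placeholder thumbprint

# --- Run on the ADFS 2.0 server (its cmdlets are loaded as a snap-in) ---
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# The three values from the General tab of Edit Federation Service Properties:
# display name, federation service name (host) and federation service identifier.
Set-AdfsProperties -DisplayName 'Example Corp' `
                   -HostName $NewHost `
                   -Identifier "http://$NewHost/adfs/services/trust"
Restart-Service adfssrv    # the AD FS 2.0 Windows Service

# Manually adding token certificates requires automatic rollover to be off.
Set-AdfsProperties -AutoCertificateRollover $false

# Register the new self-signed certificates and make each one primary.
Add-AdfsCertificate -CertificateType Token-Signing    -Thumbprint $SigningThumb
Set-AdfsCertificate -CertificateType Token-Signing    -Thumbprint $SigningThumb -IsPrimary
Add-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint $DecryptThumb
Set-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint $DecryptThumb -IsPrimary

# Record the primary token-signing thumbprint for the cross-check at the end.
$adfsSigning = (Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }).Thumbprint

# --- Run in the Microsoft Online Services Module for Windows PowerShell ---
Import-Module MSOnline
Connect-MsolService                       # sign in as a tenant global admin
Set-MsolADFSContext -Computer $AdfsServer

# Push the new endpoint URLs and certificates to Office 365. Append
# -SupportMultiDomain if several UPN suffixes are federated through this farm.
Update-MsolFederatedDomain -DomainName $FederatedDomain

# What the post tells you to eyeball: the URLs and certificates Office 365 now holds.
Get-MsolFederatedDomain -DomainName $FederatedDomain

# Programmatic check using Get-MsolDomainFederationSettings, which exposes the
# settings as properties (SigningCertificate is the base64-encoded certificate).
$fed = Get-MsolDomainFederationSettings -DomainName $FederatedDomain
$o365Signing = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                    , [Convert]::FromBase64String($fed.SigningCertificate))).Thumbprint

if ($fed.PassiveLogOnUri -notlike "https://$NewHost/*") {
    Write-Warning "Office 365 still points at the old endpoint: $($fed.PassiveLogOnUri)"
}
if ($o365Signing -ne $adfsSigning) {
    Write-Warning "Signing certificate mismatch: ADFS=$adfsSigning Office365=$o365Signing"
}
```

The two warnings at the end are the checks worth automating: a stale PassiveLogOnUri means the TMG rule and the federation trust will not line up, and a signing-certificate mismatch means Office 365 will reject tokens from the new primary certificate until Update-MsolFederatedDomain is rerun.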



Comments

3 responses to “Changing ADFS 2.0 Endpoint URL for Office 365”

  1. David Ruth

    I used this procedure when I changed ours also. A couple obvious things to add.
    1. Use a global admin with a tenant UPN (someone@somewhere.onmicrosoft.com). If you’re re-configuring ADFS and you’re logged in with a federated account halfway through you might run into a brick wall. Obvious.
    2. If you have multiple domains (or one domain with users with a couple possible UPN namespaces) you need to append -SupportMultiDomain to the Update-MSOLFederatedDomain cmdlet so it looks something like this:
    Update-MSOLFederatedDomain -DomainName %yourdomainname% -SupportMultiDomain
    Less obvious but there is a clear error message! 🙂
    3. Office 365 has a lot of servers. Plan accordingly for the necessary replication. It shouldn’t take long but it might not be immediately effective. Be patient and re-check the way you have published adfs to the internet! That seems to be the most likely place to run into issues with this.

    Good luck!

  2. Rob K

    Hi there,
    It looks fairly straight-forward; I’m going to follow this process, but I have 2 questions:
    1) “After the restart, create a new Token-Signing Certificate and Token-Decrypting Certificate. These are self signed certificates.” What is the best way to do this?
    2) My new ADFS server is ADFS 3.0 and uses a different service communications certificate than the existing server. Will either of these change the process at all, or cause me difficulties by following this doc?

    1. Brian Reid

      So this doc covers changing the endpoint URI on the same ADFS farm. If changing farms I would move the domain back to managed and then, in a new PowerShell session, connect to the new farm and change the domain back to federated. Use DirSync Password Hash Sync to cover users' ability to log in during the changeover. No impact to end users.
