So, we’ve finally initiated our upgrade from Live@Edu to Office 365 this week.
I’ve just finished applying the finishing touches to it now, but it has been quite the journey. Especially as I’m on my 2nd reinstall of my ADFS server, and 3rd of my Dirsync server.
I also found that the documentation and support from Microsoft was rather lacking. I think a lot of it comes down to the number of components involved in getting a cloud federation set up, but nonetheless it hasn’t made things easy.
I think one support call sums it up really. Dirsync synced our entire AD to Office 365, but we only use it for students. Not a problem: I set the UPN suffix just for the students in AD, so that it would be nice and easy to run a PowerShell script to single out those users and add the licenses. I know basic PowerShell and a few of the MSOL cmdlets, but not really any of the automation side, so I sent in a support ticket to Microsoft. They then told me that I should just increase our number of licenses and then give everyone a license using the default cmdlets, which I did, and it does work. However, we now have 5x the number of licenses that we actually needed, which seems rather excessive.
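The UPN-suffix approach described above, as an added example that is not from the original post: it licenses only the synced users whose UPN carries the student suffix, checks the free license count first, and reports anyone outside that suffix who holds the license. It assumes the MSOnline module; the suffix, SKU id and usage location are placeholders.

```powershell
# Added example, not the original post's script. Assumes the MSOnline module
# (Connect-MsolService). $StudentSuffix, $LicenseSku and $UsageLocation are
# placeholders to be replaced with the tenant's own values.
Import-Module MSOnline
Connect-MsolService

$StudentSuffix = 'students.example.edu'              # placeholder: UPN suffix set in AD
$LicenseSku    = 'contoso:STANDARDWOFFPACK_STUDENT'  # placeholder: see Get-MsolAccountSku
$UsageLocation = 'GB'                                # must be set before a license is assigned

# Unlicensed users with the student suffix only. -All avoids the default page size.
$students = Get-MsolUser -All -UnlicensedUsersOnly |
    Where-Object { $_.UserPrincipalName -like "*@$StudentSuffix" }

# Check the license pool before touching any accounts, rather than over-buying.
$sku  = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $LicenseSku }
$free = $sku.ActiveUnits - $sku.ConsumedUnits
if ($students.Count -gt $free) {
    throw "Need $($students.Count) licenses but only $free are free in $LicenseSku"
}

foreach ($u in $students) {
    # Set-MsolUserLicense fails if UsageLocation is empty.
    if (-not $u.UsageLocation) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation $UsageLocation
    }
    Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $LicenseSku
}

# Audit: licensed accounts that are not students (staff synced by Dirsync, for example).
Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and $_.UserPrincipalName -notlike "*@$StudentSuffix" } |
    Select-Object UserPrincipalName, @{n='Skus'; e={ $_.Licenses.AccountSkuId -join ',' }}
```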
Anyway, putting that rant aside, I’ve spent a lot of time today looking into getting our ADFS authentication working externally for Office 365. I noticed that on my test machine it was throwing up a strange error: ADFS was sending the user back to Office 365, and then Office 365 would show an error relating to the UPN containing special characters.
After some investigation, I found it came down to TMG doing some translations during the authentication.
In the end I used the following settings in my rule to publish ADFS using TMG:
- Forward the original host header
- Requests appear to come from the original client
- HTTP settings set to disable ‘Verify normalization’ and ‘Block high bit characters’
- NTLM Authentication turned on
- Disable ‘Apply Link Translation to this rule’
And on the IIS end on the ADFS server:
- Enable the use of Forms and Windows authentication
Hopefully I can take a bit of a rest from setting up Office 365 now, but if any of you hit a similar problem then I hope this helps.