How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On Part 1: Introduction and prerequisites

Transcription

1 How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On Part 1: Introduction and prerequisites Introduction In this blog series I m going to show how to setup a basic configuration of Microsoft Intune, integrated with System Center 2012 R2 Configuration Manager, in combination with and on-premises Active Directory Federation Services (AD FS) for a single sign-on experience. After successfully completing this blog series a user will be able to use his on-premises credentials to access the services of Microsoft Intune. As part of setting up single sign-on, it s also required to set up directory synchronization. Together, these features integrate the local and cloud directories. It s only required to set up single sign-on, Active Directory synchronization, and a registered domain on time for a Microsoft Online Service. If Microsoft Office 365 is already used, or any other Microsoft Online Service, then some of the steps, of this blog series, may be completed already. After setting up single sign-on, Active Directory synchronization, or a registered domain for Microsoft Intune, these items will be available for all Microsoft Online services. This information and configurations provided in this blog series are not meant for production environments. It s purely meant for a lab setup to experiment with the possibilities. I divided this blog series in the following four parts. How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On Part 1: Introduction and prerequisites; o This first part is about what blog series will deliver and what the prerequisites are that need to be in place. How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On Part 2: Install and configure Active Directory Federation Service; o This second part is about installing and configuring AD FS, WAP and single sign-on. How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On Part 3: Configure directory synchronization; o This third part is about configuring the synchronization of the on-premises user accounts to the Azure AD. How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On Part 4: Integrate ConfigMgr and Microsoft Intune; o This fourth part is about integrate Microsoft Intune with ConfigMgr to leverage the single sign-on experience. After the last part of this series is done the status of the environment will be similar as to what is described by Niall in his first part of his series about How can I manage modern devices using System Center 2012 R2 Configuration Manager? - Part1. Basically the next parts of his series can be used to do the required following configurations. The only difference is that the environment will use an onpremises single sign-on experience. Prerequisites I would like to start this blog series with a small list of prerequisites that need to be in place for various different reasons. Also, these prerequisites will contain the servers that I ll be using during

2 this setup. In the following part I ll be referring to the different server names to indicate were I m performing the actions. Register a public domain name In this blog series I ll be using the public domain name of petervanderwoude.nl. This domain name will be used for the single sign-on configuration. Simply replace every reference to this public domain name with a personal (or company) owned public domain name. Create a Microsoft Intune subscription In this blog series I ll be using the Microsoft Intune subscription myptcloud.onmicrosoft.com. This subscription will be used for the single sign-on configuration. Simply replace every reference to this subscription with a personal (or company) owned subscription. Register a trial Microsoft Intune subscription here: Prepare the required servers In this blog series I will be referring to multiple servers. Even for a lab environment this should be the minimum number of server used. Of course it s possible to user more servers to split more roles. Simply replace every reference to these server names with personal (or company) lab server names. Name Domain Function CLDSRV00 WORKGROUP This server is Internet-facing and will be hosting the Web Application Proxy (WAP). CLDSRV01 PTCLOUD.LOCAL This server is the domain controller and will be hosting Active Directory Federation Services (AD FS). CLDSRV02 PTCLOUD.LOCAL This server is the ConfigMgr server and will be hosting the Azure Active Directory Synchronization Tool. Note: It s not possible to install AD FS and WAP on the same server. Install the required Azure AD PowerShell Module In this blog series the Azure AD PowerShell Module is required on the CLDSRV02 to perform actions to manage the Microsoft Online Services. This module is available for download here: Create the required service accounts In this blog series I m using the following service accounts. Of course the names can be adjusted to fit different naming conventions. Simply replace any reference to these service accounts with personal (or company) lab service accounts. Account Permissions Usage svcad-adfs Domain user Service account for running AD FS svcad-aadss Domain user Service account used for the synchronization between the onpremise AD and the Azure Active Directory

3 Create the required DNS Records In this blog series the following public DNS records are required to be in place. Name Type Referral Usage EnterpriseEnrollment CNAME EnterpriseEnrollment.m anage.microsoft.com Used for the device enrollment of Windows Phone, Windows RT and Windows 8.1 sts A <public> Used to publicly register the AD FS service for access by public services. Create the required certificates In this blog series the following certificates are required to be in place. Certificate The certificate used during the configuration of AD FS can be one of the following: Self-signed certificate; Certificate from internal PKI; Certificate from public CA. Overview I ll use a certificate issued from an internal PKI. In this case it s important to have a common name and to have the appropriate DNS names. This certificate needs to be installed on the CLDSRV00 and the CLDSRV01. Note: A self-signed certificate, or a certificate from an internal PKI will provide problems with devices that can t install the root certificate. Legend Abbreviation Meaning Explanation AD Active Directory AD FS Active Directory Federation Services DNS Dynamic Naming System WAP Web Application Proxy Mos Microsoft Online Services SSO Single Sign-On

4 How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On Part 2: Install and configure Active Directory Federation Services In the first part of this blog series I went through the introduction and the prerequisites. This second part of the blog series will be all about installing and configuring Active Directory Federation Services (AD FS) and the AD FS proxy, which is the Web Application Proxy (WAP) in Server 2012 R2. AD FS will be used to federate with Microsoft Azure AD for the authentication of the user s on-premises. Install Active Directory Federation Services The first thing that s required is to install is AD FS. This installation will be done through PowerShell on the CLDSRV01. 1 To install AD FS use the following PowerShell command. Install-WindowsFeature Adfs-Federation -IncludeManagementTools 2 To verify the success of the PowerShell action, simply look at the output of the action. Configure the federation server After installing AD FS it s required to configure the federation server. This configuration will be done through PowerShell on the CLDSRV01. The first steps will get the required input for the command. 1 Get the certificate thumbprint of the certificate (see prerequisites). To get this information run the command below. This will provide a nice overview of the thumbprints of the different certificates. Simply look for the one that belongs to the mentioned certificate. dir Cert:\LocalMachine\My 2 To provide the credentials of the service account for AD FS run the following command and provide the credentials. $ADFSCred = Get-Credential 3 To configure AD FS run the following command. In this command CertificateThumbprint is the thumbprint of the required certificate (step 2.1) and ServiceAccountCredential is the supplied credentials (step 2.2). Install-AdfsFarm -CertificateThumbprint " C67678B B101B87916C1BC4" -FederationServiceName "sts.petervanderwoude.nl" -ServiceAccountCredential $ADFScred

5 4 To verify the success of the PowerShell action, simply look at the output of the action. Install Web Application Proxy The next component that needs to be installed is WAP. This installation will be done through PowerShell on the CLDSRV00. One important thing to note here is that this server should be able to resolve the public federation service name to the CLDSRV01.PTCLOUD.LOCAL. This can be solved to either add an entry to the host file or by adding the information to DNS. 1 To install WAP use the following PowerShell command. Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools 2 To verify the success of the PowerShell action, simply look at the output of the action. Configure Web Application Proxy After the installation of WAP it s required to configure it to connect to the AD FS server. This will be done through PowerShell on the CLDSRV00. 1 To perform the configuration of WAP run the following command in which CertificateThumbprint is the thumbprint of the required certificate (step 2.1) and FederationServiceName is the name of the configured federantion service Install- WebApplicationProxy CertificateThumbprint " C67678B B 101B87916C1BC4" - FederationServiceName "sts.petervanderwoude.nl" 2 To verify the success of the PowerShell action, simply look at the output of the action.

6 Verify the AD FS Sign-In page After installing and configuring AD FS and WAP it s very important to know for sure that it s working. This testing can be done on any device connected to the Internet. 1 Open the Internet Explorer and browse to adfs/ls/idpinitiatedsignon.htm Click Sign in and provide the required credentials and click Sign in again. This should change the displayed text to You are signed in. Note: Replace the public domain for the company s own public domain name. Create a trust between AD FS and Azure AD The next thing that s required is to configure the federation with the Microsoft Online Services. To do this it s required to add the public domain name to the Microsoft Online Services as a federated domain. This will allow us to use the public domain name for the various Microsoft Online Services. This configuration will be done through PowerShell on the CLDSRV02. 1 First connect to the Microsoft Online Services by using the following command, which will prompt for credentials. In the credentials dialog box provide the credentials of the Microsoft Intune subscription. Connect-MsolService Credential $cred 2 After that it s required to also connect with the on-premises AD FS by using the following command. Set-MsolADFSContext -Computer cldsrv01.ptcloud.local 3 Now it s possible to add a new federated domain, by using the following command. New-MsolFederatedDomain DomainName petervanderwoude.nl 4 A message will show that it s required to verify the specified domain name., by adding a TXT record to the domain registar.

7 5 Logon to the domain registar and specify the information about the TXT record. 4 After specifying the TXT record it s required to run the previous command again. This time to verify the domain name. New-MsolFederatedDomain DomainName petervanderwoude.nl 5 To verify the success of the PowerShell action, simply look at the output of the action. 6 Another place to verify a successful configuration is to simply logon to the Account portal and verify the Single sign-on setting by navigating to Management > Users. It should display the following information. Verify the Single Sign-On configuration After installing and configuring AD FS and WAP it s very important to know for sure that it s working. 1 Open the Internet Explorer and browse to com/ Click Use another account and provide the required credentials and click Sign in. After specifying the public UPN of the user the page will redirect to the onpremises AD FS. Note: Replace the public domain for the company s own public domain name.

8 How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On Part 3: Configure directory synchronization In the first part of this blog series I went through the introduction and the prerequisites and in the second part I went through the installation and configuration of AD FS. This third part of the blog series will be all about configuring, configuring and configuring. First it s required to add the public domain name to the Microsoft Online Services, then I ll add the public domain name as a UPN to the users and enable active directory synchronization. Enable Active Directory Synchronization The first thing is that I have to enable Active Directory synchronization in Microsoft Intune. This will allows us to synchronize our on-premises users to the Azure AD. 1 First connect to the Microsoft Online Services by using the following command, which will prompt for credentials. In the credentials dialog box provide the credentials of the Microsoft Intune subscription. Connect-MsolService Credential $cred 2 After that it s possible to enable Active Directory synchronization by using the following command. Set-MsolDirSyncEnabled -EnableDirSync $true 3 After using the command to enable Active Directory synchronization it s required to confirm the action by simply answering with Y. 4 To verify a successful configuration, simply logon to the Account portal and verify the Active Directory synchronization setting by navigating to Management > Users. It should display the following information. Add public User Principal Name to users To enable the user to use the public domain name to logon to their devices, and the Microsoft Online Services, it s necessary to add the public domain name as their primary User Principal Name (UPN). These configurations will be done through PowerShell. 1 To add a UPN for a forest use the following command. In that command the Identity is the forest name and the UPNSuffixes is the public domain name.

9 Set-ADForest -Identity "PTCLOUD" 2 To verify the success of the PowerShell action, simply open the Properties of one of the Active Directory Domains and Trusts and check the UPN Suffixes tab. 3 To set the UPN as a user s primary UPN use the following command. In that command the SearchBase is the OU that contains the required users and the UserPrincipalName is the public domain name. Get-ADUser -Filter * -SearchBase 'OU=NORMAL USERS,OU=USERS,OU=PTCLOUD,DC=PTCLOUD,DC=LOCAL' -Properties userprincipalname foreach { Set-ADUser $_ -UserPrincipalName "$($_.samaccountname)@petervanderwoude.nl"} 4 To verify the success of the PowerShell action, simply open the Properties of one of the users and check the Account tab.

10 Install and configure Microsoft Azure Active Directory Sync Services The next thing is to install and configure the Microsoft Azure Active Directory Sync Services. This tool will allow us to synchronize the on-premises user with the Azure AD. 1 On the Welcome to Azure AD Sync page, specify an Installation path, select I agree to the License terms and click Install. 2 On the Connect to Azure AD page, specify the credentials of the Microsoft Intune subscription and click Next. 3 On the Connect to AD DS page, specify the information of the onpremises forest (see prerequisites) and click Add Forest.

11 4 After the forest is added click Next. 5 On the Uniquely identifying your user page, click Next. 6 On the Optional features page, click Next. 7 On the Ready to configure page, click Configure. 8 On the Finished page, click Finish. Verify user synchronization After setting up the user synchronization it s important to verify the success. 1 In the Account portal, navigate to Management and click Users. In the Users overview it should start showing the synchronized users. In my overview it shows a user with the public domain name UPN, a user without and the initial administrator.

12 How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On Part 4: Integrate ConfigMgr and Microsoft Intune In the first part of this blog series I went through the introduction and the prerequisites, in the second part I went through the installation and configuration of AD FS and in the third part I went through the directory synchronization. This fourth part of the blog series will finally be about ConfigMgr and Microsoft Intune. During this part the last configurations will be done to get the required UPNs to ConfigMgr and to synchronize this information to Microsoft Intune. Synchronize new UPN to ConfigMgr To correctly synchronize the correct user information via Microsoft Intune, it is required to discover the most recent UPN changes to the users. 1 Open the Configuration Manager console and navigate to Administration > Overview > Hierarchy Configuration > Discovery Methods, right-click Active Directory User Discovery and select Run Full Discovery Now. Create a Microsoft Intune collection To allow user to enroll their mobile device through Microsoft Intune it s required to specify which user are allowed to perform this action. This is done by specifying a collection during the configuration of the Microsoft Intune connector. First we need to create this collection. 1 Open the Configuration Manager console and navigate to Assets and Compliance > Overview, right-click User Collections and select Create User Collection.

13 2 The Create User Collection Wizard will show. Provide a name like All Microsoft Intune Users and limit the collection to the All Users collection. Walk through the wizard and simply add a few users that a required to enroll their devices through Microsoft Intune. Add Windows Intune Subscription To integrate Microsoft Intune with ConfigMgr it s required to add the subscription to ConfigMgr. 1 Open the Configuration Manager console and navigate to Administration > Overview > Cloud Services, right-click Windows Intune Subscriptions and select Add Windows Intune Subscription. 2 The Create Windows Intune Subscription Wizard will show. On the Getting started page, click Next.

14 3 On the Windows Intune Subscription page, click Sign In. 4 In the Set the Mobile Device Management Authority dialog box, select I understand.. and click OK. 5 In the Subscription dialog box, specify the Microsoft Intune subscription details and click Sign In.

15 6 Back on the Windows Intune Subscription page, click Next. 7 On the General Configuration page, select the collection All Microsoft Intune Users (created in the previous step), provide some company details, specify the site code and click Next. 8 On the Platforms page, click Next. 9 On the Company Contact Information page, specify the contact details of the company and click Next.

16 10 On the Company Logo page, click Next. 11 On the Summary page, click Next. 12 On the Completion page, click Close. Add the Windows Intune Connector role To connect Microsoft Intune with ConfigMgr the last step is to install the Windows Intune Connector. 1 Open the Configuration Manager console and navigate to Administration > Overview > Site Configuration > Servers and Site System Roles, right-click \\<PrimairySiteServer> and select Add Site System Roles. 2 On the General page, click Next. 3 On the Proxy page, click Next. 4 On the System Role Selection page, select the Windows Intune Connector and click Next. 5 On the Summary page, click Next. 6 On the Completion page, click Close.

17 Verify the Single Sign-On in Microsoft After integrating Microsoft Intune and ConfigMgr the last step is to verify that it s all working. 1 On a Windows device navigate to PC Settings > Network > Workplace and provide the onpremises credentials of a user that is a member of the All Microsoft Intune Users collection. Notice that this will also redirect to the on-premises AD FS for verifying the credentials 2 Notice after that a successful enrollment with the on-premises credentials.