RSA SecurID Access Configuration for Microsoft Office 365 STS (Secure Token Service)

Last Modified: April 17, 2017

RSA SecurID Access offers two methods to integrate with Microsoft Office 365. Both solutions integrate with your organization's Microsoft Azure AD to provide your users with a more consistent sign-in experience. Configuring either the Microsoft Office 365 or the Microsoft Office 365 STS connector provides single sign-on (SSO): enabled users use their Active Directory corporate credentials to access their services in the cloud and their existing on-premises resources.

For guidelines to help determine which connector to use for the Office 365 applications in your deployment, see the topic Microsoft Office 365 - RSA SecurID Access Application Connector Overview on RSA Link.

Complete the following procedure to configure the Microsoft Office 365 STS connector.

Before You Begin

Acquire an administrator account for both RSA SecurID Access and Office 365 Enterprise.

Acquire a publicly trusted SSL certificate. Self-signed SSL certificates are not supported.

Note: Refer to Microsoft's guides:
http://technet.microsoft.com/en-us/library/hh373144.aspx
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect
https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/
http://www.microsoft.com/en-us/download/details.aspx?id=39366
http://social.technet.microsoft.com/wiki/contents/articles/30253.office-2013-and-office-365-proplusmodern-authentication-and-client-access-filtering-policies-things-to-know-before-onboarding.aspx
https://support.microsoft.com/en-au/help/2913639/office-applications-periodically-prompt-forcredentials-to-sharepoint-online,-onedrive,-and-lync-online

Enable your tenant for Modern Authentication (ADAL)

1. Use PowerShell to enable your Exchange Online service for modern authentication as described here, and Skype for Business Online as described here.
SharePoint Online is already enabled.

2. Enable any Office 2013 users to use modern authentication if a step-up policy is to be enforced, as described here.

Overview of steps

1. Configure Office 365 with a federated domain.
2. Set up Active Directory (AD).
3. Set up directory synchronization (components: Microsoft Online Services Sign-In Assistant, Windows Azure Active Directory Module for Windows PowerShell, Azure AD Connect, Skype for Business Online Windows PowerShell Module).
4. Configure the RSA SecurID Access Microsoft Office 365 STS connector.
5. Configure the federation partnership using PowerShell.
6. Download the Microsoft Office rich clients on your desktop.

Copyright 2017 EMC Corporation. All Rights Reserved.
Configure Office 365 with a federated domain

1. Log in to the Office 365 portal using an enterprise admin account: https://portal.office.com
2. Select the Admin app.
3. From the left-hand menu, select Settings > Domains.
4. Select Add a domain.

Note: Access to the domain registrar is required to add the TXT record that allows Microsoft to validate the domain.
5. Verify that the required DNS records have been added to your DNS server.
6. Select Verify.
Set Up Active Directory

If your AD is already installed, proceed to page 5.

Install Active Directory

1. Open the Server Manager from the task bar.
2. From the Server Manager Dashboard, select Add roles and features. This launches the Roles and Features Wizard.
3. Select Role-based or feature-based installation from the Installation Type screen and click Next.
4. The current server is selected by default. Click Next to proceed to the Server Roles tab.
5. On the Server Roles page, place a check mark in the check box next to Active Directory Domain Services. A notice appears explaining that additional role services or features are also required to install domain services; click Add Features.
6. Review and select any optional features to install during the AD DS installation by placing a check in the box next to each desired feature, and then click Next.
7. Review the information on the AD DS screen and click Next.
8. On the Confirmation screen, review the installation and then click Install.

Start Remote Registry Service

Before promoting the server to domain controller, the Remote Registry service must be started.

1. Click Start > Control Panel.
2. Under Services, right-click Remote Registry and open the Properties menu.
3. From the Startup type: drop-down menu, select Automatic.
4. Under Service Status, select Start. The Remote Registry service starts.
Configure Active Directory

Once the AD DS role is installed, the server needs to be configured for your domain.

1. If you have not done so already, open the Server Manager from the task bar.
2. Open the Notifications Pane by selecting the Notifications icon at the top of the Server Manager. From the notification regarding configuring AD DS, click Promote this server to a domain controller.
3. On the Deployment Configuration tab, select Add a new forest from the radio button options.
4. Enter your root domain name into the Root domain name field, and then click Next. The domain name should match the domain name added to Office 365.
5. Select a Domain and Forest functional level, and then enter a password for Directory Services Restore Mode (DSRM) in the provided password fields.
6. Review the warning on the DNS Options tab and select Next.
7. Confirm or enter a NetBIOS name and click Next.
8. Specify the location of the Database, Log files, and SYSVOL folders, and then click Next.
9. Review the configuration options and click Next.
10. The system checks that all necessary prerequisites are installed before moving forward. If the system passes these checks, proceed by clicking Install.

Set Up Directory Synchronization

1. On a domain-joined server other than your Domain Controller, install the Microsoft Online Services Sign-In Assistant for IT Professionals RTW from the Microsoft Download Center. You will need to restart your server.
2. Next, install the appropriate version of the Windows Azure Active Directory Module for Windows PowerShell.
3. Click Next and Finish.
4. Now install Azure AD Connect (the successor to the DirSync tool): https://www.microsoft.com/en-us/download/details.aspx?id=47594
5. During the install, leave the optional configuration section unchecked or select what is appropriate for your environment.
6. On the User sign-in screen, select your users' single sign-on method. For a full description of the sign-in methods, see User sign-in.
7. On the Connect to Azure AD screen, enter a global admin account and password.
8. On the Connect Directories screen, enter your credentials to connect to your Active Directory Domain Service. Azure AD Connect needs the credentials of an account with sufficient permissions.
Enter the domain part in either NetBIOS or FQDN format, for example FABRIKAM\syncuser or fabrikam.com\syncuser.
9. Configure the attribute to use for the userPrincipalName.
10. On the Domain/OU Filtering screen, you can choose to sync all OUs to Azure AD, or unselect all and select specific OUs.
11. Uniquely identifying users allows you to define how users from your AD DS forests are represented in Azure AD. A user might be represented only once across all forests, or have a combination of enabled and disabled accounts. The user might also be represented as a contact in some forests.

Note: SOURCE ANCHOR. The sourceAnchor attribute is an attribute that is immutable during the lifetime of a user object. It is the primary key linking the on-premises user with the user in Azure AD. Since the attribute cannot be changed, you must plan for a good attribute to use. A good candidate is objectGUID. This attribute does not change unless the user account is moved between domains.
12. The filtering on groups feature allows you to sync only a small subset of objects for a pilot. Warning: This feature is only intended to support a pilot deployment. Do not use it in a full-blown production deployment.
13. Select Next on the Optional Features page.
14. Select Next on the Azure AD apps page.
15. Select Next on the Azure AD attributes page.
16. Select samaccountname, UserPrincipalName, ObjectGUID (user), ObjectGUID (group), mail and displayname to be synced.
17. Select Next.
18. Verify your federation configuration and select Verify.
Configure RSA SecurID Access for Microsoft Office 365 STS

Note: Only one instance of the Office 365 STS connector can be configured in your tenant.

Add an Identity Source

To support clients that use the active endpoint, such as mail clients that use the ActiveSync protocol, or other clients that simply send a username and password, an Identity Source that uses the mail attribute as the User Tag is required.

1. In the RSA SecurID Access Administration Console, click Users > Identity Sources.
2. Select Add an Identity Source, or select Edit to view an existing Identity Source.
3. On the Identity Source Details page under Connection Settings, verify the value of the User Tag field. If the User Tag field is set to samaccountname, add a second Identity Source with duplicate AD details but with the User Tag field set to mail (this configuration step is needed if users must log in via the Microsoft Office rich clients).
4. Click Next Step.
5. On the User Attributes page, select the Policies and Apps checkboxes for the attributes objectguid and userprincipalname.
6. Click Next Step.
7. Verify the Additional Authentication settings and click Next Step.
8. Click Save and Finish.
Add the Application

1. From the top tabs, select Applications > Application Catalog.
2. Search the list and select +Add next to Microsoft Office 365 STS.
3. On the Basic Information page, specify the application name and click Next Step.
4. On the Connection Profile screen, take note of the WS-Federation Identity Provider settings.
5. Scroll down to the WS-Federation Response Signature section and upload your private key and public certificate. This must not be a self-signed certificate.
6. Scroll down to the Claims section.
7. Verify that the claim named Immutable ID is mapped to objectguid and that UPN is mapped to userprincipalname. Use the Identity Source pulldown to select the correct AD. If you configured two ADs to support both User Tag formats, add the claim options for both AD sources. This gives you a total of four claims.
8. Click Next Step.
9. On the User Access page, select the desired user policy from the drop-down list. Note: Refer to page 26 for more details on policies.
10. Click Next Step.
11. On the Portal Display page, select Display in Portal.
12. Click Save and Finish.
13. Click Publish Changes.

Configure federation partnership using PowerShell

1. Install the latest version of Azure PowerShell on your AD server: https://docs.microsoft.com/en-us/powershell/azureps-cmdlets-docs/
2. Launch Windows Azure Active Directory Module for Windows PowerShell.
3. Right-click and select Run As Administrator.
4. Set the credential variable:
   $cred = Get-Credential
5. Connect to Microsoft Online Services with the credential variable set previously:
   Connect-MsolService -Credential $cred
6. Use PowerShell to convert the standard domain to a federated domain:
   Convert-MsolDomainToFederated -DomainName singlepoint08.com
7. Use the Get-MsolDomainFederationSettings or Get-MsolDomainAuthentication command to view the federated attributes.
8. First obtain the cert.pem file you used to configure the RSA SecurID Access connector. From this file you will create $certdata by following the two-step procedure below.
   Step 1:
   $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\temp\saml.crt")
   where c:\temp\saml.crt is the path to the RSA SecurID Access certificate.
   Step 2:
   $certdata = [System.Convert]::ToBase64String($cert.RawData)
9. Next, set your federation variables to the values found on page 24:
   $ActiveLogOnUri = "https://portal.singlepoint08.com/trust/10/singlepoint08.com/stsservicetransportut"
   $IssuerUri = "http://portal.singlepoint08.com/"
   $LogOffUri = "https://portal.singlepoint08.com/logoutservlet"
   $PassiveLogOnUri = "https://portal.singlepoint08.com/federation"
   $MetadataExchangeUri = "https://portal.singlepoint08.com/metadata/5z3qvc6m0r3c/federationmetadata/2007-06/federationmetadata.xml"
10. Configure your federation settings:
   Set-MsolDomainAuthentication -DomainName singlepoint08.com -Authentication Federated -ActiveLogOnUri $ActiveLogOnUri -IssuerUri $IssuerUri -LogOffUri $LogOffUri -PassiveLogOnUri $PassiveLogOnUri -MetadataExchangeUri $MetadataExchangeUri -SigningCertificate $certdata
   or
   Set-MsolDomainFederationSettings -DomainName singlepoint08.com -ActiveLogOnUri $ActiveLogOnUri -IssuerUri $IssuerUri -LogOffUri $LogOffUri -PassiveLogOnUri $PassiveLogOnUri -MetadataExchangeUri $MetadataExchangeUri -SigningCertificate $certdata
11. Verify your settings:
   Get-MsolDomainFederationSettings -DomainName singlepoint08.com | fl *

Note: To set the domain back to standard, run the command:
   Set-MsolDomainAuthentication -DomainName <domain> -Authentication Managed
or
   Convert-MsolDomainToStandard -DomainName <domain>
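As an added example (not from the RSA guide), the following script carries out steps 8 to 11 with the checks a practitioner would want around the signing certificate: it rejects a self-signed or expired certificate before uploading it, applies the federation settings, and then confirms that the certificate Azure AD now trusts has the same thumbprint as the one the connector signs with. The domain singlepoint08.com, the certificate path and the endpoint URIs are the guide's example values; the metadata ID is a placeholder, and the shape of the Get-MsolDomainFederationSettings result (SigningCertificate as base64 DER) is an assumption.

```powershell
# Added example; not part of the RSA guide. Assumes the MSOnline module is installed
# and that the endpoint values below match your connector's Connection Profile page.
$DomainName = "singlepoint08.com"     # the guide's example federated domain
$CertPath   = "c:\temp\saml.crt"      # public cert uploaded to the STS connector
$MetadataId = "<metadata-id>"         # placeholder: the ID in your MetadataExchangeUri

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# The connector does not support self-signed certificates (Issuer equals Subject),
# and an expired signing certificate makes Azure AD reject every token.
if ($cert.Issuer -eq $cert.Subject) {
    throw "Signing certificate is self-signed; a publicly trusted certificate is required."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Signing certificate expired on $($cert.NotAfter)."
}
$certdata = [System.Convert]::ToBase64String($cert.RawData)

Connect-MsolService -Credential (Get-Credential)

$federation = @{
    DomainName          = $DomainName
    ActiveLogOnUri      = "https://portal.$DomainName/trust/10/$DomainName/stsservicetransportut"
    IssuerUri           = "http://portal.$DomainName/"
    LogOffUri           = "https://portal.$DomainName/logoutservlet"
    PassiveLogOnUri     = "https://portal.$DomainName/federation"
    MetadataExchangeUri = "https://portal.$DomainName/metadata/$MetadataId/federationmetadata/2007-06/federationmetadata.xml"
    SigningCertificate  = $certdata
}
Set-MsolDomainFederationSettings @federation

# Verify what Azure AD actually trusts. SigningCertificate is assumed to come back
# as base64 DER; compare thumbprints rather than the raw strings.
$settings = Get-MsolDomainFederationSettings -DomainName $DomainName
$bytes    = [System.Convert]::FromBase64String($settings.SigningCertificate)
$remote   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)

if ($remote.Thumbprint -ne $cert.Thumbprint) {
    throw "Azure AD trusts thumbprint $($remote.Thumbprint), expected $($cert.Thumbprint)."
}
if ($settings.IssuerUri -ne $federation.IssuerUri) {
    throw "IssuerUri mismatch: Azure AD has $($settings.IssuerUri)."
}
Write-Output "Federation for $DomainName verified: signing cert $($cert.Thumbprint), valid until $($cert.NotAfter)."
```

Re-run the verification part whenever the connector's signing certificate is rotated; a thumbprint mismatch after rotation means Azure AD is still trusting the old key.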
Known Issues and Workarounds

Rich Clients and Step-up

Applications such as the iOS and Android mail apps that connect to Microsoft resources using the ActiveSync protocol, and rich clients with ADAL disabled, do not support step-up. This prevents end users from logging in to those clients when a policy is configured to require additional authentication.

Resolution: Administrators can configure policies based on the User-Agent header to identify whether the request is from a rich client that does not support additional authentication or from one that does, and allow or deny access based on their requirements. Create a new policy under Access > Policies and apply the policy to the Microsoft O365 STS application.
o If User Agent Contains "MSOIDCRL", then specify an action, i.e. Allow/Deny (applicable to Word, Excel, PowerPoint, Skype and other non-ActiveSync clients).
o If User Agent is NULL, then specify an action (applicable to Outlook and ActiveSync clients).

Note: Contact RSA support for additional rich client header options.
Office 2013 Rich Clients not prompting for credentials

A domain-joined user using a rich client will initially log in, but if the user signs out of the rich client, they will not be prompted to sign in again.

Resolution: Add a new DWORD value named NoDomainUser to the registry and set the value to 1. For full details, refer to the Microsoft link https://support.microsoft.com/en-au/help/2913639/office-applications-periodically-prompt-forcredentials-to-sharepoint-online,-onedrive,-and-lync-online

How to get re-prompted for the Outlook password on a Mac

Remove the keychain entries for your configured e-mail accounts and have Outlook recreate them.

1. Quit Outlook before going into the Keychain.
2. Open the Keychain Access utility (in the Applications > Utilities folder).
3. Select the login keychain.
4. Search for the e-mail service (i.e. the server name) of the account you have configured in Outlook.
5. Select the displayed keychain entry and press the Delete key to remove it.
6. Then log out or restart your Mac.