Peter van der Woude

How to integrate Microsoft Intune and System Center 2012 R2 Configuration Manager with Single Sign-On – Part 1: Introduction and prerequisites

Introduction
In this blog series I’m going to show how to set up a basic configuration of Microsoft Intune, integrated with System Center 2012 R2 Configuration Manager, in combination with an on-premises Active Directory Federation Services (AD FS) deployment for a single sign-on experience. After completing this blog series a user will be able to use their on-premises credentials to access the services of Microsoft Intune. As part of setting up single sign-on, it’s also required to set up directory synchronization. Together, these features integrate the local and cloud directories.

Single sign-on, Active Directory synchronization, and a registered domain only have to be set up one time per Microsoft Online Services tenant. If Microsoft Office 365, or any other Microsoft Online Service, is already in use, then some of the steps in this blog series may already be completed. Once single sign-on, Active Directory synchronization, or a registered domain has been set up for Microsoft Intune, these items are available to all Microsoft Online Services in that tenant.

The information and configurations provided in this blog series are not meant for production environments. They are purely meant for a lab setup to experiment with the possibilities.

I divided this blog series into the following four parts.

After the last part of this series is done, the state of the environment will be similar to what Niall describes in the first part of his series, How can I manage modern devices using System Center 2012 R2 Configuration Manager? - Part1. Basically, the remaining parts of his series can then be used for the follow-up configuration. The only difference is that this environment will use an on-premises single sign-on experience.

Prerequisites
I would like to start this blog series with a small list of prerequisites that need to be in place for various reasons. These prerequisites also include the servers that I’ll be using during this setup. In the following parts I’ll be referring to the different server names to indicate where I’m performing the actions.

Register a public domain name
In this blog series I’ll be using the public domain name of petervanderwoude.nl. This domain name will be used for the single sign-on configuration. Simply replace every reference to this public domain name with a personal (or company) owned public domain name.

Create a Microsoft Intune subscription
In this blog series I’ll be using the Microsoft Intune subscription myptcloud.onmicrosoft.com. This subscription will be used for the single sign-on configuration. Simply replace every reference to this subscription with a personal (or company) owned subscription.

Register a trial Microsoft Intune subscription here: http://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/try.aspx

Prepare the required servers
In this blog series I will be referring to multiple servers. Even for a lab environment this should be the minimum number of servers used. Of course it’s possible to use more servers to split the roles further. Simply replace every reference to these server names with personal (or company) lab server names.

  • CLDSRV00 (WORKGROUP)
    • This server is Internet-facing and will be hosting the Web Application Proxy (WAP).
  • CLDSRV01 (PTCLOUD.LOCAL)
    • This server is the domain controller and will be hosting Active Directory Federation Services (AD FS).
  • CLDSRV02 (PTCLOUD.LOCAL)
    • This server is the ConfigMgr server and will be hosting the Azure Active Directory Synchronization Tool.

Install the required Azure AD PowerShell Module
In this blog series the Azure AD PowerShell Module (it imports as the MSOnline module) is required on CLDSRV02 to perform the actions that manage the Microsoft Online Services. This module is available for download here: http://go.microsoft.com/fwlink/p/?linkid=236297

Create the required service accounts
In this blog series I’m using the following service accounts. Of course the names can be adjusted to fit different naming conventions. Simply replace any reference to these service accounts with personal (or company) lab service accounts.

  • svcAD-ADFS (domain user)
    • This service account is used for running AD FS.
  • svcAD-AADSS (domain user)
    • This service account is used for the synchronization between the on-premises AD and the Azure Active Directory.

Create the required DNS Records
In this blog series the following public DNS records are required to be in place.

  • EnterpriseEnrollment (CNAME)
    • This record has to point to EnterpriseEnrollment.manage.microsoft.com and is used for the device enrollment of Windows Phone, Windows RT and Windows 8.1.
    • (Screenshot: SSO_DNS_EnterpriseEnrollment.jpg)
  • STS (A)
    • This record (sts.petervanderwoude.nl in this series) is the public name of the AD FS federation service. It has to point to a personal (or company) owned public IP address that is forwarded to the WAP, so that Azure Active Directory and Microsoft Intune can reach the AD FS service from the Internet.
    • (Screenshot: SSO_DNS_STS.jpg)

Create the required certificates
In this blog series the following certificates are required to be in place.

  • Web server certificate;
    • This certificate is used during the configuration of AD FS (and WAP).

I’ll use a certificate issued from an internal PKI. In this case it’s important that the subject (common name) and the Subject Alternative Name DNS entries cover the federation service name (sts.petervanderwoude.nl in this series). This certificate, including its private key, needs to be installed on CLDSRV00 and CLDSRV01.
(Screenshot: SSO_Certificate.jpg)

Note: A self-signed certificate, or a certificate from an internal PKI, will cause problems on devices that cannot install (or otherwise do not trust) the issuing root certificate. For anything beyond a lab, use a certificate from a public CA that the devices already trust.
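The checklist above is easy to get slightly wrong (a CNAME that points to the wrong host, a certificate without its private key, a service account that was never created), and each mistake only surfaces several steps later. As an added example, not part of the original post, the following PowerShell script verifies the prerequisites from the sections above in one run. It assumes the lab names used in this series (petervanderwoude.nl, sts and EnterpriseEnrollment records, CLDSRV00/01/02, svcAD-ADFS and svcAD-AADSS), that the host can resolve public DNS, and that the RSAT ActiveDirectory module is available on the domain-joined servers; replace the values at the top with your own.

```powershell
# Added example (not from the original post): pre-flight check of the
# prerequisites listed in Part 1. Run it on each lab server; checks that do
# not apply to the current host are reported as skipped.
# Assumed lab values (replace with your own):
$PublicDomain      = 'petervanderwoude.nl'
$FederationService = "sts.$PublicDomain"                    # STS (A) record
$EnrollmentHost    = "enterpriseenrollment.$PublicDomain"   # EnterpriseEnrollment (CNAME)
$EnrollmentTarget  = 'enterpriseenrollment.manage.microsoft.com'
$ServiceAccounts   = 'svcAD-ADFS', 'svcAD-AADSS'
$CertificateHosts  = 'CLDSRV00', 'CLDSRV01'                 # WAP and AD FS
$AzureAdModuleHost = 'CLDSRV02'                             # where the sync tool and module live

$here     = $env:COMPUTERNAME
$inDomain = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
$results  = New-Object System.Collections.Generic.List[object]
function Add-Result {
    param([string]$Check, [bool]$Passed, [string]$Detail = '')
    $results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
}

# 1. EnterpriseEnrollment must be a CNAME to the Intune enrollment endpoint.
try {
    $cname = Resolve-DnsName -Name $EnrollmentHost -Type CNAME -DnsOnly -ErrorAction Stop |
             Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
    Add-Result 'EnterpriseEnrollment CNAME' ($cname.NameHost -ieq $EnrollmentTarget) "-> $($cname.NameHost)"
} catch { Add-Result 'EnterpriseEnrollment CNAME' $false $_.Exception.Message }

# 2. The STS name must resolve to a public address (the one forwarded to WAP),
#    not to an RFC 1918 address that only exists on the lab network.
try {
    $a = Resolve-DnsName -Name $FederationService -Type A -DnsOnly -ErrorAction Stop |
         Where-Object { $_.QueryType -eq 'A' }
    $private = $a | Where-Object { $_.IPAddress -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' }
    Add-Result 'STS A record is public' ([bool]$a -and -not $private) "-> $($a.IPAddress -join ', ')"
} catch { Add-Result 'STS A record is public' $false $_.Exception.Message }

# 3. Web server certificate on the WAP and AD FS hosts: private key present,
#    name covers the STS name, chain builds here. A self-signed certificate is
#    flagged, because that is what breaks enrollment on devices that do not
#    trust the root (see the note above).
if ($CertificateHosts -contains $here) {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $FederationService) } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($cert) {
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $root    = if ($chain.ChainElements.Count) { $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject } else { 'n/a' }
        Add-Result 'Web server certificate found' $true "Subject=$($cert.Subject); expires $($cert.NotAfter.ToShortDateString())"
        Add-Result 'Certificate chain builds here' $chainOk "Root=$root"
        Add-Result 'Certificate is not self-signed' ($cert.Subject -ne $cert.Issuer) "Issuer=$($cert.Issuer)"
    } else {
        Add-Result 'Web server certificate found' $false "no certificate with private key for $FederationService in LocalMachine\My"
    }
} else { Add-Result 'Web server certificate' $true "skipped: not required on $here" }

# 4. Service accounts exist and are enabled in the on-premises AD
#    (CLDSRV00 is a workgroup member, so this is skipped there).
if ($inDomain) {
    Import-Module ActiveDirectory -ErrorAction SilentlyContinue
    foreach ($sam in $ServiceAccounts) {
        try {
            $u = Get-ADUser -Identity $sam -Properties PasswordNeverExpires -ErrorAction Stop
            Add-Result "Service account $sam" $u.Enabled "PasswordNeverExpires=$($u.PasswordNeverExpires)"
        } catch { Add-Result "Service account $sam" $false 'not found' }
    }
} else { Add-Result 'Service accounts' $true "skipped: $here is not domain-joined" }

# 5. Azure AD PowerShell module (imports as MSOnline) on the sync server.
if ($here -ieq $AzureAdModuleHost) {
    $msol = Get-Module -ListAvailable -Name MSOnline | Select-Object -First 1
    Add-Result 'Azure AD PowerShell module' ([bool]$msol) $(if ($msol) { "version $($msol.Version)" } else { 'not installed' })
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning 'One or more prerequisites are missing; fix them before continuing with the AD FS and WAP setup.'
}
```

Run it in an elevated PowerShell session on each of the three servers. The certificate check deliberately reports "not self-signed" and "chain builds here" as separate lines: a chain that builds on CLDSRV01 only proves that the lab's internal root is installed on that server, which says nothing about the phones and tablets that will later enrol against sts.petervanderwoude.nl.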
