Managing Federation Services–Creating a GPO to support ADFS Single Sign-on


In this Tutorial we go over the process of creating a Group Policy that is applied to user objects and adds the Federation Server to the Local Intranet zone in Internet Explorer.

There are several ways to configure Internet Explorer settings; we are going to use the registry to add the required information. This method may seem a little complicated, but it works with all versions of Internet Explorer and it does not interfere with the zone entries the user may already have added to their own profile.

Solution
In order to have single sign-on between on-premises Active Directory and Microsoft Azure, the internal Active Directory Federation Services (ADFS) server must be placed in the Local Intranet zone of the Internet Explorer settings on the internal clients. The reason is that the Local Intranet zone has, by default, the option Automatic logon only in Intranet zone: for any site in that zone (and we will be adding our Federation Server) the browser sends the logged-on user's Windows credentials automatically, and that is what makes the single sign-on happen. The same default is why the zone should contain only the Federation Server's FQDN: every host added there receives the user's credentials without a prompt, so do not add the whole domain as a shortcut.


We can do that manually on each of our clients: open Internet Options, click the Security tab, select Local intranet and click Sites. In the new window, click Advanced and add the FQDN of the Federation Server (in our Tutorial the name that we defined during the configuration is adfs.apatricio.info). In the figure below you can follow the entire manual process.

[Figure: Internet Options > Security > Local intranet > Sites > Advanced, adding adfs.apatricio.info]

Creating a new Group Policy

Well, the manual process is good for testing and validation, but a Group Policy makes all the difference. To create a new Group Policy for the domain, log on to a Domain Controller, open the Group Policy Management Console, right-click the domain or the OU where you want the policy, and then click Create a GPO in this domain, and Link it here…


We will label this policy as GLOBAL-Microsoft Azure Integration and then click OK.


Let's edit the newly created Group Policy. Expand User Configuration, Preferences, Windows Settings, and select Registry. Right-click in the right pane, click New and finally Registry Item.


Based on our steps so far this Group Policy applies to user objects, so make sure that you link it to an OU that contains users, or to the domain level.

Since we are using the registry to add the site to the Local Intranet zone of Internet Explorer, we need to understand how to build the string that goes in the new window. As mentioned earlier, our Federation Server is adfs.apatricio.info. The Key Path field is where we define the address, and it is built from three parts. The first part is static and we just need to copy and paste the information listed below.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

After that we append to the same string the parent domain only (in our case apatricio.info) and finally the host itself, which in our case is adfs. Each part is its own subkey, separated by a backslash; putting the full FQDN at the domain level would not scope the entry to the single host.

The final string will be like this one:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\apatricio.info\adfs

The other fields that must be filled out are easier to understand. Value name is the URL scheme the mapping applies to: http or https (or * for both); in our case it must be https, since ADFS is only reachable over HTTPS. Value type must be REG_DWORD. The last field is Value data, which is the zone number: 1 means Local Intranet and 2 means Trusted Sites. Use 1 here: Automatic logon only in Intranet zone applies to the Local Intranet zone, and with the default logon setting a site in Trusted Sites does not receive the user's credentials automatically.

Adding all pieces together we will end up with something like the figure below.

[Figure: the completed Registry Item, with Key Path ...\ZoneMap\Domains\apatricio.info\adfs, Value name https, Value type REG_DWORD and Value data 1]
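The same Registry preference item can be created from PowerShell, and the result can be verified on a client, including the "automatic logon only in Intranet zone" behaviour discussed above. The script below is an added example and not part of the original tutorial. It assumes the GroupPolicy module from RSAT is available and that the account can create and link GPOs; the GPO name and the FQDN adfs.apatricio.info are the ones used in the tutorial, while the link target DN, the function names and the generalisation to any host.domain.tld FQDN are assumptions of this example.

```powershell
# Added example (not from the original tutorial). Assumes the GroupPolicy RSAT
# module is installed and the account can create and link GPOs. The GPO name and
# FQDN are the ones used in the tutorial; the link target DN is an assumption.
Import-Module GroupPolicy

# Build the Key Path the tutorial describes:
#   HKCU\...\Internet Settings\ZoneMap\Domains\<parent domain>\<host>
# A wrong split (e.g. the whole FQDN at the domain level) would not scope the
# entry to a single host, so the split is validated here.
function Get-ZoneMapKeyPath {
    param([Parameter(Mandatory)][string]$Fqdn)
    $labels = $Fqdn.ToLower().Split('.')
    if ($labels.Count -lt 3) {
        throw "Expected host.domain.tld (e.g. adfs.apatricio.info), got '$Fqdn'"
    }
    $hostLabel = $labels[0]
    $domain    = ($labels | Select-Object -Skip 1) -join '.'
    return "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel"
}

# Create (or reuse) the GPO, link it, and add the user-side Registry preference.
# Zone 1 = Local Intranet, 2 = Trusted Sites; the value type must be REG_DWORD.
function New-AdfsIntranetZoneGpo {
    param(
        [string]$GpoName    = 'GLOBAL-Microsoft Azure Integration',
        [string]$Fqdn       = 'adfs.apatricio.info',
        [string]$LinkTarget = 'DC=apatricio,DC=info',   # assumption: domain root
        [ValidateSet(1, 2)][int]$Zone = 1
    )
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName | Out-Null
        New-GPLink -Name $GpoName -Target $LinkTarget | Out-Null
    }
    $key = Get-ZoneMapKeyPath -Fqdn $Fqdn
    # 'Update' writes only this value and leaves the user's own ZoneMap entries
    # intact; the 'Site to Zone Assignment List' policy would replace them all.
    Set-GPPrefRegistryValue -Name $GpoName -Context User -Action Update `
        -Key $key -ValueName 'https' -Type DWord -Value $Zone | Out-Null
    return $key
}

# Client-side check, run as the end user after 'gpupdate /target:user /force'.
# Confirms the host entry exists, that no domain-wide entry was added by
# mistake, and that the Local Intranet logon setting still allows automatic
# logon (value 1A00: 0x20000 = automatic logon only in Intranet zone,
# 0 = automatic logon with current credentials, 0x10000 = prompt,
# 0x30000 = anonymous).
function Test-AdfsIntranetZone {
    param([string]$Fqdn = 'adfs.apatricio.info')
    $hostKey   = (Get-ZoneMapKeyPath -Fqdn $Fqdn) -replace '^HKCU\\', 'HKCU:\'
    $domainKey = Split-Path -Path $hostKey -Parent
    $hostZone  = (Get-ItemProperty -Path $hostKey   -Name https -ErrorAction SilentlyContinue).https
    $domZone   = (Get-ItemProperty -Path $domainKey -Name https -ErrorAction SilentlyContinue).https
    $zone1     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
    $logon     = (Get-ItemProperty -Path $zone1 -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    # A missing 1A00 means the IE default applies, which for zone 1 is 0x20000.
    $autoLogon = ($null -eq $logon) -or ($logon -eq 0x20000) -or ($logon -eq 0)
    [pscustomobject]@{
        Fqdn              = $Fqdn
        HostZone          = $hostZone             # expect 1 (Local Intranet)
        # A domain-level value would hand the user's credentials to every host
        # in apatricio.info, so this should be $false.
        DomainWideEntry   = ($null -ne $domZone)
        AutoLogonIntranet = $autoLogon
        Ready             = ($hostZone -eq 1) -and ($null -eq $domZone) -and $autoLogon
    }
}

# Usage on a domain controller or an admin workstation with RSAT:
#   New-AdfsIntranetZoneGpo
# Usage on a client, as the end user, after the policy has applied:
#   Test-AdfsIntranetZone | Format-List
```

Set-GPPrefRegistryValue with -Context User creates the same item you would see under User Configuration, Preferences, Windows Settings, Registry in the GPO editor, so the GUI steps above and this script are interchangeable. The check function is the part worth keeping: a DomainWideEntry of $true or a HostZone other than 1 means the browser will either prompt the user or, worse, send Windows credentials to every host in the domain.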

Conclusion
In this Tutorial we went over the process of creating a Group Policy, applied to user objects, that adds the Federation Server to the Local Intranet zone of Internet Explorer and makes the single sign-on process a breeze for your end-users.

Written by Anderson Patricio


Anderson Patricio is a Canadian MVP in Cloud and Datacenter Management, and Office Server and Services, besides the Microsoft Award he also holds a Solutions Master (MCSM) in Exchange and several other certifications. Anderson has been contributing to the Microsoft Community with articles, tutorials, blog posts, twitter, forums and book reviews. He is a regular contributor here at ITPROCentral.com, MSExchange.org, Techgenix.com and Anderson Patricio.org (Portuguese).
