After testing Office 365 with Active Directory Federation Services (ADFS) and Single Sign On, I’ve decided to disable ADFS Federation, also known as defederation.
The reasons behind the decision are many, but as I’ve explained before: when the lab or internet connection goes down, the shit hits the fan!
This week my power supply in my SuperServer died because of highly unstable energy caused by a coconut tree falling over the power lines (guess you don’t have that problem where you live).
Needless to say, my company email for xenapptraining.com went down (luckily it always works from iOS). Now, to be able to disable ADFS Federation you need the ADFS Server running. What an incredibly stupid design that is! Wouldn’t it be much easier to be able to disable it straight from the Office 365 Admin Portal?
What if a company completely relies on Office 365 and their data center gets wiped out because of a natural disaster? Another reason to have backups uploaded to Amazon S3 or other similar storage solutions!
So with a dead SuperServer I spun up ESXi on one of my old Whitebox servers and used my own guide The Fastest Way to VMware vCenter Server Appliance (VCSA) for the VCSA which is required by Nakivo.
After attaching the backup storage used by Nakivo Backup to my temporary ESXi Server I simply browsed that particular DataStore and selected Add to Inventory for that VMX file.
Then I chose “I Copied It”.
Start the VM and configure the new VCSA.
Then restore the required VMs from backup.
Disable ADFS Federation
After the required VMs were restored from backup, everything was ready for me to disable ADFS Federation.
I used the blog post Office 365 – Disable Federation (ADFS) with great success. In a future post I’ll show you the difference with and without Active Directory Federation Services for Office 365 Single Sign On in a Citrix XenApp & XenDesktop environment.
# Load the MSOnline module and sign in to the tenant
import-module msonline
connect-msolservice
# Point the cmdlets at the ADFS server so the federation trust can be updated
Set-MsolADFSContext -Computer sts-01.ctxlab.local
# Convert the federated domain back to standard; passwords for converted users are written to the file
Convert-MsolDomainToStandard -DomainName xenapptraining.com -SkipUserConversion:$true -PasswordFile C:\userpasswords.txt
# Make sure the domain is now set to managed (cloud) authentication
Set-MsolDomainAuthentication -Authentication Managed -DomainName xenapptraining.com
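As an added example (not part of the original post), here is the same defederation wrapped in a pre-flight check, a post-check and a lock-down of the password file the conversion writes. It assumes the domain name, ADFS host and password-file path used above.

```powershell
# Added example, not from the original post: defederation with checks around it.
# Assumptions: domain, ADFS host and password-file path are the ones named in the post.
Import-Module MSOnline
Connect-MsolService

$Domain       = 'xenapptraining.com'
$StsServer    = 'sts-01.ctxlab.local'
$PasswordFile = 'C:\userpasswords.txt'

function Get-DomainAuthState {
    # Returns 'Federated' or 'Managed' for a verified domain in the tenant.
    param([string]$Name)
    (Get-MsolDomain -DomainName $Name).Authentication
}

# 1. Pre-flight: the domain must still be federated, and the ADFS server must be
#    reachable because Convert-MsolDomainToStandard also updates the ADFS side.
$before = Get-DomainAuthState -Name $Domain
if ($before -ne 'Federated') { throw "$Domain is already $before; nothing to convert." }
if (-not (Test-Connection -ComputerName $StsServer -Count 1 -Quiet)) {
    throw "ADFS server $StsServer is not reachable; restore it before converting."
}

# 2. The conversion itself (the same cmdlets as in the post).
Set-MsolADFSContext -Computer $StsServer
Convert-MsolDomainToStandard -DomainName $Domain -SkipUserConversion:$true -PasswordFile $PasswordFile
Set-MsolDomainAuthentication -Authentication Managed -DomainName $Domain

# 3. Post-check: Office 365 should now authenticate the domain itself.
$after = Get-DomainAuthState -Name $Domain
if ($after -ne 'Managed') { throw "Conversion did not complete: $Domain is still $after." }

# 4. The password file holds cleartext temporary passwords for any converted users.
#    Drop inherited permissions and grant only the current admin account, then delete
#    the file once the passwords have been handed out.
if (Test-Path -Path $PasswordFile) {
    $admin = "$($env:USERDOMAIN)\$($env:USERNAME)"
    icacls $PasswordFile /inheritance:r /grant:r "${admin}:(F)" | Out-Null
}
```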
Ahhh, as for my SuperServer, it’s running again with a 3rd party power supply. I’m going to pick up a couple of extras and a new SuperServer + lots of other gadgets. Stay tuned for more after I return from Citrix Synergy 2016.
I wanted to take a few minutes to clarify things here.
Overall you’re correct, and the steps to disable federation are correct.
First, the concept of fault domains: basically, don’t put all your eggs in one basket.
Second, ADFS fully supports a farm concept: you have multiple ADFS servers running, just like domain controllers.
You basically had 1 domain controller running, and the host it was on died.
Last, I would suggest you have more than one DIRSYNC (OLD NAME) running as well, and if the primary dies, you flip it over, so password sync and AD object sync keep happening to O365.
Last, a link that discusses H/A ADFS design:
https://blogs.technet.microsoft.com/ucando365talks/2014/04/14/adfs-high-availability-quick-reference-guide-for-administrators-implement-single-sign-on-for-office-365/
Thanks a lot Peter, comes in handy now that I’m going to rebuild my domain with a public domain name and set up ADFS 4.0
If you still don’t have Internet HA, then you are still F###, with no access to O365.
Outlook cache mode helps, but what about the other products in O365?
Make sure you have a local copy of Office 2016, plus OneDrive cache/sync is enabled.