The last couple of months I’ve been working a lot with Office 365, ADFS federation and the correct integration of Office 365 with both Citrix XenApp and XenDesktop.
There are many posts on the topic, but it’s the small details that matter. In this post I’m going to share my experience, which will hopefully save you a lot of time. Let’s get started!
Active Directory Domain Name
If you’re starting from scratch, PLEASE buy an external domain name and use it internally as well. The old rule of .local domains doesn’t apply anymore, and by using an external one you’ll save TONS OF TIME.
That being said, there are still millions of customers running with an internal domain like me (ctxlab.local), and since renaming is NOT recommended there’s just some more stuff to learn.
Active Directory Federation Services (ADFS)
Why ADFS? Well you want to provide your users with the best User Experience (UX) and therefore Single Sign On is highly recommended.
I’m not going to cover the ADFS setup; there are already some great posts from Microsoft on the topic – How To Install ADFS 2012 R2 For Office 365 and Step-By-Step: Setting up AD FS and Enabling Single Sign-On to Office 365. Just be aware that if you install ADFS on your Domain Controller, e.g. DC-01, DON’T use the same FQDN for your ADFS certificate. Get yourself a wildcard certificate from DigiCert and you’re all good for everything that requires a SHA256 certificate.
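To turn the two certificate rules above (federation service name must not be the server’s own FQDN; the certificate must cover the service name and be SHA256-signed) into something you can verify, here is an added check script. It is not from the original post; it assumes it runs on the ADFS server with the ADFS module loaded (Windows Server 2012 R2 or later), and the function name `Test-AdfsCertificateHygiene` is my own.

```powershell
# Added example (not from the original post): verify the ADFS SSL certificate
# against the advice above. Run in an elevated session on the ADFS server.
# Assumes the ADFS PowerShell module (Get-AdfsProperties, Get-AdfsSslCertificate).

function Test-AdfsCertificateHygiene {
    [CmdletBinding()]
    param()

    # Federation Service name as ADFS sees it (e.g. adfs.example.com)
    $serviceName = (Get-AdfsProperties).HostName
    # FQDN of the box we run on (DC-01.ctxlab.local in the post's scenario)
    $localFqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName

    # Certificate bound to the federation endpoint (all bindings share one cert)
    $binding = Get-AdfsSslCertificate | Select-Object -First 1
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $binding.CertificateHash }

    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17), plus the CN
    $names = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        # Format($false) yields e.g. "DNS Name=adfs.example.com, DNS Name=*.example.com"
        $names += @(($sanExt.Format($false) -split ',\s*') |
                    ForEach-Object { ($_ -split '=')[-1].Trim() })
    }
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }

    # Wildcard-aware match: *.example.com covers adfs.example.com but not a.b.example.com
    $covered = $names | Where-Object {
        if ($_.StartsWith('*.')) {
            $suffix = $_.Substring(1)   # ".example.com"
            $serviceName.EndsWith($suffix, 'OrdinalIgnoreCase') -and
                ($serviceName.Substring(0, $serviceName.Length - $suffix.Length) -notmatch '\.')
        } else {
            $_ -ieq $serviceName
        }
    }

    [pscustomobject]@{
        FederationServiceName = $serviceName
        LocalFqdn             = $localFqdn
        ServiceNameIsHostName = ($serviceName -ieq $localFqdn)          # should be False
        CertificateCoversName = [bool]$covered                           # should be True
        SignatureAlgorithm    = $cert.SignatureAlgorithm.FriendlyName    # expect sha256RSA
        IsSha256              = ($cert.SignatureAlgorithm.FriendlyName -like 'sha256*')
        ExpiresOn             = $cert.NotAfter
    }
}

Test-AdfsCertificateHygiene | Format-List
```

`ServiceNameIsHostName` should come back `False` and the other two booleans `True`; anything else means the certificate or the service name needs attention before you put the proxy in front of it.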
Now, because I have an internal domain, I need to configure a Forward Lookup Zone with the addresses of ADFS, NetScaler Gateway and AutoDiscover. Without AutoDiscover you won’t be able to connect to your Office 365 mailbox. Again, if you use an external domain name you won’t have this problem.
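As an added example of that Forward Lookup Zone (not from the original post), here is how the zone and the three records look when scripted on a Windows DNS server with the DnsServer module. The external domain name, the hostnames `adfs` and `gateway`, and the 192.0.2.x addresses (RFC 5737 documentation range) are all assumptions; only the AutoDiscover alias `autodiscover.outlook.com` is the one Exchange Online actually expects.

```powershell
# Added example (not from the original post): internal forward lookup zone for the
# public domain when AD itself still runs on ctxlab.local. Run on an AD-integrated
# DNS server. Domain name, hostnames and 192.0.2.x addresses are assumptions.

$PublicDomain = 'xenapptraining.com'   # external domain used for ADFS / Office 365
$AdfsIp       = '192.0.2.10'           # internal address of the ADFS server
$GatewayIp    = '192.0.2.20'           # internal VIP of NetScaler Gateway

# AD-integrated zone for the public name, so internal clients resolve it locally
if (-not (Get-DnsServerZone -Name $PublicDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $PublicDomain -ReplicationScope Forest
}

$records = @(
    @{ Type = 'A';     Name = 'adfs';         Value = $AdfsIp }
    @{ Type = 'A';     Name = 'gateway';      Value = $GatewayIp }
    # Exchange Online: Outlook must reach AutoDiscover through Microsoft's alias
    @{ Type = 'CNAME'; Name = 'autodiscover'; Value = 'autodiscover.outlook.com' }
)

foreach ($r in $records) {
    $fqdn = "$($r.Name).$PublicDomain"
    $existing = Get-DnsServerResourceRecord -ZoneName $PublicDomain -Name $r.Name `
                    -RRType $r.Type -ErrorAction SilentlyContinue
    if ($existing) { Write-Verbose "$fqdn already present, skipping" -Verbose; continue }

    switch ($r.Type) {
        'A'     { Add-DnsServerResourceRecordA     -ZoneName $PublicDomain -Name $r.Name -IPv4Address   $r.Value }
        'CNAME' { Add-DnsServerResourceRecordCName -ZoneName $PublicDomain -Name $r.Name -HostNameAlias $r.Value }
    }
    Write-Verbose "Created $($r.Type) record $fqdn -> $($r.Value)" -Verbose
}

# Verify from the client side: each name must resolve through this zone
foreach ($r in $records) {
    Resolve-DnsName -Name "$($r.Name).$PublicDomain" -Type $r.Type -ErrorAction Stop |
        Select-Object Name, Type, IPAddress, NameHost
}
```

One caveat a split-brain zone like this brings: once the internal zone exists, every public host in that domain (www, mail, and so on) is answered by your DNS server, so anything you don’t add becomes unreachable from inside. Either add those records too, or create one small zone per hostname (e.g. a zone named `adfs.xenapptraining.com` holding a single blank A record) so the rest of the public domain keeps resolving through the internet.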
For ADFS to work you also NEED to set up a WAP proxy server for ADFS in the DMZ. I would highly recommend using NetScaler for this task; see the post Setup NetScaler as ADFS Proxy, and Getting Started With Microsoft Action Pack if you want Office 365 E3 and lots of licenses at a fraction of the normal cost.
Install Office 365 on Citrix XenApp / XenDesktop
The installation is quite straightforward, but if you want all the dirty details please check the post Office 365 on Terminal Server Done Right from my friend Marius Sandbu.
Now to save you some additional time and headache, I’m running Office 365 version 2013 (15.x). Why? Simply because Citrix doesn’t support Skype for Business 2016 (16.x) at the moment.
Office 365 Installation
```powershell
Write-Verbose "Setting Arguments" -Verbose
$StartDTM = (Get-Date)

# Package metadata; the wrapper expects the installer in a folder named after $Version
$Vendor = "Microsoft"
$Product = "Office 365"
$PackageName = "setup"             # Office Deployment Tool setup.exe
$Version = "15.0.4805.1003"
$InstallerType = "exe"
$LogPS = "${env:SystemRoot}" + "\Temp\$Vendor $Product $Version PS Wrapper.log"
$LogApp = "${env:SystemRoot}" + "\Temp\$PackageName.log"
$Destination = "${env:ChocoRepository}" + "\$Vendor\$Product\$Version\$packageName.$installerType"
$UnattendedArgs = '/configure RDSH.xml'   # RDSH.xml is the configuration shown below

Start-Transcript $LogPS
CD $Version

Write-Verbose "Starting Installation of $Vendor $Product $Version" -Verbose
(Start-Process "$PackageName.$InstallerType" $UnattendedArgs -Wait -Passthru).ExitCode

Write-Verbose "Customization" -Verbose

Write-Verbose "Stop logging" -Verbose
$EndDTM = (Get-Date)
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalSeconds) Seconds" -Verbose
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalMinutes) Minutes" -Verbose
Stop-Transcript
```
Office 365 XML Example for RDSH
```xml
<Configuration>
  <Add OfficeClientEdition="32">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us"/>
      <ExcludeApp ID="OneNote"/>
      <ExcludeApp ID="Groove"/>
      <ExcludeApp ID="InfoPath"/>
    </Product>
  </Add>
  <Updates Enabled="FALSE" AutoUpgrade="TRUE"/>
  <Display AcceptEULA="TRUE" Level="None" />
  <Logging Level="Standard" Path="%temp%" />
  <Property Name="SharedComputerLicensing" Value="1" />
  <!-- Silent install of 32-bit Office 365 ProPlus for RDSH: Click-to-Run updates disabled, logging enabled, shared computer activation on -->
</Configuration>
```
HDX RealTime Connector for Skype for Business
```powershell
Write-Verbose "Setting Arguments" -Verbose
$StartDTM = (Get-Date)

# Package metadata; the MSI is expected in a folder named after $Version
$Vendor = "Citrix"
$Product = "HDX RealTime Connector"
$PackageName = "HDX_RealTime_Connector_2.0.100_for_Skype_For_Business"
$Version = "2.0.100"
$InstallerType = "msi"
$LogPS = "${env:SystemRoot}" + "\Temp\$Vendor $Product $Version PS Wrapper.log"
$LogApp = "${env:SystemRoot}" + "\Temp\$PackageName.log"
$Destination = "${env:ChocoRepository}" + "\$Vendor\$Product\$Version\$packageName.$installerType"
# Per-machine, quiet install; /liewa logs status, errors, warnings and actions to $LogApp
$UnattendedArgs = "/i $PackageName.$InstallerType ALLUSERS=1 /qn /liewa $LogApp"

Start-Transcript $LogPS
CD $Version

Write-Verbose "Starting Installation of $Vendor $Product $Version" -Verbose
(Start-Process msiexec.exe -ArgumentList $UnattendedArgs -Wait -Passthru).ExitCode

Write-Verbose "Customization" -Verbose

Write-Verbose "Stop logging" -Verbose
$EndDTM = (Get-Date)
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalSeconds) Seconds" -Verbose
Write-Verbose "Elapsed Time: $(($EndDTM-$StartDTM).TotalMinutes) Minutes" -Verbose
Stop-Transcript
```
Customize Office 365 for Citrix XenApp / XenDesktop
To provide the best possible User Experience we’ll need to download and configure Office 2013 Administrative Template files (ADMX/ADML).
Unfortunately there are lots of pop-ups that are not covered by Group Policy, so some additional customization is required. This is how it looks out of the box!
Here’s my Group Policy Preference tweaking.
The only thing the users see at first run (new profile) is Skype for Business asking for the email address.
The sign-in process itself is handled by ADFS Single Sign On. For some reason that’s not the case for Outlook. My best advice is to educate the users to check “Remember my credentials“.
Office 365 Conclusion
I would HIGHLY RECOMMEND you think twice about implementing both Office 365 AND ADFS for Single Sign On.
Why? Simply because if your internet connection goes down your users won’t get access to their email. Heck, they won’t even be able to launch Word or Excel, because Office 365 validates the license each time. So is the low cost of Office 365 so lucrative that it’s worth it? Please share your thoughts in the comments below.
Now that being said, my company xenapptraining.com is running completely on Office 365 and it’s the future. So you should start learning it today. Training videos on Office 365 will be added to my course very soon.
Hi,
Great post… as always.
But I got a little confused about one thing.
First you write:
“Why ADFS? Well you want to provide your users with the best User Experience (UX) and therefore Single Sign On is highly recommended.”
And then:
“I would HIGHLY RECOMMEND you thinking twice about implementing both Office 365 AND ADFS for Single Sign On.”
Is your conclusion NOT to use ADFS?
In what situations would you use ADFS then?
Thanks Erik, yes there are pros and cons with Office 365; if you can provide a high uptime for your on-prem solution you’re good. Just be aware that when you’re without internet or ADFS everything stops working! Check my latest blog post for details: https://xenappblog.com/2016/disable-adfs-federation/
Hello Eric,
How are you?
Just want to check when we can expect videos regarding Office 365 on your training website?
Thanks,
Pavan
Hi Pavan. I’m rebuilding my lab from ctxlab.local to xenapptraining.com as we speak so I can start creating those videos with a true Best Practice domain.
Thanks for your reply Eric.
Hope to see the videos soon.
Wanted to take a few minutes to clarify things here.
First the concept of fault domains, basically don’t put all your eggs in one basket.
Second ADFS fully supports a farm concept, you have multiple ADFS servers running, just like domain controllers.
You basically had 1 domain controller running, and the host it was on died.
Last I would suggest you have more than one DIRSYNC (OLD NAME), running as well, and if the primary dies, you flip it over, so password sync, and AD object sync keeps happening to O365.
Last, a link that discusses H/A ADFS design:
https://blogs.technet.microsoft.com/ucando365talks/2014/04/14/adfs-high-availability-quick-reference-guide-for-administrators-implement-single-sign-on-for-office-365/
Hello Eric,
How are you?
Just want to check when we can expect videos regarding Office 365 on your training website?
Thanks,
Pavan
Hi, probably around September 2019
“because Citrix doesn’t support Skype for Business 2016 (16.x) at the moment.”
Is this still true?
No, they do; this post is way too old.