Welcome!

Microsoft Cloud Authors: Srinivasan Sundara Rajan, Pat Romanski, Glenn Rossman, Janakiram MSV, Steven Mandel

Related Topics: Microsoft Cloud, Mobile IoT, Microservices Expo, Containers Expo Blog, Silverlight, Agile Computing

Microsoft Cloud: Blog Post

Why Windows Server 2012 R2: Step-by-Step Workplace Join

Bringing Peace of Mind for BYOD

In Kevin Remde's post this week he talked about many new features for Windows Server 2012 R2 Active directory.  You can find his great post here: What’s New for Active Directory in Server 2012 R2.  One of the new functionalities he mentioned was Workplace Join.  Workplace join allows you to deal with the explosion of devices (Windows and Non-Windows (like iOS) connecting to your organization.  This has you constantly trying to maintain your organizations compliance and security.  Especially with users located all around the world across multiple platforms and devices this is a challenge.

imageIf this sounds like you currently or is soon going to be you then you will want to check out Workplace join.  Workplace join allows users to register devices (including IOS) for single sign-on and access to corporate data.  In today’s article I am going to take a look at how to set this feature up step by step.

This feature does require Windows Server 2012 R2, and you will need to configure Active Directory and Active Directory Federation Services to make this work.  Additionally you will need to create an Enterprise Certificate Authority for the certificates you will need for this service to work properly.  Overall the process is straight forward, but you will need to make sure you dot all your I’s and cross your T’s.  For my environment, I created 4 separate virtual machines to test this out.  I created an AD DC, AD FS server, a Web Server (for testing) and a Windows 8,1 client.  The full configuration and the test application for this configuration can be found here, it is an excellent article: Set up the lab environment for AD FS in Windows Server 2012 R2

Configure the Domain Controller
On the DC you will need to make a Globally Managed Service Account (GMSA).  The GMSA account is required during the AD FS installation and configuration.

  1. Open a PowerShell command window and type:
    Add-KdsRootKey –EffectiveTime (Get-Date).AddHours(-10)

    New-ADServiceAccount FsGmsa -DNSHostName adfs1.contoso.com -ServicePrincipalNames http/adfs1.contoso.com

Note:  This command is for a domain name contoso.com and if your ADFS server is named adfs1.

Configure Your Certificate
When you configure your domain controller you will also want to add and configure the certificate authority services.  Here is a great article for this process here: Configure SSL/TLS  on a Web site in the domain with an Enterprise CA.  However, when you create the certificate you will want to allow for…Also check John’s video out below for a little more detail on how the certificates work.  This is also something you want to make sure you follow closely.

cert

Configure Active Directory Federation Services
On the AD FS server you will need to enroll the certificate from the article above on configuring your Enterprise CA.  When you bring the cert in you will want to make sure you configure it with the follow attributes

  • Subject Name (CN): adfs1.contoso.com
  • Subject Alternative Name (DNS): adfs1.contoso.com
  • Subject Alternative Name (DNS): enterpriseregistration.contoso.com

After you have configure your certificate you need to add the ADFS role

  1. Log onto the server using the domain administrator account ([email protected]).
  2. Open Server Manager. To do this, click Server Manager on the Start screen, or Server Manager in the taskbar on the desktop. In the Quick Start tab of the Welcome tile on the Dashboard page, click Add roles and features. Alternatively, you can click Add Roles and Features on the Manage menu.
  3. On the Before you begin page, click Next.
  4. On the Select installation type page, click Role-based or feature-based installation, and click Next.
  5. On the Select destination server page, click Select a server from the server pool, verify that the target computer is highlighted, and then click Next.
  6. On the Select server roles page, click Active Directory Federation Services, and then click Next.
  7. On the Select features page, click Next.
  8. On the Active Directory Federation Service (AD FS) page, click Next.
  9. After you verify the information on the Confirm installation selections page, select the Restart the destination server automatically if required check box, and then click Install.
  10. On the Installation progress page, verify that everything installed correctly, and then click Close.

After the role is installed you will need to configure the service.  On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on the server This is for a domain name confoso,com and an ADFS server named adfs1.

  1. The Active Directory Federation Service Configuration Wizard is launched.1.On the Welcome page, select Create the first federation server in a federation server farm and click Next.
  2. On the Connect to AD DS page, specify an account with domain administrator permissions for the contoso.com AD domain that this computer is joined to and then click Next.
  3. On the Specify Service Properties page, do the following and then click Next:
    • Import the SSL certificate that you have obtained earlier. This is the required service authentication certificate. Browse to the location of your SSL certificate.
    • Provide a name for your federation service, type adfs1.contoso.com. This is the same value you provided when enrolling an SSL certificated in AD CS.
    • Provide a display name for your federation service, type, Contoso Corporation.
  4. On the Specify Service Account page, select Use an existing domain user account or group Managed Service Account and then specify the GMSA account (fsgmsa) you created when setting up the domain controller.
  5. On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database and then click Next.
  6. On the Review Options page, verify your configuration selections and click Next.
  7. On the Pre-requisite Checks page, verify that all pre-requisite checks were successfully completed, and then click Configure.
  8. On the Results page, review the results and whether the configuration has completed successfully, and then click Next steps required for completing your federation service deployment.

You will also need to run some PowerShell commands and configurations to finish the ADFS configuration.  In a PowerShell command window run the following commands:

Initialize-ADDeviceRegistration

When prompted for a service account, type contoso\fsgmsa$ (Or whatever account you created)

Enable-AdfsDeviceRegistration

device

NEXT STEP IMPORTANT: After you have run the PowerShell command on your ADFS server open the AD FS Management console.  Navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the checkbox next to Enable Device Authentication and then click OK.

Lastly, you will need to make sure you have the following DNS records for the Device Registration Services.

Entry

Type

Address

adfs1

A

IP address of the AD FS server

enterpriseregistration

Alias (CNAME)

adfs1.contoso.com

You can use the following procedure to add a host (A) resource records to corporate DNS for federation server and the device registration service.

  1. On DC1, from Server Manager, from the Tools menu, click DNS to open the DNS snap-in.
  2. In the console tree, expand DC1, expand Forward Lookup Zones, right-click contoso.com, and then click New Host (A or AAAA).
  3. In Name, type the name you will use for your AD FS farm, for this walkthrough, type adfs1.
  4. In IP address, type the IP address of the ADFS1 server. Click Add Host.
  5. Right-click contoso.com, and then click New Alias (CNAME).
  6. In the New Resource Record dialog box, type enterpriseregistration in the Alias name box.
  7. In the Fully Qualified Domain Name (FQDN) of the target host box, type adfs1.contoso.com and click OK.

Configure Windows Client

  1. Log on to your Windows 8 Client with your Microsoft account.
  2. On the Start screen, open the Charms bar and then select the Settings charm. Select Change PC Settings.
  3. On the PC Settings page, select Network and then click Workplace.
  4. In the Enter your UserID to get workplace access or turn on device management box, type <login name>@<domain.com> and then click Join.
  5. When prompted for credentials, type your domain credentials and Click OK.
  6. You should now see the message: This device has joined your workplace network.

If you want to learn how to set this up for your iOS devices check out this article: Walkthrough Guide- Workplace Join with an iOS Device

As you can see there a lot of moving parts to get this in working, and from my experience you want to make sure you get the certificates correct or you will be troubleshooting into the late evening.  Smile

If you want to see this in action, check out this great video by John Savill:

For the full list in the series:  Windows Server 2012 R2 Launch Blog Series Index #WhyWin2012R2

More Stories By Matt Hester

Matt Hester is a Senior Information Technology Professional Evangelist for Microsoft. Matt has been involved in the IT Pro community for over 20 years. Matt is a skilled and experienced evangelist presenting to audiences nationally and internationally. Prior to joining Microsoft Matt was a highly successful Microsoft Certified Trainer for over 8 years. After joining Microsoft, Matt has continued to be heavily involved in IT Pro community as an IT Pro Evangelist. In his role at Microsoft Matt has presented to audiences in excess of 5000 and as small as 10. Matt has written 4 articles for TechNet magazine. In addition Matt has published 3 books:

You can contact Matt off his blog at http://aka.ms/matthester

@ThingsExpo Stories
SYS-CON Events announced today that Commvault, a global leader in enterprise data protection and information management, has been named “Bronze Sponsor” of SYS-CON's 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Commvault is a leading provider of data protection and information management solutions, helping companies worldwide activate their data to drive more value and business insight and to transform moder...
Fact is, enterprises have significant legacy voice infrastructure that’s costly to replace with pure IP solutions. How can we bring this analog infrastructure into our shiny new cloud applications? There are proven methods to bind both legacy voice applications and traditional PSTN audio into cloud-based applications and services at a carrier scale. Some of the most successful implementations leverage WebRTC, WebSockets, SIP and other open source technologies. In his session at @ThingsExpo, Da...
SYS-CON Events announced today that Bsquare has been named “Silver Sponsor” of SYS-CON's @ThingsExpo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. For more than two decades, Bsquare has helped its customers extract business value from a broad array of physical assets by making them intelligent, connecting them, and using the data they generate to optimize business processes.
Almost two-thirds of companies either have or soon will have IoT as the backbone of their business in 2016. However, IoT is far more complex than most firms expected. How can you not get trapped in the pitfalls? In his session at @ThingsExpo, Tony Shan, a renowned visionary and thought leader, will introduce a holistic method of IoTification, which is the process of IoTifying the existing technology and business models to adopt and leverage IoT. He will drill down to the components in this fra...
The vision of a connected smart home is becoming reality with the application of integrated wireless technologies in devices and appliances. The use of standardized and TCP/IP networked wireless technologies in line-powered and battery operated sensors and controls has led to the adoption of radios in the 2.4GHz band, including Wi-Fi, BT/BLE and 802.15.4 applied ZigBee and Thread. This is driving the need for robust wireless coexistence for multiple radios to ensure throughput performance and th...
SYS-CON Events announced today that Pulzze Systems will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Pulzze Systems, Inc. provides infrastructure products for the Internet of Things to enable any connected device and system to carry out matched operations without programming. For more information, visit http://www.pulzzesystems.com.
Enterprise IT has been in the era of Hybrid Cloud for some time now. But it seems most conversations about Hybrid are focused on integrating AWS, Microsoft Azure, or Google ECM into existing on-premises systems. Where is all the Private Cloud? What do technology providers need to do to make their offerings more compelling? How should enterprise IT executives and buyers define their focus, needs, and roadmap, and communicate that clearly to the providers?
SYS-CON Events announced today that SoftLayer, an IBM Company, has been named “Gold Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. SoftLayer, an IBM Company, provides cloud infrastructure as a service from a growing number of data centers and network points of presence around the world. SoftLayer’s customers range from Web startups to global enterprises.
There is little doubt that Big Data solutions will have an increasing role in the Enterprise IT mainstream over time. Big Data at Cloud Expo - to be held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA - has announced its Call for Papers is open. Cloud computing is being adopted in one form or another by 94% of enterprises today. Tens of billions of new devices are being connected to The Internet of Things. And Big Data is driving this bus. An exponential increase is...
DevOps at Cloud Expo, taking place Nov 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 19th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long dev...
Digital innovation is the next big wave of business transformation based on digital technologies of which IoT and Big Data are key components, For example: Business boundary innovation is a challenge to excavate third-party business value using IoT and BigData, like Nest Business structure innovation may propose re-building business structure from scratch, as Uber does in the taxicab industry The social model innovation is also a big challenge to the new social architecture with the design fr...
Data is an unusual currency; it is not restricted by the same transactional limitations as money or people. In fact, the more that you leverage your data across multiple business use cases, the more valuable it becomes to the organization. And the same can be said about the organization’s analytics. In his session at 19th Cloud Expo, Bill Schmarzo, CTO for the Big Data Practice at EMC, will introduce a methodology for capturing, enriching and sharing data (and analytics) across the organizati...
IoT is fundamentally transforming the auto industry, turning the vehicle into a hub for connected services, including safety, infotainment and usage-based insurance. Auto manufacturers – and businesses across all verticals – have built an entire ecosystem around the Connected Car, creating new customer touch points and revenue streams. In his session at @ThingsExpo, Macario Namie, Head of IoT Strategy at Cisco Jasper, will share real-world examples of how IoT transforms the car from a static p...
The many IoT deployments around the world are busy integrating smart devices and sensors into their enterprise IT infrastructures. Yet all of this technology – and there are an amazing number of choices – is of no use without the software to gather, communicate, and analyze the new data flows. Without software, there is no IT. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will look at the protocols that communicate data and the emerging data analy...
SYS-CON Events announced today that China Unicom will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. China United Network Communications Group Co. Ltd ("China Unicom") was officially established in 2009 on the basis of the merger of former China Netcom and former China Unicom. China Unicom mainly operates a full range of telecommunications services including mobile broadband (GSM, WCDMA, LTE F...
The Transparent Cloud-computing Consortium (abbreviation: T-Cloud Consortium) will conduct research activities into changes in the computing model as a result of collaboration between "device" and "cloud" and the creation of new value and markets through organic data processing High speed and high quality networks, and dramatic improvements in computer processing capabilities, have greatly changed the nature of applications and made the storing and processing of data on the network commonplace.
Video experiences should be unique and exciting! But that doesn’t mean you need to patch all the pieces yourself. Users demand rich and engaging experiences and new ways to connect with you. But creating robust video applications at scale can be complicated, time-consuming and expensive. In his session at @ThingsExpo, Zohar Babin, Vice President of Platform, Ecosystem and Community at Kaltura, will discuss how VPaaS enables you to move fast, creating scalable video experiences that reach your...
Big Data has been changing the world. IoT fuels the further transformation recently. How are Big Data and IoT related? In his session at @BigDataExpo, Tony Shan, a renowned visionary and thought leader, will explore the interplay of Big Data and IoT. He will anatomize Big Data and IoT separately in terms of what, which, why, where, when, who, how and how much. He will then analyze the relationship between IoT and Big Data, specifically the drilldown of how the 4Vs of Big Data (Volume, Variety,...
If you’re responsible for an application that depends on the data or functionality of various IoT endpoints – either sensors or devices – your brand reputation depends on the security, reliability, and compliance of its many integrated parts. If your application fails to deliver the expected business results, your customers and partners won't care if that failure stems from the code you developed or from a component that you integrated. What can you do to ensure that the endpoints work as expect...
WebRTC adoption has generated a wave of creative uses of communications and collaboration through websites, sales apps, customer care and business applications. As WebRTC has become more mainstream it has evolved to use cases beyond the original peer-to-peer case, which has led to a repeating requirement for interoperability with existing infrastructures. In his session at @ThingsExpo, Graham Holt, Executive Vice President of Daitan Group, will cover implementation examples that have enabled ea...