Trouble setting up AD Federation using DAG


#1

Hi there,

I am currently following the Office 365 guide (Duo Protection for Office 365 | Duo Security) to install Duo auth for 365.

I have setup DAG, AD Azure Sync etc but am having trouble getting the AD Federation portion set up. When I enter the command “Set-MsolDomainAuthentication” with all of the parameters I get the following error message back:

“You cannot remove this domain as the default domain without replacing it with another default domain”

I am unsure why it is bringing up this message as I thought the command's purpose was just to change the authentication type from Managed to Federated and apply the necessary extras.

Any assistance with this would be hugely appreciated.

Kind regards,

IndigoRyan


#2

@IndigoRyan,

Do you have a custom domain defined in your O365 tenant? Is it currently your default domain, or is the onmicrosoft.com domain the default? You may need to set your default domain as described here.


#3

Hi Kristina,

The Custom domain (the one I am trying to federate) is the default domain currently. Do I need to set the default domain to the onmicrosoft.com one to change the custom one from managed to federated?

One thing I am concerned about is its mention of “Use the Set-Msoldomain cmdlet to set another domain as the default domain before you delete this domain”. I thought the purpose of Set-MsolDomainAuthentication was to alter the current domain, not delete it?

Any advice would be appreciated!

Kind regards,

Ryan


#4

That is odd to see that message when you have a custom domain set as the default and you aren’t trying to remove it. In the variables used by the set-msoldomainauthentication command, are you setting $dom to the custom domain or the onmicrosoft domain? Is your domain already federated with another service?


#5

Hi Kristina,

$dom is pointing at our custom domain & I have run a “Get-Msoldomain” on the domain and it is definitely showing as the authentication type “managed”. I’ve read a bit online and I can see numerous articles detailing that it is not possible to federate a default domain so I am unsure how to progress from this step.

Please see below a copy of the exact error message I get for the command “Set-MsolDomainAuthentication –DomainName $dom -Authentication Federated -PassiveLogOnUri $url -ActiveLogOnUri $url -IssuerUri $uri -LogOffUri $logoutUrl -PreferredAuthenticationProtocol SAMLP -SigningCertificate $certData” -

Kind Regards,

Ryan


#6

Hmm, what if you set the default domain back to the onmicrosoft domain and try again?
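The sequence suggested above, as an added PowerShell example that is not from the original thread or from Duo's documentation: check whether the custom domain is still the default, move the default to the tenant's initial onmicrosoft.com domain with Set-MsolDomain, then run the same Set-MsolDomainAuthentication call and read the domain back. The domain name, the DAG URLs and the certificate file are placeholders; take the real values from your tenant and the DAG admin console.

```powershell
# Added example (not the thread's or Duo's own script). All values below are
# placeholders: replace them with your custom domain and the SAML endpoints /
# signing certificate shown on the DAG Office 365 application page.
Connect-MsolService

$dom       = "example.com"                                   # custom domain to federate
$url       = "<PassiveLogOnUri / ActiveLogOnUri from DAG>"   # placeholder
$logoutUrl = "<LogOffUri from DAG>"                          # placeholder
$uri       = "<IssuerUri from DAG>"                          # placeholder
$certData  = Get-Content -Path ".\dag-signing-cert.b64.txt" -Raw   # placeholder: base64 cert body

# 1. Set-MsolDomainAuthentication refuses to convert the tenant's default domain,
#    so if $dom is the default, hand that role to the initial *.onmicrosoft.com
#    domain first (the *.mail.onmicrosoft.com routing domain is excluded).
$target = Get-MsolDomain -DomainName $dom
if ($target.IsDefault) {
    $initial = Get-MsolDomain |
        Where-Object { $_.Name -like "*.onmicrosoft.com" -and $_.Name -notlike "*.mail.onmicrosoft.com" } |
        Select-Object -First 1
    if (-not $initial) { throw "No initial onmicrosoft.com domain found to use as the new default." }
    Set-MsolDomain -Name $initial.Name -IsDefault
    Write-Host "Default domain moved to $($initial.Name)"
}

# 2. Convert the custom domain from Managed to Federated, pointing sign-in at DAG.
Set-MsolDomainAuthentication -DomainName $dom `
    -Authentication Federated `
    -PassiveLogOnUri $url `
    -ActiveLogOnUri $url `
    -IssuerUri $uri `
    -LogOffUri $logoutUrl `
    -PreferredAuthenticationProtocol SAMLP `
    -SigningCertificate $certData

# 3. Read the domain back and fail loudly if the conversion did not take effect.
$after = Get-MsolDomain -DomainName $dom
if ($after.Authentication -ne "Federated") {
    throw "$dom is still $($after.Authentication); federation did not apply."
}
$after | Select-Object Name, Authentication, IsDefault
```

The default-domain change only affects which suffix the portal offers when creating cloud-only users; existing synced accounts keep the UPN and mail address set in on-premises AD.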


#7

Hi Kristina,

The only concern I have is what effect changing to onmicrosoft as the default will have on the user/email accounts for those on the domain. Are there any implications with changing the default domain in Office 365? If AD Sync is active will this stop Office 365 accounts from changing from my custom domain to onmicrosoft addresses?

Kind Regards,

Ryan


#8

I don’t think it should. How are you provisioning new users now? When the domain is federated then the source of new accounts is your regular Active Directory, and new accounts get created in Azure AD/Office via the AAD Connect sync. So you’d specify the mail address in AD.

You might want to confirm this with Microsoft before making any changes, but this is how our test domains are configured.


#9

Morning Kristina,

Now that the AD Sync is in place I’d imagine we’d be creating new Office 365 users through the local AD and applying the correct UPN suffix to match the Office 365 domain.

I have logged a ticket with O365 support so hopefully they’ll be able to confirm that changing default domain doesn’t have an effect and I can go ahead with federating the custom domain.

Kind Regards,

Ryan


#10

Hi Kristina,

I was able to get this working. Changing the default domain to the Onmicrosoft one allowed me to federate my custom domain.

One small further query: Currently, users are unable to log in through the Duo portion of the portal when authenticating for 365. I have a feeling that this is due to incorrect search attributes listed. In DAG, I have sAMAccountName and Mail listed as my search attributes but the Duo portal is not accepting users' email addresses as a valid username credential.

Kind Regards,

Ryan


#11

Refer to step 2 in the Office 365 “Deploy Duo Access Gateway” instructions where the necessary list of search attributes is mentioned.

Include the AD attributes mail,sAMAccountName,userPrincipalName,objectGUID in the “Attributes” field when configuring the Active Directory authentication source in the DAG admin console.


#12

Hi Kristina,

Turns out I had my DNs incorrectly listed in the Search Base. I resolved this and immediately the system started functioning correctly.

Thank you for your assistance with getting this up and running!

Ryan


#13

I’m glad this is working. Thanks for trying Duo!