Azure AD Azure Application Proxy with SharePoint Server 2013/2016 Blog Part 5

Objective: Configure Single Sign-On with KCD and synchronization with Azure AD Connect

Reference: Kerberos Constrained Delegation for single sign-on to your apps with Application Proxy

To support single sign-on, configure with Integrated Windows Authentication mode

In the Azure Portal, go to Azure AD > Enterprise Applications > click on your Enterprise Application > click Single sign-on > Select Mode Integrated Windows Authentication

For Internal Application SPN, enter http/rksp.eastus.cloudapp.azure.com (Go to blog Part 2 for KCD setup)azure-ad-azure-application-proxy-with-share-point-server-2013-2016-blog-part-5.1pngClick Save

By visiting the SharePoint application again and attempting to login, the browser displays the error message:azure-ad-azure-application-proxy-with-share-point-server-2013-2016-blog-part-5.2pngThis is because the user does not exist in on-premises AD.

Let’s install Azure AD Connect in the on-premises environment to synchronize users from on-premises AD to Azure AD.

azure-ad-azure-application-proxy-with-share-point-server-2013-2016-blog-part-5.3

Download Azure AD Connect. For my lab environment and for simplicity, I installed it on the SP server. It is recommended to install on a dedicated server.
In the Azure AD Directory, add a domain that is the same as your on-premises environment that you own and can verify. azure-ad-azure-application-proxy-with-share-point-server-2013-2016-blog-part-5.4azure-ad-azure-application-proxy-with-share-point-server-2013-2016-blog-part-5.5azure-ad-azure-application-proxy-with-share-point-server-2013-2016-blog-part-5.6azure-ad-azure-application-proxy-with-share-point-server-2013-2016-blog-part-5.7

In my case, contoso.com is the default domain that was provisioned with the SharePoint Non-HA Azure ARM template, I cannot own this public domain from any domain registrar, such as GoDaddy. Therefore I cannot verify in my Azure AD. Therefore, I will resort to the UPN as spb2b.onmicrosoft.com in my Azure AD. This will be sufficient for the purposes of this demo.

azure-ad-azure-application-proxy-with-share-point-server-2013-2016-blog-part-5.8azure-ad-azure-application-proxy-with-share-point-server-2013-2016-blog-part-5.9azure-ad-azure-application-proxy-with-share-point-server-2013-2016-blog-part-5.10

As a result of the Azure AD Sync, we can see users from the AD server. However, note that the on-premises AD user accounts end with @spb2b.onmicrosoft.com rather than @contoso.com.

azure-ad-azure-application-proxy-with-share-point-server-2013-2016-blog-part-5.11

Now you are one step closer to login with these accounts given that they have permissions to the SharePoint site. The next blog will finish the configuration and test a successful login scenario to the published SharePoint site.

Next: Azure AD Azure Application Proxy with SharePoint Server 2013/2016 Blog Part 6
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s