If you’re anything like me then you’re excitedly waiting to find about when you’ll be able to get your Live@edu tenant upgraded to Office 365 for education. Hot on the heels of the upgrade portal I talked about recently, I have some more information to share.

In order to make the upgrade process smooth, and because it’s just a good idea in general, we need every existing Live@edu customer to ensure their institution profile information is accurate and up to date!

Sometimes, especially with more mature deployments, people move on and responsibilities change. Often the service management portal gets forgotten about (poor thing), but it is vital to keep it accurate up to date so that we know who to get in touch with about the upgrade.

It doesn’t take a minute, and you may already be up to date, but it’s worth checking to be sure. If you’ve forgotten the URL you can access the portal at:

http://eduadmin.live.com

Some of you may have heard about Office 365 for education – if not go and read up! One of the most common questions I get asked by existing customers is: how do I upgrade from Live@edu to Office 365 for education?

Well the great news is that we’ve launched a new portal where you can find out more about the process. Upgrades will start in Summer 2012, but you should begin planning now. Use the portal to get the answers to your most frequently asked questions.

There are some steps to take to get ready:

1. Make sure your contact information and institution profile are correct in the Live@edu Service Management Portal. Particularly with more mature deployments, where members of your IT team may have moved on, or responsibilities changed, this information might be out of date. We need this to be correct in order to upgrade smoothly.
2. Make sure your desktops meet the Office 365 software requirements. Remember, the MAP toolkit can help identify devices in your IT estate that aren’t running compatible versions of Microsoft Office or Windows.
3. Read the upgrade questions and answers and develop an upgrade plan for your institution.

Find Out More

AD FS 2.0 offers institutions who are deploying Office 365 for education a really rich and effective way to provide a single sign-on experience to users. With just one set of credentials teachers and pupils can access the full range of resources that Office 365 for education has to offer.

For some institutions there are certain situations where SSO isn’t fully consistent across users and devices. Helpfully, the good folks at the University of Newcastle here in the UK have come up with a workaround.

The following post represents a solution that is not supported by Microsoft.

Background

The ADFS Farm + ADFS Proxy Farm model that we are using for Office 365 requires that the CNAME of the ADFS service has to be the same for both the ADFS proxy server farm and the internal ADFS farm (in our case adfs.ncl.ac.uk). Users ‘inside’ our network need to be directed to the internal farm and external users to the proxy farm.

ADFS supports multiple authentication mechanisms including the ones we are interested in, Windows Integrated Authentication (WIA) and Forms Based Authentication (FBA). It seems however that there is no way to dynamically select which one is used when a request hits the farm based on client properties. Where Office 365 is concerned a farm uses WIA or FBA

The way our network is configured means that we do not have the network model of Internal/DMZ/Internet with the split-brain DNS that the Microsoft documentation seems to expect. Our systems point at a single zone (running on BIND) which resolves both internal and external requests.  As such, private IP addresses such as that of the internal ADFS Farm can be resolved (but obviously not connected to) from the Internet.

Working with our Network team we were able to get around this by creating a work around in BIND so that anyone on the Internet receives the address of the proxy farm and anyone coming from one of our internal IP ranges receives the address of the ADFS farm.

The problem for us is that only around 70% of our internal clients are domain joined and as such able to take part in SSO using WIA. The other devices may be non-Windows machines, non-domain joined Windows machines and mobile devices. Because they are coming from one of our internal address ranges they are directed to the internal WIA enabled ADFS farm and get a non-user friendly ugly pop-up box requesting authentication.

We do not think that this is a good user experience so we sought a solution which would let us provide both authentication methods to internal clients.

Possible Solutions

After discussions internally and with Microsoft we were presented with 3 possible ways to deal with this problem.

1. Our Network team could define every IP range we have and point them at the relevant BIND DNS view. This is obviously an inelegant solution and would not cover all scenarios as many ranges in our environment contain both domain joined and non-domain joined clients. It would however work for wireless guests as they are on specific ranges.
2. Microsoft proposed pushing out a HOSTS file to all domain joined clients pointing them at the internal farm. This not a scalable or suitable option in our environment as we have development work going on all over the University and this would essentially remove people’s ability to use the HOSTS file due to it being overwritten by whatever mechanism we would put in place to the job
3. The third option was suggested by a Microsoft representative on the Office 365 community forums. The ADFS Farm could be configured to read a custom attribute from the browsers User agent string. This value would be parsed server-side and if present the request would be authenticated by WIA. Other requests would be forwarded on to FBA.  This was particularly attractive to us as we already use a custom user agent string value for Shibboleth authentication.

What we lacked was the expertise to implement this solution but thanks to collaboration with our colleagues as well as working with members of the Microsoft TechNet community we were able to implement something that seems to do the job for us. We thought we would share this in the event others are running in to the same problem!

Out Of The Box Authentication With AD FS 2.0

The mechanism that is used by default on an ADFS farm or proxy Farm can be toggled in the <localAuthenticationTypes> element of the ADFS web.config:

   1: <microsoft.identityServer.web>

   2:  <localAuthenticationTypes>

   3:  <add name="Forms" page="FormsSignIn.aspx" />

   4:  <add name="Integrated" page="auth/integrated/" />

   5:  </localAuthenticationTypes>

For WIA ‘Integrated’ is at the top of the list:

   1: <microsoft.identityServer.web>

   2:  <localAuthenticationTypes>

   3:  <add name="Integrated" page="auth/integrated/" />

   4:  <add name="Forms" page="FormsSignIn.aspx" />

   5:  </localAuthenticationTypes>

Implementing Selective Authentication using the User Agent String

Manipulation of the User Agent string on Internet Explorer, Firefox and Chrome

The first thing required is to append the user agent string to browsers. This can be done in Internet explorer using Group Policy:

1. Under User Configuration expand Windows Settings/Internet Explorer Maintenance
2. Select ‘Connection’
3. In the right-hand pane, double-click User Agent String.
4. On the User Agent String tab, select the ‘Customize String To be Appended To User Agent String check box
5. Type in the string (in our case campus-ncl).

We have this value set in the ‘Default Domain Policy’ though it could be set lower down.

For Firefox and Chrome things have to be done in the application deployment package. Obviously people will have to use a managed version of the product as it’s not exactly a user friendly setup!

In Firefox the prefs.js file requires to extra lines:

user_pref("network.negotiate-auth.trusted-uris", "");

user_pref("general.useragent.override", ", ")

So in our environment:

user_pref("network.negotiate-auth.trusted-uris", "adfs.ncl.ac.uk");

user_pref("general.useragent.override", ", campus-ncl")

Chrome needs to be run with some extra switches:

--auth-server-whitelist="ADFS FQDN" --user-agent=" <actual agent string> + <customstring>

So in our environment:

--auth-server-whitelist="adfs.ncl.ac.uk" --user-agent=" <actual agent string> + campus-ncl"

Disable Extended Protection must be disabled on the ADFS Farm in IIS (for Firefox and Chrome only)

In order to get SSO working with Firefox and Chrome Extended Protection must be disabled on the ADFS Farm in IIS. Lots of information on this feature and the consequences of disabling it can be found with a simple search on the Internet.

AD FS Farm Modifications

There are 2 steps required on the ADFS farm.

1. Enable Forms Based Authentication as the default method.
2. Modify the FormsSignIn.aspx.cs source code file

To turn on FBA edit the <localAuthenticationTypes> element of the ADFS web.config file and make sure FBA ‘Forms’ is at the top of the list:

   1: <microsoft.identityServer.web>

   2:  <localAuthenticationTypes>

   3:  <add name="Forms" page="FormsSignIn.aspx" />

   4:  <add name="Integrated" page="auth/integrated/" />

   5:  </localAuthenticationTypes>

Next open the FormsSignIn.aspx.cs Source Code File.

The default out of the box, the code looks like this:

   1: using System;

   2:  

   3: using Microsoft.IdentityServer.Web;

   4: using Microsoft.IdentityServer.Web.UI;

   5:  

   6: public partial class FormsSignIn : FormsLoginPage

   7: {

   8:  protected void Page_Load( object sender, EventArgs e )

   9:  {

  10:  }

  11: …

We need to add some code to the Page_Load event which will forward the request to integrated authentication if the campus-ncl user agent string is present. In order to do this we had to add System.Web to the namespace list.

   1: using System;

   2: using System.Web;

   3: using Microsoft.IdentityServer.Web;

   4: using Microsoft.IdentityServer.Web.UI;

System.Web supplies the classes that enable browser-server communication which are needed to get the user agent string and the query string generated by Microsoft Online Services.

   1: protected void Page_Load( object sender, EventArgs e )

   2:  {

   3:  //Get the raw query String generated by Office 365

   4:  int pos = Request.RawUrl.IndexOf('?');

   5:  int len = Request.RawUrl.Length;

   6:  string rawq = Request.RawUrl.Substring(pos + 1, len - pos - 1);

   7:  

   8:  //Convert query string (qs) to a string

   9:  string qs = HttpUtility.ParseQueryString(rawq).ToString();

  10:  

  11:  //Get the user agent value

  12:  string uagent = Request.UserAgent;

  13:  

  14:  //Check if the string campus-ncl appears in the User Agent

  15:  //If it is there forward to WIA along with the Query String

  16:  

  17:  if(uagent.IndexOf("campus-ncl") > -1)

  18:  {

  19:  Response.Redirect("/adfs/ls/auth/integrated/?" + qs, true);

  20:  }

  21:  else

  22:  {

  23:  //Carry on and do Forms Based Authentication

  24:  }

  25:  }

And that’s it! Anyone using a managed browser with the custom string will be forwarded for WIA and get the SSO experience and all others will get FBA.

Things to note:

1. This method is not officially supported by Microsoft and there are potential issues around future ADFS upgrades (there is no guarantee that the same configuration will be in future versions of ADFS). We are also developing the fall back plan of pointing different clients and the different farms in DNS in case it is needed.
2. There may very well be a better way to do this! If you find one please let us know

Special mention

Although we knew what we wanted to do we were having trouble getting the query string and putting it in a usable form (I’m not a programmer!) This information was provided by another TechNet forum member.

Read Original Post

Are you using AD FS 2.0 for SSO?

What tips would you give any institutions looking to deploy Office 365 for education summer? Do you have a story like that you’d like to share on our blog? Let us know in the comments!

If you’re looking at deploying Office 365 for education this summer a question you need to ask yourself is: is your IT environment ready for Office 365 for education? Are you running compatible operating systems, or versions of Microsoft Office?

The Microsoft Assessment and Planning (MAP) toolkit can help with find out exactly that kind of information! The free tool is an agentless inventory, assessment and reporting tool that can securely assess IT environments for various migrations – including Office 365.

With MAP, you get the following report for migration to Office 365:

• Office 365 Assessment Report: Quickly determine which client computers in your environment are ready to use Office 365. MAP obtains machine level detail about why a given computer is not capable of using Office 365, and identifies whether the Office suites currently being used in your environment are compatible with Office 365.

The generated report looks a little bit like this:

You can download the tool for free, today, over at the toolkit website, or:

Download Now

“Did you get my last email?”

Have you ever sent an email to someone and wondered why you haven’t had a response? Is that distribution group you asked a question to ignoring you? Chances are you’ve encountered people who aren’t making best use of automatic replies and MailTips…

Helpfully, both Live@edu and Office 365 for education, because they both make use of Exchange Online, have the ability to allow users to set little reminder prompts on individual mailboxes and distribution groups to give senders a little pre-warning or useful tip prior to them sending that all important email.

Here are just some situations where an automatic reply or MailTip can really save the day:

• Asking a question to your tutor that needs an urgent response in order to meet a coursework deadline, but the tutor is on holiday for three days.
• Accidentally sending a piece of confidential pupil data to someone outside of your school.
• Attaching a 10MB zip file of photos of your cats to a distribution group containing 1000 recipients.

The great thing about it is that automatic replies don’t just apply to emails; they even translate across to Lync. As you can see below I’ve got Damon in my Lync contacts and at a glance I can see that he’s set his status to “Out of Office” and set an automatic reply, or vacation response, OOF notification, etc. telling me that he’s going to be away until tomorrow. Immediately I know that if I have something urgent I should contact someone else or expect a delayed response.

You can find out more about how to configure MailTips on Outlook Live Help, as well as information on Automatic Replies.

Lastly – have you ever wondered why some people refer to being “out of office” as OOF rather than OOO… Well here’s the answer!

Do you use MailTips and Automatic Replies?

Tell us your best practice tips for avoiding disappointment by using MailTips and Automatic Replies in the comments!