Microsoft Outage affected Federated Domains
-
@DustinB3403 said in Microsoft Outage affected Federated Domains:
And no one in the ADFS team (including managers) is answering calls...
Did something happen where this team is located?
You sure that they have a team?
-
@DustinB3403 said in Microsoft Outage affected Federated Domains:
And no one in the ADFS team (including managers) is answering calls...
Did something happen where this team is located?
I'm not convinced they have a team.
-
@coliver said in Microsoft Outage affected Federated Domains:
@DustinB3403 said in Microsoft Outage affected Federated Domains:
And no one in the ADFS team (including managers) is answering calls...
Did something happen where this team is located?
I'm not convinced they have a team.
I've seen no evidence of one.
-
@scottalanmiller said in Microsoft Outage affected Federated Domains:
@coliver said in Microsoft Outage affected Federated Domains:
@DustinB3403 said in Microsoft Outage affected Federated Domains:
@coliver Do you have a hybrid domain?
Nope, but we do use ADFS for authentication.
Not a good idea. That's why we warn people about that. It's not very useful but carries a lot of risk.
Not very useful? A single username/password for O365 and your local domain isn't useful?
-
@Dashrender said in Microsoft Outage affected Federated Domains:
@scottalanmiller said in Microsoft Outage affected Federated Domains:
@coliver said in Microsoft Outage affected Federated Domains:
@DustinB3403 said in Microsoft Outage affected Federated Domains:
@coliver Do you have a hybrid domain?
Nope, but we do use ADFS for authentication.
Not a good idea. That's why we warn people about that. It's not very useful but carries a lot of risk.
Not very useful? A single username/password for O365 and your local domain isn't useful?
ADFS is not what provides that. ADFS is what creates the co-dependency where if either side fails, everything fails. You are leaping to conclusions that ADFS = single sign on. Since you have that feature without ADFS you can't make such an assumption.
-
@scottalanmiller said in Microsoft Outage affected Federated Domains:
@Dashrender said in Microsoft Outage affected Federated Domains:
@scottalanmiller said in Microsoft Outage affected Federated Domains:
@coliver said in Microsoft Outage affected Federated Domains:
@DustinB3403 said in Microsoft Outage affected Federated Domains:
@coliver Do you have a hybrid domain?
Nope, but we do use ADFS for authentication.
Not a good idea. That's why we warn people about that. It's not very useful but carries a lot of risk.
Not very useful? A single username/password for O365 and your local domain isn't useful?
ADFS is not what provides that. ADFS is what creates the co-dependency where if either side fails, everything fails. You are leaping to conclusions that ADFS = single sign on. Since you have that feature without ADFS you can't make such an assumption.
Oh - didn't know that. How do you get single sign on then?
-
@Dashrender said in Microsoft Outage affected Federated Domains:
@scottalanmiller said in Microsoft Outage affected Federated Domains:
@Dashrender said in Microsoft Outage affected Federated Domains:
@scottalanmiller said in Microsoft Outage affected Federated Domains:
@coliver said in Microsoft Outage affected Federated Domains:
@DustinB3403 said in Microsoft Outage affected Federated Domains:
@coliver Do you have a hybrid domain?
Nope, but we do use ADFS for authentication.
Not a good idea. That's why we warn people about that. It's not very useful but carries a lot of risk.
Not very useful? A single username/password for O365 and your local domain isn't useful?
ADFS is not what provides that. ADFS is what creates the co-dependency where if either side fails, everything fails. You are leaping to conclusions that ADFS = single sign on. Since you have that feature without ADFS you can't make such an assumption.
Oh - didn't know that. How do you get single sign on then?
AD Sync. That's the recommended method. You only use ADFS if you "have to" for certain advanced features. The Sync method is asynchronous and just keeps the two up to date with each other. If either goes down the other doesn't notice.
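A read-only check for the dependency described in this post, as an added example that is not part of the thread: it lists which verified domains in an Office 365 tenant are federated (sign-in relies on the on-prem ADFS farm answering) versus managed (sign-in is served by the cloud from password hashes synced by AD Connect). It assumes the MSOnline PowerShell module is installed; contoso.com is a placeholder domain.

```powershell
# Added example, not code from the thread. Assumes the MSOnline module and
# Global Admin rights on the tenant. 'contoso.com' is a placeholder.

Import-Module MSOnline
Connect-MsolService   # prompts for tenant admin credentials

# Every verified domain and how sign-in for it is answered:
#   Managed   = cloud authenticates directly (works even if on-prem is down)
#   Federated = cloud redirects to the on-prem ADFS farm (both must be up)
$domains = Get-MsolDomain |
    Where-Object { $_.Status -eq 'Verified' } |
    Select-Object Name, Authentication

$domains | Format-Table -AutoSize

# The federated domains are the ones that go dark in an outage like this thread's
$federated = $domains | Where-Object { $_.Authentication -eq 'Federated' }

foreach ($d in $federated) {
    # Show where the federation trust actually points (the on-prem STS endpoints)
    Get-MsolDomainFederationSettings -DomainName $d.Name |
        Select-Object @{ n = 'Domain'; e = { $d.Name } },
                      IssuerUri, PassiveLogOnUri, ActiveLogOnUri
}

# Moving a domain from federated to managed removes the co-dependency, but only
# after AD Connect Password Hash Sync has populated cloud passwords; otherwise the
# converted users have no credential the cloud can check. This is a change, not a
# read-only check, so it is left commented out.
# Convert-MsolDomainToStandard -DomainName 'contoso.com' `
#     -SkipUserConversion $false -PasswordFile 'C:\temp\converted-users.txt'
```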
-
@scottalanmiller said in Microsoft Outage affected Federated Domains:
@Dashrender said in Microsoft Outage affected Federated Domains:
@scottalanmiller said in Microsoft Outage affected Federated Domains:
@Dashrender said in Microsoft Outage affected Federated Domains:
@scottalanmiller said in Microsoft Outage affected Federated Domains:
@coliver said in Microsoft Outage affected Federated Domains:
@DustinB3403 said in Microsoft Outage affected Federated Domains:
@coliver Do you have a hybrid domain?
Nope, but we do use ADFS for authentication.
Not a good idea. That's why we warn people about that. It's not very useful but carries a lot of risk.
Not very useful? A single username/password for O365 and your local domain isn't useful?
ADFS is not what provides that. ADFS is what creates the co-dependency where if either side fails, everything fails. You are leaping to conclusions that ADFS = single sign on. Since you have that feature without ADFS you can't make such an assumption.
Oh - didn't know that. How do you get single sign on then?
AD Sync. That's the recommended method. You only use ADFS if you "have to" for certain advanced features. The Sync method is asynchronous and just keeps the two up to date with each other. If either goes down the other doesn't notice.
We're using it for SSO and some of the advanced features that you mentioned. As well as 20 or so other apps that integrate with it for SSO.
-
The idea of ADFS definitely sounds cool - it would be awesome to not have to call the hospital when we hire a new employee; through ADFS our new employee just works. But the problems like Dustin had really kind of make it untenable if they are commonplace.
-
@Dashrender said in Microsoft Outage affected Federated Domains:
The idea of ADFS definitely sounds cool - it would be awesome to not have to call the hospital when we hire a new employee; through ADFS our new employee just works.
But you get that without ADFS as well.
-
So the way ADFS works (here) is that when a client attempts to access, say, email, they hit Microsoft, which forwards the request to our Exchange server to confirm the user details, and then our server redirects the request back to Microsoft to access email.
This is a long handshake. Just having autodiscover set up and configured so that Microsoft is syncing our details from Exchange, and allowing people to authenticate against what Microsoft has for email, is way "cleaner".
And way less of a headache (like the past 4 days).
-
@DustinB3403 said in Microsoft Outage affected Federated Domains:
So the way ADFS works (here) is that when a client attempts to access, say, email, they hit Microsoft, which forwards the request to our Exchange server to confirm the user details, and then our server redirects the request back to Microsoft to access email.
This is a long handshake. Just having autodiscover set up and configured so that Microsoft is syncing our details from Exchange, and allowing people to authenticate against what Microsoft has for email, is way "cleaner".
And way less of a headache (like the past 4 days).
Apparently that is what AD sync is for. Why are you using ADFS and not AD sync?
-
@DustinB3403 said in Microsoft Outage affected Federated Domains:
So the way ADFS works (here) is that when a client attempts to access, say, email, they hit Microsoft, which forwards the request to our Exchange server to confirm the user details, and then our server redirects the request back to Microsoft to access email.
This is a long handshake. Just having autodiscover set up and configured so that Microsoft is syncing our details from Exchange, and allowing people to authenticate against what Microsoft has for email, is way "cleaner".
And way less of a headache (like the past 4 days).
I suppose I see what you're saying; AD sync can give you this. So what other features of ADFS is @coliver getting that AD sync doesn't provide?
-
@Dashrender said in Microsoft Outage affected Federated Domains:
@DustinB3403 said in Microsoft Outage affected Federated Domains:
So the way ADFS works (here) is that when a client attempts to access, say, email, they hit Microsoft, which forwards the request to our Exchange server to confirm the user details, and then our server redirects the request back to Microsoft to access email.
This is a long handshake. Just having autodiscover set up and configured so that Microsoft is syncing our details from Exchange, and allowing people to authenticate against what Microsoft has for email, is way "cleaner".
And way less of a headache (like the past 4 days).
Apparently that is what AD sync is for. Why are you using ADFS and not AD sync?
I wasn't included in these conversations, I'm just the janitor looking to clean the mess.
-
@Dashrender said in Microsoft Outage affected Federated Domains:
@DustinB3403 said in Microsoft Outage affected Federated Domains:
So the way ADFS works (here) is that when a client attempts to access, say, email, they hit Microsoft, which forwards the request to our Exchange server to confirm the user details, and then our server redirects the request back to Microsoft to access email.
This is a long handshake. Just having autodiscover set up and configured so that Microsoft is syncing our details from Exchange, and allowing people to authenticate against what Microsoft has for email, is way "cleaner".
And way less of a headache (like the past 4 days).
I suppose I see what you're saying; AD sync can give you this. So what other features of ADFS is @coliver getting that AD sync doesn't provide?
I honestly have no clue what features are included. I haven't done anything (besides the work over these past 4 days) to try and find what was broken.
I'm not an Exchange guy.