With Windows Server 2012 R2 and Windows 8.1, Microsoft starts to simplify BYOD (Bring Your Own Device) scenarios.

Indeed, on Windows 8.1 (this is not available on Windows 8, so upgrade your Windows 8 device for free), a new feature called Workplace Join allows end users to connect to and use corporate resources without being obliged to join the domain. The device is registered in Active Directory and receives a device certificate, which ADFS can then use to authenticate the device and issue device claims, but it does not become a domain member and does not receive Group Policy.


Prerequisites

To be able to use this feature, the following is required:

  • Windows 8.1 client (of course); all editions have this feature available
  • Windows Server 2012 R2; this is needed to host ADFS, as the Device Registration Service that backs Workplace Join is only part of this ADFS version
  • Public DNS records that point to your ADFS server, for both the federation service name and enterpriseregistration.<your UPN suffix>, which is the name the client looks up during the join
  • SSL certificate issued for these DNS names (common name plus subject alternative names), trusted by the devices that will join

ADFS Installation and Configuration

  • You must have a certificate available to configure ADFS. If you are using an internal certificate authority, the certificate of this CA must be deployed in the Trusted Root (or Enterprise Trust) store of every device that will join; since BYOD devices are not domain members and will not receive it automatically, it is of course recommended to use a certificate issued by a public authority, like Digicert http://digicert.com/
    • You must define 2 names on the certificate: adfs.corporatedomain.com and enterpriseregistration.corporatedomain.com. Of course, replace corporatedomain.com with your own public domain, as well as the host name (adfs or enterpriseregistration); I am using these ones for better understanding
  • Deploy Windows Server 2012 R2 and add the ADFS role. I recommend enabling the .NET Framework manually first, as you may get errors during the installation through Server Manager otherwise; see http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=358 to enable the .NET Framework
  • Enable ADFS


  • Configure ADFS and follow the wizard


  • As this server is the first ADFS server, I am choosing Create the first federation server in a federation server farm; of course, if you already have an ADFS farm deployed on Windows Server 2012 R2 (always use the same ADFS version across a farm), choose the second option, Add a federation server to a federation server farm


  • Ensure the user account used to connect to your AD has the appropriate permissions; the wizard writes the ADFS configuration into Active Directory, so by default this needs a Domain Admin account


  • Select the certificate to use and define the display name; the Federation Service name is automatically filled in from the subject name of the selected certificate


  • Define the managed service account to use for running ADFS; you can choose an existing one or create a new one. In my case, I had already created a group managed service account with the PowerShell commands below. If you want to create it manually, open a Windows PowerShell window (always run as administrator) and execute the following commands
    • Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) (this is only needed once per forest; the EffectiveTime in the past makes the KDS root key usable immediately instead of waiting the normal 10 hours for it to replicate to all domain controllers, which is fine for a lab but in production you should create the key without this parameter and wait)
    • New-ADServiceAccount FsGmsa -DNSHostName <ADFS URL used when generating the certificate; the same one defined in the wizard> -ServicePrincipalNames http/<ADFS URL used when generating the certificate; the same one defined in the wizard>



  • Review the configuration summary to ensure you set all settings correctly


  • After the prerequisite checks have passed, finalize the configuration


Enable Device Registration

Once ADFS has been installed and configured, you must enable the feature called Device Registration Service (DRS), the ADFS component that enrolls Workplace Joined devices.

To do so, open a Windows PowerShell window (run as administrator) and execute the following commands:

  • Initialize-ADDeviceRegistration; when prompted, enter the managed service account defined during the ADFS configuration step, here <your domain>\fsgmsa$. This prepares Active Directory for device registration (it creates the container that will hold the registered device objects and grants the service account rights on it)


  • Enable-AdfsDeviceRegistration


  • Finally, open the ADFS console, go to Authentication Policies, edit the global primary authentication settings and tick the Enable device authentication option; without it ADFS registers devices but never asks them for their device certificate


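The same server-side setup as the wizard and console steps above, written as an added PowerShell example so it can be repeated on a second farm or reviewed before it is run. This is not code from the original post; the names adfs.corporatedomain.com, enterpriseregistration.corporatedomain.com, the gMSA FsGmsa and the NetBIOS domain CORP are assumptions, and the certificate is assumed to already be in the machine store with its private key.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the
# future ADFS server, as a Domain Admin. All names below are assumptions to replace.
$FederationServiceName = 'adfs.corporatedomain.com'                   # assumed
$DrsName               = 'enterpriseregistration.corporatedomain.com' # assumed SAN
$GmsaName              = 'FsGmsa'                                     # assumed gMSA name
$DomainNetbios         = 'CORP'                                       # assumed NetBIOS name

Install-WindowsFeature RSAT-AD-PowerShell, ADFS-Federation -IncludeManagementTools | Out-Null

# 1. Pick the SSL certificate and refuse to continue unless BOTH names are in its SAN:
#    a certificate issued only for the federation service name configures fine and
#    still breaks Workplace Join, because the client connects to the DRS name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$FederationServiceName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $FederationServiceName" }
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # Subject Alternative Name
$san = if ($sanExt) { $sanExt.Format($false) } else { '' }
foreach ($name in $FederationServiceName, $DrsName) {
    if ($san -notmatch [regex]::Escape($name)) {
        throw "Certificate $($cert.Thumbprint) does not list $name in its SAN: '$san'"
    }
}

# 2. Group managed service account. The KDS root key is created once per forest;
#    the EffectiveTime in the past skips the 10-hour replication wait (lab only).
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
}
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName $FederationServiceName `
        -ServicePrincipalNames "http/$FederationServiceName"
}
$gmsaIdentity = "$DomainNetbios\$GmsaName`$"   # CORP\FsGmsa$

# 3. First federation server of the farm (the "Create the first federation server" path).
Install-AdfsFarm `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $FederationServiceName `
    -FederationServiceDisplayName 'Corporate ADFS' `
    -GroupServiceAccountIdentifier $gmsaIdentity `
    -Credential (Get-Credential -Message 'Domain Admin account used to configure ADFS')

# 4. Device Registration Service: prepare AD, enable DRS, and turn on device
#    authentication (the checkbox under Authentication Policies in the console).
Initialize-ADDeviceRegistration -ServiceAccountName $gmsaIdentity
Enable-AdfsDeviceRegistration
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# 5. Show the resulting DRS configuration (container location, inactivity period).
Get-AdfsDeviceRegistration
```

The SAN check in step 1 is the part worth keeping even if you prefer the wizards: the wizard only validates the federation service name, and a missing enterpriseregistration name is the most common reason a join fails after an otherwise healthy ADFS installation.
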
Verify ADFS is working

  • Open your web browser and enter the following URL: https://<ADFS URL>/federationmetadata/2007-06/federationmetadata.xml
  • If ADFS is working fine you should get an XML result like this one


  • or enter the following URL to display the ADFS login page: https://<ADFS URL>/adfs/ls/idpinitiatedsignon.htm


Enable HTTPS binding on IIS

  • Open the IIS Manager console and browse to the Default Web Site
  • Click on the Bindings link under the Edit Site section on the right-hand side


  • Click on the Add button


  • Select https as the binding type and choose the ADFS certificate


If you don't configure this binding, the join fails on the client with an error stating that the workplace is not working: "Confirm you are using the correct sign-in info, and that your workplace uses this feature. Also, the connection to your workplace might not be working right now. Please wait and try again."


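The checks from the two sections above, as an added PowerShell example (not code from the original post) to run from a machine that is not domain-joined, which is the position a BYOD device is in. It assumes the names adfs.corporatedomain.com and enterpriseregistration.corporatedomain.com and the DRS discovery path /EnrollmentServer/contract; replace them with your own.

```powershell
# Added example (not from the original post). Run from a non-domain-joined client.
$FederationServiceName = 'adfs.corporatedomain.com'                   # assumed
$DrsName               = 'enterpriseregistration.corporatedomain.com' # assumed

# 1. Both names must resolve from where the device is. Workplace Join builds the
#    second one from the UPN suffix the user types in, so a missing or wrong
#    enterpriseregistration record is the usual cause of the error quoted above.
foreach ($name in $FederationServiceName, $DrsName) {
    $addresses = [System.Net.Dns]::GetHostAddresses($name)
    if (-not $addresses) { throw "$name does not resolve" }
    '{0} -> {1}' -f $name, (($addresses | ForEach-Object { $_.IPAddressToString }) -join ', ')
}

# 2. Federation metadata over TLS. Invoke-WebRequest validates the chain, so an
#    internal CA this machine does not trust fails here, exactly as in the join.
$metadataUri = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUri -UseBasicParsing).Content
"Federation Service entityID: $($metadata.EntityDescriptor.entityID)"

# 3. The certificate presented on the DRS host must carry that name in its SAN.
#    The validation callback deliberately accepts any chain here: trust was already
#    checked in step 2, and we want to read the certificate even if it is wrong.
$tcp = New-Object System.Net.Sockets.TcpClient($DrsName, 443)
$acceptAll = ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback])
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($DrsName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san = if ($sanExt) { $sanExt.Format($false) } else { '' }
if ($san -notmatch [regex]::Escape($DrsName)) {
    throw "Certificate $($cert.Thumbprint) presented on $DrsName does not list it in SAN: '$san'"
}
"Certificate on ${DrsName}: $($cert.Subject), SAN: $san"

# 4. DRS discovery document, fetched the same way the Windows 8.1 client does
#    (path assumed from the Device Registration Discovery protocol). A 200 with
#    JSON means the service behind the name is really the DRS endpoint.
$drsUri = "https://$DrsName/EnrollmentServer/contract?api-version=1.0"
Invoke-RestMethod -Uri $drsUri -UseBasicParsing
```

On the ADFS server itself, Get-AdfsSslCertificate lists the SSL bindings that ADFS and the Device Registration Service use, with host name, port and certificate hash; it is a quicker way to confirm the certificate is bound for both host names than browsing the IIS console.
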
Connect your device using Workplace Join

My Windows 8.1 device is not a member of the Active Directory domain.


  • Open Settings from the Charms bar (this is not available through the Windows Control Panel) and click on Change PC settings


  • Go to Network and choose Workplace


  • Enter your Active Directory credentials and choose Join. Make sure you use a UPN with your public suffix (like user@corporatedomain.com): the client looks up enterpriseregistration.<UPN suffix> to find the Device Registration Service, so a UPN with an internal-only suffix will not find the DNS record created earlier


  • You will then get the ADFS authentication form


You should also see the following event in the Event Viewer of the ADFS server, under the Applications and Services Logs\Device Registration Service\DRS/Admin tree:

Log Name:      DRS/Admin
Source:        Device Registration Service
Date:          11/18/2013 4:37:58 PM
Event ID:      149
Task Category: None
Level:         Information
Keywords:      Device Enrollment
User:          FsGmsa$
Computer:      <ADFS Server>
Description:
Successfully enrolled device for user <user logon>.
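
What a successful join leaves behind on the server side, as an added PowerShell example (not code from the original post): the event ID 149 records in DRS/Admin and the device objects the Device Registration Service created in Active Directory. It assumes the default RegisteredDevices container at the root of the domain, the msDS-Device attribute names as I know them (check them against your schema), and a 90-day staleness threshold.

```powershell
# Added example (not from the original post). Step 1 runs on the ADFS server;
# step 2 needs the Active Directory PowerShell module against a DC.

# 1. Event ID 149 in DRS/Admin is the "Successfully enrolled device" record above.
Get-WinEvent -LogName 'DRS/Admin' -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 149 } |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize -Wrap

# 2. Every join creates an msDS-Device object. These are accounts: review them,
#    tie them to an owner, and disable the ones that are no longer in use.
Import-Module ActiveDirectory
$container = "CN=RegisteredDevices,$((Get-ADDomain).DistinguishedName)"   # assumed default location
$props = 'displayName', 'msDS-DeviceID', 'msDS-RegisteredOwner', 'msDS-DeviceOSType',
         'msDS-DeviceOSVersion', 'msDS-IsEnabled', 'whenCreated', 'msDS-ApproximateLastLogonTimeStamp'
$devices = Get-ADObject -SearchBase $container -Filter 'objectClass -eq "msDS-Device"' -Properties $props

function ConvertTo-DateTimeOrNull($value) {
    # Large-integer timestamps come back as Int64 FILETIME; accept DateTime too.
    if ($null -eq $value) { return $null }
    if ($value -is [datetime]) { return $value }
    try { [datetime]::FromFileTimeUtc([int64]$value) } catch { $null }
}

function Resolve-Owner($owner) {
    # msDS-RegisteredOwner holds the owner's SID; fall back to the raw value.
    try { ([System.Security.Principal.SecurityIdentifier]"$owner").Translate([System.Security.Principal.NTAccount]).Value }
    catch { "$owner" }
}

$report = $devices | ForEach-Object {
    [pscustomobject]@{
        Device     = $_.displayName
        DeviceId   = $_.'msDS-DeviceID'
        OS         = "$($_.'msDS-DeviceOSType') $($_.'msDS-DeviceOSVersion')".Trim()
        Owner      = (@($_.'msDS-RegisteredOwner') | ForEach-Object { Resolve-Owner $_ }) -join ', '
        Enabled    = $_.'msDS-IsEnabled'
        Registered = $_.whenCreated
        LastUsed   = ConvertTo-DateTimeOrNull $_.'msDS-ApproximateLastLogonTimeStamp'
    }
}
$report | Sort-Object Registered -Descending | Format-Table -AutoSize

# 3. Devices not seen for 90 days (assumed threshold) are candidates for disabling.
#    The certificate stays on the laptop; only the AD object stops it authenticating.
$stale = $report | Where-Object { $_.Enabled -and $_.LastUsed -and $_.LastUsed -lt (Get-Date).AddDays(-90) }
$stale | Format-Table Device, Owner, LastUsed -AutoSize
# To disable one:  Set-ADObject -Identity <device DN> -Replace @{ 'msDS-IsEnabled' = $false }
```

Registered devices deserve the same lifecycle as user accounts: when an employee leaves, or a laptop is lost, the msDS-Device object is what you disable, since the device certificate issued during the join remains on the device until it expires.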