Adding a New Federation Server

Applies To: Windows Server 2003 R2

When you add a new federation server to an existing Active Directory Federation Services (ADFS) deployment, you must configure the server as an application server, install and configure certificates, and install the Federation Server component of ADFS according to the server farm implementation method that you are using. You can also set event logging according to the server's needs.

Task requirements

You need the following to perform the procedures for this task:

Note

If an existing server image is being used to prepare the additional federation server, procedures in this task are not required. Use your imaging software to create a new federation server.

  • An installed Secure Sockets Layer (SSL) certificate. For information about how to acquire SSL certificates, see Obtaining Server Certificates (https://go.microsoft.com/fwlink/?LinkId=62479).

  • If the token-signing certificate is shared among servers in the server farm, an existing token-signing certificate for the Federation Service.

  • An existing Federation Service.

  • The location of the shared Trustpolicy.xml file for the Federation Service.

To complete this task, perform the following procedures:

  1. Install prerequisite applications.

  2. If an existing token-signing certificate private key is shared among the servers in the server farm, go to step 3.

    If a new token-signing certificate is to be installed into the local certificate store on the new server, install a token-signing certificate on the new server, as follows:

    • If you are using Microsoft Certificate Services as an enterprise certification authority (CA), obtain a new client authentication certificate. For more information about obtaining a client authentication certificate, see Submit an advanced certificate request via the Web to a Windows Server 2003 CA (https://go.microsoft.com/fwlink/?LinkId=64020). Specify installing the certificate into the local certificate store.

    • If you are using a different enterprise CA or a public CA, follow the instructions provided by the CA.

    • Alternatively, create a self-signed token-signing certificate.

  3. Configure the token-signing certificate according to the method of server farm implementation you are using:

    • If you installed a separate token-signing certificate into the local certificate store and are not sharing the private key, no other certificate configuration is required prior to Federation Service installation.

    • If you are sharing the public and private portions of the same certificate that has been provided by a public certification authority (CA), import the certificate to the local certificate store prior to Federation Service installation. For instructions to import the certificate, see Import a certificate (https://go.microsoft.com/fwlink/?linkid=20040).

    • If you are sharing the public and private portions of the same exportable certificate that has been provided by an enterprise CA, import the private key into the local certificate store by performing the following procedures prior to Federation Service installation:

      • Export the private key portion of a token-signing certificate.

      • Import a certificate (https://go.microsoft.com/fwlink/?linkid=20040).

  4. Install the Federation Service on an additional federation server.

  5. Configure event logging on a federation server.
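Before running the Federation Service installation in step 4, it is worth confirming that the token-signing certificate prepared in steps 2 and 3 actually landed in the local computer store with its private key, since a public-only import is the most common reason a new farm member cannot sign tokens. The following script is an added example, not part of the original article or of ADFS itself. It assumes Windows PowerShell is installed on the new federation server (it is not part of a default Windows Server 2003 R2 installation) and that you know the thumbprint of the token-signing certificate the existing farm members use; the thumbprint value in the script is a constructed placeholder.

```powershell
# Added example (not from the original article). Assumes Windows PowerShell
# is installed on the new federation server and that you know the thumbprint
# of the farm's token-signing certificate. The default below is a placeholder.
param(
    [string] $ExpectedThumbprint = "0000000000000000000000000000000000000000"
)

function Test-TokenSigningCertificate {
    param([string] $Thumbprint)

    # Normalise the thumbprint to the form the Cert: provider displays
    # (upper-case hex, no spaces or separators).
    $Thumbprint = ($Thumbprint -replace "[^0-9A-Fa-f]", "").ToUpper()

    # The Federation Service reads its certificates from the local computer
    # Personal store, so that is the only store checked here.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }

    if ($cert -eq $null) {
        Write-Host "FAIL: no certificate with thumbprint $Thumbprint in LocalMachine\My."
        Write-Host "      Import the token-signing certificate (step 3) before installing the Federation Service."
        return $false
    }

    $ok = $true

    # Tokens are signed with this certificate, so the private key must be
    # present locally; a public-part-only import is not sufficient.
    if (-not $cert.HasPrivateKey) {
        Write-Host "FAIL: certificate found, but no private key is associated with it."
        $ok = $false
    }

    $now = Get-Date
    if ($cert.NotAfter -lt $now) {
        Write-Host ("FAIL: certificate expired on {0}." -f $cert.NotAfter)
        $ok = $false
    } elseif ($cert.NotAfter -lt $now.AddDays(30)) {
        Write-Host ("WARN: certificate expires within 30 days ({0})." -f $cert.NotAfter)
    }

    if ($cert.NotBefore -gt $now) {
        Write-Host ("FAIL: certificate is not valid until {0}." -f $cert.NotBefore)
        $ok = $false
    }

    # Print the identifying fields so they can be compared, by eye, with the
    # certificate on the other farm members.
    Write-Host ("Subject:    {0}" -f $cert.Subject)
    Write-Host ("Issuer:     {0}" -f $cert.Issuer)
    Write-Host ("Thumbprint: {0}" -f $cert.Thumbprint)
    Write-Host ("Valid:      {0} to {1}" -f $cert.NotBefore, $cert.NotAfter)

    return $ok
}

if (Test-TokenSigningCertificate -Thumbprint $ExpectedThumbprint) {
    Write-Host "PASS: token-signing certificate is ready for Federation Service installation."
}
```

Run it as an administrator with the farm's thumbprint as the argument (for example `.\Check-TokenSigningCert.ps1 -ExpectedThumbprint <thumbprint>`, where the file name is your own choice). When the farm shares one certificate, the thumbprint, subject and issuer printed here should match on every federation server; when each server has its own token-signing certificate (the first option in step 3), only the private-key and validity checks apply.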

See Also

Concepts

Implementing a Server Farm of Federation Servers

Removing a Federation Server

Adding a New Federation Server Proxy