Configure the Security Token Protection Method for a Federated Application

Applies To: Windows Server 2008

Security tokens that are received by Active Directory Federation Services (AD FS) federation servers are protected during transit by one of two methods:

  • Public key infrastructure (PKI): A PKI is implemented as a hierarchy of certification authorities (CAs) that verify identities. When a PKI is in place, a signature is embedded into the token that protects the token from tampering.

  • Domain service account: A domain service account, which is identified by a service principal name (SPN), runs under an account that is trusted for delegation and can impersonate a client to gain access to resources. By default, this account is the Internet Information Services (IIS) application pool identity that hosts a claims-aware application and the identity of the AD FS Web Agent Authentication Service that hosts a Windows NT token–based application. When a token is transferred in a domain service account with this setting, the token contains a binary Kerberos V5 signature for the configured SPN. This signature protects the token from tampering.

You can use the following procedure to change the security token protection method for a federated application on a resource federation server.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

To change the security token protection method for a federated application

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Trust Policy, double-click My Organization, and then double-click Applications.

  3. Right-click the application whose security token protection method you want to change, and then click Properties.

  4. On the General tab, under Security token protection method, do one of the following, and then click OK:

    • If your deployment uses certificates that are issued by a CA, select Public Key Infrastructure (PKI).

    • If your deployment does not use certificates that are issued by a CA, select Domain service account and then, in service principal name (SPN) of service account, type the SPN of the account.

Additional references

Determine Your Security Token Protection Method