Configure an Account Partner to Use Windows Trust

Applies To: Windows Server 2008

You must configure the account partner to select the domains that are to be included in the trust relationship. For example, if a Windows Server 2008 forest trust is in place from the resource partner forest to the account partner forest, the trust is transitive to all domains in the trusted account forest.

If you want to grant access to resources in the resource forest to users in only some domains in the account forest, you can specify only those domains. Otherwise, you can allow all trusted domains (all domains in the account forest and any forest that is trusted by the account forest) to be granted access.

Use the following procedure to enable Windows trust for the account partner that will participate in the Federated Web SSO with Forest Trust design scenario.

Perform this procedure on a federation server in the resource partner organization.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

To configure an account partner to use Windows trust

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, and then double-click Account Partners.

  3. Right-click the account partner that you want to configure to use Windows trust, and then click Properties.

  4. On the Windows Trust tab, click Use Windows trust relationship.

  5. In Trusted Active Directory Domain Services (AD DS) domains and forests, do one of the following, and then click OK:

    • If you want to allow federated access to users in all trusted domains in the account partner forest and in any forest that is trusted by the account partner forest, click All AD DS domains and forests, and then click OK.

    • If you want to name only the domains where you want to allow federated access, click Specified AD DS domains and forests (press Enter to separate entries). Type a domain name, press ENTER, and then repeat this action to add each domain in the account partner forest and in any other trusted forests for the users that you want to grant access to resources.

Additional references

Configure a Resource Partner to Use Windows Trust