Federation Service

Applies To: Windows Server 2008

The Federation Service is a component of Active Directory Federation Services (AD FS) that can be installed independently from other AD FS components. The Federation Service functions as a security token service (STS).


The following is a list of all aspects that are part of this managed entity:

Name Description

AD FS Access Over Windows Trusts

When a Windows trust exists between two Active Directory forests, the user accounts in one forest can access a Windows NT token-based application in another forest, which eliminates the need for resource accounts. Windows trusts enable service administrators to create or extend collaborative relationships between two or more domains or forests.

AD FS Claim Transform Module

You can use a claim transform module when existing claim rules are not sufficient to generate claims that meet user requirements. You configure a claim transform module in the custom module settings in the trust policy.

Client Certificate Authentication

Clients must authenticate to a federation server by presenting a client authentication certificate. Authentication is granted when the federation server accepts a client authentication certificate from a federation server proxy.

Federation Service Auditing

The Federation Service uses auditing to record success and failure audits, such as audits that are written when tokens are created and received.

Federation Service Authentication Web Pages

The Federation Service provides Web pages that prompt the user to select an appropriate account partner to which the user can authenticate. The Federation Service also provides Web pages that prompt for the user’s credentials, such as a user name and password, for forms-based authentication. A Web page is also provided that supports Windows Integrated authentication and Secure Sockets Layer (SSL) client certificate authentication.

Federation Service Malformed Requests

Federation Service Malformed Requests logs information about incorrectly configured or missing data values that reside in the trust policy, along with information about client cookie issues and sign-on issues.

Federation Service Proxy Communication

Successful communication between federation servers and federation server proxies can depend largely on whether client authentication certificates are valid or are configured correctly.

Trust Policy and Configuration

The Active Directory Federation Services (AD FS) trust policy file defines the set of parameters that a Federation Service requires to identify partners, certificates, account stores, claims, and the various properties of these entities that are associated with the Federation Service.
