Configure a Resource Partner to Use Windows Trust

Applies To: Windows Server 2008

Use the following procedure to enable Windows trust for a resource partner in an Active Directory Federation Services (AD FS) Federated Web SSO with Forest Trust scenario.


When you enable the Windows trust option in the account Federation Service, you are sending actual security identifiers (SIDs) to the resource partner organization over the Internet, which may be a security risk. These SIDs are packaged in the AD FS Security Assertion Markup Language (SAML) token. Therefore, enable this option only when you are using the Federated Web SSO with Forest Trust design. This design is meant to establish secure communication within the same organization.

Perform this procedure on an account federation server.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

To configure a resource partner to use Windows trust

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, and then double-click Resource Partners.

  3. Right-click the resource partner for which you want to configure Windows trust, and then click Properties.

  4. On the General tab, click Use Windows trust relationship for this partner, and then click OK.

Additional references

Configure an Account Partner to Use Windows Trust