Enable Enhanced Identity Privacy

Applies To: Windows Server 2008

Enhanced identity privacy is an optional setting that you can configure on a resource partner in the account Federation Service in an Active Directory Federation Services (AD FS) deployment. This setting hashes the user-name portion of outgoing user principal name (UPN) claims and e-mail claims. It substitutes the common name with a random value. If you select the Enable enhanced identity privacy option in AD FS, the resource partner will not be able to correlate identity claims to personally identifiable user information.

The enhanced identity privacy setting affects the information that is sent in identity claims, based on the claim type that is being used to transfer the user identity, as follows:

  • UPN and e-mail claim types: The user component of the UPN or e-mail address is hashed, and the hash replaces the user component in the identity claim of the security token. In this way, each resource partner can uniquely identify each user without learning the user's true identity.

  • Common name claim types: The common name identity claim is populated with a randomly generated, globally unique identifier (GUID), which ensures that the identity claim is unique per session with the resource partner and that multiple sessions by the same user cannot be tracked.

Enable this setting if you want to:

  • Prevent collusion between partners in correlating identity claims to personally identifiable user information.

  • Prevent simple dictionary attacks against the user-name hash.

For more information about the effects of enhanced identity privacy, see Review How AD FS May Affect Privacy.
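The following Python script is an added illustration of the two claim transformations described above and of the two goals listed (no correlation between partners, no simple dictionary matching of the user-name hash). It is not AD FS code, and this page does not say what input AD FS feeds into its hash; the script assumes a keyed hash (HMAC-SHA256) with a constructed per-partner secret, because that choice produces exactly the properties the page describes. The partner names, secrets and the user alice@contoso.example are constructed sample values.

```python
import hashlib
import hmac
import uuid


# Constructed per-partner secrets. The page does not describe what AD FS
# hashes the user name with; a keyed hash with a partner-specific secret is
# this example's assumption, chosen because it yields the properties above.
PARTNER_SECRETS = {
    "partner-a.example.com": b"constructed-secret-for-partner-a",
    "partner-b.example.com": b"constructed-secret-for-partner-b",
}


def hash_user_component(identity: str, partner: str) -> str:
    """Replace the user component of a UPN or e-mail address with a keyed hash.

    The domain suffix is kept so the resource partner still sees the user's
    realm, while the user name itself is no longer recoverable from the claim.
    """
    user, sep, domain = identity.partition("@")
    if not sep or not user or not domain:
        raise ValueError(f"not a UPN or e-mail address: {identity!r}")
    key = PARTNER_SECRETS[partner]
    digest = hmac.new(key, user.lower().encode("utf-8"), hashlib.sha256)
    return f"{digest.hexdigest()}@{domain}"


def random_common_name() -> str:
    """Common name claim: a fresh GUID per session, so sessions cannot be linked."""
    return str(uuid.uuid4())


def build_identity_claims(upn: str, email: str, partner: str) -> dict:
    """Outgoing identity claims for one session with one resource partner."""
    return {
        "upn": hash_user_component(upn, partner),
        "email": hash_user_component(email, partner),
        "commonname": random_common_name(),
    }


def same_user_across_sessions(upn: str, partner: str) -> bool:
    """A partner can still recognize a returning user (stable UPN pseudonym)
    while the common name changes every session."""
    first = build_identity_claims(upn, upn, partner)
    second = build_identity_claims(upn, upn, partner)
    return first["upn"] == second["upn"] and first["commonname"] != second["commonname"]


def partners_can_correlate(upn: str, partner_a: str, partner_b: str) -> bool:
    """Collusion check: do two partners receive the same pseudonym for one user?"""
    return hash_user_component(upn, partner_a) == hash_user_component(upn, partner_b)


def is_unkeyed_digest(hashed_identity: str, candidate_user: str) -> bool:
    """Check whether a pseudonym is merely SHA-256 of a guessed user name, which a
    precomputed dictionary could match. A keyed hash should never match this."""
    digest, _, _ = hashed_identity.partition("@")
    return digest == hashlib.sha256(candidate_user.lower().encode("utf-8")).hexdigest()


if __name__ == "__main__":
    upn = "alice@contoso.example"  # constructed sample user
    claims = build_identity_claims(upn, upn, "partner-a.example.com")
    print(claims)
    print("stable per partner:", same_user_across_sessions(upn, "partner-a.example.com"))
    print("partners can correlate:",
          partners_can_correlate(upn, "partner-a.example.com", "partner-b.example.com"))
    print("plain-hash guessable:", is_unkeyed_digest(claims["upn"], "alice"))
```

The design point is the per-partner key: it is what makes the pseudonym stable for one partner (so authorization and auditing still work there) yet different at every other partner, which is the property that defeats the collusion scenario in the first bullet. The `is_unkeyed_digest` check is the kind of test a reviewer would run against any pseudonymization scheme to confirm the claim is not a bare hash that could be matched against a list of likely user names.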

Perform this procedure on an account federation server.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To enable enhanced identity privacy on a resource partner

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, and then double-click Resource Partners.

  3. Right-click the resource partner that will begin using enhanced identity privacy, and then click Properties.

  4. On the General tab, click Enable enhanced identity privacy, and then click OK.