Requirements for AD FS

Applies To: Windows Server 2008

Active Directory Federation Services (AD FS) has the following hardware and software requirements.

Hardware requirements

  • Processor speed: 133 megahertz (MHz) for x86-based computers

  • Recommended minimum RAM: 256 megabytes (MB)

  • Free disk space for setup: 10 MB

Software requirements

AD FS relies on server functionality that is built into Windows Server 2003 R2 and Windows Server 2008. The Federation Service, Federation Service Proxy, and AD FS Web Agent role services cannot run on earlier operating systems. This section describes the software requirements for each AD FS role service. It also describes the overall software configurations that are necessary for AD FS in your network environment.

Note

The Federation Service and Federation Service Proxy role services cannot coexist on the same computer.

Federation Service

Computers running the Federation Service must have the following software installed:

  • Windows Server 2003 R2, Enterprise Edition; Windows Server 2003 R2, Datacenter Edition; Windows Server 2008 Enterprise; or Windows Server 2008 Datacenter

  • Internet Information Services (IIS)

  • Microsoft ASP.NET 2.0

  • Microsoft .NET Framework 2.0

Note

After the Federation Service installation is completed, a default Web site in IIS must be configured with Transport Layer Security / Secure Sockets Layer (TLS/SSL).

AD DS and AD LDS account store requirements

AD FS requires the presence of user accounts in Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) for the account Federation Service. AD DS domain controllers or computers hosting the account stores must have one of the following operating systems installed:

  • Windows Server 2008

  • Windows Server 2003 R2

  • Windows Server 2003

  • Windows 2000 with Service Pack 4 (SP4) with critical updates

AD FS does not require schema changes or functional-level modifications to AD DS. To ensure that AD LDS works with AD FS, install the version of AD LDS that comes with Windows Server 2008.

Federation Service Proxy

Computers running the Federation Service Proxy must have the following software installed:

  • Windows Server 2003 R2, Enterprise Edition; Windows Server 2003 R2, Datacenter Edition; Windows Server 2008 Enterprise; or Windows Server 2008 Datacenter

  • IIS

  • ASP.NET 2.0

  • Microsoft .NET Framework 2.0

Note

After the Federation Service Proxy installation is completed, a default Web site in IIS must be configured with TLS/SSL.

AD FS Web Agent

Computers running the AD FS Web Agent—either the claims-aware agent or the Windows token-based agent—must have the following software installed:

  • Windows Server 2003 R2, Standard Edition; Windows Server 2003 R2, Enterprise Edition; Windows Server 2003 R2, Datacenter Edition; Windows Server 2008 Standard; Windows Server 2008 Enterprise; or Windows Server 2008 Datacenter

  • IIS

  • ASP.NET 2.0

  • Microsoft .NET Framework 2.0

Note

After the AD FS Web Agent installation is completed, at least one Web site in IIS must be configured with TLS/SSL so that federated users can access Web-based applications that are hosted on the AD FS-enabled Web server.

Trusted certification authorities

Because both TLS/SSL and token signing rely on digital certificates, certification authorities (CAs) are an important part of AD FS. Public CAs, such as VeriSign, Inc., act as a mutually trusted third party that vouches for the identity of the bearer of a certificate. You can use enterprise CAs, such as Microsoft Certificate Services, to provide token-signing and other internal certificate services.

If a client is presented with a server’s authentication certificate, the client computer verifies that the CA that issued the certificate is in the client’s list of trusted CAs and that the CA has not revoked that certificate. This verification ensures that the client has reached the intended server. When a certificate is used for verifying signed tokens, the client uses the certificate to verify that the token was issued by the correct federation server and that the token has not been tampered with.
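The client-side checks described above, as an added PowerShell example that is not part of this documentation: it connects to a federation server's TLS/SSL endpoint, then verifies that the certificate names the host that was requested, chains to a CA in the local computer's trusted CA list, and has not been revoked by that CA. The host name fs.contoso.example is a placeholder assumption.

```powershell
# Added example, not from the original documentation. $FederationServer is a
# placeholder assumption; replace it with the name of your federation server.
param(
    [string]$FederationServer = 'fs.contoso.example'
)

$tcp = New-Object System.Net.Sockets.TcpClient($FederationServer, 443)
# Accept the handshake here only so the certificate can be retrieved for inspection;
# the real trust decision is made explicitly with X509Chain below.
$acceptForInspection = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptForInspection)
try {
    $ssl.AuthenticateAsClient($FederationServer)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $ssl.Close()
    $tcp.Close()
}

# 1. Did we reach the intended server? Compare the certificate's DNS name with the
#    name we asked for (GetNameInfo returns the first DNS name, so a certificate
#    with several subject alternative names needs a fuller comparison).
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
$nameMatches = ($dnsName -ieq $FederationServer)

# 2. Does the certificate chain to a trusted CA, and has no CA in the chain revoked it?
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainValid = $chain.Build($cert)

# Report the outcome; any non-empty Problems value names the failed check
# (for example UntrustedRoot, Revoked, RevocationStatusUnknown, NotTimeValid).
New-Object PSObject -Property @{
    Subject     = $cert.Subject
    Issuer      = $cert.Issuer
    NotAfter    = $cert.NotAfter
    NameMatches = $nameMatches
    ChainValid  = $chainValid
    Problems    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```

Both NameMatches and ChainValid must be True for the certificate to pass the checks a client performs; a True ChainValid with a False NameMatches means the certificate is trusted but was issued for a different host.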

TCP/IP network connectivity

For AD FS to function, TCP/IP network connectivity must exist between the client; a domain controller; and the computers that host the Federation Service, the Federation Service Proxy (when it is used), and the AD FS Web Agent.

DNS

For the purpose of authenticating users in the intranet, internal Domain Name System (DNS) servers in the intranet forest must be configured to return the canonical name (CNAME) of the internal server that is running the Federation Service. For best results, do not use hosts files in place of DNS.

Web browser

Although any current Web browser with JScript enabled should work as an AD FS client, only Internet Explorer 7, Internet Explorer 6, Internet Explorer 5 or 5.5, Mozilla Firefox, and Safari on Apple Macintosh have been tested by Microsoft. For performance reasons, it is highly recommended that JScript be enabled. Cookies must be enabled—or at least trusted—for the federation servers and Web applications that are being accessed.