When to Create an AD FS-Enabled Web Server

Applies To: Windows Server 2008

Create at least one Active Directory Federation Services (AD FS)–enabled Web server in the resource partner organization when you deploy any of the following AD FS designs:

The quickest way to get your federated applications up and running is to install and configure them on a single AD FS-enabled Web server. This way, you can set up a small-scale installation without performing the additional steps necessary to set up an AD FS-enabled Web server farm.

For more information about deploying federated applications, see Designing a Federated Application Strategy.

Why an AD FS-enabled Web server is required

An AD FS-enabled Web server provides the appropriate AD FS Web Agent software—either claims-aware agents or Windows token-based agents—that are necessary for authenticating and authorizing federated access to locally hosted, Web-based applications. AD FS-enabled Web servers use these web agents to consume security tokens and authentication cookies (to either allow or deny a user access to the protected application), taking into consideration application-specific access control settings. Web agents enforce application-based access control requirements by creating a security context in which the application can make the appropriate authorization decision.

For the AD FS-enabled Web server to know what tokens to accept, it must have a relationship with a federation server. This relationship is necessary so that all security tokens that are presented to the web agent (and destined for the application) are signed by that federation server (or any of the federation servers that represent that Federation Service). A signed security token indicates that the federation server has successfully verified the authenticity of the federated user.

To summarize, AD FS-enabled Web servers are a critical component of the AD FS infrastructure. AD FS Web Agents on these servers confirm that the incoming security tokens are signed by a valid federation server before they send federated access requests to the protected application.