Review the Role of the Federation Server Proxy in the Account Partner Organization

Applies To: Windows Server 2008

The role of the federation server proxy in the perimeter network of the account partner is to collect authentication credentials from a client that logs on over the Internet and to pass those credentials to the federation server, which is located inside the corporate network of the account partner. (The account for the client is stored in the account partner.) The federation server issues a security token to the federation server proxy, which then sends the token to the client. The security token is used to provide access for that client to a specific resource partner.

The federation server proxy uses a default client logon Web form (clientlogon.aspx) to collect password-based credentials through forms-based authentication. However, you can customize this form to accept other supported types of authentication, such as Secure Socket Layer (SSL) client authentication. For more information about how to customize this page, see Customizing Client Logon and Home Realm Discovery Pages ( A federation server proxy does not accept credentials through Windows Integrated authentication.


Exposing a federation server proxy on the account partner extranet will make the client logon Web form accessible by anyone with Internet access. This can potentially leave your organization vulnerable to some password-based attacks, such as dictionary or brute force attacks that can trigger account lockouts for those user accounts that are stored in the corporate Active Directory Domain Services (AD DS).

To summarize, a federation server proxy in the account partner acts as a proxy for client logons to a federation server that is located in the corporate network. The federation server proxy also facilitates the distribution of security tokens to Internet clients that are destined for resource partners.