When to Create an AD FS-Enabled Web Server Farm

Applies To: Windows Server 2008

You create an Active Directory Federation Services (AD FS)-enabled Web server farm when you want to balance the load of incoming federated access requests that are made to one or more protected applications. The obvious benefits that can be obtained from a Web server farm are fault tolerance for the hosted applications and a possible increase in client-side browser performance. To client computers, the Web server farm performs like a single Web server servicing a highly scalable federated application.

If you are thinking about creating a Web server farm solely to increase performance, consider whether it might be better to optimize the hardware or software performance of a single Web server before adding the additional costs and administrative overhead that are associated with synchronizing data between two or more Web servers.

You can use a network load-balancing service, such as the Microsoft Network Load Balancing (NLB) service that is included in Windows Server 2008 operating systems, to create and manage your AD FS-enabled Web server farm. The number of Web servers required to support your federated applications is determined largely by the type and complexity of the applications and by their client connection-state requirements (stateless as opposed to stateful).

Guidelines for creating server farms for federated applications using NLB are similar to the guidelines for creating server farms for nonfederated Web applications running on Internet Information Services (IIS). For more information about using nonfederated Web applications with NLB, see Identifying Applications That Benefit from NLB (http://go.microsoft.com/fwlink/?LinkId=74610).

Taken together with the guidance in this topic, the recommendations in the NLB deployment documentation should give you enough information to determine whether your federated applications can benefit from the improved scalability and availability that an AD FS-enabled Web server farm environment provides.

Configuring servers in the farm

Creating an AD FS-enabled Web server farm involves more than just placing the Web servers in a resource partner organization and then configuring NLB clustering. The following table provides additional guidance for identically configuring each of the AD FS-enabled Web servers in a farm.

To configure the: Claims-aware agent in the web.config file for the protected application
To: Point to the same Federation Service URL for each AD FS-enabled Web server in the farm
See: Configure Web.config to Use the Claims-Aware Agent

To configure the: Windows token-based agent in the properties of IIS
To: Point to the same Federation Service URL for each AD FS-enabled Web server in the farm
See: Configure the Windows Token-Based Agent

To configure the: Server authentication certificate
To: Export the private key so that the same server authentication certificate can be assigned to each AD FS-enabled Web server in the farm
    Note: Most certificates that are issued by certification authorities (CAs) can be used on multiple computers without first being exported because they are already preconfigured as exportable. If this is the case in your scenario, you do not have to perform this procedure.
    There is no requirement to use the same certificate on all AD FS-enabled Web servers as long as all Web servers in the farm have a certificate that is issued by the same CA and each of the certificates has a matching “subject name” field.
See: Export the Private Key Portion of a Server Authentication Certificate

To configure the: Server authentication certificate
To: Install on the appropriate Web site or virtual directory where your federated application will reside (for an example of how to do this using the default Web site, see the following link)
See: Import a Server Authentication Certificate to the Default Web Site
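The table above states two farm-wide invariants: every node's claims-aware agent must point at the same Federation Service URL, and every node's server authentication certificate must come from the same CA with a matching subject name (or be the same exported certificate). The following PowerShell script is an added example written for this page, not part of the TechNet procedure, that checks both invariants across the farm from one administrative workstation. It assumes placeholder host names and a placeholder web.config path reachable over the C$ administrative share, that the claims-aware agent keeps the Federation Service URL in the <fs> element under <system.web><websso> in web.config, and that remote certificate stores can be opened with the "\\server\My" store-name form of the .NET X509Store class (which requires remote registry access and administrator rights on each node).

```powershell
# Added example (not from the TechNet page): verify that every AD FS-enabled
# Web server in the farm is configured identically.
# Assumptions (all placeholders; adjust for your environment):
#   - $FarmMembers lists the farm's host names.
#   - $WebConfigPath is the path, below the C$ admin share, to the protected
#     application's web.config on each node (the page gives no path).
#   - The claims-aware agent stores the Federation Service URL in
#     <configuration><system.web><websso><fs> in web.config.
#   - Remote machine stores are opened with the "\\server\My" store-name
#     syntax of X509Store (needs remote registry access and admin rights).

$FarmMembers     = @("adfsweb1", "adfsweb2", "adfsweb3")      # placeholder names
$WebConfigPath   = 'c$\inetpub\wwwroot\claimapp\web.config'   # placeholder path
$ExpectedSubject = "CN=adfsweb.example.com"                    # placeholder subject

$results = @()

foreach ($server in $FarmMembers) {
    $row = New-Object PSObject -Property @{
        Server = $server; FsUrl = $null; CertSubject = $null
        CertIssuer = $null; Thumbprint = $null; Error = ""
    }

    # 1. Federation Service URL used by the claims-aware agent on this node.
    try {
        [xml]$config = Get-Content -Path "\\$server\$WebConfigPath" -ErrorAction Stop
        $row.FsUrl = $config.configuration.'system.web'.websso.fs
        if (-not $row.FsUrl) { $row.Error += "no <fs> element in web.config; " }
    } catch {
        $row.Error += "web.config: $($_.Exception.Message); "
    }

    # 2. Server authentication certificate in the node's machine store.
    try {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
            "\\$server\My", "LocalMachine")
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
        $cert = $store.Certificates |
            Where-Object { $_.Subject -eq $ExpectedSubject } |
            Select-Object -First 1
        $store.Close()
        if ($cert) {
            $row.CertSubject = $cert.Subject
            $row.CertIssuer  = $cert.Issuer
            $row.Thumbprint  = $cert.Thumbprint
            if (-not $cert.HasPrivateKey) { $row.Error += "certificate has no private key; " }
        } else {
            $row.Error += "no certificate with subject '$ExpectedSubject'; "
        }
    } catch {
        $row.Error += "cert store: $($_.Exception.Message); "
    }

    $results += $row
}

$results | Format-Table Server, FsUrl, CertSubject, CertIssuer, Thumbprint, Error -AutoSize

# Farm-wide checks. @() guards against PowerShell 2.0 unrolling a single
# result into a scalar that has no Count property.
$fsUrls = @($results | Where-Object { $_.FsUrl } | ForEach-Object { $_.FsUrl } | Sort-Object -Unique)
if ($fsUrls.Count -ne 1) {
    Write-Warning "Federation Service URL differs across the farm: $($fsUrls -join ', ')"
} else {
    Write-Host "OK: all nodes use Federation Service URL $($fsUrls[0])"
}

$issuers = @($results | Where-Object { $_.CertIssuer } | ForEach-Object { $_.CertIssuer } | Sort-Object -Unique)
if ($issuers.Count -ne 1) {
    Write-Warning "Certificates are not issued by the same CA: $($issuers -join ' | ')"
} else {
    Write-Host "OK: matching subject '$ExpectedSubject' issued by '$($issuers[0])' on all nodes"
}

# Differing thumbprints are allowed by the table (same CA + same subject is
# enough); report them so an administrator who intended one exported
# certificate everywhere can see the deviation.
$thumbs = @($results | Where-Object { $_.Thumbprint } | ForEach-Object { $_.Thumbprint } | Sort-Object -Unique)
if ($thumbs.Count -gt 1) {
    Write-Host "Note: $($thumbs.Count) distinct certificates in use (permitted when CA and subject match)"
}
```

Run the script after changing any node's web.config or certificate binding; the per-node table shows which member deviates, and the summary lines map directly to the two rows of the table above (same Federation Service URL, same CA and subject name). The script does not inspect the Windows token-based agent, whose Federation Service URL is set in IIS properties rather than web.config.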

For additional details about how to configure an AD FS-enabled Web server farm, see Checklist: Installing an AD FS-Enabled Web Server.