Active Directory Federation Services Role
Applies To: Windows Server 2008
Active Directory® Federation Services (AD FS) is a server role in the Windows Server® 2008 operating system that you can use to create a highly extensible, Internet-scalable, and secure identity access solution that can operate across multiple platforms, including both Windows and non-Windows environments. The following sections provide information about AD FS in Windows Server 2008, including information about the additional functionality in AD FS in Windows Server 2008 compared to the version of AD FS in the Windows Server 2003 R2 operating system.
For additional information about AD FS, see Active Directory Federation Services Overview (http://go.microsoft.com/fwlink/?LinkId=87272). For more information about how to set up an AD FS test lab environment, see Step-by-Step Guide for AD FS in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=85685).
Who will be interested in this feature?
AD FS is designed to be deployed in medium to large organizations that have the following:
At least one directory service: either Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) (formerly known as Active Directory Application Mode (ADAM))
Computers running various operating system platforms
Computers that are connected to the Internet
One or more Web-based applications
Review this information, along with additional documentation about AD FS, if you are any of the following:
An information technology (IT) professional who is responsible for supporting an existing AD FS infrastructure
An IT planner, analyst, or architect who is evaluating identity federation products
Are there any special considerations?
If you have an existing AD FS infrastructure, there are some special considerations to be aware of before you begin upgrading federation servers, federation server proxies, and AD FS-enabled Web servers running Windows Server 2003 R2 to Windows Server 2008. These considerations apply only when you have AD FS servers that have been manually configured to use unique service accounts.
AD FS uses the Network Service account as the default account for both the AD FS Web Agent Authentication Service and the identity of the ADFSAppPool application pool. If you manually configured one or more AD FS servers in your existing AD FS deployment to use a service account other than the default Network Service account, track which of the AD FS servers use these unique service accounts and record the user name and password for each service account.
When you upgrade a server to Windows Server 2008, the upgrade process automatically restores all service accounts to their original default values. Therefore, you must enter service account information again manually for each applicable server after Windows Server 2008 is fully installed.
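Because the upgrade silently resets these accounts, it helps to inventory them before you start. The following script is an added example, not part of the original article: it reads the logon account of the AD FS Web Agent Authentication Service and the identity of the ADFSAppPool application pool on IIS 6.0 servers and flags any that differ from the default Network Service account. It assumes the MicrosoftIISv2 WMI provider (present with IIS 6.0), remote WMI access with packet privacy, and that the service is matched by its display name; the computer names FS1 and FS2 are placeholders.

```powershell
# Added example (not from the original article). Inventory the accounts used by the
# two AD FS Web Agent components named in the text before upgrading to Windows Server 2008.
# Assumptions: IIS 6.0 (root\MicrosoftIISv2 WMI namespace), remote WMI allowed,
# and the service is identified by the display name "AD FS Web Agent Authentication Service".
function Get-AdfsServiceAccountInventory {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $networkService = 'NT AUTHORITY\NetworkService'   # default account per the article

    foreach ($computer in $ComputerName) {
        # 1. Logon account of the AD FS Web Agent Authentication Service
        $svc = Get-WmiObject -ComputerName $computer -Class Win32_Service |
            Where-Object { $_.DisplayName -like 'AD FS Web Agent Authentication Service*' }
        if ($svc) {
            New-Object PSObject -Property @{
                Computer  = $computer
                Component = 'AD FS Web Agent Authentication Service'
                Account   = $svc.StartName
                IsDefault = ($svc.StartName -eq $networkService)
            }
        }

        # 2. ADFSAppPool identity from the IIS 6.0 metabase (WMI requires packet privacy).
        #    AppPoolIdentityType: 0 = LocalSystem, 1 = LocalService,
        #    2 = NetworkService, 3 = specific user (name held in WAMUserName)
        $pool = Get-WmiObject -ComputerName $computer -Namespace 'root\MicrosoftIISv2' `
            -Class IIsApplicationPoolSetting -Authentication PacketPrivacy |
            Where-Object { $_.Name -eq 'W3SVC/AppPools/ADFSAppPool' }
        if ($pool) {
            $identity = switch ($pool.AppPoolIdentityType) {
                0 { 'LocalSystem' }
                1 { 'NT AUTHORITY\LocalService' }
                2 { $networkService }
                3 { $pool.WAMUserName }
                default { "Unknown ($($pool.AppPoolIdentityType))" }
            }
            New-Object PSObject -Property @{
                Computer  = $computer
                Component = 'ADFSAppPool identity'
                Account   = $identity
                IsDefault = ($pool.AppPoolIdentityType -eq 2)
            }
        }
    }
}

# FS1 and FS2 are placeholder server names. Record the account name for every
# non-default entry; the password must come from your credential store, since it
# cannot be read back from the server.
Get-AdfsServiceAccountInventory -ComputerName 'FS1', 'FS2' |
    Where-Object { -not $_.IsDefault } |
    Format-Table Computer, Component, Account -AutoSize
```

Run this against every federation server, federation server proxy, and AD FS-enabled Web server before the upgrade, then use the list to re-enter the accounts afterwards.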
What new functionality does this feature provide?
For Windows Server 2008, AD FS includes new functionality that was not available in Windows Server 2003 R2. This new functionality is designed to ease administrative overhead and to further extend support for key applications:
Improved installation—AD FS is included in Windows Server 2008 as a server role, and there are new server validation checks in the installation wizard.
Improved application support—AD FS is more tightly integrated with Microsoft Office SharePoint® Server 2007 and Active Directory Rights Management Services (AD RMS).
A better administrative experience when you establish federated trusts—Improved trust policy import and export functionality helps to minimize partner-based configuration issues that are commonly associated with federated trust establishment.
Improved installation
AD FS in Windows Server 2008 brings several improvements to the installation experience. To install AD FS in Windows Server 2003 R2, you had to use Add or Remove Programs to find and install the AD FS component. However, in Windows Server 2008, you can install AD FS as a server role using Server Manager.
You can use improved AD FS configuration wizard pages to perform server validation checks before you continue with the AD FS server role installation. In addition, Server Manager automatically lists and installs all the services that AD FS depends on during the AD FS server role installation. These services include Microsoft ASP.NET 2.0 and other services that are part of the Web Server (IIS) server role.
Improved application support
AD FS in Windows Server 2008 includes enhancements that increase its ability to integrate with other applications, such as Office SharePoint Server 2007 and AD RMS.
Integration with Office SharePoint Server 2007
Office SharePoint Server 2007 takes full advantage of the single sign-on (SSO) capabilities that are integrated into this version of AD FS. AD FS in Windows Server 2008 includes functionality to support Office SharePoint Server 2007 membership and role providers. This means that you can effectively configure Office SharePoint Server 2007 as a claims-aware application in AD FS, and you can administer any Office SharePoint Server 2007 sites using membership and role-based access control. The membership and role providers that are included in this version of AD FS are for consumption only by Office SharePoint Server 2007.
Integration with AD RMS
AD RMS and AD FS have been integrated in such a way that organizations can take advantage of existing federated trust relationships to collaborate with external partners and share rights-protected content. For example, an organization that has deployed AD RMS can set up federation with an external organization by using AD FS. The organization can then use this relationship to share rights-protected content across the two organizations without requiring a deployment of AD RMS in both organizations.
Better administrative experience when establishing federated trusts
In both Windows Server 2003 R2 and Windows Server 2008, AD FS administrators can create a federated trust between two organizations using either a process of importing and exporting policy files or a manual process that involves the mutual exchange of partner values, such as Uniform Resource Identifiers (URIs), claim types, claim mappings, display names, and so on. The manual process requires the administrator who receives this data to type all the received data into the appropriate pages in the Add Partner Wizard, which can result in typographical errors. In addition, the manual process requires the account partner administrator to send a copy of the verification certificate for the federation server to the resource partner administrator so that the certificate can be added through the wizard.
Although the ability to import and export policy files was available in Windows Server 2003 R2, creating federated trusts between partner organizations is easier in Windows Server 2008 as a result of enhanced policy-based export and import functionality. These enhancements were made to improve the administrative experience by permitting more flexibility for the import functionality in the Add Partner Wizard. For example, when a partner policy is imported, the administrator can use the Add Partner Wizard to modify any values that are imported before the wizard process is completed. This includes the ability to specify a different account partner verification certificate and the ability to map incoming or outgoing claims between partners.
By using the export and import features that are included with AD FS in Windows Server 2008, administrators can simply export their trust policy settings to an .xml file and then send that file to the partner administrator. This exchange of partner policy files provides all of the URIs, claim types, claim mappings, and other values and the verification certificates that are necessary to create a federated trust between the two partner organizations.
The following illustration and accompanying instructions show how a successful exchange of policies between partners—in this case, initiated by the administrator in the account partner organization—can help streamline the process for establishing a federated trust between two fictional organizations: A. Datum Corporation and Trey Research.
The account partner administrator specifies the Export Basic Partner Policy option by right-clicking the Trust Policy folder and exports a partner policy file that contains the URI, display name, federation server proxy Uniform Resource Locator (URL), and verification certificate for A. Datum Corporation. The account partner administrator then sends the partner policy file (by e-mail or other means) to the resource partner administrator.
The resource partner administrator creates a new account partner using the Add Account Partner Wizard and selects the option to import an account partner policy file. The resource partner administrator proceeds to specify the location of the partner policy file and to verify that all of the values that are presented in each of the wizard pages—which are prepopulated as a result of the policy import—are accurate. The administrator then completes the wizard.
The resource partner administrator can now configure additional claims or trust policy settings that are specific to that account partner. After this configuration is complete, the administrator specifies the Export Policy option by right-clicking the A. Datum Corporation account partner. The resource partner administrator exports a partner policy file that contains values such as the URI, federation server proxy URL, display name, claim types, and claim mappings for the Trey Research organization. The resource partner administrator then sends the partner policy file to the account partner administrator.
The account partner administrator creates a new resource partner using the Add Resource Partner Wizard and selects the option to import a resource partner policy file. The account partner administrator specifies the location of the resource partner policy file and verifies that all of the values that are presented in each of the wizard pages—which are prepopulated as a result of the policy import—are accurate. The administrator then completes the wizard.
When this process is complete, a successful federation trust between both partners is established. Resource partner administrators can also initiate the import and export policy process, although that process is not described here.
What settings have been added or changed?
You configure Windows NT token-based Web Agent settings with the IIS Manager snap-in. To support the new functionality that is provided with Internet Information Services (IIS) 7.0, Windows Server 2008 AD FS includes user interface (UI) updates for the AD FS Web Agent role service. The following table lists the different locations in IIS Manager for IIS 6.0 or IIS 7.0 for each of the AD FS Web Agent property pages, depending on the version of IIS that is used.
|IIS 6.0 property page|Old location|IIS 7.0 property page|New location|
|---|---|---|---|
|AD FS Web Agent tab| |Federation Service URL|<COMPUTERNAME> (in the Other section of the center pane)|
|AD FS Web Agent tab|<COMPUTERNAME>\Web Sites\<Site or Virtual Directory>|AD FS Web Agent|<COMPUTERNAME>\Web Sites\<Site or Virtual Directory> (in the IIS\Authentication section of the center pane)|
There are no significant UI differences between the Active Directory Federation Services snap-in in Windows Server 2008 and the Active Directory Federation Services snap-in in Windows Server 2003 R2.