Account Partner - Resource Accounts
Applies To: Windows Server 2008, Windows Server 2008 R2
In Active Directory Federation Services (AD FS), a resource account is a user account that is stored in one Active Directory forest (the resource partner forest) for the sole purpose of impersonating a user account that is actively used, for example, by an employee and stored in another Active Directory forest (the account partner forest).
Resource accounts must be created in the resource partner forest so that the employee, whose user account is located in the account partner forest, can access Web-based, Windows NT token–based applications through AD FS. Resource accounts and resource groups are also necessary for claims-aware applications.
The Web resource on the resource side is protected with access control lists (ACLs) of user accounts or groups on the resource partner forest. The administrator has to create the resource accounts and add ACLs for any of the resource accounts to the resource.
To reduce administrative overhead, the resource-side administrator may configure one or more security groups, which are created in Active Directory Domain Services (AD DS), that will be used to map to incoming group claims from their account partners. A security group that is mapped to an incoming group claim that is used by AD FS is called a resource group.
You can use the following procedure to configure resource groups.
To configure a resource group
In the Active Directory Users and Computers snap-in on a domain controller in the resource partner forest, create a new security group.
Assign the appropriate access to this security group from the Web resource that is protected by AD FS.
In the Active Directory Federation Services snap-in, create a new group claim, and in the newly created claim's properties page, click the Resource Group tab. Click the … button to map the new security group in AD DS to the new group claim. At this point the new security group is referred to as a "resource group."
Under Federation Service\Trust Policy\Partner Organizations\Account Partners\<accountpartnername>\, create a new incoming group claim mapping to map the new group claim and its associated resource group to any incoming group claims that come from the account partner forest.
When you map an incoming group claim to a resource group, it is no longer necessary for an administrator in the resource partner forest to create a resource account for each user in the account partner forest who needs access to the Windows NT token–based application that is protected by AD FS.
By default, AD FS configures account partner properties so that a resource partner administrator can map incoming group claims to one or more resource groups. However, you can change this default behavior by selecting one of the following resource account options:
Resource accounts exist for all users—Specifies that a resource account is configured for each user from the account partner that needs access to the resource. In this case, incoming group claims are not mapped to resource groups even if resource groups are configured.
Resource accounts exist for some users (prefer resource account)—Specifies whether or not resource groups should be used for some user accounts. This means that some users may have individual resource accounts created, while others may have been configured to use resource groups. When this option is selected, AD FS first looks for resource accounts that match the UPN/E-mail claim that is specified in the incoming token. AD FS uses those resource accounts if they are found. Otherwise, if the token has a group claim that is mapped to a resource group, it uses the resource group.
Resource accounts exist for some users (prefer groups in token)—This is the default setting. Specifies that AD FS can use its logic to determine if each incoming token should map to a resource group or if it should look for a resource account. When this option is selected, AD FS first looks in the token for incoming group claims that can be mapped to a resource group. If they are found, AD FS uses the resource group. If no such incoming group claim exists, AD FS looks for a resource account to use.
No resource accounts exist for this account partner—Specifies that one or more resource groups will be used for all users in this account partner. This means that every token that is issued from this account partner will be required to contain one or more group claims that map to one or more resource groups in the resource partner forest.