Create a Stand-Alone Federation Server
Applies To: Active Directory Federation Services (AD FS) 2.0
After you install the Active Directory Federation Services (AD FS) 2.0 software and configure the required certificates on a computer, you are ready to configure the computer to become a federation server. You can use the following procedure to set up the computer to become a stand-alone federation server. The act of creating a stand-alone federation server also creates a new Federation Service. You do create a federation server with the AD FS 2.0 Federation Server Configuration Wizard.
For the Federated Web Single-Sign-On (SSO) design, you must have at least one federation server in the account partner organization and at least one federation server in the resource partner organization. For more information, see Where to Place a Federation Server.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To create a stand-alone federation server
There are two ways to start the AD FS 2.0 Federation Server Configuration Wizard. To start the wizard, do one of the following:
After the AD FS 2.0 software installation is complete, open the AD FS 2.0Management snap-in (Start/Administrative Tools/AD FS 2.0 Management) and click the AD FS 2.0 Federation Server Configuration Wizard link on the Overview page or in the Actions pane.
Anytime after the setup wizard is complete, open Windows Explorer, navigate to the C:\Program Files\Active Directory Federation Services 2.0 folder, and then double-click FsConfigWizard.exe.
On the Welcome page, verify that Create a new Federation Service is selected, and then click Next.
On the Select Stand-Alone or Farm Deployment page, click Stand-alone federation server, and then click Next.
When you select the Stand-alone federation server option in the AD FS 2.0 Federation Server Configuration Wizard, the service account associated with this Federation Service will automatically be assigned to the NETWORK SERVICE account. Using NETWORK SERVICE as the service account is only recommended in situations where you are evaluating AD FS 2.0 in a test lab environment. If you intend to use the Stand-alone federation server option to deploy a federation server in a production environment, it is important that you change this service account to a more appropriate service account that can be dedicated to serving requests for this new Federation Service. Changing the service account to an account other than NETWORK SERVICE will mitigate possible attack vectors that would otherwise make your federation server vulnerable to malicious attacks.
On the Specify the Federation Service Name page, verify that the SSL certificate that is showing is correct. If not, select the appropriate certificate from the SSL certificate list.
This certificate is generated from the Secure Sockets Layer (SSL) settings for the Default Web Site. If the Default Web Site has only one SSL certificate configured, that certificate is presented and automatically selected for use. If multiple SSL certificates are configured for the Default Web Site, all those certificates are listed here and you must select from among them. If there are no SSL settings configured for the Default Web Site, the list is generated from the certificates that are available in the personal certificates store on the local computer.
The wizard will not allow you to override the certificate if an SSL certificate is configured for IIS. This ensures that any intended prior IIS configuration for SSL certificates is preserved. To work around this restriction, you can remove the certificate or reconfigure manually it with the IIS Management Console.
- If the AD FS 2.0 database that you selected already exists, the Existing AD FS Configuration Database Detected page appears. If that occurs, click Delete database, and then click Next.
Select this option only when you are sure that the data in this AD FS 2.0 database is not important or that it is not used in a production federation server farm.
On the Ready to Apply Settings page, review the details. If the settings appear to be correct, click Next to begin configuring AD FS 2.0 with these settings.
On the Configuration Results page, review the results. When all the configuration steps are finished, click Close to exit the wizard.
By default, the federation server proxy service is configured to use TCP port 443 for HTTPS traffic and port 80 for HTTP traffic for communication with the federation server. To configure alternate ports, such as TCP port 444 for HTTPS and port 81 for HTTP, see Configuring an Alternate TCP/IP Port for Proxy Operations.