Windows Server 2008 : Active Directory Federation Services

2/5/2011 5:36:26 PM
Active Directory Federation Services (AD FS) provides Single Sign-On (SSO) capabilities across multiple platforms, including non-Microsoft environments. By managing web-based logon identities and tying them together through Windows logon authentication, organizations can more easily manage customer access to web-based applications without compromising the internal security infrastructure.

AD FS is managed from an MMC administrative tool, shown in Figure 1, which can be installed on a Windows Server 2008 R2 Enterprise Edition or Datacenter Edition system.

Figure 1. Viewing the AD FS MMC administrative tool.

AD FS is not a replacement for technologies such as Forefront Identity Manager (FIM). Instead of synchronizing identities across various directories as FIM does, AD FS manages logon attempts to web applications made from disparate directories. It is important to understand this concept because AD FS and FIM perform different roles in an organization’s environment.

Understanding the Key Components of AD FS

AD FS is composed of three different server components, as follows:

  • Federation server—A federation server is the main AD FS component, which holds the Federation Service role. These servers route authentication requests between connected directories.

  • Federation proxy server—A federation proxy server acts as a reverse proxy for AD FS authentication requests. This type of server normally resides in the demilitarized zone (DMZ) of a firewall and is used to protect the back-end AD FS server from direct exposure to the untrusted Internet.

  • AD FS Web Agents—The Web Agents component of AD FS hosts the claims-aware agent and the Windows token-based agent, which manage the authentication cookies sent to web server applications.

Each one of these components can be individually installed in an AD FS structure, or they can be all installed on the same system.

Installing AD FS with Windows Server 2008 R2

Installation of the AD FS role on a server can be performed via the following process:

From the server, open the Server Manager Application (Start, All Programs, Administrative Tools, Server Manager).

Navigate to the Roles node, and then click the Add Roles link.

On the Before You Begin page, review the notes provided, and click Next to continue.

From the list of server roles, choose Active Directory Federation Services by checking the box next to it. Click Next to continue.

On the Introduction to Active Directory Federation Services page, review the information provided, and click Next to continue.

On the Select Role Services page, select which roles to install, as shown in Figure 2. By clicking on the roles, you might be prompted to install additional components to make those roles work. For example, IIS and a few other components are required for the Federation Service role. If necessary, click to install those items as well. After you have selected the appropriate check boxes, click Next to continue.

Figure 2. Installing the Active Directory Federation Services role.

Select whether to create a server authentication certificate or to choose an existing certificate installed on the server. Because SSL encryption is required for AD FS, a certificate from either a trusted internal Certificate Authority or an external trusted authority (the most common scenario) must be used to install AD FS. Click Import if such a certificate is available; note that it must already be installed locally on the server. After making your selection, click Next. If you are installing AD FS for testing purposes only, select to create a self-signed certificate, and click Next to continue.

On the subsequent page, choose a token-signing certificate, using the same process outlined in the previous step. This certificate can be created from an internal CA (if available) or imported from an external certificate provider. If using AD FS for testing, you can select to create a self-signed token-signing certificate. Click Next to continue.

On the Select Trust Policy page, select to either create a new trust policy for the type of claims used by your organization or to use an existing one, as shown in Figure 3. Click Next to continue.

Figure 3. Selecting a trust policy for AD FS.

If additional components such as IIS were selected for installation, the Add Roles Wizard will continue with selections for those roles. Follow through the wizard for these roles, if necessary, until the Install button becomes available in the wizard. Click the Install button to begin configuration of AD FS.

Click Close when the Add Roles Wizard is complete.
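The same installation, and the certificate checks the wizard's SSL and token-signing steps imply, can be scripted with the Server Manager cmdlets. This is an added example, not code from the original article; it assumes the Windows feature name ADFS-Federation (as listed by Get-WindowsFeature on Windows Server 2008 R2) and uses placeholder certificate subjects that you must replace with your own.

```powershell
# Added example (not from the original article). Installs the Federation Service
# role and then checks the certificates the Add Roles Wizard asks for.
# Assumptions: feature name ADFS-Federation as shown by Get-WindowsFeature ADFS*;
# certificate subjects below are placeholders.
Import-Module ServerManager

# Federation Service role; IIS and other prerequisites are pulled in as dependencies.
$result = Add-WindowsFeature ADFS-Federation -IncludeAllSubFeature
if (-not $result.Success) { throw "AD FS role installation failed: $($result.ExitCode)" }

function Test-AdfsCertificate {
    param(
        [string]$Subject,            # e.g. 'CN=fs.example.com' (placeholder)
        [string]$RequiredEkuOid,     # 1.3.6.1.5.5.7.3.1 = Server Authentication
        [switch]$AllowSelfSigned     # only acceptable in a test lab
    )
    # Newest certificate for the subject that also has its private key on this server.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return "MISSING: no certificate with private key for $Subject" }

    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        return "NOT VALID NOW: $($cert.Thumbprint)"
    }
    if ($RequiredEkuOid) {
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $RequiredEkuOid })) {
            return "WRONG EKU: $($cert.Thumbprint) lacks $RequiredEkuOid"
        }
    }
    # Self-signed (subject equals issuer) is what the wizard creates for testing only.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    if ($selfSigned -and -not $AllowSelfSigned) {
        return "SELF-SIGNED: $($cert.Thumbprint) is acceptable for testing only"
    }
    # Chain validation against this server's trust store; partner clients must trust the CA too.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $selfSigned -and -not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        return "UNTRUSTED CHAIN: $($cert.Thumbprint) ($status)"
    }
    return "OK: $($cert.Thumbprint) valid until $($cert.NotAfter.ToShortDateString())"
}

# Server authentication (SSL) certificate: must chain to a trusted CA in production.
Test-AdfsCertificate -Subject 'CN=fs.example.com' -RequiredEkuOid '1.3.6.1.5.5.7.3.1'
# Token-signing certificate: flag a self-signed one so it is not carried into production.
Test-AdfsCertificate -Subject 'CN=ADFS Token Signing'
```

Run it after the wizard completes (or before, to confirm an imported certificate qualifies); any result other than OK names the condition the wizard's certificate steps warn about.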

Working with AD FS

AD FS works by entering information about connected partners, such as AD forests or AD LDS organizations, together with the specific partner and application details. Each set of information is entered by running one of the wizards installed with AD FS, as follows:

  • Add Resource Partner Wizard—This wizard allows resource partners to be created manually or imported automatically from an Extensible Markup Language (XML) file. Resource partners contain information about the specific web-based applications that users can access.

  • Add Account Partner Wizard—This wizard adds the information about specific account partners, which are connected security token issuers, such as domain controllers.

  • Add Applications Wizard—This wizard adds specific claims-aware applications to AD FS.

By entering the information about the various web-based applications, and which directories and identities are to be granted access, AD FS can provide seamless sign-on between the directories. It can be a valuable asset for an organization that wants to share corporate information with trusted partners without unnecessarily exposing its internal assets.
