Introduction to Administering ADFS

Applies To: Windows Server 2003 R2

Active Directory Federation Services (ADFS) is a component in Microsoft® Windows Server™ 2003 R2 that provides Web single-sign-on (SSO) technologies that allow the authentication of a user to multiple Web applications over the life of a single online session. ADFS accomplishes SSO by securely sharing digital identity and entitlement rights, or claims, across security and enterprise boundaries.

ADFS provides a robust environment that requires few routine maintenance tasks. However, when operating a federation environment, you might have to perform certain tasks on a regular basis and others only as needed. This guide provides information and instructions for performing such tasks.

Planning for ADFS Operations

Operating Active Directory Federation Services (ADFS) consists of tasks and procedures for updating configurations for ADFS components as well as the installed applications and Windows components, including Windows Certificate Services, Internet Information Services (IIS), Active Directory directory service, and Active Directory Application Mode (ADAM).

When managing ADFS operations, you will need to update configurations for the ADFS components, including the ADFS servers (federation servers and federation server proxies), ADFS Trust Policy, ADFS Web Agents, ADFS partnerships, ADFS account stores, and ADFS claims.

Before you begin, prepare a plan that establishes a baseline operating environment and addresses operational needs and actions.

To plan your ADFS operations environment, perform the following tasks:

  • Assess your IT environment and establish a baseline.

  • Determine your operational needs.

Assess Your IT Environment and Establish a Baseline

  • Understand the details of the federated Web sites and partners that the ADFS deployment must support to effectively and securely operate ADFS servers. For information about planning for specific ADFS scenarios, see the Active Directory Federation Services Design Guide (https://go.microsoft.com/fwlink/?LinkId=63486).

  • Review any service specifications that were produced during the planning and deployment process, along with any service-level requirements defined in service level agreements between partner IT organizations.

You will need to understand the following environmental conditions and requirements when you establish your operations baseline and to accommodate growth and modifications to your IT environment:

  • Supported partners: When using ADFS, you are usually working with partner organizations. When establishing identity federation, determine the organizations with which you want to form a partnership. After a baseline ADFS deployment is in place, operating with partners involves adding partners, deleting partners, and updating partner information. Changes to partnerships can be required for a variety of reasons. For example, your ADFS deployment might require partnership updates if your partner changes its business significantly, your organization becomes part of a larger organization or a federation of organizations, or your organization is acquired by a different company. In any scenario where you are federating identities from multiple domains, you will need to be aware of the domains (partners) that you are currently supporting and all additional domains that represent potential partners.

  • Supported application types: Some ADFS applications require access to operating system resources, while others are "claims aware." It is important to understand the type of applications that ADFS will support so that administration requirements can be formulated.

  • Logical and physical architectural diagrams or deployment topology: You will need to know whether ADFS is working in a set of farmed servers or a single server. You must understand where your network deploys firewalls and proxies. You must also be aware of the location of resources and whether the users are accessing resources from within your organization or from outside the organization, or both.

  • Certificate and trust information: You should understand how the certificates in the environment have been acquired and used. For example, it is important to understand whether the certificates follow a chain up to a root certification authority (CA) and how your certificates are obtained so that you can address certificate renewals. It is important to understand how certificate revocation works in your environment.

  • User account management requirements: You must understand how users gain access to resources in your environment, whether external users have access to resources in your domain, and whether you have enabled fine-grained control or are leveraging groups to dictate access control.

Data about these conditions provides a starting point for establishing a baseline for the operations environment and for setting the proper level of service.

Determine Operational Needs

Performing operations requires that tasks are assigned to the appropriate server administrators on the teams that support the ADFS deployment. The ADFS operations team must establish processes for managing the following ADFS components and their related configurations:

  • Federation Service:

    • If you find that the federation server or server farm is not meeting scalability, performance, or reliability requirements, you can add an additional federation server.

    • If you want to monitor access or diagnose failures, you can modify certain logging settings at the federation server.

    • Many federation server tasks encompass establishing and managing partnerships, resources, and accounts, as explained later in this topic.

  • Federation Service Proxy (optional):

    • If you find that the federation server proxy or server farm is not meeting scalability, performance, or reliability requirements, you can add an additional federation server proxy.

    • You might add a proxy to an existing deployment as part of enabling Internet access to your existing resources.

    • If the client authentication model changes, you can change the federation server proxy to handle this authentication model.

  • Federated application(s):

  • When you add a new Web application that is protected by ADFS (for example, if your organization has a new Web site for purchase order management), you will need to add the application to the ADFS deployment.

    • When the type of user information that the application requires to make its decisions changes, you will need to update claims in your ADFS deployment.

    • When the URL for the application changes, you will need to update URLs in your ADFS deployment.

  • Partnerships:

    • When establishing a new relationship (due to acquisitions, mergers, business contracts, and so on), or ending an existing one, you will need to add or remove partnerships in your ADFS deployment.

    • When changing an existing business relationship, you might need to update properties in your ADFS partnership.

  • Accounts:

    • In federated scenarios where the application is a Windows NT token-based application, you will need to manage resource groups in the resource partner.

    • When you establish a new relationship, you will need to add additional accounts to your account store.

    • When additional users and groups need access to an existing application, you will need to add these accounts to your account store.

When to Use This Guide

You should use this guide when:

  • You have ADFS deployed in a test or production environment.

  • You want to add or remove ADFS components.

  • You want to make changes to the configuration of ADFS components.

  • You want to add or remove Web applications that authenticate through ADFS.

This guide assumes a basic understanding of ADFS, how it works, and why your organization uses it to federate Web applications. You should also have a thorough understanding of how ADFS is deployed and managed in your organization, including an understanding of the mechanism your organization uses to configure and manage ADFS settings. To learn about ADFS concepts and scenarios, see the following ADFS documentation:

This guide can be used by organizations that have deployed Microsoft Windows Server 2003 R2. It includes information that is relevant to different roles within an IT organization, including IT operations management and administrators. It contains high-level information that is required to plan an ADFS operations environment. This information provides management-level knowledge of ADFS and the IT processes required to operate it.

In addition, this guide contains more detailed procedures that are designed for operators who have varied levels of expertise and experience. Although the procedures provide operator guidance from start to finish, operators must have a basic proficiency with the Microsoft Management Console (MMC) and snap-ins and know how to start administrative programs and access the command line. If operators are not familiar with ADFS, it might be necessary for IT planners or IT managers to review the relevant operations in this guide and provide the operators with parameters or data that must be entered when the operation is performed.

How to Use This Guide

The operations areas are divided into the following types of content:

  • Tasks pertain to group-related procedures and provide general guidance for achieving the goals of an objective. In this guide, "Managing ADFS Web Agents and Applications" is an example of a task.

  • Procedures provide step-by-step instructions for completing tasks. In this guide, "Add an ADAM account store" is an example of a procedure topic.

If you are an IT manager who will be delegating tasks to operators within your organization, you will want to:

  • Read through the tasks to determine whether you need to install tools before operators perform the procedures for each task.

  • Before assigning tasks to individual operators, ensure that you have all the tools installed where operators can use them.

  • When necessary, create "tear sheets" for each task that operators perform in your organization. Cut and paste the task and its related procedures into a separate document, and then either print these documents or store them online, depending on the preference of your organization.

Technologies and Terminology Used in This Guide

Active Directory Federation Services (ADFS) uses terminology from several different technologies, including certificate services, Internet Information Services (IIS), Active Directory, Active Directory Application Mode (ADAM), and Web Services (WS*).

For more information about these technologies, see:

For a list of ADFS terms and definitions, see Terminology used in ADFS (https://go.microsoft.com/fwlink/?LinkId=63507).

See Also

Other Resources

  • Active Directory Federation Services (ADFS)

  • Overview of ADFS

  • Active Directory Federation Services Design Guide

  • ADFS Step-by-Step Guide

  • Public Key Infrastructure for Windows Server 2003

  • Public Key Infrastructure

  • Certificate Services Technical Reference

  • Windows Server Internet Information Services (IIS)