Deploying ADFS-Enabled Web Servers

Applies To: Windows Server 2003 R2

To deploy Active Directory Federation Services (ADFS)-enabled Web servers, complete each of the tasks in Checklist: Installing an ADFS-enabled Web server. After you complete the tasks in this checklist, you can set up the Web server to host claims-aware applications or Windows NT token–based applications in the resource partner organization.

Note

When you use this checklist, we strongly recommend that you first read the references to Web server planning in the ADFS Design Guide before continuing to the procedures for configuring the servers. Following the checklist in this way helps provide an understanding of the full ADFS design and deployment story for Web servers.

About ADFS-enabled Web servers

In ADFS, Web servers in the resource partner forest host the ADFS Web Agent component, which provides secure access to the federated Web applications that are hosted on those Web servers. The ADFS Web Agent receives and verifies the security tokens that the resource Federation Service issues for the user, and the authentication cookies that it then writes for the application. The Web server must be configured to trust a single Federation Service in the resource partner: the forest in which the Web server resides must trust the forest in which the resource federation server resides, so that the Web Agent accepts authentication tokens only from that Federation Service and rejects tokens from any other issuer.

The ADFS Web Agent supports two types of applications: claims-aware applications and Windows NT token–based applications. A claims-aware application is a Microsoft ASP.NET 2.0 application that is fully capable of using ADFS claims (for example, UPN, e-mail address, or group claims) to make its own authorization decisions. A Windows NT token–based application is an Internet Information Services (IIS) application that is written to use Windows native authorization mechanisms, such as Windows groups and access control lists, and that is not capable of consuming ADFS claims. For a Windows NT token–based application, the ADFS Web Agent must build a Windows security token for the federated user, so each federated user must map to a Windows account in the resource forest (a resource account or a resource group); a claims-aware application has no such requirement.
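The following is an added example, not code from the original page or from the ADFS product documentation, of what "using ADFS claims to make authorization decisions" looks like in a claims-aware ASP.NET 2.0 page. It assumes the ADFS 1.0 Web Agent assembly System.Web.Security.SingleSignOn is installed and referenced, that the Web Agent's authentication module has already processed the request, and that the resource Federation Service maps an incoming claim to a group named Purchasers; the claim URI, the group name, and the page class name are assumptions for illustration. A Windows NT token–based application would reach the same decision with no application code at all, by placing an ACL or a Windows group check on the resource and letting the Web Agent build a Windows token for the user.

```csharp
// Added example (not from the original page): a claims-aware ASP.NET 2.0 page
// that authorizes a request from ADFS claims rather than from Windows ACLs.
// Assumes the ADFS 1.0 Web Agent types SingleSignOnIdentity, SecurityProperty
// and SecurityPropertyCollection from System.Web.Security.SingleSignOn.
using System;
using System.Web.Security.SingleSignOn;
using System.Web.UI;

public partial class Reports : Page
{
    // ADFS 1.0 group claim type (value assumed for this example).
    private const string GroupClaimUri = "http://schemas.xmlsoap.org/claims/Group";

    // Group the resource Federation Service is assumed to issue to authorized users.
    private const string RequiredGroup = "Purchasers";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Accept only an identity created by the ADFS Web Agent. A generic
        // IIdentity from some other module must not be treated as federated.
        SingleSignOnIdentity ssoId = User.Identity as SingleSignOnIdentity;
        if (ssoId == null || !ssoId.IsAuthenticated)
        {
            Response.StatusCode = 401;   // not authenticated by ADFS
            Response.End();
            return;
        }

        if (!HasGroupClaim(ssoId, RequiredGroup))
        {
            Response.StatusCode = 403;   // authenticated, but lacks the required claim
            Response.End();
            return;
        }

        // Authorized: other claims (UPN, e-mail) can now drive business logic.
        Response.Write("Welcome, " + Server.HtmlEncode(ssoId.Name));
    }

    // True only when a claim of the Group type carries the expected value.
    // Match the claim URI as well as the value so that a different claim type
    // containing the same string cannot satisfy the check.
    private static bool HasGroupClaim(SingleSignOnIdentity id, string group)
    {
        foreach (SecurityProperty sp in id.SecurityPropertyCollection)
        {
            string uri = Convert.ToString(sp.Uri);
            if (string.Equals(uri, GroupClaimUri, StringComparison.Ordinal) &&
                string.Equals(sp.Value, group, StringComparison.Ordinal))
            {
                return true;
            }
        }
        return false;
    }
}
```

The two checks are deliberately separate: the cast to SingleSignOnIdentity establishes that the ADFS Web Agent, and therefore the trusted resource Federation Service, authenticated the user, while the claim comparison is the application's own authorization decision. The group check compares both the claim URI and the value with an ordinal comparison, so a claim of another type that happens to carry the string Purchasers does not grant access.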

The type of Web application that your Web server will host determines which component of the ADFS Web Agent you install on that server; install only the component you need. If the Web server will host only claims-aware applications, install only the ADFS Web Agent assemblies that are used for claims-aware applications. If you have an existing application that relies on Windows Integrated authentication and cannot be rewritten to consume claims, install only the ADFS Web Agent component that is used for Windows NT token–based applications, so that the application can authenticate users through ADFS without code changes.