Checklist: Installing an AD FS-Enabled Web Server
Applies To: Windows Server 2008
This checklist includes the deployment tasks for preparing a server running Windows Server 2008 Standard or Windows Server 2008 Enterprise for the Active Directory Federation Services (AD FS)-enabled Web server role.
Note
Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
.gif)
Checklist: Installing an AD FS-enabled Web server
| Task | Reference | |||
|---|---|---|---|---|
.gif) |
Review important changes to AD FS since the Windows Server 2003 R2 release, including an improved installation process. |
|
||
|
Review information in the Active Directory Federation Services Design Guide about where to place AD FS-enabled Web servers in your organization. |
|||
|
Use the information in the Active Directory Federation Services Design Guide to determine whether a single AD FS-enabled Web server or a Web server farm is appropriate for your deployment. |
|||
|
Review information in the Active Directory Federation Services Design Guide about how AD FS-enabled Web servers require server authentication certificates to authorize client requests securely. |
|||
|
Review information in the Active Directory Federation Services Design Guide about how to update the perimeter network Domain Name System (DNS) so that successful name resolution between clients and AD FS-enabled Web servers in farms can occur. |
|||
|
Join the computer that will become the AD FS-enabled Web server to a domain in the resource partner forest where it will be used to authorize federated clients.
|
|||
|
Create a new resource record in the perimeter network DNS that points the DNS host name of the AD FS-enabled Web server to the IP address of the AD FS-enabled Web server. |
|
||
|
Install prerequisite applications such as, ASP.NET, Internet Information Services (IIS), and Microsoft .NET Framework 2.0 on the computer that will become the AD FS-enabled Web server. |
|||
|
After you obtain a server authentication certificate (or a private key), install it in IIS on the appropriate Web site or virtual directory where your federated application will reside. For an example of how to do this using the default Web site, see the link to the right. Note If you will be adding an AD FS-enabled Web server to an existing AD FS-enabled Web server farm, you must add the same server authentication certificate that you receive from the certification authority (CA) to the appropriate Web site or virtual directory where your federated application will reside on each of the servers that will be participating in the farm.
|
|
||
|
(Optional) In a scenario in which you want to install the Federation Service on your AD FS-enabled Web server so that the same server will play both the AD FS-enabled Web server role and the federation server role, configure certificates in the following way:
|
(Not applicable) |
||
|
(Optional) As an alternative to obtaining a server authentication certificate from a CA, you can use IIS 7.0 to create a self-signed certificate for your AD FS-enabled Web server. Because IIS 7.0 generates a self-signed certificate that does not originate from a trusted source, use it to create a self-signed certificate only in the following scenarios:
Warning It is not a security best practice to deploy an AD FS-enabled Web server in a production environment using a self-signed server authentication certificate.
|
|
||
|
Install the AD FS Web Agent component on the computer that will become the AD FS-enabled Web server. |
|||
|
Install and configure a claims-aware application or a Windows NT token–based application on your new AD FS-enabled Web server. |
|||
|
From a client computer, verify that the AD FS-enabled Web server is operational. |
.gif)
What's New in AD FS in Windows Server 2008 (.gif)
Note.gif)
.gif)