Configure client computers to trust the account federation server

Applies To: Windows Server 2003 R2

So that client computers can successfully access federated applications, you must first configure each client's Internet Explorer settings so that the browser trusts the account federation server. You can do this manually or through Group Policy, depending on your administrative preference, by completing one of the following tasks.

Configuring Internet Explorer settings manually

Use the following task to manually configure each user's Internet Explorer settings to support federation. If multiple users use a single computer, complete this task multiple times—once for each user profile.

Administrative credentials

To perform this task, log on as the user who will be accessing federated applications. Because this is a profile-specific setting, you must add it manually for each profile that exists on the computer.

To manually configure client computers to trust the account federation server

  1. On the client computer, start Internet Explorer.

  2. On the Tools menu, click Internet Options.

  3. On the Security tab, click the Local intranet icon, and then click Sites.

  4. Click Advanced, and in Add this Web site to the zone, type the full Domain Name System (DNS) name of the account federation server (for example, https://adfsaccount.adatum.com), and then click Add.

  5. Click OK three times.

Configuring Internet Explorer settings using Group Policy

For most deployments, we recommend that you use Group Policy to push the appropriate Internet Explorer settings to each client computer.

Administrative credentials

To perform this task, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.

To configure client computers to trust the account federation server using Group Policy

  1. Edit the appropriate Group Policy object (GPO) with either the Active Directory Users and Computers snap-in or the Group Policy Management Console snap-in.

  2. In Group Policy, click User Configuration, click Windows Settings, click Internet Explorer Maintenance, and then click Security.

  3. In the details pane, double-click Security Zones and Content Ratings.

  4. Under Security Zones and Privacy, click Import the current security zones and privacy settings, and then click Modify Settings.

  5. Select Local intranet, and then click Sites.

  6. Click Advanced, and in Add this Web site to the zone, type the full DNS name of the account federation server (for example, https://adfsaccount.adatum.com), click Add, and then click Close.

  7. Click OK three times to apply these changes to Group Policy.
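
To confirm that either procedure above took effect for a given user profile, the following read-only check looks up the zone that Internet Explorer has recorded for the federation server. It is an added example, not part of the original page; it assumes Internet Explorer's standard per-user ZoneMap registry layout and uses the page's sample URL.

```powershell
# Added example: read-only check of the current user's IE zone mapping.
# The URL is the page's sample value; replace it with your own server.
$Url  = [uri]'https://adfsaccount.adatum.com'
$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }

function Get-ZoneMapCandidate([string]$HostName) {
    # IE stores host.example.com as Domains\example.com\host. Rather than guess
    # where the domain boundary is, try every split plus the whole name.
    $labels = $HostName.Split('.')
    $HostName
    for ($i = 1; $i -lt $labels.Count; $i++) {
        $prefix = $labels[0..($i - 1)] -join '.'
        $suffix = $labels[$i..($labels.Count - 1)] -join '.'
        "$suffix\$prefix"
    }
}

$found = foreach ($rel in Get-ZoneMapCandidate $Url.Host) {
    $path = Join-Path $Root $rel
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $key = Get-Item -LiteralPath $path
    # The value is named after the scheme ('https') or '*' for any scheme,
    # and its DWORD data is the zone number.
    foreach ($name in @($Url.Scheme, '*')) {
        $zone = $key.GetValue($name)
        if ($null -ne $zone) {
            [pscustomobject]@{
                Key   = $rel
                Value = $name
                Zone  = $ZoneNames[[int]$zone]
            }
        }
    }
}

if ($found | Where-Object { $_.Zone -eq 'Local intranet' }) {
    Write-Output "$($Url.Host) is in the Local intranet zone for $env:USERNAME."
} else {
    Write-Warning "$($Url.Host) is not in the Local intranet zone for $env:USERNAME."
}
# Show every mapping found, including any that place the host in another zone.
$found | Format-Table -AutoSize
```

Run it while logged on as the user whose profile you are checking, because the mapping is stored per profile.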