Share via

Adding a New Federation Server Proxy

  • Article
  • 06/06/2011

Applies To: Windows Server 2003 R2

When you have an existing Active Directory Federation Services (ADFS) deployment and you want to add a new federation server proxy, you must configure the server as an application server, install and configure certificates, and then install the Federation Server Proxy component of ADFS. You can also set event logging according to server needs.

Unlike farmed federation servers, farmed sets of federation server proxies are not required to share certificate private keys, but must share the certificate public key with the Federation Service that they protect.

However, you must export the public key from each federation server proxy and add this key to the shared trust policy of the Federation Service as an FSP verification certificate.

During installation, you configure the federation server proxy with the DNS host name of the protected Federation Service. This name is added automatically to create the FS URL, which the federation service proxy uses to communicate with the Federation Service.

Task requirements

You need the following to perform the procedures for this task:

  • An installed Secure Sockets Layer (SSL) certificate. For information about how to acquire SSL certificates, see Obtaining Server Certificates (https://go.microsoft.com/fwlink/?linkid=62479).

  • An existing Federation Service.

  • The Domain Name System (DNS) host name of the Federation Service that this federation server proxy will protect.

  • An installed client authentication certificate for the Federation Service Proxy. For information about installing client authentication certificates when using Microsoft Certificate Services as your enterprise certification authority (CA), see Submit an advanced certificate request via the Web to a Windows Server 2003 CA (https://go.microsoft.com/fwlink/?linkid=64020).

To complete this task, perform the following procedures:

  1. Install prerequisite applications

  2. Install the Federation Service Proxy on an additional federation server proxy

  3. Export the public key portion of a client authentication certificate

  4. Add a Federation Service Proxy certificate to the trust policy

  5. Configure event logging on a federation server proxy

See Also

Concepts

Rolling Over a Client Authentication Certificate