Export (0) Print
Expand All

Checklist: Installing an ADFS-enabled Web server

Updated: December 15, 2006

Applies To: Windows Server 2003 R2

This checklist includes the deployment tasks for preparing a server running Windows Server 2003 R2, Standard Edition, or Windows Server 2003 R2, Enterprise Edition, for the Active Directory Federation Services (ADFS)-enabled Web server role.

noteNote
Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.

Checklist Checklist: Installing an ADFS-enabled Web server

 

  Task Reference
Checkbox

Review information in the ADFS Design Guide about where to place ADFS-enabled Web servers in your organization.

Conceptual topic Planning ADFS-Enabled Web Server Placement

Conceptual topic Where to place an ADFS-enabled Web server

Checkbox

Use the information in the ADFS Design Guide to determine whether a single ADFS-enabled Web server or a Web server farm is appropriate for your deployment.

Conceptual topic When to create an ADFS-enabled Web server

Conceptual topic When to create an ADFS-enabled Web server farm

Checkbox

Review information in the ADFS Design Guide about how ADFS-enabled Web servers require server authentication certificates to authorize client requests securely.

Conceptual topic Certificate requirements for ADFS-enabled Web servers

Checkbox

Review information in the ADFS Design Guide about how to update the perimeter network Domain Name System (DNS) so that successful name resolution between clients and ADFS-enabled Web servers in farms can occur.

Conceptual topic Name resolution requirements for ADFS-enabled Web servers

Checkbox

Join the computer that will become the ADFS-enabled Web server to a domain in the resource partner forest where it will be used to authorize federated clients.

noteNote
If your ADFS-enabled Web server will be hosting a Windows NT token–based application, the server must be joined to a domain in the same forest, or in a trusting forest, where the resource federation server resides.

Procedure topic Join a computer to a domain

Checkbox

Create a new resource record in the perimeter network DNS that points the DNS host name of the ADFS-enabled Web server to the IP address of the ADFS-enabled Web server.

Procedure topic Add a host (A) record to perimeter DNS for an ADFS-enabled Web server

Checkbox

Install prerequisite applications such as, ASP.NET, Internet Information Services (IIS), and Microsoft .NET Framework 2.0 on the computer that will become the ADFS-enabled Web server.

Procedure topic Install prerequisite applications

Checkbox

After you obtain a server authentication certificate (or a private key), install it in IIS on the appropriate Web site or virtual directory where your federated application will reside.

For an example of how to do this using the default Web site, see the link to the right.

noteNote
If you will be adding an ADFS-enabled Web server to an existing ADFS-enabled Web server farm, you must add the same server authentication certificate that you receive from the certification authority (CA) to the appropriate Web site or virtual directory where your federated application will reside on each of the servers that will be participating in the farm.

Procedure topic Import a server authentication certificate to the default Web site

Checkbox

(Optional) In a scenario in which you want to install the Federation Service on your ADFS-enabled Web server so that the same server will play both the ADFS-enabled Web server role and the federation server role, configure certificates in the following way:

  • Install the server authentication certificate on the appropriate Web site or virtual directory where your application will reside, as indicated in the previous step.

  • Install the server authentication certificate for the federation server. This certificate must be installed in the Local Computer certificate store of the ADFS-enabled Web server, and its root certificate or certificates must also be installed in the Trusted Root certificate store.

    noteNote
    Use the Certificate snap-in to install certificates to the appropriate store.

  • Install the token-signing certificate that the federation server will use to sign its tokens. This certificate must be installed in the Local Computer certificate store of the ADFS enabled web server, and its root certificate or certificates must also be installed in the Trusted Root certificate store.

    noteNote
    Use the Certificate snap-in to install certificates to the appropriate store.

N/A

Checkbox

(Optional) As an alternative to obtaining a server authentication certificate from a CA, you can use the SelfSSL.exe tool to create a self-signed certificate for your ADFS-enabled Web server.

Because the SelfSSL tool generates a self-signed certificate that does not originate from a trusted source, use the SelfSSL tool only in the following scenarios:

  • When you have to create a Secure Sockets Layer (SSL) channel between your server and a limited, known group of users

  • When you have to troubleshoot third-party certificate problems

CautionCaution
It is not a security best practice to deploy an ADFS-enabled Web server in a production environment using a self-signed server authentication certificate.

Procedure topic Internet Information Services (IIS) 6.0 Resource Kit Tools (http://go.microsoft.com/fwlink/?LinkId=36285)

Checkbox

Install the ADFS Web Agent component on the computer that will become the ADFS-enabled Web server.

Procedure topic Install the ADFS Web Agent component of ADFS

Checkbox

Install and configure a claims-aware application or a Windows NT token–based application on your new ADFS-enabled Web server.

Checklist topic Checklist: Installing a claims-aware application

Checklist topic Checklist: Installing a Windows NT token-based application

Checkbox

From a client computer, verify that the ADFS-enabled Web server is operational.

Procedure topic Verify that an ADFS-enabled Web server is operational

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft