Configure an account partner to use Windows trust
Updated: September 13, 2007
Applies To: Windows Server 2003 R2
You must configure the account partner to select the domains that are to be included in the trust relationship. For example, if a Windows Server 2003 forest trust is in place from the resource partner forest to the account partner forest, the trust is transitive to all domains in the trusted account forest.
If you want to grant access to resources in the resource forest to users in only some domains in the account forest, you can specify only those domains. Otherwise, you can allow all trusted domains (all domains in the account forest and any forest that is trusted by the account forest) to be granted access.
Use the following procedure to enable Windows trust for the account partner that will participate in the Federated Web SSO with Forest Trust design scenario.
Perform this procedure on a federation server in the resource partner organization.
To complete this procedure, you must be a member of the Administrators group on the local computer.
To configure an account partner to use Windows trust
1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
2. Double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, and then double-click Account Partners.
3. Right-click the account partner that you want to configure to use Windows trust, and then click Properties.
4. On the Windows Trust tab, click Use Windows trust relationship.
5. In Trusted Active Directory domains and forests, do one of the following, and then click OK:
   - Click All Active Directory domains and forests if you want to allow users in all trusted domains in the account partner forest and in any forest that is trusted by the account partner forest, and then click OK.
   - Click Specified Active Directory domains and forests (press Enter to separate entries) if you want to name only the domains where you want to allow federated access. Type a domain name, press ENTER, and then repeat this action to add each domain in the account partner forest and in any other trusted forests for the users that you want to grant access to resources.