Configure an account partner to use Windows trust

Applies To: Windows Server 2003 R2

You must configure the account partner to select the domains that are to be included in the trust relationship. For example, if a Windows Server 2003 forest trust is in place from the resource partner forest to the account partner forest, the trust is transitive to all domains in the trusted account forest.

If you want to grant access to resources in the resource forest to users in only some domains in the account forest, you can specify only those domains. Otherwise, you can allow all trusted domains (all domains in the account forest and any forest that is trusted by the account forest) to be granted access.

Use the following procedure to enable Windows trust for the account partner that will participate in the Federated Web SSO with Forest Trust design scenario.

Perform this procedure on a federation server in the resource partner organization.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group on the local computer.

To configure an account partner to use Windows trust

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, and then double-click Account Partners.

  3. Right-click the account partner that you want to configure to use Windows trust, and then click Properties.

  4. On the Windows Trust tab, click Use Windows trust relationship.

  5. In Trusted Active Directory domains and forests, do one of the following, and then click OK:

    • Click All Active Directory domains and forests if you want to allow federated access for users in all trusted domains in the account partner forest and in any forest that is trusted by the account partner forest.

    • Click Specified Active Directory domains and forests (press Enter to separate entries) if you want to name only the domains where you want to allow federated access. Type a domain name, press ENTER, and then repeat this action to add each domain in the account partner forest and in any other trusted forests for the users that you want to grant access to resources.

See Also

Concepts

Configure a resource partner to use Windows trust
Discontinue Windows trust for an account partner