Configuring Windows Trust for Account and Resource Partners

Applies To: Windows Server 2003 R2

An Active Directory Federation Services (ADFS) deployment in a federated scenario can be configured with or without a Windows trust relationship. In a Federated Web single sign-on (SSO) scenario, a federation trust is created between the two partners, but any Windows trust relationship that exists between the two partners is not used. In a Federated Web SSO with Forest Trust scenario, an organization that has a Windows trust relationship between the two Active Directory forests (the resource forest trusts the account forest) configures the ADFS partners to use that Windows trust relationship.

The Windows trust between the forests of the two partners (either a forest trust between two Windows Server 2003 forests or an external trust between Windows Server 2003 or Windows 2000 Server domains in each forest) must be enabled for ADFS by both the resource partner and the account partner. The account partner must be configured to select the domains that are to be included in the trust relationship. You must also configure the resource partner in the account Federation Service.

Task requirements

You need the following to perform the procedures for this task:

  • A Windows trust between the two partners (two Windows Server 2003 forests or an external trust between Windows Server 2003 or Windows 2000 Server domains in each forest), where the resource forest or domain has a trust relationship with the account forest or domain.

  • A federation server in each partner organization.

  • The Active Directory Federation Services snap-in.

This task provides procedures to begin using or to discontinue Windows trust in both partners.

See Also

Other Resources

Administering Domain and Forest Trusts