Automatically Distribute Information Cards by Using Group Policy

Updated: September 3, 2010

Applies To: 'Geneva' Identity Server (the prerelease name of Active Directory Federation Services 2.0)

Active Directory Federation Services (AD FS) 2.0 software provides Card Provisioning Group Policy templates that you can configure to automatically distribute managed Information Cards from a specific issuer to corporate client computers on an Active Directory network. These templates can also help you manage how often Information Cards that are stored on client computers should be refreshed and which relying parties are authorized to accept the Information Cards.

Note
To watch a four-minute click-through video of the Federated Identity Documentation Team demonstrating the steps in this procedure, click Video: Automatically Distribute Information Cards by Using Group Policy (http://go.microsoft.com/fwlink/?LinkId=154260) to open the video in a new window.

You can use the following steps or optional video to configure a federation server and domain controller in your organization to use these templates and provision Information Cards:

  • Step 1: Save Group Policy template files to the SYSVOL folder.

  • Step 2: Configure the Auto Card Provisioning template.

  • Step 3: Configure the Auto Card Provisioning Polling Interval template.

  • Step 4: Configure the Information Card Usage Policy template.

To complete the following procedure, you must be a member of the Administrators security group, or equivalent, on the local federation server and have permission to write to the SYSVOL folder on a domain controller. By default, members of Domain Administrators and Enterprise Administrators have permission to write to the SYSVOL folder. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Step 1: Save Group Policy template files to the SYSVOL folder
  1. Click Start, point to Programs, point to Microsoft “Geneva” Server, and then click Microsoft “Geneva” Server Management.

  2. In the console tree, under the “Geneva” Server folder, click Information Card, and then click Save Group Policy Template Files.

  3. In the Browse for Folder dialog box, select the \sysvol\domain\policies\PolicyDefinitions folder of a domain controller where you want to store the Group Policy templates, and then click OK.

    Important
    Because these templates are applied to a domain in your Active Directory environment, you must copy the ADM/ADMX template files and the EN-US folder that contains the ADML files to the \sysvol\domain\policies\PolicyDefinitions folder (the domain's central store) on a domain controller in the domain where you want to apply the templates. Copying the template files and the EN-US folder directly to that PolicyDefinitions folder is the only way that the Information Card administrative templates will appear in the Group Policy Management snap-in. If the PolicyDefinitions folder does not exist, create it first, and then copy the template files and the EN-US folder there; only after that will the templates appear in the snap-in. For more information about how to add ADMX template files to a domain controller, see Managing Group Policy ADMX Files Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=60363).

  4. In the “Geneva” Server Policy Administration dialog box, confirm that the files were copied successfully, and then click OK.
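The following PowerShell script is an added example, not code from the original article or from the AD FS product: it performs Step 1 without the console (stage the ADMX/ADML files into the domain's central store, creating the folder if needed) and then parses each copied template to list the policies it defines and the registry key and value they set, so the settings can be reviewed before any GPO is edited. It assumes the console saved the templates to C:\CardTemplates (one or more *.admx files plus an en-US\*.adml folder) and that the domain is contoso.com; both are placeholders to adjust.

```powershell
# Added example; not part of the original article or of the AD FS product.
# Assumptions (adjust to your environment): templates were saved to
# C:\CardTemplates as *.admx files plus an en-US\*.adml folder; domain is contoso.com.
param(
    [string]$SourceFolder = 'C:\CardTemplates',
    [string]$Domain       = 'contoso.com'
)

$central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$langDir = Join-Path $central 'en-US'

# Create the central store and its language folder if they do not exist yet.
# Once a central store exists, Group Policy Management reads templates from it
# instead of the local %SystemRoot%\PolicyDefinitions folder.
foreach ($dir in @($central, $langDir)) {
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
}

# Copy each ADMX together with its matching ADML. Group Policy Management cannot
# render a template whose display strings (the ADML) are missing.
$templates = @(Get-ChildItem -LiteralPath $SourceFolder -Filter '*.admx')
if ($templates.Count -eq 0) { throw "No .admx files found in $SourceFolder" }
foreach ($admx in $templates) {
    Copy-Item -LiteralPath $admx.FullName -Destination $central -Force
    $adml = Join-Path (Join-Path $SourceFolder 'en-US') ($admx.BaseName + '.adml')
    if (Test-Path -LiteralPath $adml) {
        Copy-Item -LiteralPath $adml -Destination $langDir -Force
    } else {
        Write-Warning "No en-US ADML found for $($admx.Name); the snap-in will not display it."
    }
}

# Audit what the copied templates will actually write. Every <policy> element in an
# ADMX carries its class (User or Machine), the registry key it targets and, for
# simple policies, the value name; policies built from list or text elements leave
# valueName empty. Listing these shows exactly what a GPO using the template changes.
$ns = @{ pd = 'http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions' }
$report = foreach ($admx in $templates) {
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load((Join-Path $central $admx.Name))
    foreach ($hit in Select-Xml -Xml $xml -Namespace $ns -XPath '//pd:policy') {
        $p = $hit.Node
        [pscustomobject]@{
            Template  = $admx.Name
            Policy    = $p.name
            Class     = $p.class
            Key       = $p.key
            ValueName = $p.valueName
        }
    }
}
$report | Sort-Object Template, Policy | Format-Table -AutoSize
```

Run it from an account that can write to SYSVOL (see the permissions note above); the same write permission that lets you stage templates lets anyone holding it replace them, which is why it is limited to domain and enterprise administrators.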

To complete the following procedures, you must have permission to edit a Group Policy object (GPO). By default, members of Domain Administrators, Enterprise Administrators, and Group Policy Creator Owners have permission to edit a GPO. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Step 2: Configure the Auto Card Provisioning template
  1. Click Start, point to Administrative Tools, click Group Policy Management, right-click the GPO where you want to configure this template, and then click Edit.

  2. In the console tree, under User Configuration, double-click Policies, double-click Administrative Templates, and then click Microsoft Identity Selector.

  3. In the details pane, double-click the Auto Card Provisioning template.

  4. On the Auto Card Provisioning dialog box, click Enabled.

  5. In Issuer URI, type the Uniform Resource Identifier (URI) for the federation server where your managed Information Cards are stored, for example, http://sts1.contoso.com/Trust.

  6. In Provisioning MEX endpoint address, type the URL of the metadata exchange (MEX) endpoint on the federation server where your managed Information Cards are stored, for example, http://sts1.contoso.com/provisioning/mex. In a production deployment, publish this endpoint over HTTPS: client computers download card metadata from it, and an address served over plain HTTP can be substituted by anyone on the network path.

Step 3: Configure the Auto Card Provisioning Polling Interval template
  1. Click Start, point to Administrative Tools, click Group Policy Management, right-click the GPO where you want to configure this template, and then click Edit.

  2. In the console tree, under User Configuration, double-click Policies, double-click Administrative Templates, and then click Microsoft Identity Selector.

  3. In the details pane, double-click the Auto Card Provisioning Polling Interval template.

  4. On the Auto Card Provisioning Polling Interval dialog box, click Enabled.

  5. In Auto Card Provisioning polling interval in minutes, select a new time interval or leave it at the default setting of 2,880 minutes (48 hours). A shorter interval gets re-issued or withdrawn cards onto client computers sooner, at the cost of more frequent requests to the federation server.

Step 4: Configure the Information Card Usage Policy template
  1. Click Start, point to Administrative Tools, click Group Policy Management, right-click the GPO where you want to configure this template, and then click Edit.

  2. In the console tree, under User Configuration, double-click Policies, double-click Administrative Templates, and then click Microsoft Identity Selector.

  3. In the details pane, double-click the Information Card Usage Policy template.

  4. In the Information Card Usage Policy dialog box, click Enabled.

  5. In This policy applies to Information Cards with the following CardType, type the globally unique identifier (GUID) for the managed Information Card that you want this policy to apply to, for example, urn:GUID:e6aa3780-2f34-de11-ba52-00155d558852.

    Note
    You can locate the Information Card GUID by starting the AD FS 2.0 Management snap-in, clicking the Information Card folder, and then viewing the value Type in the details pane.

  6. Click the Show button.

  7. In the Show Contents dialog box, click Add.

  8. In the Add Item dialog box, under Enter the item to be added, type the new relying party URL (add additional URLs as needed), and then click OK three times to save your changes.

    Note
    In cases where you have multiple host prefix names for a single Internet domain (for example, sales.contoso.com/app, support.contoso.com/app), you can use a wildcard symbol (for example, *.contoso.com/app) to include all possible prefix host names for that Internet domain name. Keep the wildcard as narrow as the application requires: this list defines which relying parties are authorized to accept the cards, and a pattern that matches more hosts than you intend extends that authorization to them.
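The following PowerShell function is an added example, not code from the original article or from the AD FS product. It checks the values you are about to enter in the Auto Card Provisioning, Polling Interval and Information Card Usage Policy dialogs of Steps 2 to 4: the issuer URI is an absolute URI, the MEX endpoint uses HTTPS, the polling interval is positive and not longer than the 48-hour default, the CardType has the urn:GUID:<guid> form shown in the snap-in, and each relying party entry is a host name with at most a leading "*." wildcard on a domain. These rules are the example's own assumptions about sensible settings, not requirements stated by the product documentation; the sample call at the end uses the article's example values plus a constructed "*" entry to show a rejected pattern.

```powershell
# Added example; not part of the original article or of the AD FS product.
# The validation rules are this script's assumptions, not product requirements.
function Test-CardPolicySettings {
    param(
        [Parameter(Mandatory = $true)][string]$IssuerUri,
        [Parameter(Mandatory = $true)][string]$MexEndpoint,
        [int]$PollingIntervalMinutes = 2880,
        [Parameter(Mandatory = $true)][string]$CardType,
        [string[]]$RelyingParties = @()
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'

    # Issuer URI: an identifier matched against the issuer in the card, so it must be an
    # absolute URI and exactly what the federation server puts in the cards it issues.
    $tmp = $null
    if (-not [Uri]::TryCreate($IssuerUri, [UriKind]::Absolute, [ref]$tmp)) {
        $problems.Add("Issuer URI '$IssuerUri' is not an absolute URI.")
    }

    # MEX endpoint: clients download card metadata from it, so insist on https
    # to keep an on-path attacker from substituting issuer metadata.
    $mex = $null
    if (-not [Uri]::TryCreate($MexEndpoint, [UriKind]::Absolute, [ref]$mex)) {
        $problems.Add("MEX endpoint '$MexEndpoint' is not an absolute URL.")
    } elseif ($mex.Scheme -ne 'https') {
        $problems.Add("MEX endpoint '$MexEndpoint' is not served over https.")
    }

    # Polling interval: must be positive; flag anything above the 2,880-minute default
    # because re-issued or withdrawn cards stay on clients until the next poll.
    if ($PollingIntervalMinutes -lt 1) {
        $problems.Add('Polling interval must be at least 1 minute.')
    } elseif ($PollingIntervalMinutes -gt 2880) {
        $problems.Add("Polling interval of $PollingIntervalMinutes minutes exceeds the 2880-minute default.")
    }

    # CardType: the form shown in the snap-in's Type column is urn:GUID:<guid>.
    $guid = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    if ($CardType -notmatch "^urn:GUID:$guid$") {
        $problems.Add("CardType '$CardType' is not of the form urn:GUID:<guid>.")
    }

    # Relying parties: host[/path], optionally with a leading "*." wildcard. Reject
    # patterns that would let every host, or a whole top-level domain, accept the cards.
    $label = '[A-Za-z0-9-]+'
    foreach ($rp in $RelyingParties) {
        $noScheme = $rp -replace '^[A-Za-z][A-Za-z0-9+.-]*://', ''   # tolerate a pasted URL
        $hostPart = ($noScheme -split '/', 2)[0]
        if ($hostPart -match '\*') {
            # Allowed: "*." followed by at least two labels, e.g. *.contoso.com; "*" and "*.com" fail.
            if ($hostPart -notmatch "^\*\.($label\.)+$label$") {
                $problems.Add("Relying party '$rp': a wildcard must be a leading '*.' on a domain such as *.contoso.com.")
            }
        } elseif ($hostPart -notmatch "^($label\.)*$label$") {
            $problems.Add("Relying party '$rp' does not look like a host name.")
        }
    }

    [pscustomobject]@{
        Valid    = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Constructed sample: the article's example values plus a deliberately over-broad "*" entry.
$result = Test-CardPolicySettings `
    -IssuerUri      'http://sts1.contoso.com/Trust' `
    -MexEndpoint    'http://sts1.contoso.com/provisioning/mex' `
    -CardType       'urn:GUID:e6aa3780-2f34-de11-ba52-00155d558852' `
    -RelyingParties 'sales.contoso.com/app', '*.contoso.com/app', '*'
$result.Problems | ForEach-Object { Write-Warning $_ }
```

With the article's example values the function reports two problems, the plain-HTTP MEX endpoint and the bare "*" relying party, and passes the rest; the wildcard check deliberately stops short of a public-suffix list, so a pattern such as *.co.uk is accepted and has to be caught by review.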

© 2009 Microsoft Corporation. All rights reserved.