Active Directory Related Services and Resulting Internet Communication in Windows Server 2008

Applies To: Windows Server 2008

In This Section

Benefits and Purposes of AD FS and AD RMS

Overview of AD FS, Federated Applications, and Resulting Communication Across the Internet

Port Configurations for AD FS

Additional References for AD FS and Federated Web Application Design

Additional References for AD RMS

This section provides overview information about how Active Directory Federation Services (AD FS) communicates across the Internet. It also provides brief overview information about Active Directory Rights Management Services (AD RMS), which your organization might use in connection with sending information across the Internet.

For information about Active Directory Certificate Services (AD CS), which focuses on the handling of certificates in your organization, see Certificate Support and Resulting Internet Communication in Windows Server 2008 in this white paper.

Note that it is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization running servers that support users who are communicating across the Internet. This section, however, provides overview information as well as suggestions for other sources of information about using AD FS. You can use AD FS as part of a strategy for balancing your organization’s requirements for communication across the Internet with your organization’s requirements for protection of networked assets.

Benefits and Purposes of AD FS and AD RMS

Active Directory Federation Services (AD FS) is a server role in Windows Server 2008 that you can use to create a highly extensible, security-enhancing, and Internet-scalable identity access solution that can operate across multiple platforms, including both Windows and non-Windows environments. AD FS provides browser-based clients (internal or external to your network) with a seamless "one prompt" logon process that allows access to one or more protected Internet-facing applications, even when the user accounts and applications are located in completely different networks or organizations.

Active Directory Rights Management Services (AD RMS) is a server role in Windows Server 2008 that you can use to augment an organization's security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information, such as financial reports, product specifications, customer data, and confidential e-mail messages, from intentionally or accidentally getting into the wrong hands.

Overview of AD FS, Federated Applications, and Resulting Communication Across the Internet

If you want to support Web single-sign-on (SSO) technologies to authenticate a user to multiple Web applications over the life of a single online session, you can use AD FS in connection with appropriately designed Web applications, also known as federated applications. AD FS provides support to federated applications by helping secure digital identity and entitlement rights, or "Claims," that are shared across security and enterprise boundaries. Because of the relationship between AD FS and federated Web applications, you can control the resulting Internet communication by controlling the design of the applications and the design of your AD FS configuration.

It is beyond the scope of this white paper to provide guidelines about how to design an AD FS configuration or a federated Web application. For more information, see Additional References for AD FS and Federated Web Application Design, later in this section.

Port Configurations for AD FS

Because AD FS serves Web browser clients over Hypertext Transfer Protocol Secure (HTTPS), connectivity through HTTPS must be available to the federation servers and federation server proxies. The default port for HTTPS is port 443, but other port numbers may be configured depending on your IIS configuration. Your firewalls between clients and federation servers or federation server proxies must be configured to allow HTTPS traffic.

Just as clients need HTTPS connectivity to the federation server, the federation server proxy requires HTTPS connectivity to the federation server.

If any certificate that you use has certificate revocation lists (CRLs), the server with the configured certificate must be able to contact the server that distributes the CRLs. The type of CRL determines the ports that are used.
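The following PowerShell script is an added example, not part of this white paper or of the AD FS product, that checks the two connectivity requirements described above: HTTPS reachability to the federation server (which the federation server proxy and browser clients both need), and, for the SSL certificate configured on the server, which hosts and ports its CRL distribution points require (http:// CRLs are fetched on port 80, ldap:// CRLs on port 389). The federation server name, the HTTPS port and the certificate thumbprint are placeholders to be replaced with your own values; the script assumes Windows PowerShell 2.0 is installed on the Windows Server 2008 computer where it runs.

```powershell
# Added example (not from the white paper): verifies HTTPS connectivity to the
# federation server and lists the ports needed to reach the CRL distribution
# points of the configured SSL certificate. Values in param() are placeholders.
param(
    [string]$FederationServer = 'fs.example.com',   # placeholder federation server FQDN
    [int]$HttpsPort = 443,                          # change if IIS binds HTTPS to another port
    [string]$CertThumbprint = ''                    # optional: thumbprint of the SSL certificate
)

function Test-TcpPort {
    # Opens a TCP connection with a timeout; returns $true only if the port answers.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-CrlDistributionPorts {
    # Reads the CRL Distribution Points extension (OID 2.5.29.31) and maps each
    # URL to the host and port the server must be allowed to reach.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    $text = $ext.Format($true)
    $urls = [regex]::Matches($text, '(?i)\b(https?|ldap)://[^\s]+') | ForEach-Object { $_.Value }
    foreach ($u in $urls) {
        $uri = New-Object System.Uri($u)
        $targetHost = $uri.Host
        $port = $uri.Port
        if ($uri.Scheme -eq 'ldap') {
            $port = 389
            # ldap:/// with no host means "a domain controller"; the server must reach one on 389.
            if (-not $targetHost) { $targetHost = '(domain controller)' }
        }
        New-Object PSObject -Property @{ Url = $u; Host = $targetHost; Port = $port }
    }
}

# 1. HTTPS path from this computer (proxy or client) to the federation server.
$ok = Test-TcpPort -ComputerName $FederationServer -Port $HttpsPort
Write-Host ("HTTPS {0}:{1} reachable: {2}" -f $FederationServer, $HttpsPort, $ok)

# 2. CRL distribution points of the configured certificate (run on the server that holds it).
if ($CertThumbprint) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $CertThumbprint }
    if (-not $cert) { Write-Host "Certificate $CertThumbprint not found in LocalMachine\My"; return }
    foreach ($dp in Get-CrlDistributionPorts -Certificate $cert) {
        $reach = if ($dp.Host -like '(*') { 'n/a' } else { Test-TcpPort -ComputerName $dp.Host -Port $dp.Port }
        Write-Host ("CRL {0} -> {1}:{2} reachable: {3}" -f $dp.Url, $dp.Host, $dp.Port, $reach)
    }
}
```

Run it once from the federation server proxy (HTTPS check toward the federation server plus the proxy's own certificate) and once on the federation server itself (its certificate's CRL points); a `False` in the first line means the firewall between the two is not passing HTTPS on the configured port, and a `False` on a CRL line means revocation checking for that certificate will fail until that host and port are allowed outbound.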

The AD FS design called "Federated Web SSO with Forest Trust" has specific port requirements. For more information about this design, see the Microsoft Web site at:

For information about the port requirements associated with forest trusts, see the last section of the following topic on the Microsoft Web site:

Additional References for AD FS and Federated Web Application Design

Extensive information is available about AD FS and about federated application design. The following list provides some sources of information. For information about Active Directory Certificate Services (AD CS), which focuses on the handling of certificates in your organization, see Certificate Support and Resulting Internet Communication in Windows Server 2008 in this white paper.

Additional References for AD RMS

Extensive information is available about AD RMS. The following list provides some sources of information.