Using Multiple Account Stores

Applies To: Windows Server 2003 R2

If you have multiple Active Directory Application Mode (ADAM) account stores whose users access Web applications that are protected by Active Directory Federation Services (ADFS), you must configure each ADAM store in the Federation Service with a unique uniform resource identifier (URI). In addition, you can set a priority for connecting to each store.

ADAM Store URI

Account stores are identified in Active Directory Federation Services (ADFS) by a Uniform Resource Identifier (URI). The account store URI is different from the Federation Service URI.

The URI for an Active Directory account store is always the same (urn:federation:activedirectory) because a forest has only one Active Directory store; this URI is provided automatically by the system. However, you can have multiple instances of Active Directory Application Mode (ADAM) account stores in a Federation Service. To uniquely identify ADAM stores within the trust policy, each ADAM store requires a unique URI. The URI can use a Uniform Resource Locator (URL) format, such as ldap://ADAMInstanceName, or a Uniform Resource Name (URN) format, such as urn:federation:ADAMInstanceName. ADFS does not impose or check the URI format; however, ADFS does check for uniqueness.

When you use the exact ADAM instance name in the URI, ADFS searches that store first. If the URI does not contain the ADAM instance name, ADFS searches all ADAM stores until it finds a match for the user. Therefore, although ADFS accepts any ADAM account store URI as long as it is unique, you can improve the efficiency of the ADAM search by including the exact ADAM instance name in the URI.
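The two rules above (URIs must be unique; URIs that embed the exact instance name let ADFS search that store first) can be checked before a trust policy is deployed. The following is an added example, not part of the original page or of ADFS itself; the store inventory is constructed, and the URL/URN shapes it recognizes are the two forms the text names.

```python
import re
from dataclasses import dataclass


@dataclass
class AdamStore:
    instance_name: str  # ADAM instance name as it appears in the Federation Service
    uri: str            # account store URI configured in the trust policy


# Constructed sample inventory (hypothetical names, not from any real deployment).
STORES = [
    AdamStore("PartnerADAM", "urn:federation:PartnerADAM"),   # URN form, names instance
    AdamStore("CustomerADAM", "ldap://CustomerADAM"),         # URL form, names instance
    AdamStore("VendorADAM", "urn:federation:adam-store"),     # unique, but no instance name
    AdamStore("LegacyADAM", "urn:federation:PartnerADAM"),    # duplicate URI: ADFS rejects it
]


def duplicate_uris(stores):
    """Return {uri: [instance names]} for every URI used by more than one store.
    ADFS does not check the URI format, but it does reject non-unique URIs."""
    by_uri = {}
    for s in stores:
        by_uri.setdefault(s.uri, []).append(s.instance_name)
    return {uri: names for uri, names in by_uri.items() if len(names) > 1}


def names_instance(store):
    """True if the URI embeds the exact instance name in either documented form
    (ldap://Instance or urn:federation:Instance), so ADFS searches that store
    first instead of walking every ADAM store until a user matches."""
    name = re.escape(store.instance_name)
    return re.fullmatch(rf"(ldap://|urn:federation:){name}", store.uri) is not None


def audit(stores):
    """Summarize blocking errors (duplicates) and efficiency warnings."""
    return {
        "duplicates": duplicate_uris(stores),
        "inefficient": [s.instance_name for s in stores if not names_instance(s)],
    }


if __name__ == "__main__":
    for key, value in audit(STORES).items():
        print(f"{key}: {value}")
```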

Task requirements

You need the following to perform the procedures for this task:

  • Active Directory Federation Services MMC snap-in

To complete this task, perform the following procedures on an as-needed basis:

See Also

Other Resources

Account Stores