Deploying AD FS-Enabled Web Servers

  • Article

Applies To: Windows Server 2008

To deploy Active Directory Federation Services (AD FS)-enabled Web servers, complete each of the tasks in Checklist: Installing an AD FS-Enabled Web Server. After you complete the tasks in this checklist, you can set up the Web server to host claims-aware applications or Windows NT token–based applications in the resource partner organization.

Note

When you use this checklist, we strongly recommend that you first read the references to Web server planning in the AD FS Design Guide before continuing to the procedures for configuring the servers. Following the checklist in this way helps provide an understanding of the full AD FS design and deployment story for Web servers.

About AD FS-enabled Web servers

In AD FS, Web servers in the resource partner forest host the AD FS Web Agent role service to provide secure access to federated Web applications that are hosted on those Web servers. The AD FS Web Agent receives security tokens and authentication cookies that are sent to the Web server from the resource Federation Service. The Web server requires a relationship with a Federation Service in the resource partner, where the forest that the Web server resides in trusts the forest where the resource federation server resides, so that all trusted authentication tokens come from that Federation Service.

The AD FS Web Agent supports two types of applications: claims-aware applications and Windows NT token–based applications. A claims-aware application is a Microsoft ASP.NET 2.0 application that is fully capable of using AD FS claims to make authorization decisions. A Windows NT token–based application is an Internet Information Services (IIS) application that is written to use Windows native authorization mechanisms and that is not capable of consuming AD FS claims.

The type of Web-based applications that your Web server will be hosting determines the type of AD FS Web Agent that you install on the Web server. That is, if your Web server will host only claims-aware applications, you install only the assemblies of the AD FS Web Agent that are used for claims-aware applications. If you have an existing application that uses Windows Integrated authentication, you install only the assemblies of the AD FS Web Agent that are used for Windows NT token–based applications so that the application can use AD FS for authentication.