When to create an ADFS-enabled Web server farm

Applies To: Windows Server 2003 R2

You create an Active Directory Federation Services (ADFS)-enabled Web server farm when you want to balance the load of incoming federated access requests that are made to one or more protected applications. The benefits of a Web server farm are fault tolerance for the hosted applications and, potentially, better response times for client browsers. To client computers, the farm appears as a single Web server servicing a highly scalable federated application.

If you are thinking about creating a Web server farm solely to increase performance, consider whether it might be better to optimize the hardware or software performance of a single Web server before adding the additional costs and administrative overhead that are associated with synchronizing data between two or more Web servers. For more information about how to measure whether your ADFS-enabled Web server is performing optimally, see Planning for ADFS-enabled Web server capacity.

You can use a network load-balancing service, such as the Microsoft Network Load Balancing (NLB) service that is included in Windows Server 2003 operating systems, to create and manage your ADFS-enabled Web server farm. The number of Web servers that is required to support your federated applications is determined largely by the type and complexity of the applications and their client connection state (stateless as opposed to stateful) requirements.

Guidelines for creating server farms for federated applications using NLB are similar to the guidelines for creating server farms for nonfederated Web applications running on Internet Information Services (IIS) 6.0. For more information about using nonfederated Web applications with NLB, see Identifying Applications That Benefit from NLB (https://go.microsoft.com/fwlink/?LinkId=74610).

When they are used together, the recommendations in the NLB deployment documentation and in the topic Planning for ADFS-enabled Web server capacity should provide sufficient data for you to determine whether your federated applications can benefit from the improved scalability and availability that an ADFS-enabled Web server farm environment provides.

Configuring servers in the farm

Creating an ADFS-enabled Web server farm involves more than just placing the Web servers in a resource partner organization and then configuring NLB clustering. The following table provides additional guidance for identically configuring each of the ADFS-enabled Web servers in a farm.

To configure the: Claims-aware Web Agent in the web.config file for the protected application
To: Point to the same Federation Service Uniform Resource Locator (URL) for each ADFS-enabled Web server in the farm
See: Set the Federation Service URL for a claims-aware application

To configure the: Windows NT token-based Web Agent in the properties of the Web Sites folder in IIS 6.0
To: Point to the same Federation Service URL for each ADFS-enabled Web server in the farm
See: Set the Federation Service URL for a Windows NT token-based application

To configure the: Server authentication certificate
To: Export the private key so that the same server authentication certificate can be assigned to each ADFS-enabled Web server in the farm. Many certification authorities (CAs) can instead issue each Web server its own certificate with the same subject name; if that is the case in your scenario, you do not have to perform this procedure.
Note: There is no requirement to use the same certificate on all ADFS-enabled Web servers, as long as every Web server in the farm has a certificate that is issued by the same CA and each certificate has a matching subject name (the DNS name that clients use to reach the farm, not the name of an individual server).
See: Export the private key portion of a server authentication certificate

To configure the: Server authentication certificate
To: Install on the appropriate Web site or virtual directory where your federated application will reside (for an example that uses the default Web site, see the following link)
See: Import a server authentication certificate to the default Web site
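As an added example (not part of the original page or of the ADFS product), the following Windows PowerShell script checks the points in the table above from an administrative workstation: it reads each node's web.config over the administrative share, performs a TLS handshake with each node directly while presenting the farm's host name, and then compares Federation Service URLs, certificate issuers and certificate subjects across the farm. The node names, the farm host name, the application path and the web.config element that holds the Federation Service URL are assumptions for illustration and must be adjusted to your environment. The script covers the claims-aware Web Agent only; the Windows NT token-based Web Agent stores its Federation Service URL in IIS rather than in web.config.

```powershell
# Added example, not from the original page: verify that every node of an
# ADFS-enabled Web server farm is configured identically before NLB starts
# spreading requests across them. Node names, farm host name, application
# path and the web.config element holding the Federation Service URL are
# assumptions for illustration; adjust them for your environment.
param(
    [string[]]$Nodes        = @('adfsweb1', 'adfsweb2'),            # farm members (assumed)
    [string]  $FarmHostName = 'adfsweb.treyresearch.net',           # name clients use via NLB (assumed)
    [string]  $AppPath      = 'inetpub\wwwroot\claimapp',           # application directory on each node (assumed)
    [string]  $FsXPath      = '/configuration/system.web/websso/fs' # claims-aware agent's FS URL element (assumed)
)

function Get-FederationServiceUrl {
    # Read the Federation Service URL that the claims-aware Web Agent on one
    # node is configured with.
    param([string]$Node)
    $path = "\\$Node\c`$\$AppPath\web.config"
    [xml]$cfg = Get-Content -Path $path -ErrorAction Stop
    $el = $cfg.SelectSingleNode($FsXPath)
    if ($null -eq $el) { throw "$path has no element at $FsXPath" }
    return $el.InnerText.Trim()
}

function Get-ServerCertificate {
    # Handshake directly with one node (bypassing NLB) while presenting the
    # farm host name, and return the certificate that node actually serves.
    param([string]$Node, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Node, $Port)
    try {
        # Accept any certificate here: this inspects the certificate, it does not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($FarmHostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

$report = foreach ($n in $Nodes) {
    $cert = Get-ServerCertificate -Node $n
    New-Object PSObject -Property @{
        Node       = $n
        FsUrl      = Get-FederationServiceUrl -Node $n
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
    }
}
$report | Format-Table Node, FsUrl, Subject, Issuer, Thumbprint, NotAfter -AutoSize

# 1. Every node must send users to the same Federation Service.
$fsUrls = @($report | Select-Object -ExpandProperty FsUrl -Unique)
if ($fsUrls.Count -ne 1) {
    Write-Warning "Federation Service URL differs across nodes: $($fsUrls -join '; ')"
}

# 2. Certificates may differ per node only if the same CA issued them with the
#    same subject name; otherwise clients see a different server identity
#    depending on which node NLB selects.
$issuers  = @($report | Select-Object -ExpandProperty Issuer  -Unique)
$subjects = @($report | Select-Object -ExpandProperty Subject -Unique)
if ($issuers.Count -ne 1 -or $subjects.Count -ne 1) {
    Write-Warning "Server certificates are not equivalent across nodes (issuers: $($issuers -join '; '); subjects: $($subjects -join '; '))"
}

# 3. The subject must name the host clients connect to (the NLB name), not an
#    individual node. A wildcard or subject-alternative-name certificate that
#    covers the farm name also satisfies browsers; extend this check for those.
foreach ($s in $subjects) {
    if ($s -notmatch ('(^|,\s*)CN=' + [regex]::Escape($FarmHostName) + '(,|$)')) {
        Write-Warning "Certificate subject '$s' does not name the farm host $FarmHostName"
    }
}

# 4. A certificate that expires on one node removes that node, and its share
#    of users, from the farm without any NLB-level indication.
foreach ($r in $report) {
    if ($r.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate on $($r.Node) expires $($r.NotAfter)"
    }
}
```

Run it against the individual node names rather than the NLB cluster name, so that each node is exercised in turn instead of whichever node NLB happens to select; the handshake still presents the farm name, which is what a browser would do when it validates the certificate.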

For additional details about how to configure an ADFS-enabled Web server farm, see Checklist: Installing an ADFS-enabled Web server.