When to enable Windows trusts

Applies To: Windows Server 2003 R2

Active Directory Federation Services (ADFS) has built-in support for federation in organizations where a forest trust or external trust exists between two forests that represent the same organization. External trusts and forest trusts are also known as Windows trusts.

When Windows trusts have been established and you have decided to deploy a Federated Web Single-Sign-On (SSO) with Forest Trust design in your organization, you can configure ADFS to work over Windows trusts.

To successfully implement the Federation Web SSO with Forest Trust design and configure ADFS to support the Windows trust model, do all of the following:

• Verify that a forest trust exists between two Windows Server 2003 forests or that an external trust exists between Windows Server 2003 or Windows 2000 Server domains in each forest (where the resource forest trusts the account forest). For more information about Windows trusts, see Administering Domain and Forest Trusts (https://go.microsoft.com/fwlink/?LinkId=63917).

• Configure the resource Federation Service to enable the Use Windows trusts relationship option in the properties of the account partner. For more information, see Configure an account partner to use Windows trust.

• Configure the account Federation Service to enable the Use Windows trust relationship for this partner option in the properties of the resource partner. For more information, see Configure a resource partner to use Windows trust.