Checklist: Installing an AD FS-Enabled Web Server

Updated: January 31, 2008

Applies To: Windows Server 2008

This checklist includes the deployment tasks for preparing a server running Windows Server 2008 Standard or Windows Server 2008 Enterprise for the Active Directory Federation Services (AD FS)-enabled Web server role.

Note
Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.

Checklist: Installing an AD FS-enabled Web server


Review important changes to AD FS since the Windows Server 2003 R2 release, including an improved installation process.

Conceptual topic What's New in AD FS in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=85684)

Review information in the Active Directory Federation Services Design Guide about where to place AD FS-enabled Web servers in your organization.

Conceptual topic Planning AD FS-Enabled Web Server Placement

Conceptual topic Where to Place an AD FS-Enabled Web Server

Use the information in the Active Directory Federation Services Design Guide to determine whether a single AD FS-enabled Web server or a Web server farm is appropriate for your deployment.

Conceptual topic When to Create an AD FS-Enabled Web Server Farm

Review information in the Active Directory Federation Services Design Guide about why AD FS-enabled Web servers require server authentication certificates: the certificate lets clients authenticate the Web server and establishes the SSL channel over which federated requests are protected.

Conceptual topic Certificate Requirements for AD FS-Enabled Web Servers

Review information in the Active Directory Federation Services Design Guide about how to update the perimeter network Domain Name System (DNS) so that successful name resolution between clients and AD FS-enabled Web servers in farms can occur.

Conceptual topic Name Resolution Requirements for AD FS-Enabled Web Servers

Join the computer that will become the AD FS-enabled Web server to a domain in the resource partner forest where it will be used to authorize federated clients.

Note
If your AD FS-enabled Web server will be hosting a Windows NT token–based application, the server must be joined to a domain in the same forest, or in a trusting forest, where the resource federation server resides.

Procedure topic Join a Computer to a Domain

Create a new resource record in the perimeter network DNS that points the DNS host name of the AD FS-enabled Web server to the IP address of the AD FS-enabled Web server.

Procedure topic Add a Host (A) Resource Record to Perimeter DNS for an AD FS-Enabled Web Server

Install the prerequisite applications (ASP.NET, Internet Information Services (IIS), and Microsoft .NET Framework 2.0) on the computer that will become the AD FS-enabled Web server.

Procedure topic Install Prerequisite Applications

After you obtain a server authentication certificate (together with its private key), install it in IIS on the Web site or virtual directory where your federated application will reside.

For an example that uses the default Web site, see the procedure topic listed in the reference.

Note
If you will be adding an AD FS-enabled Web server to an existing AD FS-enabled Web server farm, you must add the same server authentication certificate that you receive from the certification authority (CA) to the appropriate Web site or virtual directory where your federated application will reside on each of the servers that will be participating in the farm.

Procedure topic Import a Server Authentication Certificate to the Default Web Site

(Optional) In a scenario in which you want to install the Federation Service on your AD FS-enabled Web server so that the same server will play both the AD FS-enabled Web server role and the federation server role, configure certificates in the following way:

  • Install the server authentication certificate on the appropriate Web site or virtual directory where your application will reside, as indicated in the previous task.

  • Install the server authentication certificate for the federation server. This certificate must be installed in the Local Computer certificate store of the AD FS-enabled Web server, and its root certificate or certificates must also be installed in the Trusted Root Certification Authorities store.

    Note
    Use the Certificate snap-in to install certificates to the appropriate store.

  • Install the token-signing certificate that the federation server will use to sign its tokens. This certificate must be installed in the Local Computer certificate store of the AD FS-enabled Web server, and its root certificate or certificates must also be installed in the Trusted Root Certification Authorities store.

    Note
    Use the Certificate snap-in to install certificates to the appropriate store.

(Not applicable)

(Optional) As an alternative to obtaining a server authentication certificate from a CA, you can use IIS 7.0 to create a self-signed certificate for your AD FS-enabled Web server.

Because a self-signed certificate generated by IIS 7.0 is not issued by a trusted certification authority, clients will not trust it by default. Use a self-signed certificate only in the following scenarios:

  • When you have to create a Secure Sockets Layer (SSL) channel between your server and a limited, known group of users

  • When you have to troubleshoot third-party certificate problems

Caution
It is not a security best practice to deploy an AD FS-enabled Web server in a production environment using a self-signed server authentication certificate.

Procedure topic IIS 7.0: Create a Self-Signed Server Certificate in IIS 7.0 (http://go.microsoft.com/fwlink/?LinkId=108271)

Install the AD FS Web Agent component on the computer that will become the AD FS-enabled Web server.

Procedure topic Install the AD FS Web Agent Role Service
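The server-side tasks above (confirming the domain join, adding the perimeter DNS host record, installing the prerequisite role services, importing and binding the server authentication certificate, and installing the Web Agent role service) scripted end to end, as an added example. This is not code from the checklist or from Microsoft's procedure topics. It assumes Windows Server 2008 with PowerShell 2.0 (Windows Management Framework), an elevated prompt on the prospective Web server, a CA-issued certificate exported with its private key to a PFX file, and the placeholder host names, addresses, paths and role-service IDs shown in the comments; confirm the IDs on your system with ServerManagerCmd.exe -query.

```powershell
# Added example (not from the checklist). Assumes PowerShell 2.0, an elevated
# prompt, and the placeholder values below.
$WebServerFqdn = 'adfsweb.corp.contoso.com'   # assumed DNS host name of this server
$WebServerIp   = '10.0.5.20'                  # assumed perimeter-facing IP address
$PerimeterDns  = 'dns1.perimeter.contoso.com' # assumed perimeter DNS server
$PerimeterZone = 'corp.contoso.com'           # assumed zone hosted in perimeter DNS
$PfxPath       = 'C:\certs\adfsweb.pfx'       # assumed CA-issued cert + private key
# Well-known application ID that IIS uses for HTTP.SYS SSL bindings.
$IisAppId      = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'

# 1. The server must already be joined to a domain in the resource partner forest.
$cs = Get-WmiObject Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "Join $($cs.Name) to a domain in the resource partner forest before continuing."
}
"Domain membership: $($cs.Domain)"

# 2. Host (A) record in perimeter DNS (run as an account allowed to update the zone).
$hostLabel = $WebServerFqdn.Split('.')[0]
& dnscmd.exe $PerimeterDns /RecordAdd $PerimeterZone $hostLabel A $WebServerIp

# 3. Prerequisites and the Web Agent. ServerManagerCmd takes one ID per call and
#    pulls in dependencies; the AD FS role-service IDs are assumed (check -query).
$roleServices = @('Web-Server', 'Web-Asp-Net', 'Web-Windows-Auth',
                  'ADFS-Claims', 'ADFS-Windows-Token')
foreach ($id in $roleServices) {
    & ServerManagerCmd.exe -install $id
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "ServerManagerCmd -install $id returned exit code $LASTEXITCODE"
    }
}

# 4. Server authentication certificate: import into the Local Computer store
#    with a persisted machine key, then bind it to the Default Web Site on 443.
$pfxPassword = Read-Host 'PFX password' -AsSecureString
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($PfxPath, $pfxPassword, 'MachineKeySet,PersistKeySet')
# Verify() walks the chain against this machine's Trusted Root store: a
# self-signed or untrusted certificate fails here and is not acceptable in production.
if (-not $cert.Verify()) {
    Write-Warning "Certificate chain for $($cert.Subject) does not validate on this server."
}
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()
"Imported $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

& "$env:windir\system32\inetsrv\appcmd.exe" set site /site.name:"Default Web Site" `
    "/+bindings.[protocol='https',bindingInformation='*:443:']"
& netsh.exe http add sslcert ipport=0.0.0.0:443 "certhash=$($cert.Thumbprint)" "appid=$IisAppId"
```

When adding a second member to a farm, rerun step 4 with the same PFX on each member so that every server presents the identical certificate for the farm name, as the note under the certificate task requires.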

Install and configure a claims-aware application or a Windows NT token–based application on your new AD FS-enabled Web server.

Checklist topic Checklist: Installing a Claims-Aware Application

Checklist topic Checklist: Installing a Windows NT Token-Based Application

From a client computer, verify that the AD FS-enabled Web server is operational.

Procedure topic Verify That an AD FS-Enabled Web Server Is Operational
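An added client-side verification script, not part of the checklist or its referenced procedure topic. It connects to each farm member by address but authenticates against the farm's DNS name, so that it surfaces exactly the failure modes the checklist warns about: a self-signed or untrusted certificate (the Caution under the self-signed task), a name that does not match the perimeter DNS record, and farm members that present different certificates (the note under the certificate task). Only when the channel is trustworthy does it request the application and report the redirect to the Federation Service. Assumes PowerShell 2.0 on the client; the farm name, member addresses and application path are constructed placeholders.

```powershell
# Added example (not from the checklist). Assumes PowerShell 2.0 and the
# placeholder values below.
$FarmFqdn    = 'adfsweb.corp.contoso.com'   # assumed farm DNS name
$FarmMembers = @('10.0.5.20', '10.0.5.21')  # assumed member addresses (constructed)
$AppPath     = '/claimapp/default.aspx'     # assumed federated application path

function Test-AdfsWebServerCertificate {
    param([string]$Address, [string]$HostName, [int]$Port = 443)
    $script:policyErrors = $null
    # Record the validation outcome instead of aborting, so a self-signed or
    # misnamed certificate is reported rather than hidden behind an exception.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($Address, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # Authenticate against the farm name, not the IP, so name mismatches are detected.
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
        New-Object PSObject -Property @{
            Address      = $Address
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            PolicyErrors = $script:policyErrors   # None, NameMismatch, ChainErrors...
        }
    } finally {
        $tcp.Close()
    }
}

$results = $FarmMembers | ForEach-Object { Test-AdfsWebServerCertificate -Address $_ -HostName $FarmFqdn }
$results | Format-Table -Property Address, Thumbprint, NotAfter, SelfSigned, PolicyErrors -AutoSize

$ok = $true
foreach ($r in $results) {
    if ($r.PolicyErrors -ne 'None') {
        Write-Warning "$($r.Address): certificate not trusted for $FarmFqdn ($($r.PolicyErrors))"
        $ok = $false
    }
    if ($r.SelfSigned) {
        Write-Warning "$($r.Address): self-signed certificate; not acceptable for production"
        $ok = $false
    }
    if ($r.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "$($r.Address): certificate expires $($r.NotAfter)"
    }
}
# Every member of a farm must present the same server authentication certificate.
$distinct = @($results | ForEach-Object { $_.Thumbprint } | Sort-Object -Unique)
if ($distinct.Count -ne 1) {
    Write-Warning "Farm members present $($distinct.Count) different certificates; import the same certificate on each member."
    $ok = $false
}

if ($ok) {
    # With a trusted channel, an unauthenticated request to the federated application
    # should be redirected (HTTP 302) to the Federation Service sign-in page.
    $request = [System.Net.WebRequest]::Create("https://$FarmFqdn$AppPath")
    $request.AllowAutoRedirect = $false
    try {
        $response = $request.GetResponse()
        $code = [int]$response.StatusCode
        "HTTP $code, Location: $($response.Headers['Location'])"
        $response.Close()
    } catch {
        Write-Warning "Request to https://$FarmFqdn$AppPath failed: $($_.Exception.Message)"
    }
}
```

The Location header should point at the resource federation server; if the request returns 200 instead of a redirect, the Web Agent is not protecting the application path you configured.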
