AD FS Step-by-Step Guide

Applies To: Windows Server 2008

Active Directory® Federation Services (AD FS) is a server role that you can install in the Windows Server® 2008 operating system. You can use the AD FS server role to create a highly extensible, Internet-scalable, and secure identity access solution that can operate across multiple platforms, including both Microsoft® Windows® and non-Windows environments.

For additional information about AD FS, see Active Directory Federation Services Overview. For more information about what features are new to AD FS in Windows Server 2008, see What's New in AD FS in Windows Server 2008.

About this guide

This guide provides instructions for setting up AD FS in a small test lab with computers running the Windows Server 2008 operating system. It explains how to install and test a single claims-aware application.

You can use the code in this guide to create a sample claims-aware application. No additional downloads are required. The instructions in this guide take approximately two hours to complete.

You can use the test lab environment to evaluate the AD FS technology and assess how it might be deployed in your organization. As you complete the steps in this guide, you will be able to:

  • Set up four computers (one client, one AD FS-enabled Web server, and two federation servers) to participate in AD FS federation between two fictitious companies (A. Datum Corporation and Trey Research).

  • Create two forests to be used as designated account stores for federated users. Each forest will represent one fictional company.

  • Use AD FS to set up a federated trust relationship between both companies.

  • Use AD FS to create, populate, and map claims.

  • Provide federated access for users in one company to access a claims-aware application that is located at the other company.

To maximize your chances of successfully completing the objectives of this guide, it is important that you do all of the following:

  • Follow the steps in this guide in order.

  • Use the precise IP addresses that are specified.

  • Use the exact computer, user, group, company, claim, and domain names that are specified.

  • If you are unsuccessful at using virtualization software, attempt to use four separate computers that are connected to a private network.

Important

Any modifications to these configuration details might affect or limit your chances of successfully setting up this lab on the first try.

Note

Microsoft has successfully tested this guide using Microsoft Virtual Server 2005 R2 software.

What this guide does not provide

This guide does not provide the following:

  • Instructions for installing and configuring Windows NT® token-based applications, such as Windows® SharePoint® Services or Microsoft Office SharePoint Portal Server 2003, for use with AD FS.

  • Instructions for configuring Microsoft Office SharePoint Server 2007 as a claims-aware application.

Note

For instructions for configuring Office SharePoint Server 2007 as a claims-aware application for use with AD FS, see Configure Web SSO authentication by using ADFS (Office SharePoint Server) (https://go.microsoft.com/fwlink/?LinkId=84805).

  • Guidance for setting up and configuring AD FS in a production environment.

    For information about how to deploy or manage AD FS, look for AD FS planning, deployment, and operations content at Active Directory Federation Services (https://go.microsoft.com/fwlink/?LinkId=69592).

  • Instructions for setting up and configuring Microsoft Certificate Services for use with AD FS.

    For information about setting up and configuring Microsoft Certificate Services, see Public Key Infrastructure for Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkId=19936).

  • Instructions for setting up and configuring a federation server proxy.

Note

The federation server includes the functionality of the federation server proxy role. For example, the federation server can perform client authentication, home realm discovery, and sign-out.

Requirements

To complete the steps in this guide, you must configure four test computers with the following operating systems:

  • Windows Server 2008 Enterprise or Windows Server 2008 Datacenter for federation servers

  • Windows Server 2008 Standard, Windows Server 2008 Enterprise, or Windows Server 2008 Datacenter for the AD FS–enabled Web server

  • Windows XP or Windows Vista™ for the AD FS client computer