Install the Federation Service Role Service

Applies To: Windows Server 2008

Now that you have properly configured a computer with the prerequisite applications and certificates, you are ready to install the Federation Service role service of Active Directory Federation Services (AD FS). When you install the Federation Service on a computer, that computer becomes a federation server.

Note

For the Federated Web Single-Sign-On (SSO) and Federated Web SSO with Forest Trust designs, you must have at least one federation server in the account partner organization and at least one federation server in the resource partner organization. For more information, see Where to Place a Federation Server.

You can use the following procedure to install the Federation Service role service of AD FS on a computer that will become the first federation server or on a computer that will become a federation server for an existing federation server farm.

Prerequisites

If you will be using a token-signing certificate that is issued by a certification authority (CA), verify that a token-signing certificate with the private key has already been installed or imported into the local certificate store (Personal store) before you start this procedure. As an alternative, you can create a self-signed, token-signing certificate using the Add Roles Wizard, as described in this procedure. For more information about token-signing certificates, see Certificate Requirements for Federation Servers.

If you are adding this new federation server to an existing federation server farm, make sure that the trust policy file is available on the network with the appropriate permissions before starting this procedure. For more information, see When to Create a Federation Server Farm.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To install the Federation Service role service

  1. Click Start, point to Administrative Tools, and then click Server Manager.

  2. Right-click Roles, and then click Add Roles to start the Add Roles Wizard.

  3. On the Before You Begin page, click Next.

  4. On the Select Server Roles page, click Active Directory Federation Services. Click Next two times.

  5. On the Select Role Services page, select the Federation Service check box, and then click Next.

Note

If you are prompted to install additional Web Server (IIS) or Windows Process Activation Service role services, click Add Required Role Services to install them, and then click Next.

  6. On the Choose a Token-Signing Certificate page, do one of the following:

    • If you want to use an existing token-signing certificate that has already been added to the certificate store on the local computer, click Choose an existing token-signing certificate, highlight the appropriate certificate in the list, and then click Next.

    • If you want Setup to create a new, self-signed, token-signing certificate for this federation server and add it to the personal store of the local computer, click Create a self-signed token-signing certificate, and then click Next.

  7. On the Select Trust Policy page, do one of the following:

    • If you are installing the Federation Service role service on a single federation server or on the first federation server in a server farm, click Create a new trust policy, specify the name and path of the trust policy file, and then click Next.

Note

Every federation server in a server farm will have to use this trust policy file. Therefore, we recommend that you store this file in a protected network shared folder. For more information, see When to Create a Federation Server Farm.

    • If you are installing the Federation Service role service on a computer that will become an additional federation server for an existing federation server farm, click Select an existing trust policy, and then click Browse. In the Browse dialog box, locate the shared TrustPolicy.xml file on the network, highlight it, click Open, and then click Next.

  8. After you verify the information on the Confirm Installation Selections page, click Install.

  9. On the Installation Results page, verify that everything installed correctly, and then click Close.
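The following Windows PowerShell script is an added pre-flight check for the prerequisites listed above; it is not part of this page or of the AD FS product. It assumes Windows PowerShell is installed on the prospective federation server, and the UNC share path and certificate subject filter are placeholders you replace with your own values.

```powershell
# Added pre-flight check for the Federation Service prerequisites; not from the original page.
# Assumptions: Windows PowerShell is available on this server; the share path and
# subject filter below are placeholders for your environment.
param(
    [string]$TrustPolicyPath = "\\FILESERVER\ADFS\TrustPolicy.xml",  # placeholder UNC path
    [string]$SubjectFilter   = "adfs",                                 # placeholder subject text
    [switch]$JoiningFarm                                               # set when adding to an existing farm
)
$problems = @()

# Membership in the local Administrators group is the minimum required to run the wizard.
$me = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $problems += "Current user is not a member of the local Administrators group."
}

# A CA-issued token-signing certificate must sit in the local computer's Personal
# store (Cert:\LocalMachine\My) together with its private key; without the private
# key the certificate may be listed but the server cannot sign tokens.
$signing = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $SubjectFilter }
if (-not $signing) {
    $problems += "No certificate matching '$SubjectFilter' in LocalMachine\My; " +
                 "import one or let the wizard create a self-signed certificate."
} elseif (-not ($signing | Where-Object { $_.HasPrivateKey })) {
    $problems += "Certificate matching '$SubjectFilter' was found, but without a private key."
}

# Farm members only: the shared TrustPolicy.xml must be reachable, and because every
# federation server in the farm trusts it, broad write access to it is a risk.
if ($JoiningFarm) {
    if (-not (Test-Path $TrustPolicyPath)) {
        $problems += "Trust policy file not found at $TrustPolicyPath."
    } else {
        $acl = Get-Acl $TrustPolicyPath
        $broad = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Everyone|Authenticated Users|BUILTIN\\Users' -and
            $_.FileSystemRights -match 'Write|Modify|FullControl'
        }
        foreach ($ace in $broad) {
            $problems += "Trust policy writable by $($ace.IdentityReference) ($($ace.FileSystemRights))."
        }
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "Prerequisites look satisfied; start the Add Roles Wizard." }
```

Run it with -JoiningFarm when the server is being added to an existing farm so that the trust policy share is checked as well.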