AD FS in Windows Server 2008 R2 Step-by-Step Guide

  • Article

Applies To: Windows Server 2008 R2

Active Directory® Federation Services (AD FS) is a server role that you can install in the Windows Server® 2008 R2 operating system. You can use the AD FS server role to create a highly extensible, Internet-scalable, and secure identity access solution that can operate across multiple platforms, including both Microsoft® Windows® environments and non-Windows environments.

For additional information about AD FS, see Active Directory Federation Services Overview.

About this guide

This guide provides instructions for setting up AD FS in a Hyper-V™ test lab with computers running Windows Server 2008 R2. It explains how to install and test a single claims-aware application. For more information about setting up a Hyper-V server, see Virtualization with Hyper-V (https://go.microsoft.com/fwlink/?LinkId=126326).

You can use the code in this guide to create a sample claims-aware application. No additional downloads are required. The instructions in this guide take approximately two hours to complete.

You can use the test lab environment to evaluate the AD FS technology and assess how it might be deployed in your organization. As you complete the steps in this guide, you will be able to:

  • Set up four computers (one client computer, one AD FS-enabled Web server, and two federation servers) to participate in AD FS federation between two fictitious companies (A. Datum Corporation and Trey Research).

  • Create two forests to be used as designated account stores for federated users. Each forest will represent one fictional company.

  • Use AD FS to set up a federated trust relationship between both companies.

  • Use AD FS to create, populate, and map claims.

  • Provide federated access for users in one company to access a claims-aware application that is located at the other company.

To maximize your chances of completing the objectives of this guide successfully, it is important to do all of the following:

  • Follow the steps in this guide in order.

  • Use the precise IP addresses that are specified.

  • Use the exact computer, user, group, company, claim, and domain names that are specified.

  • If you are unsuccessful at using virtualization software, attempt to use four separate computers that are connected to a private network.

Note

The instructions in this guide assume that you are configuring the lab using Hyper-V, which is why the drive letter that indicates where files are saved throughout the lab is the D: drive. Therefore, if you decide to use four separate computers and run this lab in a nonvirtualized environment, make sure that you save these files to the C: drive instead when you are prompted.

Microsoft has successfully tested this guide using Hyper-V software. Any modifications to these configuration details might affect or limit your chances of setting up this lab successfully on the first try.

What this guide does not provide

This guide does not provide the following:

  • Instructions for installing and configuring Microsoft Windows NT® token–based applications, such as Windows® SharePoint® Services or Microsoft Office SharePoint Portal Server 2003, for use with AD FS

  • Instructions for configuring Microsoft Office SharePoint Server 2007 as a claims-aware application

    For information for configuring Office SharePoint Server 2007 as a claims-aware application for use with AD FS, see Configure Web SSO authentication by using ADFS (Office SharePoint Server) (https://go.microsoft.com/fwlink/?LinkId=84805).

  • Guidance for setting up and configuring AD FS in a production environment

    For information about how to deploy or manage AD FS, look for AD FS planning, deployment, and operations content at Active Directory Federation Services (https://go.microsoft.com/fwlink/?LinkId=133130).

  • Instructions for setting up and configuring Microsoft Certificate Services for use with AD FS

    For information about setting up and configuring Microsoft Certificate Services, see Public Key Infrastructure for Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkId=19936).

  • Instructions for setting up and configuring a federation server proxy

Note

The federation server includes the functionality of the federation server proxy role. For example, the federation server can perform client authentication, home realm discovery, and sign-out.

Requirements for AD FS in Windows Server 2008 R2

To complete the steps in this guide, you must configure four test computers with the following operating systems:

  • Windows Server 2008 R2 Enterprise or Windows Server 2008 R2 Datacenter for federation servers

  • Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, or Windows Server 2008 R2 Datacenter for the AD FS-enabled Web server

  • Windows 7 for the AD FS client computer.