Working with Active Directory Federation Services

Windows Server 2003 R2 introduced Active Directory Federation Services (ADFS). ADFS is a single sign-on solution for web applications, allowing for the authentication of users across multiple directories, such as separate AD forests or Active Directory in Application Mode (ADAM) instances. By managing web-based login identities and tying them together, through Windows login authentication, organizations can more easily manage customer access to web-based applications without compromising internal security infrastructure.

ADFS is managed from an MMC Console, shown in Figure 8.20, that can be installed on a Windows Server 2003 Server R2 Enterprise Edition system.

Figure 8.20. Viewing the ADFS MMC Console.

ADFS is not a replacement for technologies such as MIIS 2003 and/or the IIFP. Instead of synchronizing identities across various directories, ADFS manages login attempts to web applications made from disparate directories. It is important to understand this concept because ADFS and MIIS perform different roles in an organization's environment.

Understanding the Key Components of ADFS

ADFS is composed of three different server components as follows:

• Federation Server A Federation server is the main ADFS component, which holds the Federation Service role. These servers route authentication requests between connected directories.

• Federation Proxy Server A Federation Proxy Server acts as a reverse proxy for ADFS authentication requests. This type of server normally resides in the DMZ of a firewall and is used to protect the back-end ADFS server from direct exposure to the untrusted Internet.

• Web Server The Web Server component of ADFS hosts the Web Agent component and manages authentication cookies sent to a web server application.

Each of these components can be individually installed in an ADFS structure, or they all can be installed on the same system.

Installing the ADFS with Windows Server 2003 R2

Installing ADFS on a Windows Server 2003 R2 requires several key prerequisites:

• Windows Server 2003 R2 Enterprise Edition or DataCenter Edition

• IIS 6.0

• ASP.NET 2.0

• .NET Framework 2.0

• 10MB of free disk space for setup

• A Secure Sockets Layer (SSL) certificate installed on the default Web site of the server

When the prerequisites have been satisfied and all necessary components, such as ASP.NET 2.0 and IIS 6.0, have been installed, ADFS can be installed via the following process:

Figure 8.21. Installing ADFS.

Working with ADFS

ADFS works by inputting information about connected partners, such as AD forests or ADAM orgs, and inputting specific partner and application information. Each set of information can be inputted by running the various wizards installed by ADFS as follows:

• Add Resource Partner Wizard This wizard enables you to to manually create or automatically import resource partners by using an XML file. Resource partners contain information about the specific web-based applications that users can access.

• Add Account Partner Wizard This wizard, shown in Figure 8.23, adds the information about specific account partners, which are connected security token issuers such as domain controllers.

• Add Applications Wizard This wizard adds specific claims-aware applications to ADFS.

Figure 8.23. Using the Add Account Partner Wizard in ADFS.

By entering the information about the various web-based applications, and which directories and identities are to be granted access, ADFS can provide for seamless sign-on capabilities among various directories. It can be a valuable asset for an organization that wants to share corporate information with trusted partners, without exposing their valuable internal assets to unnecessary exposure.