

ADFS Deployment Guide - Sneak Peek #3 (Checklist: Installing a federation server)

You've heard me talk about checklists for awhile now so it's finally time for me to show you one that we intend to use in the guide. Try and resist the urge to click the links because they won't take you anywhere, not until the guide is ready anyway. We have included a "Verify" topic at the bottom of each checklist which we hope will help you to pinpoint whether a new server was set up correctly. If you have a minute please let us know what you think.

***This posting is provided "AS IS" with no warranties, and confers no rights.***

Checklist: Installing a federation server

This checklist includes the deployment tasks necessary to prepare a server running Windows Server 2003 R2, Enterprise Edition, for the federation server role.

Note

Steps provided in this checklist should be followed in order. When a reference link you choose takes you to a procedure, make sure to return here once you've completed the steps in that procedure so that you can proceed with the remaining tasks required to complete this checklist's objective.

1. Review information in the ADFS Design Guide about where to place federation servers within your organization.
   Reference: Planning federation server placement; Where to place a federation server

2. Use the information in the ADFS Design Guide to determine whether a single federation server or a federation server farm is necessary.
   Reference: When to create a federation server; When to create a federation server farm

3. Use the information in the ADFS Design Guide to determine whether this new federation server will be created in the account or the resource partner organization.
   Reference: The role of federation servers in the account partner; The role of federation servers in the resource partner

4. Review information in the ADFS Design Guide about how federation servers require server authentication certificates and token-signing certificates to securely authenticate client and federation server proxy requests.
   Reference: Certificate requirements for federation servers

5. Review information in the ADFS Design Guide about how to update the corporate network Domain Name System (DNS) so that the names of federation servers resolve successfully.
   Reference: Name resolution requirements for federation servers

6. Create a new resource record in the corporate network DNS that points the DNS host name of the federation server to the IP address of the federation server.
   Reference: Add a host (A) record to corporate DNS for a federation server

7. Join the computer that will become the federation server to a domain in the account or resource partner forest where it will be used to authenticate the users of that forest or of trusting forests.
   Note: To create a federation server in the account partner organization, the computer must first be joined to any domain in the forest where your federation server will be used to authenticate users from that forest or from trusting forests.
   Reference: Join a computer to a domain

8. Install prerequisite applications such as ASP.NET, IIS, and the Microsoft .NET Framework 2.0 on the computer that will become the federation server.
   Reference: Install Prerequisite Applications

9. Obtain and configure a server authentication certificate and a token-signing certificate, both of which are required on all federation servers.
   Reference: Checklist: Configuring certificates for a federation server

10. Install the Federation Service component on the computer that will become the federation server. Follow this procedure when you need to either create the first federation server in a new farm or extend an existing farm.
    Note: For the Federated Web SSO and Federated Web SSO with Forest Trust scenarios, you need at least one federation server in the account partner organization and at least one federation server in the resource partner organization.
    Reference: Install the Federation Service component of ADFS

11. If this is the first federation server in your organization, configure the Trust Policy so that it conforms to your ADFS design.
    Reference: Checklist: Configuring the Trust Policy for the Web SSO design; Checklist: Configuring the Trust Policy for the Federated Web SSO design; Checklist: Configuring the Trust Policy for the Federated Web SSO with Forest Trust design

12. From a client computer, verify that the federation server is operational.
    Reference: Verify a federation server is operational
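As an added illustration of the checklist's "Verify" idea (this script is not part of the guide or of ADFS itself), the following PowerShell pre-flight check confirms on the prospective federation server that the DNS host (A) record, domain join, prerequisite applications, and server authentication certificate tasks above were completed. It assumes Windows PowerShell is available on the server and that the federation server's DNS host name is supplied as the placeholder parameter $FederationServerFqdn; the ASP.NET check is a file-presence proxy rather than a full IIS configuration check.

```powershell
# Added example: pre-flight check for a prospective ADFS federation server.
# Run locally on the server after completing the checklist tasks.
param([string]$FederationServerFqdn = "fs.corp.example")  # placeholder host name, not from the guide

$script:results = @()
function Add-Result([string]$Task, [bool]$Passed, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Task = $Task; Passed = $Passed; Detail = $Detail }
}

# Task 6: corporate DNS has a host (A) record pointing the host name at this server.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($FederationServerFqdn) | ForEach-Object { $_.IPAddressToString }
    Add-Result "DNS host record" ($addrs.Count -gt 0) ($addrs -join ", ")
} catch { Add-Result "DNS host record" $false $_.Exception.Message }

# Task 7: the computer is joined to a domain in the account or resource partner forest.
$cs = Get-WmiObject -Class Win32_ComputerSystem
Add-Result "Domain joined" ([bool]$cs.PartOfDomain) $cs.Domain

# Task 8: prerequisite applications (IIS, .NET Framework 2.0, ASP.NET 2.0 ISAPI extension).
$w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
Add-Result "IIS (W3SVC) present" ($null -ne $w3svc) $(if ($w3svc) { "$($w3svc.Status)" } else { "service not found" })
$ndp = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727" -ErrorAction SilentlyContinue
Add-Result ".NET Framework 2.0" ($ndp -ne $null -and $ndp.Install -eq 1) $(if ($ndp) { "$($ndp.Version)" } else { "registry key not found" })
$aspnet = Join-Path $env:windir "Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll"
Add-Result "ASP.NET 2.0 ISAPI (proxy check)" (Test-Path $aspnet) $aspnet

# Task 9: a server authentication certificate with a private key, currently valid,
# issued to the host name clients will use, exists in the machine store.
$now = Get-Date
$serverAuthEku = "1.3.6.1.5.5.7.3.1"
$match = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    $_.Subject -match ("CN=" + [regex]::Escape($FederationServerFqdn)) -and
    ($_.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" -and $_.Format($false) -match $serverAuthEku })
}
Add-Result "Server auth certificate for $FederationServerFqdn" ($null -ne $match) `
    $(if ($match) { ($match | Select-Object -First 1).Thumbprint } else { "no valid matching certificate" })

# Summarize; any failed row points at the checklist task that still needs attention.
$script:results | Select-Object Task, Passed, Detail | Format-Table -AutoSize
```

Each row maps back to a numbered checklist task, so a failed row identifies the step to revisit before installing the Federation Service component.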

Comments

  • Anonymous
    January 01, 2003
    Thanks for the feedback Dom. I really appreciate hearing feedback about this. ADFS is just so complex to configure and requires tasks to be completed in a very specific order, which is why I'm betting on this checklist strategy as a way to help Administrators keep it all straight. :)

  • Anonymous
    January 01, 2003
Hi, I am from Mexico. Do you have a guide for implementing a federation between two domains? Not the step-by-step guide from Microsoft, another? Thanks, best regards

  • Anonymous
    January 01, 2003
Looks good, Nick; I think this might help make ADFS a little easier to understand... but then again, I've been mucking around with it for so long it's actually starting to make sense ;) In all seriousness though, this approach seems to be a better way of working through everything that needs to be done.

  • Anonymous
    January 01, 2003
    Not at this time. We do have plans early next year to update the ADFS Step-by-Step Guide so that it includes guidance for how to configure Web SSO in a test lab. Also, the upcoming ADFS Deployment Guide will provide details on all of the scenarios and how to configure them for a production environment.