Checklist: Installing an AD FS-Enabled Web Server

Applies To: Windows Server 2008

This checklist includes the deployment tasks for preparing a server running Windows Server 2008 Standard or Windows Server 2008 Enterprise for the Active Directory Federation Services (AD FS)-enabled Web server role.

Note

Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.

Checklist: Installing an AD FS-enabled Web server

Task / Reference (each task below is followed by the reference topic that documents it)

Review important changes to AD FS since the Windows Server 2003 R2 release, including an improved installation process.

What's New in AD FS in Windows Server 2008 (https://go.microsoft.com/fwlink/?LinkId=85684)

Review information in the Active Directory Federation Services Design Guide about where to place AD FS-enabled Web servers in your organization.

Planning AD FS-Enabled Web Server Placement

Where to Place an AD FS-Enabled Web Server

Use the information in the Active Directory Federation Services Design Guide to determine whether a single AD FS-enabled Web server or a Web server farm is appropriate for your deployment.

When to Create an AD FS-Enabled Web Server Farm

Review information in the Active Directory Federation Services Design Guide about how AD FS-enabled Web servers require server authentication certificates to authorize client requests securely.

Certificate Requirements for AD FS-Enabled Web Servers

Review information in the Active Directory Federation Services Design Guide about how to update the perimeter network Domain Name System (DNS) so that successful name resolution between clients and AD FS-enabled Web servers in farms can occur.

Name Resolution Requirements for AD FS-Enabled Web Servers

Join the computer that will become the AD FS-enabled Web server to a domain in the resource partner forest where it will be used to authorize federated clients.

Note
If your AD FS-enabled Web server will be hosting a Windows NT token–based application, the server must be joined to a domain in the same forest, or in a trusting forest, where the resource federation server resides.

Join a Computer to a Domain

Create a new resource record in the perimeter network DNS that points the DNS host name of the AD FS-enabled Web server to the IP address of the AD FS-enabled Web server.

Add a Host (A) Resource Record to Perimeter DNS for an AD FS-Enabled Web Server
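The two preceding tasks (joining the computer to the resource partner domain and registering its host (A) record in perimeter DNS) as an added PowerShell example; this is not code from the checklist or from the referenced topics. It assumes netdom.exe on the local server, dnscmd.exe with rights on the perimeter DNS server, and PowerShell 2.0. Every domain, host name, server name and address is a constructed placeholder.

```powershell
# Added example (not from the checklist): join the future AD FS-enabled Web server to the
# resource partner domain, then register and verify its host (A) record in perimeter DNS.
# All names and addresses below are constructed placeholders.

$Domain        = 'resource.example.com'    # resource partner forest domain (placeholder)
$JoinAccount   = 'RESOURCE\joinaccount'    # account permitted to join computers (placeholder)
$WebServerName = 'adfsweb01'               # this computer's host name (placeholder)
$PerimeterDns  = 'perimeter-dns01'         # perimeter DNS server (placeholder)
$PerimeterZone = 'perimeter.example.com'   # zone that clients resolve (placeholder)
$WebServerIp   = '203.0.113.10'            # perimeter-facing address, TEST-NET-3 (placeholder)

function Join-ResourceDomain {
    # netdom prompts for the password when /PasswordD:* is used, so no secret is
    # written into the script or the PowerShell history.
    $output = & netdom.exe join $env:COMPUTERNAME /Domain:$Domain /UserD:$JoinAccount /PasswordD:* 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netdom join failed: $output" }
    Write-Host "Joined $env:COMPUTERNAME to $Domain. Restart the server before continuing."
}

function Add-PerimeterHostRecord {
    # Creates the host (A) record that points the Web server's DNS name at its IP address.
    $output = & dnscmd.exe $PerimeterDns /RecordAdd $PerimeterZone $WebServerName A $WebServerIp 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd /RecordAdd failed: $output" }
}

function Test-PerimeterHostRecord {
    # Resolves the name against the perimeter DNS server and compares the answer
    # with the expected address. Returns $true when the record is correct.
    $fqdn   = "$WebServerName.$PerimeterZone"
    $answer = & nslookup.exe $fqdn $PerimeterDns 2>&1 | Out-String
    if ($answer -match [regex]::Escape($WebServerIp)) {
        Write-Host "$fqdn resolves to $WebServerIp on $PerimeterDns"
        return $true
    }
    Write-Warning "$fqdn did not resolve to $WebServerIp. nslookup output:`n$answer"
    return $false
}

Join-ResourceDomain
Add-PerimeterHostRecord
Test-PerimeterHostRecord
```

Run the DNS step from a workstation with the DNS server tools installed if dnscmd.exe is not present on the Web server itself; the join step requires a restart before the server can authenticate to the domain.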

Install prerequisite applications such as ASP.NET, Internet Information Services (IIS), and Microsoft .NET Framework 2.0 on the computer that will become the AD FS-enabled Web server.

Install Prerequisite Applications

After you obtain a server authentication certificate (or a private key), install it in IIS on the appropriate Web site or virtual directory where your federated application will reside.

For an example of how to do this using the default Web site, see the reference topic for this task.

Note

If you will be adding an AD FS-enabled Web server to an existing AD FS-enabled Web server farm, you must add the same server authentication certificate that you receive from the certification authority (CA) to the appropriate Web site or virtual directory where your federated application will reside on each of the servers that will be participating in the farm.

Import a Server Authentication Certificate to the Default Web Site

(Optional) In a scenario in which you want to install the Federation Service on your AD FS-enabled Web server so that the same server will play both the AD FS-enabled Web server role and the federation server role, configure certificates in the following way:

  • Install the server authentication certificate on the appropriate Web site or virtual directory where your application will reside, as indicated in the previous task.

  • Install the server authentication certificate for the federation server. This certificate must be installed in the Local Computer certificate store of the AD FS-enabled Web server, and its root certificate or certificates must also be installed in the Trusted Root certificate store.

    Note

    Use the Certificate snap-in to install certificates to the appropriate store.

  • Install the token-signing certificate that the federation server will use to sign its tokens. This certificate must be installed in the Local Computer certificate store of the AD FS-enabled Web server, and its root certificate or certificates must also be installed in the Trusted Root certificate store.

    Note

    Use the Certificate snap-in to install certificates to the appropriate store.

(Not applicable)
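The certificate tasks above (importing the server authentication certificate to the default Web site, and, in the combined-role scenario, placing the federation server and token-signing certificates in the Local Computer store with their roots in Trusted Root) as one added PowerShell example. It is not code from the checklist or from the referenced topics. It assumes IIS 7.0 with appcmd.exe, PowerShell 2.0 on .NET 2.0/3.x, administrator rights, and a CA-issued certificate exported as a PFX file; the file paths, site name and HTTP.SYS application id are constructed placeholders.

```powershell
# Added example (not from the checklist): import a CA-issued server authentication
# certificate into Local Computer\Personal, put its issuing root in Trusted Root,
# confirm the chain builds, and bind the certificate to the Default Web Site on 443.
# The same Install-/Import- helpers serve the federation server certificate and the
# token-signing certificate when one server plays both roles.

$PfxPath  = 'C:\certs\adfsweb01.pfx'        # placeholder: CA-issued certificate with private key
$RootPath = 'C:\certs\issuing-root.cer'     # placeholder: root certificate of the issuing CA
$SiteName = 'Default Web Site'
$AppId    = [guid]::NewGuid().ToString('B') # HTTP.SYS owner id; any GUID is accepted (constructed)

function Install-CertificateToStore {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [string]$StoreName)
    # Opens LocalMachine\<StoreName> read/write and adds the certificate if it is not already there.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        if (-not $store.Certificates.Contains($Certificate)) { $store.Add($Certificate) }
    } finally { $store.Close() }
}

function Import-ServerAuthCertificate {
    param([string]$Path, [System.Security.SecureString]$Password)
    # MachineKeySet stores the private key in the machine profile so IIS, which runs as a
    # service, can use it; PersistKeySet keeps the key after import. The key is not marked
    # Exportable, so it cannot be pulled back out of the store later.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    if (-not $cert.HasPrivateKey) { throw "$Path does not contain a private key" }
    Install-CertificateToStore -Certificate $cert -StoreName 'My'
    return $cert
}

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Builds the chain from the Local Computer stores; fails when the root is not in Trusted Root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check here; use Online once CRL/OCSP is reachable
    $ok = $chain.Build($Certificate)
    if (-not $ok) { $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation } }
    return $ok
}

function Set-HttpsBinding {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Registers the certificate with HTTP.SYS on 0.0.0.0:443, then adds the https binding to the site.
    $appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
    $out = & netsh.exe http add sslcert ipport=0.0.0.0:443 certhash=$($Certificate.Thumbprint) appid=$AppId 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed: $out" }
    $out = & $appcmd set site /site.name:"$SiteName" "/+bindings.[protocol='https',bindingInformation='*:443:']" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "appcmd binding failed: $out" }
}

$pfxPassword = Read-Host -AsSecureString 'PFX password'
$rootCert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootPath)
Install-CertificateToStore -Certificate $rootCert -StoreName 'Root'
$serverCert  = Import-ServerAuthCertificate -Path $PfxPath -Password $pfxPassword
if (-not (Test-CertificateChain $serverCert)) { throw 'Server certificate does not chain to a trusted root' }
Set-HttpsBinding -Certificate $serverCert

# Combined-role scenario (optional task above): the federation server certificate and the
# token-signing certificate go through the same import and chain check, without the binding step.
# Import-ServerAuthCertificate -Path 'C:\certs\fs.pfx' -Password (Read-Host -AsSecureString 'FS PFX password')
```

For a farm, run the same import with the same PFX on every member so that each server presents the identical certificate, as the note above requires; the chain check will fail on any member that is missing the CA root.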

(Optional) As an alternative to obtaining a server authentication certificate from a CA, you can use IIS 7.0 to create a self-signed certificate for your AD FS-enabled Web server.

Because a self-signed certificate generated by IIS 7.0 does not originate from a trusted source, use one only in the following scenarios:

  • When you have to create a Secure Sockets Layer (SSL) channel between your server and a limited, known group of users

  • When you have to troubleshoot third-party certificate problems

Warning

It is not a security best practice to deploy an AD FS-enabled Web server in a production environment using a self-signed server authentication certificate.

IIS 7.0: Create a Self-Signed Server Certificate in IIS 7.0 (https://go.microsoft.com/fwlink/?LinkId=108271)
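A check that supports the warning above, as an added PowerShell example that is not part of the checklist or of the linked IIS topic: it lists every certificate bound to HTTPS on the server and flags those that are self-signed, that do not chain to a trusted root, or that are close to expiry, so a test-only certificate is caught before the server goes into production. It assumes Windows Server 2008 with netsh.exe and PowerShell 2.0, run as an administrator; no page-specific values are used.

```powershell
# Added example (not from the checklist): audit the certificates that HTTP.SYS has bound
# for HTTPS and report any self-signed or untrusted ones.

function Get-SslBindingThumbprints {
    # Parses the "Certificate Hash : <40 hex chars>" lines printed by netsh http show sslcert.
    $lines = & netsh.exe http show sslcert 2>&1
    foreach ($line in $lines) {
        if ($line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') { $matches[1].ToUpper() }
    }
}

function Test-SelfSignedCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # A self-signed certificate is issued to itself: subject and issuer carry the same name.
    # Checking this first catches a self-signed certificate even if someone has placed it in
    # Trusted Root, where a plain chain build would report it as trusted.
    return ($Certificate.Subject -eq $Certificate.Issuer)
}

function Get-HttpsCertificateReport {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        foreach ($thumbprint in Get-SslBindingThumbprints) {
            $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $thumbprint }
            if ($cert -eq $null) {
                New-Object PSObject -Property @{ Thumbprint = $thumbprint; Subject = '';
                                                 Status = 'BOUND BUT MISSING from Local Computer\Personal' }
                continue
            }
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline audit; enable Online where CRLs are reachable
            $trusted = $chain.Build($cert)
            $status = 'OK'
            if (Test-SelfSignedCertificate $cert) {
                $status = 'SELF-SIGNED: not acceptable for production'
            } elseif (-not $trusted) {
                $status = 'UNTRUSTED CHAIN: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
            } elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
                $status = 'EXPIRES SOON: ' + $cert.NotAfter
            }
            New-Object PSObject -Property @{ Thumbprint = $thumbprint; Subject = $cert.Subject; Status = $status }
        }
    } finally { $store.Close() }
}

Get-HttpsCertificateReport | Format-Table Subject, Status, Thumbprint -AutoSize
```

Running this on each farm member before the server is published is a cheap way to enforce the warning: any row that is not OK means the binding still carries a troubleshooting or test certificate.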

Install the AD FS Web Agent component on the computer that will become the AD FS-enabled Web server.

Install the AD FS Web Agent Role Service

Install and configure a claims-aware application or a Windows NT token–based application on your new AD FS-enabled Web server.

Checklist: Installing a Claims-Aware Application

Checklist: Installing a Windows NT Token-Based Application

From a client computer, verify that the AD FS-enabled Web server is operational.

Verify That an AD FS-Enabled Web Server Is Operational
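A client-side check for the final task, as an added PowerShell example; it is not the procedure from the referenced verification topic. From a client it confirms that the Web server's name resolves through the client's DNS, that the HTTPS certificate validates against the client's trusted roots and matches the host name (the default .NET validation is left on, not bypassed), and that an unauthenticated request to a claims-aware application is answered with a redirect to the federation server for sign-in. The URL and federation server host name are constructed placeholders; PowerShell 2.0 is assumed.

```powershell
# Added example (not from the checklist): verify an AD FS-enabled Web server from a client.
# Placeholders: the application URL and the federation server host name.

$AppUrl         = 'https://adfsweb01.perimeter.example.com/claimapp/'   # placeholder
$ExpectedFsHost = 'fs.resource.example.com'                              # placeholder

function Test-AdfsWebServer {
    param([string]$Url, [string]$FederationServerHost)
    $uri    = New-Object System.Uri($Url)
    $result = New-Object PSObject -Property @{ Resolves = $false; TlsValid = $false;
                                               HttpStatus = $null; RedirectsToFs = $false }

    # 1. Name resolution through the DNS servers the client is configured to use.
    try {
        [System.Net.Dns]::GetHostAddresses($uri.Host) | Out-Null
        $result.Resolves = $true
    } catch {
        Write-Warning "DNS lookup for $($uri.Host) failed: $_"
        return $result
    }

    # 2. TLS and the first HTTP response. AllowAutoRedirect is off so the redirect to the
    #    federation server is observed instead of followed.
    $request = [System.Net.HttpWebRequest]::Create($uri)
    $request.AllowAutoRedirect = $false
    $request.Timeout = 15000
    $location = $null
    try {
        $response = $request.GetResponse()
        $result.TlsValid   = $true
        $result.HttpStatus = [int]$response.StatusCode
        $location = $response.Headers['Location']
        $response.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            # Chain or name mismatch: the server certificate is not acceptable to this client.
            Write-Warning "Certificate validation failed for $($uri.Host): $($_.Exception.Message)"
            return $result
        }
        if ($_.Exception.Response -eq $null) {
            Write-Warning "Request failed: $($_.Exception.Message)"
            return $result
        }
        # A 4xx/5xx reply still proves that the TLS handshake succeeded.
        $result.TlsValid   = $true
        $result.HttpStatus = [int]$_.Exception.Response.StatusCode
        $location = $_.Exception.Response.Headers['Location']
    }

    # 3. An unauthenticated request to a claims-aware application should be redirected to
    #    the federation server for sign-in; compare the redirect target's host name.
    if ($location) {
        $target = New-Object System.Uri($uri, $location)   # resolves relative Location headers too
        $result.RedirectsToFs = ($target.Host -eq $FederationServerHost)
    }
    return $result
}

Test-AdfsWebServer -Url $AppUrl -FederationServerHost $ExpectedFsHost | Format-List
```

A Windows NT token-based application will not produce the federation server redirect in the same way, so for that application type treat RedirectsToFs as informational and rely on the Resolves, TlsValid and HttpStatus fields.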