Windows Server 2008 Domain Services – Part 2: Active Directory Federation Services

By /

If you missed the first part in this article series please read Windows Server 2008 Domain Services – Part 1: Active Directory Domain Services

In this second part of the article series about Windows Server 2008 Domain Services, I will focus on Active Directory Federation Services (AD FS) and briefly cover Active Directory Lightweight Directory Services (AD LDS). In my last article (Part 1) I introduced the Active Directory Domain Services.

AD FS and AD LDS were introduced in Windows Server 2003 (R2) and the development has continued and been improved for both products with Windows Server 2008.

What is Active Directory Federation Services?

Active Directory Federation Services (AD FS) is a feature introduced with Windows Server 2003 R2 that provides an identity access solution. It gives browser-based clients, which are inside or outside your network, Single-Sign-On (SSO) access to web-based applications. It is important to note that AD FS only works for web-based applications. AD FS can be used in web hosting or SharePoint environments. It is very useful when a company has web servers located in a DMZ or at a remote hosting vendor or business partner and wants to control account credentials to their web applications from the internal Active Directory.

News in AD FS for Windows Server 2008

So, what is new in AD FS for Windows Server 2008 compared to Windows Server 2003 R2?

AD FS is still a relatively new technology from Microsoft and this is the 2nd generation of the product. Windows Server 2008 includes some new functionality for AD FS, which was not available in Windows Server 2003 R2. The new functionality eases administrative overhead and extends support for key Microsoft applications.

Here is an overview of the new functions:

  • Improved installation:
    AD FS is included as a server role in Windows Server 2008 and server validation checks have been included in the installation wizard. Server Manager in Windows Server 2008 will automatically list and install all the services that AD FS requires during the AD FS role installation (ASP.NET, IIS etc).
  • Improved application support:
    The new version of AD FS has been more tightly integrated with Active Directory Rights Management Services (AD RMS) and Microsoft Office SharePoint Server 2007 (MOSS). MOSS 2007 now supports the Single-Sign-On (SSO) capabilities that are integrated in AD FS. AD FS now supports MOSS 2007 membership and role providers, which means that you can configure MOSS 2007 as a claims-aware application within AD FS and then administer any SharePoint sites using membership and role-based access control.
  • Better administrative experience when working with federated trusts:
    AD FS has been improved with a trust policy import and export functionality to help minimize partner-based (federation) configuration issues.


How AD FS works

Active Directory Federation Services (AD FS) provides cross-company, federated identity management services, allowing large corporations to selectively open their infrastructure to trusted partners and customers. AD FS provides three core capabilities:

  • Extranet authentication
  • Web single-sign-on
  • Identity federation services for IIS-based Web applications

AD FS is designed to be deployed in medium to large organizations that have the following:

  • At least one directory service: either Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS)

  • Domain-joined computers
  • Computers running various operating system platforms
  • Computers that are connected to the Internet
  • One or more Web-based applications

All communication from the Active Directory to the AD FS is encrypted and all communication from the clients to the AD FS is encrypted with SSL.

The benefit is that in a federated environment, each company continues to manage its own identities, but each company can also securely project and accept identities from other organizations.

Roles in AD FS

AD FS in Windows Server 2008 consists of several different roles, depending on your organization’s requirements you can deploy servers running one or more AD FS roles.

Here is an overview of the roles:

  • Federation Service:
    The Federation Service can be used by one or more federation servers to share a common trust policy. Federation servers are used to route authentication requests from user accounts in other organizations or from clients that may be located on the Internet.
  • Federation Service Proxy:
    The Federation Service Proxy is a proxy to the Federation Service in the perimeter network (DMZ). The Federation Service Proxy uses WS-Federation Passive Requestor Profile (WS-F PRP) protocols to collect user credentials from browser clients and it sends the user credentials to the Federation Service on their behalf.
  • Claims-aware agent:
    Claims-aware agent is installed on the Web server that hosts a claims-aware application. It is needed to allow the querying of AD FS security token claims. A claims-aware application is a Microsoft ASP.NET application or a standard application like MOSS 2007.
  • Windows token-based agent:
    The Windows token-based agent can be installed on a Web server that hosts a Windows NT token-based application. It is needed to support conversion from an AD FS security token to an impersonation-level. A Windows NT token-based application is an application that uses Windows-based authorization mechanisms.




AD FS and Server Core

The Active Directory Federation Services roles are not part of the Server Core. This is partly due its dependency on ASP.NET, which is not available in the Server Core.

AD FS and development

AD FS is a feature that can help developers who make web-based applications. AD FS can be the key to providing secure external access to your Web applications. AD FS can be used with Active Directory Lightweight Directory Services (AD LDS) as an identity provider for authentication and Windows Authorization Manager for access policy control, providing a complete solution to extend your Web applications to trusted organizations.

Active Directory Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS) previously known as Active Directory Application Mode (ADAM) is a special mode of AD in which the directory services are configured solely for applications. This lightweight AD mode provides both storage for and access to applications, using the same interfaces administrators and developers already understand.

AD LDS is an LDAP directory service data storage and retrieval for directory enabled applications, without the dependencies that are required for AD DS. It also does not store security principles, which are stored by AD DS.

Developers can use AD LDS to work with Active Directory information in their applications.

AD FS is one of the applications that uses AD LDS to store credential information.

Summary

Active Directory Federation Services (AD FS) is a strong feature of Windows Server 2008, which gives organizations more flexibility towards connecting web-based applications and managing account credentials.

The new built-in support for Microsoft Office SharePoint Server 2007 is fantastic and it is a feature that every organization running Internet facing or partner based SharePoint sites should take a look at.

More resources on AD FS and AD LDS:

If you missed the first part in this article series please read Windows Server 2008 Domain Services – Part 1: Active Directory Domain Services

About The Author

Read Next

Static vs Dynamic IP Address

Static vs Dynamic IP Address

Most people are familiar with Internet Protocol (IP) Addresses, but many people don’t know you have 2 types. In this article, you’ll learn about static…

Read More »

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top