Upravit

Sdílet prostřednictvím


Checklist: Setting Up a Federation Server

This checklist includes the deployment tasks that are necessary to prepare a server running Windows Server® 2012 for the federation server role in Active Directory Federation Services (AD FS).

Note

Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.

Icon for the Setting up a federation server check list.Checklist: Setting up a federation server

Task Reference
Before you begin deploying your AD FS federation servers, review the; 1.) advantages and disadvantages of choosing either Windows Internal Database (WID) or SQL Server to store the AD FS configuration database 2.) AD FS deployment topology types and their associated server placement and network layout recommendations. Icon for the Determine Your AD FS Deployment Topology link you can use in reference to setting up a federation server.Determine Your AD FS Deployment Topology

Icon for the AD FS Deployment Topology Considerations link you can use in reference to setting up a federation server.AD FS Deployment Topology Considerations

Review AD FS capacity planning guidance to determine the proper number of federation servers you should use in your production environment. Icon for the Planning for Federation Server Capacity link you can use in reference to setting up a federation server.Planning for Federation Server Capacity
Review information in the AD FS Design Guide about where to place federation servers in your organization Icon for the Planning Federation Server Placement link you can use in reference to setting up a federation server.Planning Federation Server Placement

Icon for the Where to Place a Federation Server link you can use in reference to setting up a federation server.Where to Place a Federation Server

Determine whether a stand-alone federation server or a federation server farm is better for your deployment. Icon for the When to Create a Federation Server link you can use in reference to setting up a federation server.When to Create a Federation Server

Icon for the When to Create a Federation Server Farm link you can use in reference to setting up a federation server.When to Create a Federation Server Farm

Determine whether this new federation server will be created in the account partner organization or in the resource partner organization. Icon for the Review the Role of the Federation Server in the Account Partner link you can use in reference to setting up a federation server.Review the Role of the Federation Server in the Account Partner

Icon for the Review the Role of the Federation Server in the Resource Partner link you can use in reference to setting up a federation server.Review the Role of the Federation Server in the Resource Partner

Review information about how federation servers use service communication certificates and token-signing certificates to securely authenticate client and federation server proxy requests. Caution: Though it has long been common practice to use certificates with unqualified host names such as https://myserver, these certificates have no security value and can enable an attacker to impersonate the AD FS Federation Service to enterprise clients. Therefore, it is recommended that you use a fully qualified domain name (FQDN) such as https://myserver.contoso.com and only use SSL certificates issued to the FQDN of your Federation Service. Icon for the Certificate Requirements for Federation Servers link you can use in reference to setting up a federation server.Certificate Requirements for Federation Servers
Review information about how to update the corporate network Domain Name System (DNS) so that successful name resolution to federation servers can occur. Icon for the Name Resolution Requirements for Federation Servers link you can use in reference to setting up a federation server.Name Resolution Requirements for Federation Servers
Join the computer that will become the federation server to a domain in the account partner forest or resource partner forest where it will be used to authenticate the users of that forest or from trusting forests. Note: If you want to set up a federation server in the account partner organization, the computer must first be joined to any domain in the forest where your federation server will be used to authenticate users from that forest or from trusting forests. Icon for the Join a Computer to a Domain link you can use in reference to setting up a federation server.Join a Computer to a Domain
Create a new resource record in the corporate network DNS that points the DNS host name of the federation server to the IP address of the federation server. Icon for the Add a Host (A) Resource Record to Corporate DNS for a Federation Server link you can use in reference to setting up a federation server.Add a Host (A) Resource Record to Corporate DNS for a Federation Server
(Optional) If you will be adding a federation server to a federation server farm, you might have to first export the private key of the existing token-signing certificate (on the first federation server in the farm) so that you have a file format of the certificate ready when other federation servers must import the same certificate.

Exporting the private key is not required when your issued server authentication certificate can be reused by multiple computers (without the need to export) or when you will be obtaining unique server authentication certificates for each federation server in the farm. Note: The AD FS Management snap-in refers to server authentication certificates for federation servers as service communication certificates.

Icon for the Export the Private Key Portion of a Server Authentication Certificate link you can use in reference to setting up a federation server.Export the Private Key Portion of a Server Authentication Certificate
After you obtain a server authentication certificate (or private key) from a certification authority (CA), you must then import the certificate file to the default Web site for each federation server. Note: Installing this certificate on the default Web site is a requirement before you can use the AD FS Federation Server Configuration Wizard. Icon for the Import a Server Authentication Certificate to the Default Web Site link you can use in reference to setting up a federation server.Import a Server Authentication Certificate to the Default Web Site
(Optional) As an alternative to obtaining a server authentication certificate from a CA, you can use Internet Information Services (IIS) to create a sample certificate for your federation server. Caution: It is not a security best practice to deploy a federation server in a production environment by using a self-signed server authentication certificate. Icon for the IIS: Create a Self-Signed Server Certificate link you can use in reference to setting up a federation server.IIS: Create a Self-Signed Server Certificate and then complete the procedure Import a Server Authentication Certificate to the Default Web Site
If you will be configuring a federation server farm environment in an account partner organization, you must create and configure a dedicated service account in Active Directory Domain Services (AD DS) where the farm will reside and configure each federation server in the farm to use this account. By performing this procedure, you will allow clients on the corporate network to authenticate to any of the federation servers in the farm using Windows Integrated Authentication. Icon for the Manually Configure a Service Account for a Federation Server Farm link you can use in reference to setting up a federation server.Manually Configure a Service Account for a Federation Server Farm
Install the Federation Service role service on the computer that will become the federation server. Icon for the Install the Federation Service Role Service link you can use in reference to setting up a federation server.Install the Federation Service Role Service
Configure the AD FS software on the computer to act in the federation server role by using the AD FS Federation Server Configuration Wizard.

Follow this procedure when you want to set up a stand-alone federation server, create the first federation server in a new farm or join a computer to an existing federation server farm. Note: For the Federated Web Single Sign-On (SSO) design, you must have at least one federation server in the account partner organization and at least one federation server in the resource partner organization.

Icon for the Create a Stand-Alone Federation Server link you can use in reference to setting up a federation server.Create a Stand-Alone Federation Server

Icon for the Create the First Federation Server in a Federation Server Farm link you can use in reference to setting up a federation server.Create the First Federation Server in a Federation Server Farm

Icon for the Add a Federation Server to a Federation Server Farm link you can use in reference to setting up a federation server.Add a Federation Server to a Federation Server Farm

(Optional) Use the AD FS Management snap-in to add and configure the necessary AD FS certificates required to deploy your design. For more information about when to add or change certificates using the snap-in, see Certificate Requirements for Federation Servers. Icon for the Add a Token-Signing Certificate link you can use in reference to setting up a federation server.Add a Token-Signing Certificate

Icon for the Add a Token-Decrypting Certificate link you can use in reference to setting up a federation server.Add a Token-Decrypting Certificate

Icon for the Set a Service Communications Certificate link you can use in reference to setting up a federation server.Set a Service Communications Certificate

If this is the first federation server in your organization, configure the Federation Service so that it conforms to your AD FS design. Icon for the Checklist: Configuring the Account Partner Organization link you can use in reference to setting up a federation server.Checklist: Configuring the Account Partner Organization

Icon for the Checklist: Configuring the Resource Partner Organization link you can use in reference to setting up a federation server.Checklist: Configuring the Resource Partner Organization

From a client computer, verify that the federation server is operational. setting up a federated serverVerify That a Federation Server Is Operational