ADFS requirements
Applies To: Windows Server 2003 R2
Active Directory Federation Services (ADFS) has the following hardware and software requirements.
Hardware requirements
Processor speed: 133 MHz for x86-based computers
Recommended minimum RAM: 256 MB
Free disk space for setup: 10 MB
Software requirements
ADFS relies on server functionality that is built into the Windows Server 2003 R2 operating system. The Federation Service, Federation Service Proxy, and ADFS Web Agent components cannot run on earlier operating systems. This section describes the software requirements for each ADFS component. It also describes the overall software configurations that are necessary for ADFS in your network environment.
Note
The Federation Service and Federation Service Proxy components cannot coexist on the same computer, and they can be installed only on computers running Windows Server 2003 R2, Enterprise Edition, or Windows Server 2003 R2, Datacenter Edition.
Federation Service
Computers running the Federation Service must have the following software installed:
Windows Server 2003 R2, Enterprise Edition, or Windows Server 2003 R2, Datacenter Edition
Internet Information Services (IIS)
Microsoft ASP.NET 2.0
Microsoft .NET Framework 2.0
A default Web site that is configured with Transport Layer Security and Secure Sockets Layer (TLS/SSL)
A certificate for the Federation Service
Note
This certificate is used for signing tokens. It must be a digital signing X.509 certificate.
Active Directory and ADAM account store requirements
ADFS requires the presence of user accounts in Active Directory or Active Directory Application Mode (ADAM) for the account Federation Service. Active Directory domain controllers or computers hosting the account stores must have the following software installed:
- Windows Server 2003
Or
- Windows Server 2003 R2
Or
- Windows 2000 with Service Pack 4 (SP4) with critical updates
ADFS does not require schema changes or functional-level modifications to Active Directory. To ensure that ADAM works with ADFS, install the version of ADAM that comes with Windows Server 2003 R2.
Federation Service Proxy
Computers running the Federation Service Proxy must have the following software installed:
Windows Server 2003 R2, Enterprise Edition, or Windows Server 2003 R2, Datacenter Edition
IIS
ASP.NET 2.0
Microsoft .NET Framework 2.0
A default Web site configured with TLS/SSL
ADFS Web Agent
Computers running the ADFS Web Agent must have the following software installed:
Windows Server 2003 R2, Standard Edition; Windows Server 2003 R2, Enterprise Edition; or Windows Server 2003 R2, Datacenter Edition
IIS
ASP.NET 2.0
Microsoft .NET Framework 2.0
After the ADFS Web Agent installation is complete, at least one Web site in IIS must be configured with TLS/SSL so that federated users can access Web-based applications that are hosted on the Web server.
Trusted certification authorities
Because both TLS/SSL and token signing rely on digital certificates, certification authorities (CAs) are an important part of ADFS. Public CAs, such as VeriSign, Inc., represent a mutually trusted third party that allows the identity of the bearer of a certificate to be identified. You can use enterprise CAs, such as Microsoft Certificate Services, for providing token signing and other internal certificate services.
If a client is presented with a server’s authentication certificate, the client computer verifies that the CA that issued the certificate is in the client’s list of trusted CAs and that the CA has not revoked that certificate. This verification ensures that the client has reached the intended server. When a certificate is used for verifying signed tokens, the client uses the certificate to verify that the token was issued by the correct federation server and that the token has not been tampered with.
TCP/IP network connectivity
For ADFS to function, TCP/IP network connectivity must exist between the client; a domain controller; and the computers that host the Federation Service, the Federation Service Proxy (when it is used), and the ADFS Web Agent.
DNS
For the purpose of authenticating users in the intranet, internal Domain Name System (DNS) servers in the intranet forest must be configured to return the canonical name (CNAME) of the internal server that is running the Federation Service. For best results, do not use Hosts files with DNS.
Web browser
Although any current Web browser with JScript enabled should work as an ADFS client, only Internet Explorer 6, Internet Explorer 5 or 5.5, Mozilla Firefox, and Safari on Apple Macintosh have been tested by Microsoft. For performance reasons, it is highly recommended that JScript be enabled. Cookies must be enabled, or at least trusted, for the federation servers and Web applications that are being accessed.