ADFS requirements

Applies To: Windows Server 2003 R2

Active Directory Federation Services (ADFS) has the following hardware and software requirements.

Hardware requirements

  • Processor speed: 133 MHz for x86-based computers

  • Recommended minimum RAM: 256 MB

  • Free disk space for setup: 10 MB

Software requirements

ADFS relies on server functionality that is built into the Windows Server 2003 R2 operating system. The Federation Service, Federation Service Proxy, and ADFS Web Agent components cannot run on earlier operating systems. This section describes the software requirements for each ADFS component. It also describes the overall software configurations that are necessary for ADFS in your network environment.


The Federation Service and Federation Service Proxy components cannot coexist on the same computer, and they can be installed only on computers running Windows Server 2003 R2, Enterprise Edition, or Windows Server 2003 R2, Datacenter Edition.

Federation Service

Computers running the Federation Service must have the following software installed:

  • Windows Server 2003 R2, Enterprise Edition, or Windows Server 2003 R2, Datacenter Edition

  • Internet Information Services (IIS)

  • Microsoft ASP.NET 2.0

  • Microsoft .NET Framework 2.0

  • A default Web site that is configured with Transport Layer Security and Secure Sockets Layer (TLS/SSL)

  • A certificate for the Federation Service


    This certificate is used for signing tokens. It must be a digital signing X.509 certificate.

Active Directory and ADAM account store requirements

ADFS requires the presence of user accounts in Active Directory or Active Directory Application Mode (ADAM) for the account Federation Service. Active Directory domain controllers or computers hosting the account stores must have the following software installed:

  • Windows Server 2003


  • Windows Server 2003 R2


  • Windows 2000 with Service Pack 4 (SP4) with critical updates

ADFS does not require schema changes or functional-level modifications to Active Directory. To ensure that ADAM works with ADFS, install the version of ADAM that comes with Windows Server 2003 R2.

Federation Service Proxy

Computers running the Federation Service Proxy must have the following software installed:

  • Windows Server 2003 R2, Enterprise Edition, or Windows Server 2003 R2, Datacenter Edition

  • IIS

  • ASP.NET 2.0

  • Microsoft .NET Framework 2.0

  • A default Web site configured with TLS/SSL

ADFS Web Agent

Computers running the ADFS Web Agent must have the following software installed:

  • Windows Server 2003 R2, Standard Edition; Windows Server 2003 R2, Enterprise Edition; or Windows Server 2003 R2, Datacenter Edition

  • IIS

  • ASP.NET 2.0

  • Microsoft .NET Framework 2.0

  • After the ADFS Web Agent installation is complete, at least one Web site in IIS must be configured with TLS/SSL so that federated users can access Web-based applications that are hosted on the Web server.

Trusted certification authorities

Because both TLS/SSL and token signing rely on digital certificates, certification authorities (CAs) are an important part of ADFS. Public CAs, such as VeriSign, Inc., represent a mutually trusted third party that allows the identity of the bearer of a certificate to be identified. You can use enterprise CAs, such as Microsoft Certificate Services, for providing token signing and other internal certificate services.

If a client is presented with a server’s authentication certificate, the client computer verifies that the CA that issued the certificate is in the client’s list of trusted CAs and that the CA has not revoked that certificate. This verification ensures that the client has reached the intended server. When a certificate is used for verifying signed tokens, the client uses the certificate to verify that the token was issued by the correct federation server and that the token has not been tampered with.

TCP/IP network connectivity

For ADFS to function, TCP/IP network connectivity must exist between the client; a domain controller; and the computers that host the Federation Service, the Federation Service Proxy (when it is used), and the ADFS Web Agent.


For the purpose of authenticating users in the intranet, internal Domain Name System (DNS) servers in the intranet forest must be configured to return the canonical name (CNAME) of the internal server that is running the Federation Service. For best results, do not use Hosts files with DNS.

Web browser

Although any current Web browser with JScript enabled should work as an ADFS client, only Internet Explorer 6, Internet Explorer 5 or 5.5, Mozilla Firefox, and Safari on Apple Macintosh have been tested by Microsoft. For performance reasons, it is highly recommended that JScript be enabled. Cookies must be enabled, or at least trusted, for the federation servers and Web applications that are being accessed.