Implementing a Server Farm of Federation Servers

Applies To: Windows Server 2003 R2

You can implement a server farm of servers that are running the Federation Service component of Active Directory Federation Services (ADFS) by installing and configuring the token-signing certificates appropriately. Each server in the farm signs the tokens that it issues with the token-signing certificate in its own local certificate store, and the shared trust policy must contain the public portion of each signing certificate as a verification certificate so that partners can verify the signature on a token from any server in the farm. Use the following options when installing the certificate and the Federation Service to implement a federation server farm:

  • During installation of the token-signing certificate for a server, if you select the option to install the certificate into the local certificate store, the certificate becomes available during installation of the Federation Service.

  • During installation of the Federation Service, the Windows Components Wizard provides options that affect how the token-signing certificate is configured:

    • Select token-signing certificate: You can use this option to select the installed token-signing certificate from the local certificate store.

    • Use an existing trust policy: If you select this option, ADFS automatically adds the public portion of the selected token-signing certificate to the shared trust policy of the Federation Service as the verification certificate.

Use the following methods for installing and sharing certificates to implement a federation server farm:

  • Use a separate token-signing certificate for each server and generate the respective verification certificates during Federation Service installation:

    • Install a separate token-signing certificate on each server.

    • During Federation Service installation, select the installed certificate and the shared trust policy.

  • Share both public and private portions of the same certificate by using an image of the server:

    • Install a token-signing certificate on one server.

    • During Federation Service installation, select the installed certificate and the shared trust policy.

    • Create an image of this server and use this image to create all additional servers in the server farm.

  • Share both public and private portions of the same certificate by importing the certificate file that is provided by a public certification authority (CA) into the local certificate store. For this method the file must contain the private key as well as the certificate (a PKCS #12 or .pfx file); a file that holds only the public certificate (.cer) cannot be used to sign tokens.

    • Obtain a token-signing certificate from a public CA.

    • Use physical media to import the certificate, together with its private key, into the local certificate store of each server, and do not leave the file on a network share.

    • During Federation Service installation, select the CA-provided token-signing certificate and the shared trust policy file.

  • Share both public and private portions of the same certificate by exporting the private key:

    • Install a single token-signing certificate from an enterprise CA on a server and export the private key. This method requires that the enterprise CA generated the token-signing certificate and placed it directly into the local certificate store, and that the private key was marked as exportable in the certificate template at enrollment time. A private key that was not marked exportable when the certificate was issued cannot be exported afterwards, so check this before you enroll.

    • Export the certificate together with its private key to a file and protect the file accordingly. Anyone who obtains this private key can issue tokens that every partner in the trust policy accepts, so protect the file with a strong password, move it only on physical media, and delete it after it has been imported on each server.

    • Prior to Federation Service installation, import the exported private key certificate into the local certificate store on each additional server.

    • During Federation Service installation, select the imported certificate and the shared trust policy. It is not necessary to export the public key separately, because the shared trust policy already contains it as the verification certificate that was added when the first server was installed.
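The following script is an added example for the two methods above that move a private key between servers (the PKCS #12 file from a public CA and the exported enterprise-CA key); it is not part of the original documentation and ADFS does not ship such a script. It exports the token-signing certificate with its private key from the first federation server, imports it into LocalMachine\My on each additional server, and then confirms that the private key in that server's store really corresponds to the verification certificate. It uses the .NET X509Certificate2 classes from Windows PowerShell, so it assumes PowerShell is installed on the servers (an optional download for Windows Server 2003 R2) and that the key was enrolled as exportable. The thumbprint, file paths and server names are placeholders.

```powershell
# Added example: share one token-signing certificate across an ADFS farm.
# Assumes Windows PowerShell with .NET 2.0 on each federation server.
# Thumbprint, paths and names below are placeholders, not values from the page.

function Get-CertByThumbprint {
    param([string]$Thumbprint)
    $tp = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
    $store.Open('ReadOnly')
    $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $tp }
    $store.Close()
    if (-not $cert) { throw "Certificate $tp not found in LocalMachine\My" }
    return $cert
}

function Export-SigningPfx {
    # Run on the first federation server. Writes the PKCS #12 file (private key,
    # password protected) and a .cer file holding only the public portion.
    param([string]$Thumbprint, [string]$PfxPath, [string]$CerPath,
          [System.Security.SecureString]$Password)
    $cert = Get-CertByThumbprint $Thumbprint
    if (-not $cert.HasPrivateKey) {
        throw 'The store holds only the public certificate; there is no private key to share'
    }
    # Export throws here if the key was not marked exportable when it was enrolled.
    $pfx = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($PfxPath, $pfx)
    $cer = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($CerPath, $cer)
    return $cert.Thumbprint
}

function Import-SigningPfx {
    # Run on each additional server before installing the Federation Service.
    # MachineKeySet puts the key where a service can use it; PersistKeySet keeps it
    # after this process exits; Exportable is deliberately left out so the key
    # cannot be re-exported from the additional servers.
    param([string]$PfxPath, [System.Security.SecureString]$Password)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxPath, $Password, $flags
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    return $cert.Thumbprint
}

function Test-SigningKeyMatches {
    # Sign sample data with the private key in this server's store and verify the
    # signature with the public key from the .cer file (the verification certificate).
    # A matching thumbprint alone only proves the certificate is the same; the
    # round trip proves the private key is present and usable.
    param([string]$Thumbprint, [string]$CerPath)
    $signer   = Get-CertByThumbprint $Thumbprint
    $verifier = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    if ($signer.Thumbprint -ne $verifier.Thumbprint) { return $false }
    $data   = [System.Text.Encoding]::UTF8.GetBytes('adfs farm key check')   # constructed sample input
    $rsaPriv = [System.Security.Cryptography.RSACryptoServiceProvider]$signer.PrivateKey
    $rsaPub  = [System.Security.Cryptography.RSACryptoServiceProvider]$verifier.PublicKey.Key
    $sig = $rsaPriv.SignData($data, 'SHA1')
    return $rsaPub.VerifyData($data, 'SHA1', $sig)
}

# --- Usage (placeholder values) ---
# On the first federation server:
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Export-SigningPfx '0123456789ABCDEF0123456789ABCDEF01234567' 'E:\token-signing.pfx' 'E:\token-signing.cer' $pw
# On each additional server, before the Federation Service is installed:
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Import-SigningPfx 'E:\token-signing.pfx' $pw
#   Test-SigningKeyMatches '0123456789ABCDEF0123456789ABCDEF01234567' 'E:\token-signing.cer'
# Delete E:\token-signing.pfx once the last server has imported it.
```

Import-SigningPfx serves the public-CA method unchanged, since that method also starts from a PKCS #12 file. Test-SigningKeyMatches returns False when the thumbprints differ (a different certificate was imported) and throws when the store holds the certificate without a private key, which is what you see if a .cer rather than a .pfx was imported by mistake.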

You complete this task as part of Adding a New Federation Server.

See Also

Concepts

Managing Certificates Used by Federation Servers
Managing Token-signing Certificates
Rolling Over a Token-signing Certificate