Configure the Windows Token-Based Agent

Applies To: Windows Server 2008

The following procedure must be completed on the Web server so that clients in the account partner organization can access Windows NT token–based applications, such as SharePoint sites, that are hosted on the Web server in the resource partner organization.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.

To configure the Windows token–based agent

  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the console tree, click YourComputerName (local computer).

  3. In the center pane, double-click Federation Services URL, type the URL of the federation server in the resource partner organization name, and then click Apply.

    For example, if the federation server in the resource partner organization is named fedsrv1 and it is located in the forest, type


The Federation Services URL in Active Directory Federation Services (AD FS) defines the URL that is used for all Web sites and Windows NT token–based applications on a Web server where the AD FS Web Agent is enabled.

  4. In the console tree, double-click Sites, and then click YourWebSiteName.

  5. In the center pane, double-click Authentication, highlight AD FS Windows Token-Based Agent, and then in the Actions pane click Edit.

  6. In the ADFS Windows Token-Based Agent dialog box, select the Enable AD FS Web Agent check box.


This action will enable anonymous access to this Web site.

  7. Modify the following values as necessary, and then click OK.

    • Cookie path

    • Cookie domain

    • Return URL

    For detailed information about each of these settings, see Review the Role of AD FS Web Agents.
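
Because enabling the agent turns on anonymous access for the Web site, it is worth confirming afterward that only the intended site accepts anonymous requests. The following PowerShell audit is an added example, not part of the original procedure; it assumes the IIS WebAdministration module (or snap-in) is installed on the Web server, and the site name in $ExpectedAgentSites is a placeholder.

```powershell
# Added example: report the anonymous authentication state of every IIS site
# and flag sites where it is enabled but the AD FS Web Agent was not expected.
# Assumption: the IIS WebAdministration module (or snap-in) is available.
Import-Module WebAdministration

# Placeholder: sites on which the AD FS Web Agent was deliberately enabled.
$ExpectedAgentSites = @('YourWebSiteName')

$filter = 'system.webServer/security/authentication/anonymousAuthentication'

$report = foreach ($site in Get-Website) {
    # Effective setting for the site, including inherited configuration.
    $anon = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.Name)" `
                -Filter $filter -Name enabled).Value

    if (-not $anon) {
        $status = 'Anonymous access disabled'
    } elseif ($ExpectedAgentSites -contains $site.Name) {
        $status = 'Anonymous access enabled (expected: agent site)'
    } else {
        $status = 'REVIEW: anonymous access enabled on unlisted site'
    }

    New-Object PSObject -Property @{
        Site             = $site.Name
        AnonymousEnabled = $anon
        Status           = $status
    }
}

$report | Select-Object Site, AnonymousEnabled, Status | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the Web server, once before and once after completing the procedure, and compare the two reports.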