ADFS Deployment Guide - Sneak Peek #3 (Checklist: Installing a federation server)
You've heard me talk about checklists for a while now, so it's finally time for me to show you one that we intend to use in the guide. Try to resist the urge to click the links, because they won't take you anywhere, not until the guide is ready anyway. We have included a "Verify" topic at the bottom of each checklist, which we hope will help you pinpoint whether a new server was set up correctly. If you have a minute, please let us know what you think.
***This posting is provided "AS IS" with no warranties, and confers no rights.***
Checklist: Installing a federation server
This checklist includes the deployment tasks necessary to prepare a server running Windows Server 2003 R2, Enterprise Edition, for the federation server role.
**Note:** The steps in this checklist should be followed in order. When a reference link takes you to a procedure, return here once you have completed the steps in that procedure so that you can proceed with the remaining tasks required to complete this checklist's objective.
| Task | Reference |
|---|---|
| Review information in the ADFS Design Guide about where to place federation servers within your organization. | Planning federation server placement; Where to place a federation server |
| Use the information in the ADFS Design Guide to determine whether a single federation server or a federation server farm is necessary. | When to create a federation server; When to create a federation server farm |
| Use the information in the ADFS Design Guide to determine whether this new federation server will be created in the account partner or the resource partner organization. | The role of federation servers in the account partner; The role of federation servers in the resource partner |
| Review information in the ADFS Design Guide about how federation servers require server authentication certificates and token-signing certificates to securely authenticate client and federation server proxy requests. | Certificate requirements for federation servers |
| Review information in the ADFS Design Guide about how to update the corporate network Domain Name System (DNS) so that the names of federation servers resolve successfully. | Name resolution requirements for federation servers |
| Create a new resource record in the corporate network DNS that points the DNS host name of the federation server to the IP address of the federation server. | Add a host (A) record to corporate DNS for a federation server |
| Join the computer that will become the federation server to a domain in the account or resource partner forest where it will be used to authenticate the users of that forest or of trusting forests. **Note:** To create a federation server in the account partner organization, the computer must first be joined to any domain in the forest where your federation server will be used to authenticate users from that forest or from trusting forests. | Join a computer to a domain |
| Install prerequisite applications, such as ASP.NET, IIS, and Microsoft .NET Framework 2.0, on the computer that will become the federation server. | Install prerequisite applications |
| Obtain and configure a server authentication certificate and a token-signing certificate, which are required on all federation servers. | Checklist: Configuring certificates for a federation server |
| Install the Federation Service component on the computer that will become the federation server. Follow this procedure when you need either to create the first federation server in a new farm or to extend an existing farm. **Note:** For the Federated Web SSO and Federated Web SSO with Forest Trust scenarios, you need at least one federation server in the account partner organization and at least one federation server in the resource partner organization. | Install the Federation Service component of ADFS |
| If this is the first federation server in your organization, you will need to configure the Trust Policy so that it conforms to your ADFS design. | Checklist: Configuring the Trust Policy for the Web SSO design; Checklist: Configuring the Trust Policy for the Federated Web SSO design; Checklist: Configuring the Trust Policy for the Federated Web SSO with Forest Trust design |
| From a client computer, verify that the federation server is operational. | Verify a federation server is operational |
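An added verification script for the final step, written for this post rather than taken from the guide. Run from a client computer, it checks two items the checklist calls for: that the federation server's DNS host name resolves to an A record, and that the server authentication certificate presented over HTTPS chains to a trusted root, is unexpired and carries that host name. It assumes Windows PowerShell 3.0 or later on the client (for Resolve-DnsName); the host name `fs.example.invalid` is a placeholder.

```powershell
# Added example, not a procedure from the ADFS Deployment Guide.
# Checks DNS resolution and the HTTPS server authentication certificate
# of a federation server from a client computer.
function Test-FederationServerReachability {
    param(
        [Parameter(Mandatory)] [string] $HostName,  # DNS host name clients use
        [int] $Port = 443
    )
    $result = [ordered]@{ HostName = $HostName }
    # Step 1: name resolution through the corporate DNS (checklist: host (A) record).
    try {
        $a = Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop |
             Where-Object { $_.QueryType -eq 'A' }
        $result.IPAddress   = @($a | ForEach-Object { $_.IPAddress }) -join ','
        $result.DnsResolves = [bool]$a
    } catch {
        $result.DnsResolves = $false
        $result.DnsError    = $_.Exception.Message
    }
    # Step 2: complete a TLS handshake, then inspect the server authentication certificate.
    $tcp = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        # Accept any certificate in the callback; validity is checked explicitly below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.CertSubject  = $cert.Subject
        $result.CertExpires  = $cert.NotAfter
        $result.ChainTrusted = $cert.Verify()                 # chains to a trusted root CA
        $result.NotExpired   = $cert.NotAfter -gt (Get-Date)
        # Clients match the URL host name against SAN DNS names (or the CN when no SAN exists).
        $names = @($cert.GetNameInfo('DnsName', $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
        if ($san) { $names += ($san.Format($false) -split ', ') -replace '^DNS Name=', '' }
        $result.NameMatches = $names -contains $HostName
        $ssl.Dispose()
    } catch {
        $result.HttpsError = $_.Exception.Message
    } finally {
        if ($tcp) { $tcp.Close() }
    }
    [pscustomobject]$result
}

# Placeholder host name; substitute your federation server's DNS host name.
Test-FederationServerReachability -HostName 'fs.example.invalid' | Format-List
```

A server that resolves but fails `NameMatches` or `ChainTrusted` will be rejected by browsers and by federation server proxies even though the Federation Service itself is running, so treat either as a setup error rather than a transient fault.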
Comments
Anonymous
January 01, 2003
Thanks for the feedback Dom. I really appreciate hearing feedback about this. ADFS is just so complex to configure and requires tasks to be completed in a very specific order, which is why I'm betting on this checklist strategy as a way to help Administrators keep it all straight. :)

Anonymous
January 01, 2003
Hi, I am from Mexico. Do you have a guide for implementing a federation between two domains? Not the step-by-step guide from Microsoft, another one? Thanks, best regards.

Anonymous
January 01, 2003
Looks good Nick; I think this might help make ADFS a little easier to understand... but then again, I've been mucking around with it for so long it's actually starting to make sense ;) In all seriousness though, this approach seems to be a better way of working through everything that needs to be done.

Anonymous
January 01, 2003
Not at this time. We do have plans early next year to update the ADFS Step-by-Step Guide so that it includes guidance for how to configure Web SSO in a test lab. Also, the upcoming ADFS Deployment Guide will provide details on all of the scenarios and how to configure them for a production environment.