A very quick presentation, and for that reason never finished, about Windows Server Federation Services in Windows Server 2008; although it has many flaws in its use of information, such as the mix of languages or too much data crammed onto the slides, it can serve as the basis for a better presentation.
1. Integration of Directories and Federation
Javier Vasquez
Senior Technology Specialist
Federal Platforms Team
Microsoft
2. Where it all began
Infrastructure Directories: StreetTalk, NDS, AD
Application Specific Directories: X.500, LDAP, AD/AM
Good for Enterprises
Hard to Federate
3. Windows IdM
Active Directory – Foundation for Identity Management
Central Repository for:
• User Accounts & Attributes
• System Accounts & Attributes
• Organizational & Security Groups
• Application & Service Locations
• Management Policy
• Security Policy
• Digital Certificates
• Network Access Permissions
• Printer Locations
• File Shares Locations
• …
Integrated Security
• Kerberos v5
• Mac OS Kerberos PAM
• x.509 Certificates (PKI)
• Security Domain
Directory Access Protocols
• LDAP v3 – Standards-based access
• ADSI – Simple COM-based Interface
• DSML – XML Interface
Active Directory
http://www.microsoft.com/business/security/access/whpaper.mspx
4. Reduced Enterprise Sign-on
Extending Windows SSO
Active Directory: Logon to AD
Services for UNIX (UNIX)
NIS Server for AD
NIS-AD directory sync
Password synchronization
User name mapping
Host Integration Server (390/AS400)
Windows to RACF accounts
Windows to OS/400 Security System
Bi-Directional Password Synchronization
Kerberos (Application)
Native AuthN protocol
MIT v5 Compliant
Carries group info in PAC
Windows PAC is open
SCO, Vintella, Java SSO through Windows
5. Reduced Enterprise IdM
LDAP Authentication & Directory Integration
Account Directory (LDAP, SQL) – Enterprise App
Integrate LDAP with AD
LDAP v3 compliant
Single AD and LDAP user account
AD/AM for personalization data
Microsoft Identity Integration Server
Directory synchronization
LDAP (eg SunONE & others)
Relational databases
DSML
Application specific
Account Provisioning
Automate account creation
Automate account de-provisioning
Password Management (MIIS 2003)
Self-service password reset
Certificate Management
Diagram: Exchange, Web Service, File Share and Application servers connected to Active Directory and MIIS 2003
6. Extending Active Directory
Newer concepts
ADAM
DSML gateway
Distributed IdM Web Services
7. ADAM - Integrating extended LDAP app with AD
Store app data without extending infra DS schema
App data keyed off identifier from infra directory
Maintain central user repository!
Diagram: ADAM holds data specific to the portal app; the Infrastructure Active Directory holds data shared by all apps; the web app (client/server) stores and retrieves data; user (right) and “shadow” (left)
9. Distributed IdM technologies
How do we distribute IdM services?
ADFS and AZ-Manager
10. Security in a Web Services World – IBM/MSFT White Paper
WS-Security Specification – Ratified April 2004
Stack: Security, Privacy, Trust, Policy, Authorization, Federation, SecureConversation, on the SOAP Foundation
Today: Web Services Applications, Web Services Security
WS-Security and Liberty Alliance
Rich Application stack vs. IdM stack
ID-WSF Web Services Framework
ID-FF – Identity Federation Framework
11. The Vision and Future of SSO
B2B Federated Single Sign-on
Intranet: Exchange, Web Service, Collaboration, Applications; Active Directory; Security Token (eg Kerberos Ticket); User Account/Credentials
Supplier A (WS Security Application, Requires XRML):
1. ADFS Creates XRML token
2. Signs it with company’s private key
3. Sends it back to the user
4. Access Supplier with the token
Supplier B (WS Security Application, Requires SAML):
1. ADFS Creates SAML token
2. Signs it with company’s private key
3. Sends the token back to the user
4. Accesses Supplier B using the token
ADFS
12. ADFS Logon Server
SOAP rich client proxy for browsers
Diagram: Browser, Web-based Logon Server (ADFS), Active Directory, Web Front End, Web Service; Security Token, Security Message
User authenticates to Logon server (forms based)
ADFS validates credentials with Active Directory
ADFS creates the requested security token
Logon server returns token to client
Client forwards token to web front end
Front end sends WS-Security msg with token to web service
13. Active Directory Federation Service Architecture
Federation Service (FS)
Issues security tokens for users
Manages policy between federated security realms
Logon Service (LS)
Provides UI to authenticate users
Proxies WS-*/SOAP protocols for passive (dumb) clients
Web Server SSO Agent
Enforces user authentication
Creates user authorization context
Note:
SSO Agent, LS & FS require IISv6-W2K03
LS and FS can be co-located
Supports W2K or W2K03 forests
Protocols in the diagram: HTTPS, SOAP, LDAP
14. Windows 2003 AzMan
Roles based access control (RBAC)
Authorization API
IIS6 URL Authorization
Policy Definitions
• Global app groups
• Applications
• Roles
• Tasks
• Operations
• Role assignments
• Scopes
• App groups
• BizRules
Business Process Applications (E-Commerce, LOB Applications, …)
Authorization Administration Manager – Common Management UI
Policy Store: Active Directory or XML (Files, SQL)
• Role definitions
• Role assignment
Authorization API – .NET Framework
15. Discussion
Where do I extend and where do I Federate?
Today Integrate; Tomorrow Integrate and/or Federate
Extend
18. Federation Service
ASP.NET-hosted service running on IISv6 - W2K03 Server
User authentication
Validates ID/Password via LDAP Bind for Forms-based Logon
Security token generation
Retrieves user attributes for claim generation from AD (or ADAM) via LDAP search
Transforms claims (if required) between internal & federation namespaces
Builds security token & Returns to LS via WS-* SOAP messages
Builds “User SSO” cookie contents for LS
Policy management
Establishes authority to issue security tokens by PKI-based key distribution
Defines supported token/claim types
Manages trust and defines shared namespace for Federated security realms
19. Logon Service
ASP.NET-hosted service running on IISv6 - W2K03 Server
User authentication
Provides UI for Home Realm Discovery & Forms-based Logon
Authenticates users for Windows integrated authN (SSL, Kerberos, NTLM)
Writes “User SSO” cookie to Browser (similar to Kerberos TGT)
Security token generation
Requests security token from FS via WS-* SOAP messages
Returns token to web server via “POST redirect” through Browser
20. Web Server SSO Agent
ISAPI extension for IISv6 (Need functional equivalent for Unix/Linux)
User authentication
Intercepts URL GET requests & Redirects un-authenticated clients to LS
Writes “Web Server SSO” cookie to Browser (like Kerberos service ticket)
Windows Service
User authorization
Creates NT Token for impersonation (AD users only)
Managed Web Module (Need functional equivalent for Unix/Linux)
Security token processing
Validates user’s security token and parses claims in token
User authorization
Populates ASP.NET IPrincipal context from claims to support IsInRole()
Provides raw claims to application
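The token issue/validate flow that slides 11, 18 and 20 describe (claim transformation at the Federation Service, signing with the company's private key, then signature, audience and expiry checks and IsInRole() at the relying party), written as an added Go example; it is not code from the presentation or from AD FS, and the assertion format, claim mapping, URIs and names are constructed stand-ins for the SAML/XrML tokens the slides mention.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// Assertion is a constructed stand-in for the SAML/XrML token the FS issues.
type Assertion struct {
	Issuer       string   `json:"issuer"`
	Subject      string   `json:"subject"`
	Audience     string   `json:"audience"`
	NotOnOrAfter int64    `json:"notOnOrAfter"` // Unix seconds
	Claims       []string `json:"claims"`
}

// SignedToken is the assertion bytes plus the issuer's RSA signature over them.
type SignedToken struct{ Assertion, Signature []byte }

// claimMap (constructed) mirrors slide 18: internal AD groups become federation-namespace claims.
var claimMap = map[string]string{
	"CN=Buyers,OU=Groups,DC=corp,DC=example": "urn:fed:role:Purchaser",
	"CN=Staff,OU=Groups,DC=corp,DC=example":  "urn:fed:role:Employee",
}

// TransformClaims drops groups with no mapping, so internal structure (e.g. admin groups) is never exposed to the partner.
func TransformClaims(groups []string) []string {
	out := []string{}
	for _, g := range groups {
		if c, ok := claimMap[g]; ok {
			out = append(out, c)
		}
	}
	return out
}

// NewIssuerKey generates the company signing key (in production it comes from the PKI-based key distribution on slide 18).
func NewIssuerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// IssueToken is the Federation Service side (slide 11, steps 1-3): build the assertion for one relying party and sign it with the company's private key.
func IssueToken(key *rsa.PrivateKey, issuer, user, audience string, groups []string, ttl time.Duration) (SignedToken, error) {
	a := Assertion{Issuer: issuer, Subject: user, Audience: audience,
		NotOnOrAfter: time.Now().Add(ttl).Unix(), Claims: TransformClaims(groups)}
	body, err := json.Marshal(a)
	if err != nil {
		return SignedToken{}, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return SignedToken{}, err
	}
	return SignedToken{Assertion: body, Signature: sig}, nil
}

// Principal is what the Web Agent's managed module populates (slide 20) so the application can call IsInRole().
type Principal struct{ Name string; roles map[string]bool }

func (p Principal) IsInRole(role string) bool { return p.roles[role] }

// ValidateToken is the relying-party side: signature under the trusted partner's key,
// audience and expiry are all checked before any claim in the token becomes a role.
func ValidateToken(tok SignedToken, trusted map[string]*rsa.PublicKey, me string, now time.Time) (Principal, error) {
	var a Assertion
	if err := json.Unmarshal(tok.Assertion, &a); err != nil {
		return Principal{}, err
	}
	pub, ok := trusted[a.Issuer]
	if !ok {
		return Principal{}, errors.New("untrusted issuer: " + a.Issuer)
	}
	digest := sha256.Sum256(tok.Assertion)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], tok.Signature); err != nil {
		return Principal{}, errors.New("signature does not verify under issuer key")
	}
	if a.Audience != me {
		return Principal{}, errors.New("token was issued for a different relying party")
	}
	if !now.Before(time.Unix(a.NotOnOrAfter, 0)) {
		return Principal{}, errors.New("token has expired")
	}
	p := Principal{Name: a.Subject, roles: map[string]bool{}}
	for _, c := range a.Claims {
		p.roles[c] = true
	}
	return p, nil
}
```

A real AD FS deployment also validates the XML signature's certificate chain and replays; the example keeps only the trust, audience and lifetime checks that the slides' flow implies.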
21. Active Directory Roles
On Windows Server 2008, Active Directory-related roles have been separated into distinct functions:
Active Directory Domain Services (AD DS)
Active Directory Certificate Services (AD CS)
Active Directory Federation Services (AD FS)
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Rights Management Services (AD RMS)
23. Active Directory Federation Services (AD FS)
A Windows Server® 2008 role that lets you build identity solutions that are:
secure
highly flexible
multi-platform
for Windows and non-Windows environments alike
across the Internet.
24. Identity management beyond the boundaries of the organization
An identity and access management solution
that gives Web browser-based clients the ability to sign on transparently, "only once", to one or more protected applications reachable from the Internet
across completely different and independent networks.
25. Secondary credentials???
AD FS makes them unnecessary, because it:
allows trust relationships to be established
projects digital identity and access rights to trusted partners.
In a federated environment each organization keeps control of its own set of identities,
allows a secure exchange of identities from external organizations
eases the administrative workload
improves the user experience.
26. What's new in Windows Server 2008
New functionality that does not exist in Windows Server 2003 R2 and that eases administrative work and extends the available support to a number of key applications:
Improved installation: AD FS is included in Windows Server 2008 as a server role
AD FS integrates more closely with Microsoft Office SharePoint® Server 2007 and with Active Directory Rights
27. With ADFS, each company manages its own identities. But within a federated environment, each company can accept and provide permissions and/or access to identities from within another company. It all comes down to trust: the ability to trust accounts from one company without requiring a local account on your servers. This trust is called federated identity management and is the core behind ADFS. The biggest concern, logically, is security. All communication from one
28. An easier installation as a server role, with all the necessary services being automatically installed with the role itself (such as ASP.Net and IIS)
Tighter integration with Active Directory RMS (Rights Management Services)
ADFS works with MOSS (Microsoft Office SharePoint Server) 2007 with an easy-to-configure single-sign-on configuration for both intranet and extranet/Internet sites
29. ADFS configuration is not so simple
Explaining ADFS is easy, but the design and configuration of ADFS is a tad bit more complicated than I've made it sound so far. The design reading alone can take forever because you need to determine what you are truly looking to accomplish, and there are several methods to reach those goals. For example, do you want a Web single sign-on implementation, a federated Web single sign-on implementation, or a federated Web single sign-on
30. Furthermore, you can deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions between trusted partner organizations. Federated B2B partnerships identify business partners as one of the following types of organization:
Resource organization: Organizations that own and manage resources that are accessible from the Internet can deploy AD FS federation servers and AD FS-enabled Web servers that manage access
31. AD FS role services
The AD FS server role includes federation services, proxy services, and Web agent services that you configure to enable Web SSO, federate Web-based resources, customize the access experience, and manage how existing users are authorized to access applications. Depending on your organization's requirements, you can deploy servers running any one of the following AD FS
32. Installing the AD FS role
After you finish installing the operating system, a list of initial configuration tasks appears. To install AD FS, in the list of tasks, click Add roles, and then click Active Directory Federation Services.
33. Managing the AD FS role
You can manage server roles with Microsoft Management Console (MMC) snap-ins. After you install AD FS, you can use the Active Directory Federation Services snap-in to manage both the Federation Service and Federation Service Proxy role services. To open this snap-in, click Start, click Administrative Tools, and then click Active Directory Federation Services.
34. Who will be interested in this feature?
AD FS is designed to be deployed in medium to large organizations that have the following:
At least one directory service: either Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) (formerly known as Active Directory Application Mode (ADAM))
35. Are there any special considerations?
If you have an existing AD FS infrastructure, there are some special considerations to be aware of before you begin upgrading federation servers, federation server proxies, and AD FS-enabled Web servers running Windows Server 2003 R2 to Windows Server 2008. These considerations apply only when you have AD FS servers that have been manually configured to use unique service accounts.
AD FS uses the Network Service account
36. What new functionality does this feature provide?
For Windows Server 2008, AD FS includes new functionality that was not available in Windows Server 2003 R2. This new functionality is designed to ease administrative overhead and to further extend support for key applications:
Improved installation—AD FS is included in Windows Server 2008 as a server role, and there are new server validation checks in the installation wizard.
37. Improved installation
AD FS in Windows Server 2008 brings several improvements to the installation experience. To install AD FS in Windows Server 2003 R2, you had to use Add or Remove Programs to find and install the AD FS component. However, in Windows Server 2008, you can install AD FS as a server role using Server Manager.
You can use improved AD FS configuration wizard pages to perform server validation checks before you
38. Improved application support
AD FS in Windows Server 2008 includes enhancements that increase its ability to integrate with other applications, such as Office SharePoint Server 2007 and AD RMS.
39. Integration with Office SharePoint Server 2007
Office SharePoint Server 2007 takes full advantage of the SSO capabilities that are integrated into this version of AD FS. AD FS in Windows Server 2008 includes functionality to support Office SharePoint Server 2007 membership and role providers. This means that you can effectively configure Office SharePoint Server 2007 as a claims-aware application in AD FS, and you can administer any Office SharePoint Server 2007 sites using
40. Integration with AD RMS
AD RMS and AD FS have been integrated in such a way that organizations can take advantage of existing federated trust relationships to collaborate with external partners and share rights-protected content. For example, an organization that has deployed AD RMS can set up federation with an external organization by using AD FS. The organization can then use this relationship to share rights-protected content across the two organizations without requiring a
41. Better administrative experience when establishing federated trusts
In both Windows Server 2003 R2 and Windows Server 2008, AD FS administrators can create a federated trust between two organizations using either a process of importing and exporting policy files or a manual process that involves the mutual exchange of partner values, such as Uniform Resource Indicators (URIs), claim types, claim mappings, display names, and so on. The manual process requires the administrator who receives this data to type all the
43. What settings have been added or changed?
You configure Windows NT token-based Web Agent settings with the IIS Manager snap-in. To support the new functionality that is provided with Internet Information Services (IIS) 7.0, Windows Server 2008 AD FS includes user interface (UI) updates for the AD FS Web Agent role service. The following table lists the different locations in IIS Manager for IIS 6.0 or IIS 7.0 for each of the AD FS Web Agent property pages, depending on the version of IIS that is used.