Active Directory Federation Services (AD FS) 2.0 makes it possible to deploy a federation server and begin issuing tokens quickly by following these steps:

1) AD FS 2.0 software installation

2) Initial configuration

3) Add a relying party trust

4) Add more federation servers to the farm (Optional)

5) Configure a federation server proxy (Optional)

In this blog post, I’ll discuss Initial Configuration (step 2) in detail. If you are looking for prerequisite information about how to set up and configure a new federation server for the first time, I suggest looking at the topic titled Checklist: Setting Up a Federation Server in the AD FS 2.0 Deployment Guide.

Setup and Initial Configuration

After AD FS 2.0 RC is installed on the machine, administration of the federation server is performed through the AD FS 2.0 Management snap-in (you can access the snap-in shortcut by going to Start -> All Programs -> Administrative Tools -> AD FS 2.0 Management). The first time the snap-in is run, AD FS 2.0 will detect that the federation server has not been configured and will prompt you to launch the AD FS 2.0 Federation Server Configuration Wizard, as shown in the following screenshot. Click the AD FS 2.0 Federation Server Configuration Wizard link in the center pane to launch the wizard.

Federation Server Configuration Wizard Walkthrough

The Federation Server Configuration Wizard guides the user through a series of steps that will deploy the federation server in a variety of configurations. Each page is described in detail below.

Welcome Page

The Welcome page explains the overall function of the wizard and presents you with the first decision: Create new Federation Service or Expand an existing Federation Service. Each Federation Service can consist of multiple federation servers, which constitute a farm.

Configuring and managing federation server farms is a topic that will be discussed in a future post. In the mean time, if you are looking for guidance on how to set up your federation server farm, see Create the First Federation Server in a Federation Server Farm in the Deployment Guide. For information about how to add federation servers to expand your farm, see Add a Federation Server to a Federation Server Farm.

For the moment, we will focus on creating a new federation server. Select the first option and click Next to navigate to the Deployment page.

Deployment Page

The Deployment page asks whether you are creating a federation server farm or a stand-alone federation server. A federation server farm can scale with increasing demand and is the recommended option for corporate deployments. Stand-alone federation servers are recommended for evaluation and testing purposes. Although an in-depth discussion of federation server farms is beyond the scope of this post, note that expanding a federation server farm later is always optional.

A federation server farm consisting of a single federation server is perfectly valid and requires little additional management overhead compared with a stand-alone federation server. Select the New federation server farm option and click Next to proceed to the Federation Service Name page.

Federation Service Name Page

This page asks you to specify a name for your Federation Service. By default, the Federation Server Configuration Wizard will retrieve the SSL certificate configured in IIS and use the subject name specified therein. If there is any ambiguity regarding the subject name (such as wildcard or subject alternative names), the Federation Service name combo box will be enabled and you will be required to provide a valid service name before proceeding.

For cases where no certificates are configured in IIS, the Federation Server Configuration Wizard will query the “Local Machine\MY” certificate store for all valid certificates (certificates with private keys and subject names) and display them in the “SSL certificate” dropdown. The selected certificate will automatically be configured as the SSL certificate. During this process, it is important to make sure that the certificate you selected is not removed from or modified in the certificate store before the Federation Server Configuration Wizard has completed.

If you have no certificates in the “Local Machine\MY” store and no SSL certificate configured in IIS, you can use the Server Certificate Generator in IIS to create a certificate. Finally, the port field must match the SSL binding configuration; you will be able to make a selection in this combo box if multiple bindings are present. Let’s move on to the next page.
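As an added example (not code from the original post or from the AD FS team), the following PowerShell performs the same checks the wizard makes on this page, so you can see in advance which certificate and Federation Service name it will pick. It assumes an elevated session on the federation server, the IIS WebAdministration module, and that any bound certificate lives in the Local Machine\MY store.

```powershell
# Added example, not from the original post. Pre-flight check mirroring the
# Federation Service Name page of the Federation Server Configuration Wizard.
# Assumes: elevated PowerShell on the federation server, the IIS
# WebAdministration module, and bound certificates stored in Local Machine\MY.
Import-Module WebAdministration

function Test-SubjectAmbiguous {
    # The wizard cannot derive a single service name from a wildcard CN or from
    # a certificate carrying subject alternative names (extension OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $cn  = $Cert.GetNameInfo('SimpleName', $false)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    return ($cn.Contains('*') -or ($san -ne $null))
}

function Get-CandidateCerts {
    # Same filter the wizard applies to Local Machine\MY when IIS has no SSL
    # certificate: private key present, a subject name, and not yet expired.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.Subject -and ($_.NotAfter -gt (Get-Date))
    }
}

# IIS:\SslBindings lists each HTTPS binding with its port and the thumbprint of
# the certificate bound to it; the wizard's port field must match one of these.
$bindings = @(Get-ChildItem IIS:\SslBindings)

if ($bindings.Count -eq 0) {
    Write-Warning 'No HTTPS binding in IIS. The wizard will offer these certificates instead:'
    Get-CandidateCerts | Format-Table Thumbprint, Subject, NotAfter -AutoSize
    return
}

foreach ($b in $bindings) {
    $cert = Get-Item "Cert:\LocalMachine\My\$($b.Thumbprint)" -ErrorAction SilentlyContinue
    if ($cert -eq $null) {
        Write-Warning "Port $($b.Port): bound thumbprint $($b.Thumbprint) is not in Local Machine\MY."
        continue
    }
    $name = $cert.GetNameInfo('SimpleName', $false)
    if (-not $cert.HasPrivateKey) {
        Write-Warning "Port $($b.Port): '$name' has no private key; the wizard will not accept it."
    } elseif (Test-SubjectAmbiguous -Cert $cert) {
        Write-Host "Port $($b.Port): '$name' uses a wildcard or SAN; you must type the Federation Service name."
    } else {
        Write-Host "Port $($b.Port): the Federation Service name will default to '$name'."
    }
}
```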

Service Account Page

Now is where the fun begins. Select the account under which the service will run. I recommend creating a service account in Active Directory for this specific purpose because the service account will be granted the SeServiceLogonRight and the SeAuditPrivilege by the Initial Configuration Wizard. For more information about how to do this, see Manually Configure a Service Account for a Federation Server Farm.

Once the account is created, click Browse and locate the account. Enter the password for the account and click Next to proceed.

Summary Page

This is a simple page that lists the steps the Federation Server Configuration Wizard will follow to configure your new federation server. Review this information carefully as it will prepare you for the road ahead. When you are ready, click Next to begin configuring your federation server.

Tasks Page

Up to this point, the Federation Server Configuration Wizard has been collecting data on how your federation server will be deployed, but it has not actually made any changes to your machine yet. On this page, you can see the wizard running through each individual task to configure your federation server.

The specific configuration steps vary depending on what options you chose in the previous pages. During this phase, certain tasks may complete with warnings or additional information. If this occurs, click on the link for more details. If any tasks fail, this page will let you know which one(s) failed and why. When you have finished reviewing the information on this page, click “Close” to complete the Federation Server Configuration Wizard.

Conclusion

Once you have completed the Federation Server Configuration Wizard, the federation server is deployed and running. However, there are other configuration steps you must complete before the federation server can do anything useful. In particular, you will need to configure the policy settings from within the AD FS 2.0 Management snap-in. This and more advanced topics, such as federation server farms, will be covered in other posts.

If you are looking for general design and deployment guidance for how to configure a federation server, try reading the following topics in the AD FS 2.0 TechNet library:

· Deploying Federation Servers

· When to Create a Federation Server

· When to Create a Federation Server Farm

I hope this post has been informative and helpful.

Robert Zhu

Software Design Engineer

AD FS Team