    Download 386 Kb.
    Page 30/53
    Date 22.07.2021
    Size 386 Kb.
    #15709

    What Is ADFS: In-Depth Information


    Active Directory serves as a primary identity and authentication service in many organizations. Using Windows Server 2003 Active Directory, administrators can create forest trusts between two or more Windows Server 2003 forests to provide access to resources that are located in different business units or organizations. There are, however, scenarios in which forest trusts are not a viable option, for example, two distinct organizations doing business across the Internet, or applications located in DMZ or perimeter networks. (For more information about forest trusts, see "How Domain and Forest Trusts Work" in the Windows Server 2003 Technical Reference on the Microsoft Web site.)

    By employing ADFS, organizations can extend their existing Active Directory infrastructures to provide access to resources that are offered by trusted partners across the Internet, which can include external third parties or other departments or subsidiaries in the same organization. ADFS is tightly integrated with Active Directory: it retrieves user attributes from and authenticates users against Active Directory, and it uses Windows Integrated Authentication and the security tokens that Active Directory creates.

    ADFS works with both Active Directory and Active Directory Application Mode (ADAM). Specifically, ADFS can work with either enterprise-wide deployments of Active Directory or instances of ADAM. When it interacts with ADAM, ADFS uses a Lightweight Directory Access Protocol (LDAP) bind to authenticate users. When it interacts with Active Directory, ADFS can take advantage of the strong authentication technologies in Active Directory, including Kerberos, X.509 digital certificates, and smart cards.

    ADFS supports distributed authentication and authorization over the Internet, and ADFS can be integrated into an organization's or department’s existing access management solution to translate the terms used within an organization into terms that are agreed on as part of a federation. ADFS can create, secure, and validate the claims moving between organizations, and it can also audit and monitor the activity between organizations and departments to ensure secure transactions.


    ADFS Requirements


    ADFS requires the following hardware and software components.

    Hardware requirements


    • Processor speed: 133 MHz for x86-based computers or 733 MHz for x64-based computers

    • Recommended minimum RAM: 256 MB

    • Free disk space for ADFS setup: 10 MB

    Software requirements


    ADFS relies on server functionality that is built into the Windows Server 2003 operating system. The Federation Service, Federation Service Proxy, and ADFS Web Service Agent components cannot run on earlier operating systems. This section describes the software requirements for each ADFS component and the overall software configurations that are necessary for ADFS in a network environment.

    Note that the Federation Service, Federation Service Proxy, and ADFS Web Service Agent can coexist on the same physical systems in the Release Candidate (RC) version of ADFS.


    Federation Service


    Computers running the Federation Service must have the following software installed:

    • Windows Server 2003 with SP1

    • Internet Information Server (IIS)

    • ASP.NET

    • Microsoft .NET Framework 2.0 Beta

    • A default Web site that is configured with Transport Layer Security and Secure Sockets Layer (TLS/SSL)

    • A certificate for the Federation Service. Note that because this certificate is used for signing tokens, it must be a digital signing X.509 certificate.

    Active Directory and ADAM account store requirements


    ADFS requires the presence of user accounts in Active Directory or Active Directory Application Mode (ADAM) for the account Federation Service. Active Directory domain controllers or computers hosting the account stores must have the following software installed:

    • Windows Server 2003 with SP1

    Or

    Note: Local accounts and Windows NT domain accounts cannot be used for user accounts in ADFS account stores.

    Federation Service Proxy


    Computers running the Federation Service Proxy must have the following software installed:

    • Windows Server 2003 with SP1

    • IIS

    • ASP.NET

    • Microsoft .NET Framework 2.0 Beta

    • A default Web site configured with TLS/SSL

    ADFS Web Service Agent


    Computers running the ADFS Web Service Agent must have the following software installed:

    • Windows Server 2003 with SP1

    • IIS

    • ASP.NET

    • Microsoft .NET Framework 2.0 Beta

    • A default Web site configured with TLS/SSL

    Note that ADFS will not enable 128-bit encryption over SSL connections during setup.

    Trusted certification authorities


    Because TLS/SSL relies on digital certificates, certification authorities (CAs) such as Microsoft Certificate Services are an important part of ADFS. A CA is a mutually trusted third party that confirms the identity of a certificate requestor (usually a user or computer) and then issues the requestor a certificate. The certificate binds the requestor’s identity to a public key. CAs also renew and revoke certificates as necessary.

    For example, if a client is presented with a server’s certificate, the client computer might try to match the server’s CA against the client’s list of trusted CAs. If the issuing CA is trusted, the client verifies that the certificate is authentic and has not been tampered with.
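    The two certificate requirements stated above, that the Federation Service certificate must be a digital-signing X.509 certificate and that TLS/SSL certificates must chain to a CA the computer trusts, can be checked before setup. The following PowerShell script is an added example, not part of the Microsoft document and not ADFS's own tooling; it assumes the certificate is in the local machine's personal store and that its subject contains the placeholder name fs.contoso.example.

```powershell
# Added example (not from the ADFS documentation): check that a certificate
# intended for the Federation Service carries the Digital Signature key usage,
# has a private key, and chains to a CA trusted by this machine.
# 'fs.contoso.example' is an assumed placeholder subject name.
param(
    [string]$SubjectPattern = 'fs.contoso.example'
)

$kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

# IIS and ADFS read server certificates from the local machine's personal store.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectPattern*" }

if (-not $certs) {
    Write-Warning "No certificate with subject matching '$SubjectPattern' in Cert:\LocalMachine\My"
    return
}

foreach ($cert in $certs) {
    Write-Host "Checking $($cert.Thumbprint) ($($cert.Subject))"

    # Requirement 1: the Federation Service signs tokens, so the certificate must
    # assert the Digital Signature key usage. A certificate issued only for
    # Key Encipherment (typical for pure TLS use) does not satisfy this.
    $kuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
    }
    if ($kuExt -and ([int]($kuExt.KeyUsages -band $kuFlags::DigitalSignature) -ne 0)) {
        Write-Host '  Key usage: DigitalSignature present'
    } else {
        Write-Warning '  Key usage: DigitalSignature missing; this certificate cannot sign tokens'
    }

    # Requirement 2: signing needs the private key, not just the public certificate.
    if (-not $cert.HasPrivateKey) {
        Write-Warning '  No private key is associated with this certificate'
    }

    # Requirement 3: the issuing CA must be in this machine's trusted roots, the
    # same check a TLS client performs when it receives the server's certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if ($chain.Build($cert)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Host "  Chain builds to trusted root: $($root.Subject)"
    } else {
        foreach ($status in $chain.ChainStatus) {
            Write-Warning "  Chain problem: $($status.Status) - $($status.StatusInformation)"
        }
    }
    $chain.Reset()
}
```

Run it on each computer that will host the Federation Service; a certificate that fails the chain check will also be rejected by browsers and partner federation servers that do not trust the issuing CA, so fixing the trust relationship (or reissuing from a trusted CA) belongs before, not after, installing ADFS.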


    TCP/IP network connectivity


    For ADFS to function, TCP/IP network connectivity must exist between the client, the domain controller, and the computers hosting the Federation Service, the Federation Service Proxy, and the Web server.

    DNS


    The internal Domain Name System (DNS) servers on the intranet forest must be configured to return the canonical name (CNAME) of the internal server that is running the Federation Service for authenticating users that are located in the intranet. For best results, do not use Hosts files with DNS.
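    The DNS requirement above can be verified from an intranet client. The script below is an added example, not part of the Microsoft document; it assumes the Federation Service name is the placeholder fs.contoso.example and uses the Resolve-DnsName cmdlet, which is available on current Windows versions rather than on Windows Server 2003.

```powershell
# Added example (not from the ADFS documentation): confirm that intranet DNS
# answers for the Federation Service name with a CNAME and that no Hosts-file
# entry overrides it. 'fs.contoso.example' is an assumed placeholder name.
$fsName = 'fs.contoso.example'

# -DnsOnly asks the DNS servers directly, skipping the Hosts file and the local
# resolver cache, so the answer reflects what DNS actually returns.
$answers = Resolve-DnsName -Name $fsName -Type CNAME -DnsOnly -ErrorAction SilentlyContinue
$cname = $answers | Where-Object { $_.Type -eq 'CNAME' }
if ($cname) {
    Write-Host "$fsName is a CNAME for $($cname.NameHost)"
} else {
    Write-Warning "$fsName does not resolve to a CNAME through DNS"
}

# Hosts-file entries take precedence over DNS, which is why the requirement
# discourages them: a stale entry silently sends clients to the wrong server.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$override = Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
    ForEach-Object { ($_ -split '#')[0] } |   # drop comments before matching
    Where-Object { $_ -match ('(^|\s)' + [regex]::Escape($fsName) + '(\s|$)') }
if ($override) {
    Write-Warning "Hosts file contains an entry for $fsName; remove it so DNS is authoritative"
}
```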

    Web server


    For the RC version of Windows Server 2003 R2, only a machine running IIS 6.0 with ASP.NET is supported as a Web server.

    Web browser


    Although any current Web browser with JavaScript enabled should work as an ADFS client, only Internet Explorer 6.0, Internet Explorer 5.0 or 5.5 for older operating systems, Safari on Apple Macintosh, and Mozilla are supported for the Release Candidate.
