Re: ADFS questions



ok thanks

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ulx8u8DXHHA.3980@xxxxxxxxxxxxxxxxxxxxxxx
ADFS federation servers need to be domain members. There are some
instances where this makes perfect sense, especially when you are using AD
as an account store and need a Windows trust relationship to query the
directory for user attribute data to create claims. On the other hand,
some of us don't understand why you can't have a standalone ADFS server in
the resource role if it doesn't have an AD account store. However, for
now, you do and that's just the way it works.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"John M" <sdkfj@xxxxxxxxxxxxx> wrote in message
news:%23i2mExDXHHA.3500@xxxxxxxxxxxxxxxxxxxxxxx
Does the federation server (resource) in the DMZ where the web server
is need to be a member of the AD domain in the DMZ, or can it be a
standalone server? Are there any upsides or downsides to either way?

THANKS
John


"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:e4khvm8WHHA.1000@xxxxxxxxxxxxxxxxxxxxxxx
You can make your scenario work using ADFS and many are choosing to do
just that. You might also be able to make it work in a more limited way
using forest trusts and Windows authentication in MOSS though. A big
part of your consideration is whether you expect other companies to
access MOSS using their own credentials and have their own ADFS
infrastructure that you can form a trust with or if you plan to
provision accounts for them in the extranet domain or both, depending on
the capabilities of the company in question. ADFS gives you a ton of
flexibility. The forest trust is more limiting because you won't easily
be able to trust your external partners directly. That's what
federation is really all about.

You don't install ADFS on your DCs. ADFS is basically a web
application, so you install it on a web server. Generally, you never
want your domain controllers to also run IIS. This is a no-no (although
some do it). In fact, your DCs don't even need to know that ADFS exists
in the environment, except perhaps from the perspective of DNS and
certificates (which isn't really AD exactly, although they are often
very connected).

When ADFS uses AD as an account store, it can use accounts from any
domain in the forest (as far as I know; I've not really tested it in a
multi-domain set up extensively).

In your set up, you'd want a federation server for your internal AD
working in the account partner role. You'd want another federation
server in the resource partner role serving as a resource server to the
MOSS app. It would also serve as an account partner to the accounts in
the extranet domain. Any external partners who wanted to use federation
would set up their own federation server and you would establish a
federation trust between their server and the resource/extranet ADFS
server.

Note that you can piggyback ADFS on the same server running MOSS. I'd
probably set it up on a separate website with a different DNS name at
least, but it might be possible to run it just as a separate vdir in
MOSS. I definitely wouldn't try that though. Asking for trouble. :)

That's not really much detail, but this is already a long response so
I'll stop there. Hopefully it gives you a concept of what this might
look like.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"John M" <sdkfj@xxxxxxxxxxxxx> wrote in message
news:ehTELm4WHHA.5008@xxxxxxxxxxxxxxxxxxxxxxx
I believe I'm looking to set up a Federated Web SSO configuration. Let
me know if I'm wrong.

I have an existing corp. network with AD and a DMZ network with AD
installed in a separate forest with SharePoint Services 3 and maybe an
upgrade to MOSS 2007.
1. I wish to give my corp network SSO access to the DMZ SharePoint
2. I wish to give other companies SSO access to the DMZ SharePoint

A few questions:
1. do I have to install ADFS on a Enterprise DC in both domains?
2. I have a parent.child AD setup in my corp. network, the user
accounts are in the child domain that I want to use ADFS with. Can I
install ADFS on a parent DC or does it have to be on a child DC?

thanks
John
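The two-role exchange Joe describes above (an account partner federation server issues claims from its own account store; the resource partner federation server in front of MOSS only needs a federation trust with each partner, not the partner's directory) as an added Python model. This is not part of the thread and not ADFS's own code: the issuer URIs, keys, users and group-to-role mappings are constructed for the example, and HMAC keys stand in for the X.509 signing certificates that real ADFS federation trusts exchange.

```python
"""Toy model of the Federated Web SSO exchange described in the thread.

An account partner federation server authenticates a user against its own
account store and signs a token of claims. The resource partner federation
server in front of MOSS checks only that the token came from an issuer it
has a federation trust with, then maps the incoming claims to the roles the
resource expects. Added illustration, not ADFS code: ADFS signs SAML tokens
with X.509 certificates; here HMAC keys stand in for those certificates so
the script runs on the standard library alone.
"""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical issuer URIs and signing keys (stand-ins for partner certificates).
CORP_ISSUER = "urn:corp.example:adfs"
PARTNER_ISSUER = "urn:partnerco.example:adfs"
CORP_KEY = b"corp-signing-key"
PARTNER_KEY = b"partnerco-signing-key"
ROGUE_KEY = b"key-nobody-trusts"

# Constructed account stores. In the thread these are the corp AD forest and
# the partner's own directory; the resource federation server holds neither.
CORP_USERS = {"jdoe": {"mail": "jdoe@corp.example", "groups": ["Corp-Engineers"]}}
PARTNER_USERS = {"asmith": {"mail": "asmith@partnerco.example", "groups": ["Staff"]}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_token(issuer, signing_key, store, username, lifetime=300, now=None):
    """Account partner role: look the user up in the local store and emit a
    signed claims token, or None if the user is unknown to this store."""
    user = store.get(username)
    if user is None:
        return None
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": username, "mail": user["mail"],
              "groups": user["groups"], "iat": now, "exp": now + lifetime}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(signing_key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


class ResourceFederationServer:
    """Resource partner role: a table of federation trusts (issuer -> key and
    group-to-role map). It needs no account store of its own to validate."""

    def __init__(self):
        self.trusts = {}

    def add_trust(self, issuer, key, group_map):
        self.trusts[issuer] = {"key": key, "group_map": group_map}

    def validate(self, token, now=None):
        """Return claims mapped for MOSS, or raise ValueError saying why not."""
        now = time.time() if now is None else now
        try:
            body_b64, sig_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
            claims = json.loads(body)
            if not isinstance(claims, dict):
                raise ValueError
        except (ValueError, AttributeError):
            raise ValueError("malformed token")
        # The unverified issuer only selects which trusted key to check against;
        # no other claim is used before the signature verifies.
        trust = self.trusts.get(claims.get("iss"))
        if trust is None:
            raise ValueError("no federation trust with issuer %r" % claims.get("iss"))
        expected = hmac.new(trust["key"], body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("signature does not verify against the trusted key")
        if now >= claims["exp"]:
            raise ValueError("token expired")
        # Claim mapping: the partner's group names become this resource's roles.
        roles = sorted({trust["group_map"][g] for g in claims["groups"]
                        if g in trust["group_map"]})
        return {"upn": claims["mail"], "issuer": claims["iss"], "roles": roles}


def build_demo_server():
    """Resource/extranet federation server with two federation trusts configured."""
    rfs = ResourceFederationServer()
    rfs.add_trust(CORP_ISSUER, CORP_KEY, {"Corp-Engineers": "MOSS-Contributors"})
    rfs.add_trust(PARTNER_ISSUER, PARTNER_KEY, {"Staff": "MOSS-Readers"})
    return rfs


def demo(now=1000):
    """Run the happy paths and the rejections; return outcome per case."""
    rfs = build_demo_server()
    cases = {
        "corp user": (issue_token(CORP_ISSUER, CORP_KEY, CORP_USERS, "jdoe", now=now), now + 60),
        "partner user": (issue_token(PARTNER_ISSUER, PARTNER_KEY, PARTNER_USERS, "asmith", now=now), now + 60),
        "expired": (issue_token(CORP_ISSUER, CORP_KEY, CORP_USERS, "jdoe", now=now), now + 3600),
        "forged issuer": (issue_token(CORP_ISSUER, ROGUE_KEY, CORP_USERS, "jdoe", now=now), now + 60),
        "untrusted issuer": (issue_token("urn:rogue", ROGUE_KEY, CORP_USERS, "jdoe", now=now), now + 60),
    }
    results = {}
    for name, (token, when) in cases.items():
        try:
            results[name] = rfs.validate(token, now=when)
        except ValueError as err:
            results[name] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the model makes concrete is the one Joe raises about the resource role: `ResourceFederationServer` validates corp and partner users with nothing but its trust table, which is why the extranet/resource federation server has no need of the account partners' directories, only of each partner's signing certificate and a claim-mapping policy.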