Re: How should we do it with ADFS?



You need SSL certificates for your federation servers as well as your web
applications as ADFS requires SSL for all HTTP communication. Additionally,
you'll need a certificate for token signing for the federation server as
well. This can be the same cert you use for SSL or can be different (up to
you).

For the external users, I think the best design is to have them associated
with a second federation server and a second separate account store. I like
to use ADAM for this as it is lighter weight, but ADAM is harder to
integrate with ADFS and requires more effort to get a provisioning solution
in place, so there is a tradeoff. If you don't have much comfort with ADAM,
there is a lot to learn there.

What I generally do is have the federation server that represents the
internal AD be the resource FS for the application(s) to share and then have
the external user FS be an account partner to the resource FS.

It is possible to have one FS and have AD and ADAM both be account stores,
but that design is pretty hard to integrate and I would not try to do that.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"John" <John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C8B2C8FB-E725-42EC-96AC-C1325948954D@xxxxxxxxxxxxxxxx
Thanks for your great help.

I can set up another server to be a federation server instead of a domain
controller, right? When I install the federation services, I have to have
certificates installed on the federation servers, right? Still, what's the
best way to handle the external users (they are created with their external
emails)? Currently, they are created with the extranet application, not in
our AD. How do I make them in our AD?

Thank you.

"Joe Kaplan" wrote:

Yes, R2 enterprise is needed for the FS. The web agent can be installed on
R2 standard. Note that all of your web apps will need R2 as a result of
this as you can't install the agent without R2.

Your DCs can be 2000 or 2003 and you don't need to be 2003 FF.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"John" <John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BB08EDD6-E399-4684-953A-E762E73B5F7E@xxxxxxxxxxxxxxxx
In addition, I definitely need a federation server which needs Windows 2003
Enterprise R2, right?

"John" wrote:

Thanks for the help.

I thought I just needed the web agent installed on the application web
server. I am not sure whether you mean federation server and federation
agent. Any difference? You mean I need to install ADFS on the domain
controller which hosts the accounts?

Thank you very much.



"Joe Kaplan" wrote:

You can definitely use ADFS to solve this problem. It is one of the
standard use cases for ADFS and my company has an identical application
architecture using ADFS in production right now.

You'll need more than just the ADFS agent installed on the application
though. You'll need at least an ADFS federation server to serve as the
authentication mechanism for your internal AD users and you'll need another
federation server to serve as the account store for the external users as
well. If they are stored in ADAM, you could potentially do this with one
federation server but the design isn't very clean. I'd recommend against
that. Also, in order to use ADFS as the account store for the external
users, they too must be stored in either AD or ADAM. If they are in SQL or
some other store, ADFS can't be used.

I'd suggest reading the ADFS Deployment Guide to learn more about the
details. There is also a thread going on over at my book's web forum
discussing something very similar that you might be interested in (see
link in sig).

HTH,

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"John" <John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F057C141-2DFB-4B9F-9C1B-F3C179898F92@xxxxxxxxxxxxxxxx
Hi all,

We have an in-house application to allow external users to access. Also, we
want to allow internal users to access without creating accounts in the app
and just using AD users. (We have Windows 2003 R2 Active Directory with
mixed W2K and Win2003 DCs.) Can we deploy ADFS to allow single sign-on?
Also, what are the exact steps to configure this? Do we just need to install
the ADFS component in the web server of the application?

Can anyone help?

Thank you.
