Re: How should we do it with ADFS?
- From: John <John@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 27 Nov 2007 08:49:02 -0800
Thank you for your great help and generous time. It's a big help.
"Joe Kaplan" wrote:
Well, one of the two ADFS federation servers will also be the resource server. You'll still only need two ADFS servers though. One will be strictly an account partner server and the other will have an account store and will also provide the applications, so it will be a resource server. You could also do this with three ADFS servers if you wanted and keep every role separate, but there isn't an important reason to do that from a technical perspective.
The terminology of this stuff gets confusing because a single FS can be both an account FS and a resource FS at the same time. It all depends upon which things you have configured in your FS. Basically, ADFS can configure account stores, applications, account partners and resource partners. Depending on which ones of those things you have configured, you could be in any ADFS role. For example, if your FS has an account store, it can provide the users in that account store with the ability to log in to something. If you have applications configured, then you provide those applications to either your own users (if you have an account store) or your account partners (if you have account partners configured) or both. If you have applications but don't have either an account store or an account partner, that won't really do anything useful as no one will be able to log into that application. :) As such, there are combos of settings that don't make any sense.
I think it will become more clear once you get it up and running. The standard scenario you go through is to put together an extranet type of design like this, so you should see the scenario you want come about that way.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"John" <John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C8035CB7-F944-4CA5-AC5D-D124E85D2B0F@xxxxxxxxxxxxxxxx
Joe,
Great thanks for your help.
Suppose we have all external users in the separate AD. We have two federated account servers as you suggested. We also have the federated web agent on the app web server. So, we just need to configure ADFS on the account servers, right? There is no resource server, right? We just need to follow Step by Step ADFS to configure ADFS on the account server? Should I establish a trust between these two account servers?
Thank you.
"Joe Kaplan" wrote:
The way I read what you are trying to do, you really should have two federation servers. One would hold the AD account store and the applications (basically be a resource partner with an account store). The other FS would just hold the account store for the external users which would be placed in either AD or ADAM.
From what I understand about your current design, the external users are not currently in a directory but are stored by the application itself. If that is true, then conversion of those accounts into a directory that ADFS supports will likely be the most significant part of the integration work here.
The step by step guide can be useful for getting a test environment up and running, but it doesn't really shine at helping you understand the underlying principles that will help you design the appropriate infrastructure for your application. I think the deployment guide is better for that.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"John" <John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F5291445-8656-4E89-ACAB-12C85FD4F876@xxxxxxxxxxxxxxxx
Great thanks for your knowledge and generous help.
Now, I am setting up the test environment to follow the step by step guide to deploying ADFS. According to the guide for two forests, you need ADFS account and resource federation servers and then configure the web server to trust the root of the resource federation server.
According to my environment, since we hold the account and web servers, we only need one federation server to handle account and resource, right? I am not sure about this.
Thank you.
"Joe Kaplan" wrote:
You need SSL certificates for your federation servers as well as your web applications as ADFS requires SSL for all HTTP communication. Additionally, you'll need a certificate for token signing for the federation server as well. This can be the same cert you use for SSL or can be different (up to you).
For the external users, I think the best design is to have them associated with a second federation server and a second separate account store. I like to use ADAM for this as it is lighter weight, but ADAM is harder to integrate with ADFS and requires more effort to get a provisioning solution in place, so there is a tradeoff. If you don't have much comfort with ADAM, there is a lot to learn there.
What I generally do is have the federation server that represents the internal AD be the resource FS for the application(s) to share and then have the external user FS be an account partner to the resource FS.
It is possible to have one FS and have AD and ADAM both be account stores, but that design is pretty hard to integrate and I would not try to do that.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"John" <John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C8B2C8FB-E725-42EC-96AC-C1325948954D@xxxxxxxxxxxxxxxx
Thanks for your great help.
I can set up another server to be the federation server instead of a domain controller, right? When I install the federation services, I have to have certificates installed on the federation servers, right? Still, what's the best way to handle the external users (they are created with their external emails)? Currently, they are created with the extranet application, not in our AD. How do I make them in our AD?
Thank you.
"Joe Kaplan" wrote:
Yes, R2 enterprise is needed for the FS. The web agent can be installed on R2 standard. Note that all of your web apps will need R2 as a result of this as you can't install the agent without R2.
Your DCs can be 2000 or 2003 and you don't need to be 2003 FF.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"John" <John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BB08EDD6-E399-4684-953A-E762E73B5F7E@xxxxxxxxxxxxxxxx
In addition, I definitely need a federation server, which needs Windows 2003 Enterprise R2, right?
"John" wrote:
Thanks for the help.
I thought I just needed the web agent installed on the application web server. I am not sure whether you mean federation server or federation agent. Any difference? You mean I need to install ADFS on the domain controller which hosts the accounts?
Thank you very much.
"Joe Kaplan" wrote:
You can definitely use ADFS to solve this problem. It is one of the standard use cases for ADFS and my company has an identical application architecture using ADFS in production right now.
You'll need more than just the ADFS agent installed on the application though. You'll need at least an ADFS federation server to serve as the authentication mechanism for your internal AD users and you'll need another federation server to serve as the account store for the external users as well. If they are stored in ADAM, you could potentially do this with one federation server but the design isn't very clean. I'd recommend against that. Also, in order to use ADFS as the account store for the external users, they too must be stored in either AD or ADAM. If they are in SQL or some other store, ADFS can't be used.
I'd suggest reading the ADFS Deployment Guide to learn more about the details. There is also a thread going on over at my book's web forum discussing something very similar that you might be interested in (see link in sig).
HTH,
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"John" <John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F057C141-2DFB-4B9F-9C1B-F3C179898F92@xxxxxxxxxxxxxxxx
Hi all,
We have an in-house application to allow external users to access. Also, we want to allow internal users to access without creating accounts in the app and just using AD users. (We have Windows 2003 R2 Active Directory with mixed W2K and Win2003 DCs.) Can we deploy ADFS to allow single sign-on?
Also, what are the exact steps to configure this? Do we just need to install
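The following is an added example, not code from the thread or from ADFS itself. It models the point Joe Kaplan makes above: a federation server's role (account FS, resource FS, or both) follows from what is configured on it (account stores, applications, account partners, resource partners), and some combinations make no sense. It also checks the two-server extranet design he recommends: the internal FS holds the AD account store plus the applications, the external FS holds an ADAM account store, and the external FS is an account partner of the internal FS. The example treats a federation trust as two-sided (an account partner entry on the resource side paired with a resource partner entry on the account side) and treats a missing SSL or token-signing certificate as a defect; the FederationServer class, its field names, the server names and the sample topologies are all constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class FederationServer:
    """One ADFS federation server (FS) and what is configured on it.
    Field names are this example's own, not ADFS setting names."""
    name: str
    account_stores: set = field(default_factory=set)     # e.g. {"AD"} or {"ADAM"}
    applications: set = field(default_factory=set)       # web apps fronted by the ADFS web agent
    account_partners: set = field(default_factory=set)   # FS names whose users this FS accepts
    resource_partners: set = field(default_factory=set)  # FS names this FS sends its users to
    ssl_cert: bool = True                                # HTTPS certificate present on the FS
    token_signing_cert: bool = True                      # certificate used to sign issued tokens


def roles(fs):
    """Roles an FS plays, derived from its configuration rather than from a label."""
    r = set()
    if fs.account_stores:
        r.add("account")    # it can authenticate its own users
    if fs.applications:
        r.add("resource")   # it serves applications to its own users and/or account partners
    return r


def problems(topology):
    """Return a list of human-readable configuration problems for a set of federation servers."""
    by_name = {fs.name: fs for fs in topology}
    issues = []
    for fs in topology:
        if not fs.ssl_cert:
            issues.append(f"{fs.name}: no SSL certificate; ADFS requires HTTPS on every endpoint")
        if not fs.token_signing_cert:
            issues.append(f"{fs.name}: no token-signing certificate; it cannot issue tokens")
        if fs.applications and not (fs.account_stores or fs.account_partners):
            issues.append(f"{fs.name}: has applications but no account store and no account partner, "
                          "so nobody can log in")
        if fs.account_partners and not fs.applications:
            issues.append(f"{fs.name}: trusts account partners but serves no applications")
        # A trust is only usable when both sides describe it.
        for peer in fs.account_partners:
            p = by_name.get(peer)
            if p is None:
                issues.append(f"{fs.name}: account partner '{peer}' is not a known FS")
            elif fs.name not in p.resource_partners:
                issues.append(f"{fs.name}: lists '{peer}' as account partner, but '{peer}' "
                              f"does not list {fs.name} as resource partner")
            elif not p.account_stores:
                issues.append(f"{peer}: acts as account partner for {fs.name} but has no account store")
        for peer in fs.resource_partners:
            p = by_name.get(peer)
            if p is None:
                issues.append(f"{fs.name}: resource partner '{peer}' is not a known FS")
            elif fs.name not in p.account_partners:
                issues.append(f"{fs.name}: lists '{peer}' as resource partner, but '{peer}' "
                              f"does not list {fs.name} as account partner")
    return issues


def recommended_topology():
    """Constructed sample: the two-server extranet design described in the thread."""
    internal = FederationServer("internal-fs", account_stores={"AD"},
                                applications={"extranet-app"},
                                account_partners={"external-fs"})
    external = FederationServer("external-fs", account_stores={"ADAM"},
                                resource_partners={"internal-fs"})
    return [internal, external]


def one_sided_trust():
    """Constructed mistake: the trust was configured on the resource side only."""
    internal = FederationServer("internal-fs", account_stores={"AD"},
                                applications={"extranet-app"},
                                account_partners={"external-fs"})
    external = FederationServer("external-fs", account_stores={"ADAM"})
    return [internal, external]


if __name__ == "__main__":
    for fs in recommended_topology():
        print(fs.name, sorted(roles(fs)))   # internal-fs is both account and resource FS
    print("recommended:", problems(recommended_topology()))
    print("one-sided:", problems(one_sided_trust()))
```

Running it shows internal-fs deriving both the account and resource roles while external-fs is account-only, no problems for the recommended design, and a single problem for the one-sided trust, which is the situation John's "should I establish a trust" question is getting at.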