Understanding AD FS Role Services

Applies To: Windows Server 2008, Windows Server 2008 R2

Active Directory Federation Services (AD FS) can operate only when the servers running Windows Server 2008 or Windows Server 2008 R2 are configured with the appropriate AD FS role services. AD FS role services are individual AD FS components that you install on servers running Windows Server 2008 or Windows Server 2008 R2. You can install the following AD FS role services with the Add Role Services Wizard:

  • Federation Service

  • Federation Service Proxy

  • Claims-aware agent

  • Windows token-based agent

Depending on the environment in your organization, specific AD FS server roles must be deployed. The following sections describe the server roles that are associated with each of the AD FS role services that you can use to provide an AD FS federated identity management solution.

Federation servers

Federation servers host the Federation Service role service of AD FS. These servers route authentication requests from user accounts in other organizations (in Federated Web Single-Sign-On (SSO) designs) or from clients that can be located anywhere on the Internet (in the Web SSO design). For more information about the different AD FS designs, see Understanding Federation Designs.

Federation servers also host a security token service that issues tokens that are based on the credentials (for example, user name and password) that are presented to it. After the credentials are verified (by the user logging on), claims for the user are collected through examination of the attributes for the user that are stored in Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).

For more information about federation servers, see Understanding the Federation Service Role Service.

Federation server proxies

Federation server proxies host the Federation Service Proxy role service of AD FS. You can deploy federation server proxies in your organization's perimeter network (also known as a demilitarized zone, extranet, or screened subnet) to forward requests to federation servers that are not accessible from the Internet.

Note

Although you can deploy separate servers to host the Federation Service Proxy role service, it is not necessary to deploy a separate server to act as a federation server proxy in the intranet forest of either the account partner or the resource partner. A federation server performs this role automatically.

For more information about federation server proxies, see Understanding the Federation Service Proxy Role Service.

AD FS-enabled Web servers

Web servers that host either the claims-aware or the Windows token-based AD FS Web Agent role service are referred to as AD FS-enabled Web servers. These servers provide secure access to the Web applications that they host. The AD FS Web Agent manages the security tokens and authentication cookies that are sent to an AD FS-enabled Web server. An AD FS-enabled Web server requires a relationship with a Federation Service so that all authentication tokens come from that Federation Service.

For more information about AD FS-enabled Web servers, see Understanding the AD FS Web Agent Role Service.
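The mapping from installed role services to server roles described in the sections above, as an added PowerShell example that is not part of the original article: it reads the installed AD FS role services through the Windows Server 2008 R2 ServerManager module, derives which server role the host plays, and flags the redundant intranet proxy placement the Note describes. The feature names (ADFS-Federation, ADFS-Proxy, ADFS-Claims, ADFS-Windows-Token) and the $inPerimeter flag are assumptions; confirm the names on your own server with Get-WindowsFeature.

```powershell
# Added example, not Microsoft's code. Requires the ServerManager module
# (Windows Server 2008 R2). Feature names below are assumed; verify with
# Get-WindowsFeature before relying on them.
Import-Module ServerManager

# Assumed feature name -> role service name used in the article.
$roleServices = @{
    'ADFS-Federation'    = 'Federation Service'
    'ADFS-Proxy'         = 'Federation Service Proxy'
    'ADFS-Claims'        = 'Claims-aware agent'
    'ADFS-Windows-Token' = 'Windows token-based agent'
}

function Get-AdfsServerRole {
    param([string[]]$Installed)   # installed ADFS-* feature names
    $roles = @()
    if ($Installed -contains 'ADFS-Federation') { $roles += 'Federation server' }
    if ($Installed -contains 'ADFS-Proxy')      { $roles += 'Federation server proxy' }
    if (($Installed -contains 'ADFS-Claims') -or ($Installed -contains 'ADFS-Windows-Token')) {
        $roles += 'AD FS-enabled Web server'
    }
    if ($roles.Count -eq 0) { $roles += 'No AD FS role service installed' }
    return $roles
}

function Test-AdfsPlacement {
    param([string[]]$Installed, [bool]$InPerimeter)
    $findings = @()
    # A federation server already acts as its own proxy inside the intranet
    # forest, so a co-located Federation Service Proxy adds nothing there.
    if (($Installed -contains 'ADFS-Federation') -and ($Installed -contains 'ADFS-Proxy') -and -not $InPerimeter) {
        $findings += 'Federation Service Proxy co-located with the Federation Service on an intranet host: redundant.'
    }
    # The design forwards Internet requests through a perimeter proxy to
    # federation servers that are not themselves reachable from the Internet.
    if (($Installed -contains 'ADFS-Federation') -and $InPerimeter) {
        $findings += 'Federation Service installed on a perimeter host: keep it on the intranet behind a federation server proxy.'
    }
    return $findings
}

$installed = Get-WindowsFeature |
    Where-Object { $_.Installed -and $roleServices.ContainsKey($_.Name) } |
    ForEach-Object { $_.Name }
$inPerimeter = $false   # constructed input: set according to where this host sits
"Installed role services: " + (($installed | ForEach-Object { $roleServices[$_] }) -join ', ')
"Server role(s): " + ((Get-AdfsServerRole $installed) -join ', ')
Test-AdfsPlacement -Installed $installed -InPerimeter $inPerimeter | ForEach-Object { "Finding: $_" }
```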