3. Right-click the ADLDS1 instance and click Uninstall. Click Yes in the warning message and Yes again when warned that you're removing the configuration set. Click OK in the message stating that AD LDS was removed successfully, and then close Control Panel.
4. Open Server Manager, if necessary. In the left pane, click the Roles node, and then click Remove Roles to start the Remove Roles Wizard. Click Next in the welcome window.
5. In the Remove Server Roles window, click to clear the Active Directory Lightweight Directory Services check box, and then click Next.
6. In the Confirm Removal Selections window, click Remove. If prompted, restart the server, and log on after the server restarts to finish removing AD LDS.
7. Stay logged on to Server1XX and keep Server Manager open for the next activity.
Active Directory Federation Services
Active Directory Federation Services (AD FS) allows single sign-on access to Web-based resources, even when those resources are located in a different network belonging to another organization. A typical situation is that a user in Company A needs to access resources in partner Company B with a Web browser, so Company B sets up a secondary account for the Company A user. The user is prompted for credentials when attempting to access the resource. If the number of users involved in this type of transaction is small, the extra work required to maintain the accounts is minimal, and the inconvenience of entering credentials each time the resource is accessed might not be a major burden. However, if many users must be maintained or users must communicate with many external companies, single sign-on might be warranted. AD FS is designed for just this situation.
AD FS Overview
AD FS provides functionality similar to a one-way forest trust, except that in a forest trust, domain controllers in each forest must be able to communicate directly with one another without interruption of service. As a result, when forests are hosted on separate corporate networks, firewalls on those networks must be configured to allow Active Directory communication, which raises security concerns. AD FS is designed to work over the public Internet with a Web browser interface. The main purpose of AD FS is to allow secure business-to-business transactions over the Internet; users need to log on only to their local networks. AD FS servers and AD FS-enabled Web servers then manage authentication and access to resources on partner networks without additional user logons.
Like most OS technologies, AD FS has its own set of terms for describing its components. The next sections discuss some terms and components used in the role services that make up AD FS.
Federation Trusts
A federation trust, like other types of trust relationships, involves a trusting party and a trusted party. Because AD FS is designed to facilitate business partnerships, the term "partner" is used instead of "party." A federation trust is inherently a one-way trust, but a two-way trust can be formed simply by creating a trust in both directions.
A typical business partner relationship involves users on one corporate network accessing resources on another corporate network. For example, with a supplier of goods and a wholesale purchaser of those goods, the supplier is likely to be the trusting partner and the purchaser the trusted partner. Users at the purchasing (trusted) company might access order entry, inventory, and order status applications and databases at the supplier (trusting) company. In AD FS terminology, the trusted company is referred to as the account partner, and the trusting company is referred to as the resource partner. In the trust relationship in Figure 12-5, the arrow points from the trusting (resource) partner to the trusted (account) partner. Users in the account partner organization are said to have a federated identity, which describes the agreed-on standards for sharing user identity information among two or more parties. This shared identity information is used to grant users privileges and permissions to resources across organizations.