Tags: active, active directory, directory, federation, windows sbs 2003

#1
Active Directory Federation Services
Hello,

Not sure if my understanding is accurate, so I am hoping to get some feedback as to what we are trying to accomplish. We have a web page set up at abc.com on a Windows SBS 2003 system, in which we have a domain controller with Active Directory running Windows Server 2008 on a separate system. Most of our clients would like access to this page in order to perform certain functions. Will they have the ability to log in with their Active Directory accounts from their local site into our webpage if we set up ADFS on Server 2008? Or does ADFS need to be set up at both locations? Can someone please clarify this with me? Looking forward to your responses.

#2
Re: Active Directory Federation Services
Basically, they would need ADFS (or a compatible system) as well to use accounts in their organization to access your app.

Your ADFS server would be associated with your AD, so users in your AD could log in to your web app using ADFS but not their users. If there was only one ADFS server, you would either need to give them accounts in your AD (which largely defeats the point) or potentially create an ADAM store to issue them accounts and configure a secondary auth store for your ADFS server (which also defeats the point but at least doesn't require you to put their users in your AD).

Another possibility would be for you to configure your ADFS server to accept something like Windows Live logins and then have your clients get Windows Live accounts to use for accessing your app, but that also defeats the purpose of them getting SSO with their internal AD accounts. It really just moves the ball again as to where the external accounts might be stored.

The cool thing with ADFS is that all these things are possible, so you get a tremendous amount of flexibility in enabling SSO to your apps for your clients. For example, if you got a second set of clients from a different org, you could add their ADFS server as well and then they could access your app in addition to the first clients and your internal users.

I hope that helps solidify the mental model on how it works. For your partner to actually use ADFS, they would need an enterprise SKU of Windows Server and an AD. Other products implementing the protocol will have different requirements.
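The trust model Joe lays out above (one trust entry per partner STS, and nothing for an organisation that has no STS of its own) as an added example that is not part of the thread and is not ADFS or WIF code: a small Python model of a resource-side STS that verifies partner-issued tokens. HMAC keys stand in for the X.509 signing certificates a real federation trust exchanges; the issuer URLs, the relying-party id, the key values and the user names are all constructed for the example.

```python
"""Added example, not from the thread: a minimal model of the federation
trust described in post #2. The resource-side STS (the role your ADFS server
plays) admits users from any account partner whose STS you have registered;
an organisation with no registered STS gets nothing. HMAC keys stand in for
the X.509 signing certificates real ADFS exchanges; every issuer name, URL,
key and user below is constructed for the example."""
import hashlib
import hmac
import json
import time


class FederationError(Exception):
    """Raised when the resource STS refuses a presented token."""


class AccountPartnerSts:
    """A partner organisation's STS: signs tokens for users in *its* AD."""

    def __init__(self, issuer, signing_key):
        self.issuer = issuer
        self._key = signing_key

    def issue(self, upn, audience, ttl=300, now=None):
        now = time.time() if now is None else now
        claims = {"iss": self.issuer, "aud": audience, "sub": upn, "exp": now + ttl}
        payload = json.dumps(claims, sort_keys=True)
        sig = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}


class ResourceSts:
    """Your ADFS server: one trust entry per issuer it will accept tokens from."""

    def __init__(self, app_id):
        self.app_id = app_id
        self._trusted = {}  # issuer URL -> verification key

    def add_partner(self, issuer, key):
        # Onboarding a second client org is just one more trust entry (post #2).
        self._trusted[issuer] = key

    def accept(self, token, now=None):
        now = time.time() if now is None else now
        claims = json.loads(token["payload"])
        key = self._trusted.get(claims.get("iss"))
        if key is None:
            raise FederationError("untrusted issuer: %s" % claims.get("iss"))
        expected = hmac.new(key, token["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            raise FederationError("bad signature")
        if claims.get("aud") != self.app_id:
            raise FederationError("token not issued for this app")
        if claims.get("exp", 0) <= now:
            raise FederationError("token expired")
        # Claim mapping: the partner's UPN becomes the identity the app sees.
        return {"user": claims["sub"], "home_org": claims["iss"]}


def outcome(fn):
    """Run one login attempt and describe the result as a short string."""
    try:
        return "accepted:" + fn()["user"]
    except FederationError as exc:
        return "rejected:" + str(exc)


def demo(now=1_700_000_000):
    """Walk through the scenarios from post #2 with a fixed clock."""
    app = "https://abc.example/portal"  # constructed relying-party id
    resource = ResourceSts(app)
    one = AccountPartnerSts("https://sts.partner-one.example", b"key-one")
    two = AccountPartnerSts("https://sts.partner-two.example", b"key-two")
    stranger = AccountPartnerSts("https://sts.unknown.example", b"key-x")
    resource.add_partner(one.issuer, b"key-one")

    results = {}
    results["partner_one"] = outcome(
        lambda: resource.accept(one.issue("alice@partner-one.example", app, now=now), now=now))
    results["partner_two_before_trust"] = outcome(
        lambda: resource.accept(two.issue("bob@partner-two.example", app, now=now), now=now))
    resource.add_partner(two.issuer, b"key-two")  # onboard the second client org
    results["partner_two_after_trust"] = outcome(
        lambda: resource.accept(two.issue("bob@partner-two.example", app, now=now), now=now))
    results["stranger"] = outcome(
        lambda: resource.accept(stranger.issue("eve@unknown.example", app, now=now), now=now))
    tampered = one.issue("alice@partner-one.example", app, now=now)
    tampered["payload"] = tampered["payload"].replace("alice", "admin")
    results["tampered"] = outcome(lambda: resource.accept(tampered, now=now))
    results["wrong_audience"] = outcome(
        lambda: resource.accept(one.issue("alice@partner-one.example",
                                          "https://other.example", now=now), now=now))
    results["expired"] = outcome(
        lambda: resource.accept(one.issue("alice@partner-one.example", app,
                                          ttl=300, now=now - 1000), now=now))
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-26s %s" % (name, result))
```

Running it shows the second partner flipping from rejected to accepted the moment its trust entry is added, while the unknown organisation stays out; a tampered payload, a token minted for a different application and an expired token are each refused with a distinct reason, which is exactly the set of events a real federation server should be logging.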

#3
Re: Active Directory Federation Services
I'm not sure about that, but I can tell you that you really don't want to host a public website on your domain controller/Exchange server. Put it on its own box in a properly secured DMZ.

#4
Re: Active Directory Federation Services
I know this is an old thread but very pertinent to an upcoming project.

Client has domain with SBS2003 Premium. Wants to add SharePoint Services 3.0 for internal document/process management. Also wants to provide a portal for select customers to access documents related to their projects.

It's my understanding that SBS does not include/support ADFS natively.

My question is: Is the following scenario feasible?

Add 2003 Standard member server and configure as BDC.
Install SPS 3.0 with prerequisites.
Install ADFS on member server.
Set up webapp extranet to use ADFS.
Create customer logins in SBS AD.

Would this, should this, work? We only desire Web SSO for clients, not their networks.

You mentioned Enterprise Server 2003. Why? Am I missing something?

#5
Re: Active Directory Federation Services
Hello WISPaway,

Maybe check this posting:
http://www.eggheadcafe.com/software/...rk-with-a.aspx

Also, I suggest using one of these forums/newsgroups for SBS-related questions; too many steps are different there:
http://www.sbs2008.com/

#6
Re: Active Directory Federation Services
SBS licensing would require an SBS user CAL for each AD-authenticating ADFS user. SBS limits licensing to a maximum of 75, btw. Otherwise you might be able to use an ADAM (LDS) instance instead of SBS AD. Rather a tricky licensing scenario, not to mention the supportability factors.

#7
Re: Active Directory Federation Services
The other important thing is that the ADFS federation server component can only be installed on the enterprise edition of Windows server. I doubt that changes with ADFS V2 (coming out real soon now).

Thus, you'd need at least one enterprise SKU server to run ADFS itself regardless of other licensing concerns.

#8
Re: Active Directory Federation Services
Thanks for the thread reference. Looks like I'm on the right track.
--
I knows what I knows and I wants to knows more.

"Meinolf Weber [MVP-DS]" wrote:
> Hello WISPaway,
>
> Maybe check this posting:
> http://www.eggheadcafe.com/software/...rk-with-a.aspx
>
> Also, I suggest using one of these forums/newsgroups for SBS-related questions;
> too many steps are different there:
> http://www.sbs2008.com/
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

#9
Re: Active Directory Federation Services
Thanks for the reply. I'm well aware of SBS user/device limitations, and licensing with ADAM would be a hellish nightmare I would forego sleep to avoid. Luckily the number of connecting clients would be very limited. Or so I've been told.
--
I knows what I knows and I wants to knows more.

"kj [SBS MVP]" wrote:
> SBS licensing would require an SBS user CAL for each AD-authenticating ADFS
> user. SBS limits licensing to a maximum of 75, btw. Otherwise you might be
> able to use an ADAM (LDS) instance instead of SBS AD. Rather a tricky
> licensing scenario, not to mention the supportability factors.
>
> --
> /kj

#10
Re: Active Directory Federation Services
Thanks for the reply Joe.
I haven't been able to find any easily available info from Microsoft supporting your claim, though I don't doubt it.
The Server 2003 version comparison chart doesn't even mention ADFS. WTF!
Looks like I'm on the right track with it though.

It may be a moot point now. We may decide to use some other authentication method or platform altogether.
A shame really.
--
I knows what I knows and I wants to knows more.

"Joe Kaplan" wrote:
> The other important thing is that the ADFS federation server component can
> only be installed on the enterprise edition of Windows server. I doubt that
> changes with ADFS V2 (coming out real soon now).
>
> Thus, you'd need at least one enterprise SKU server to run ADFS itself
> regardless of other licensing concerns.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> http://www.directoryprogramming.net

#11
Re: Active Directory Federation Services
I've definitely seen it published in the ADFS docs somewhere, because it has come up multiple times in my discussions with other business partners and I've sent a link before. Search around. You'll find the reference. Sorry the 2003 server docs don't show it. That is a little sad.

I'm not sure where things stand with Geneva/ADFS V2. You can also use WIF to write your own STS for free, but I doubt you'd want to do that. :)
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net

"WISPaway" <WISPaway@discussions.microsoft.com> wrote in message
news:DC2CA2C0-2DD0-47F9-A33D-874EBA75E076@microsoft.com...
> Thanks for the reply Joe.
> I haven't been able to find any easily available info from Microsoft
> supporting your claim, though I don't doubt it.
> The Server 2003 version comparison chart doesn't even mention ADFS. WTF!
> Looks like I'm on the right track with it though.
>
> It may be a moot point now. We may decide to use some other authentication
> method or platform altogether.
> A shame really.
> --
> I knows what I knows and I wants to knows more.