5. Adding Federation Servers to the Farm
After the first federation server has been configured, the AD FS 2.0 software can be installed on additional servers. The same SSL certificate installed on the primary federation server should be exported from the primary together with its private key (as a PFX file), imported into the local computer certificate store of each additional server, and bound to the IIS Default Web Site before AD FS is configured. Every server in the farm answers under the single federation service name, so each must present a certificate valid for that name; reusing the primary's certificate is the simplest way to guarantee this. By default, when a system restarts after being targeted as a federation server during the AD FS 2.0 software installation, the AD FS 2.0 Federation Server Configuration Wizard automatically starts. To add an additional server to the federation service farm, use the following procedure:
1. At the Welcome page, verify that Add a Federation Server to an Existing Federation Service is selected, and then click Next.
2. At the Specify the Primary Federation Server and Service Account page, under Primary Federation Server Name, enter the name of the primary federation server. Under Service Account, click Browse; in the Browse dialog box, locate the domain account of the dedicated service account for the federation server farm, and then click OK. This must be the same service account that was specified when the primary federation server was configured. Enter the password for this account, confirm it, and click Next.
3. At the Ready to Apply Settings page, review the details. If the settings appear correct, click Next to begin configuring the AD FS instance with these settings.
4. At the Configuration Results page, review the results. After all the configuration steps have completed, click Close to exit the wizard and complete the configuration.
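The certificate requirement above is the step most often done incompletely: the certificate is imported without its private key, or a different certificate ends up bound to port 443 than the one the primary uses. The following PowerShell script is an added example, not part of the original text or of the AD FS 2.0 product, for checking a prospective farm node before running the wizard. It compares the certificate bound to HTTPS on the local server against a thumbprint read from the primary and checks that the certificate has a private key, is unexpired, and carries the federation service name. The service name fs.contoso.com and the thumbprint are assumptions; the Get-ADFSCertificate cmdlet referenced in the comment is the one shipped in the Microsoft.Adfs.PowerShell snap-in.

```powershell
# Added example (not from the original text): pre-join check for a prospective farm node.
# Run on the server that is about to join the farm, after importing the PFX and binding
# it to the Default Web Site. $ExpectedThumbprint is obtained on the primary server with:
#   Add-PSSnapin Microsoft.Adfs.PowerShell
#   (Get-ADFSCertificate -CertificateType Service-Communications).Thumbprint
# The service name and thumbprint used here are assumptions.
param(
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint,
    [string]$FederationServiceFqdn = 'fs.contoso.com'
)

# Thumbprint of the certificate bound to HTTPS on all addresses, as HTTP.SYS/IIS see it.
function Get-IisSslThumbprint {
    param([string]$IpPort = '0.0.0.0:443')
    $out = & netsh http show sslcert ipport=$IpPort 2>&1 | Out-String
    if ($out -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') { return $matches[1].ToUpper() }
    return $null
}

# Looks the certificate up in the local computer store and reports the properties that
# decide whether AD FS can use it: private key present, not expired, name matches.
function Test-ServiceCommunicationsCertificate {
    param([string]$Thumbprint, [string]$Fqdn)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { Write-Warning "Certificate $Thumbprint is not in LocalMachine\My"; return $false }
    $ok = $true
    if (-not $cert.HasPrivateKey) {
        Write-Warning 'Certificate has no private key; export the PFX from the primary with the key'
        $ok = $false
    }
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired $($cert.NotAfter)"; $ok = $false }

    # Name check: subject CN plus any DNS entries in the Subject Alternative Name extension.
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() })
    }
    # A wildcard entry such as *.contoso.com is accepted for a name in that domain.
    $match = $names | Where-Object { $_ -ieq $Fqdn -or ($_.StartsWith('*.') -and $Fqdn -like $_) }
    if (-not $match) {
        Write-Warning "Neither subject nor SAN names ($($names -join ', ')) match $Fqdn"
        $ok = $false
    }
    return $ok
}

$expected = $ExpectedThumbprint.Replace(' ', '').ToUpper()
$bound = Get-IisSslThumbprint
Write-Host "Expected (primary)  : $expected"
Write-Host "Bound on 0.0.0.0:443: $bound"
if ($bound -ne $expected) {
    Write-Warning 'The certificate bound to HTTPS differs from the primary federation server; fix the IIS binding before running the configuration wizard'
}
$certOk = Test-ServiceCommunicationsCertificate -Thumbprint $expected -Fqdn $FederationServiceFqdn
if ($certOk -and ($bound -eq $expected)) {
    Write-Host 'Certificate checks passed; this server is ready to join the farm.'
}
```

Run it as an administrator on the new node, pasting in the thumbprint printed on the primary. A warning from any check means the wizard will either fail or produce a node that clients reject with a certificate error, so resolve it first.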
6. Verifying That the Federation Service Is Operational
After the federation service has been
configured, there are two methods that can be used to verify that the
service is operational:
• On a client computer that is a member of the same AD forest as the federation service, open a web browser and connect to the following URL, where <fedservFQDN> is the fully qualified domain name of the federation service: https://<fedservFQDN>/FederationMetadata/2007-06/FederationMetadata.xml. If the connection is successful, the expected output is a federation service description document in XML format. If the browser shows a certificate warning, click Continue to This Website to see the document, but treat the warning as a finding rather than a formality: it means the client does not trust the issuer of the SSL certificate, the name in the certificate does not match <fedservFQDN>, or the certificate has expired, and the same condition can cause relying parties and federation server proxies to reject the connection. In a production deployment, fix the certificate rather than clicking through.
• On a server where the federation service role has been installed, open the Event Viewer. Under Applications and Services Logs, expand AD FS 2.0 Eventing, and then click Admin. In the Event ID column, look for an event with ID 100, which indicates that the Federation Service started successfully. Check each federation server in the farm, because the service starts independently on every node.
7. Federation Server Proxy Configuration
After the federation service is up and running, AD FS configuration can be performed on the systems that will be used as federation server proxies. The same SSL certificate installed on the federation servers should be imported to each server that will be used as a federation server proxy, and applied to the IIS Default Web Site before configuring AD FS. The proxy must be able to reach the federation servers over HTTPS (TCP 443), and it must resolve the federation service FQDN to the internal federation servers rather than to itself; on a proxy in a perimeter network this is usually done with a HOSTS file entry or split DNS, while external clients resolve the same name to the proxy. By default, after a system restarts after being targeted as a federation server proxy during the AD FS 2.0 software installation, the AD FS 2.0 Federation Server Proxy Configuration Wizard automatically starts. To configure the federation server proxy role, use the following procedure:
1. At the Welcome page, click Next.
2. At the Specify Federation Service Name page, under Federation Service Name, enter the fully qualified domain name of the federation service.
3. If an HTTP proxy server is required to forward requests to the federation service, select the Use an HTTP Proxy Server When Sending Requests to This Federation Service check box; then, under HTTP Proxy Server Address, type the address of the proxy server, and click Test Connection to verify connectivity. When finished, click Next.
4. At the prompt, enter the credentials of the dedicated AD FS service account that was specified during the configuration of the federation service. This account is used to establish trust between the federation server proxy and the federation service; the proxy itself runs under a local service identity and does not need to be joined to the domain.
5. At the Ready to Apply Settings page, review the details. If the settings appear correct, click Next to begin configuring the federation server proxy settings.
6. At the Configuration Results page, review the results. After all the configuration steps have completed, click Close to exit the wizard and complete the configuration.
8. Verifying That the Federation Proxy Is Operational
After the federation server proxy has been configured, use the following procedure to verify that the service is operational:
1. Log on to the federation server proxy system using an account with local administrator rights.
2. Open the Event Viewer; then, under Applications and Services Logs, expand AD FS 2.0 Eventing, and click Admin.
3. In the Event ID column, look for an event with ID 198, which indicates that the federation server proxy started successfully and is online. To confirm that it is actually serving external clients, also request the federation metadata URL from section 6 from a host outside the perimeter network, whose name resolution points the federation service FQDN at the proxy.
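The checks in section 6 (federation server) and section 8 (federation server proxy) are the same two checks with different event IDs, so the following PowerShell script, an added example that is not part of the original text or of AD FS 2.0 itself, performs both for either role. It fetches the federation metadata with normal .NET certificate validation, so a chain, name or expiry problem fails the request instead of being clicked through, prints the entityID and SSL certificate it saw, and then looks in the AD FS 2.0 Admin log for the startup event and for any error events logged after it. The service name fs.contoso.com is an assumption; event IDs 100 and 198 and the log name are those of AD FS 2.0.

```powershell
# Added example (not from the original text): verifies a federation server (event 100)
# or a federation server proxy (event 198) with the checks the text describes, plus
# certificate details. Run it on the server being checked. fs.contoso.com is an assumption.
param(
    [string]$FederationServiceFqdn = 'fs.contoso.com',
    [ValidateSet('Server', 'Proxy')][string]$Role = 'Server'
)

$startupEventId = @{ Server = 100; Proxy = 198 }

# Fetches the federation metadata with default .NET certificate validation. A chain,
# name or expiry problem surfaces here as a WebException, which is the same condition
# the browser reports as a certificate warning.
function Test-FederationMetadata {
    param([string]$Fqdn)
    $url = "https://$Fqdn/FederationMetadata/2007-06/FederationMetadata.xml"
    $request = [System.Net.HttpWebRequest]::Create($url)
    $request.Timeout = 15000
    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        Write-Warning "GET $url failed: $($_.Exception.Message)"
        return $false
    }
    $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
    [xml]$metadata = $reader.ReadToEnd()
    $reader.Close()
    $response.Close()

    # The root element is EntityDescriptor; its entityID normally embeds the service FQDN.
    $entityId = $metadata.EntityDescriptor.entityID
    Write-Host "Metadata OK: entityID=$entityId"
    if (-not $entityId -or $entityId -notlike "*$Fqdn*") {
        Write-Warning "entityID '$entityId' does not contain $Fqdn; the federation service name may be wrong"
    }
    $tlsCert = $request.ServicePoint.Certificate
    if ($tlsCert) {
        $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tlsCert)
        Write-Host "SSL certificate: $($x509.Subject) thumbprint=$($x509.Thumbprint) expires=$($x509.NotAfter)"
        if ($x509.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'SSL certificate expires within 30 days' }
    }
    return $true
}

# Looks for the most recent startup event in the AD FS 2.0 Admin log and for any error
# events logged after it; a service that started and then failed still shows the startup event.
function Test-AdfsStartupEvent {
    param([int]$EventId)
    $log = 'AD FS 2.0/Admin'
    $started = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $EventId } -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $started) {
        Write-Warning "No event $EventId in $log; the service has not started successfully"
        return $false
    }
    Write-Host "Event $EventId at $($started.TimeCreated): $($started.Message.Split([char]10)[0])"
    # Level 2 = Error. Only events newer than the startup event are relevant.
    $errors = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2; StartTime = $started.TimeCreated } -ErrorAction SilentlyContinue)
    if ($errors.Count -gt 0) {
        Write-Warning "$($errors.Count) error event(s) since startup; most recent: $($errors[0].Id) $($errors[0].Message.Split([char]10)[0])"
    }
    return $true
}

$eventOk = Test-AdfsStartupEvent -EventId $startupEventId[$Role]
# On a proxy the metadata request hits the proxy's own HTTPS listener, so the host running
# this script must resolve $FederationServiceFqdn to the proxy (for a server, to the farm).
$metaOk = Test-FederationMetadata -Fqdn $FederationServiceFqdn
if ($eventOk -and $metaOk) { Write-Host "$Role verification passed for $FederationServiceFqdn" }
```

Run it as an administrator on each federation server with the default role, and on each proxy with -Role Proxy. Because the metadata request uses strict validation, a passing run also proves that the SSL certificate chain and name are acceptable to a Windows client, which the browser test only proves if no certificate warning appeared.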