This topic describes how to configure Internet Information Services (IIS) on Forefront Unified Access Gateway (UAG) to support Active Directory Federation Services (AD FS).

Note:
The certificate used to create the HTTPS connection (the same server certificate that you assigned to the portal trunk) must be configured on the HTTPS binding of the default IIS Web site; otherwise, the AD FS configuration script will not succeed.

The following procedures describe how to configure the server certificate on the default IIS Web site, and how to configure IIS to support AD FS.

To configure the server certificate in IIS

  1. On the Forefront UAG server, click Start, and then in the Start Search box, type inetmgr and press ENTER.

  2. In the IIS Manager, in the navigation tree, under Sites, right-click Default Web Site, and then click Edit Bindings.

  3. On the Site Bindings dialog box, click the HTTPS site binding that uses port 6002, and then click Edit.

  4. On the Edit Site Binding dialog box, in the SSL certificate drop-down list, click the server certificate that you used when you created the portal trunk.

  5. Click OK to close the Edit Site Binding dialog box, and then on the Site Bindings dialog box, click Close.

To configure IIS and the AD FS Web Agent

  1. On the Forefront UAG server, click Start, and then in the Start Search box, type inetmgr and press ENTER.

  2. In the navigation tree, click Default Web Site, and then in the center pane, in the Other section, double-click SSL Settings.

  3. In SSL Settings, select the Require SSL check box, and then in the Actions pane, click Apply. With this setting, IIS rejects plaintext HTTP requests to the site, so the AD FS agent cookie is only ever exchanged over TLS.

  4. In the navigation tree, double-click Sites, double-click Default Web Site, double-click InternalSite, right-click ADFS, and then click Convert to Application.

  5. On the Add Application dialog box, click OK.

  6. In the navigation tree, double-click Sites, double-click Default Web Site, double-click InternalSite, click ADFS, and then in the center pane, in the IIS section, double-click Authentication.

  7. Click AD FS Windows Token-Based Agent, and then in the Actions pane, click Edit.

  8. On the AD FS Windows Token-Based Agent dialog box, select the Enable AD FS Web Agent check box. In Cookie Path, type /. Ensure that the Cookie Domain field is empty. In Return URL, type: https://<Portal trunk host name>/. Then click OK.

    Note:
    If you are publishing SharePoint applications, you must enter the domain corresponding to your Forefront UAG host name and the alternate access mapping (AAM) host name in the Cookie Domain field. For example, if the Forefront UAG portal uses the host name portal.woodgrovebank.com and the SharePoint AAM host name is sp.woodgrovebank.com, enter .woodgrovebank.com. Note that a parent-domain cookie is sent by the browser to every host under that domain, not only to the portal and SharePoint hosts, so leave Cookie Domain empty unless the AAM scenario requires it. For information about publishing SharePoint applications, see Configuring SharePoint AAM applications with AD FS.