When deploying Forefront Unified Access Gateway (UAG) with Active Directory Federation Services (AD FS) 2.0, you must configure the Forefront UAG server as a new relying party trust. To create the relying party trust, you must use the AD FS 2.0 Management snap-in, and import the Forefront UAG configuration data from federation metadata that Forefront UAG publishes to a local network or to the Internet. Perform the following procedure on the federation server in your organization.
Note: Though it has long been common practice to use certificates with unqualified host names such as https://myserver, these certificates have no security value and can enable an attacker to impersonate a Federation Service that is publishing federation metadata. Therefore, when querying federation metadata, you should only use a fully qualified domain name such as https://myserver.contoso.com.
Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure.
Before creating the relying party trust, you must either copy the federation metadata file from the Forefront UAG server (or array manager server) to the AD FS 2.0 server or make sure you can access it on the AD FS 2.0 server over the Internet. The file was created during Forefront UAG activation and is located in the following folder: ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\ADFSv2Sites\<trunk_name>\FederationMetadata\2007-06, or at the following URL: https://<Portal_FQDN>/InternalSite/ADFSv2Sites/<trunk_name>/FederationMetadata/2007-06/FederationMetadata.xml.
To create a relying party trust using federation metadata
Click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
Under the AD FS 2.0\Trust Relationships folder, right-click Relying Party Trusts, and then click Add Relying Party Trust to open the Add Relying Party Trust Wizard.
On the Welcome page, click Start.
On the Select Data Source page, do one of the following:
- To import the metadata from a URL, click Import data about the relying party published online or on a local network. In Federation metadata address (host name or URL), type the location of the federation metadata file, and then click Next.
- To import the metadata from a file, click Import data about the relying party from a file. In Federation metadata file location, click Browse to locate the file that you copied from the Forefront UAG server, and then click Next.
On the Specify Display Name page, in Display name type UAG, under Notes type a description for this relying party trust, and then click Next.
On the Choose Issuance Authorization Rules page, click Permit all users to access this relying party, and then click Next.
On the Ready to Add Trust page, review the settings, and then click Next to save your relying party trust information.
On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box.
Important: If trusted certificate stores have been modified previously on this computer, verify that the SSL certificate that is used to secure the federation metadata retrieval is trusted by the service account that is assigned to this Federation Service. If the service account does not trust the SSL certificate of this relying party, monitoring of the trust will fail. To prevent this failure, make sure that the issuer of the relying party’s SSL certificate is in the Local Computer Trusted Root Certification Authorities certificate store on each federation server in the farm.
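The same relying party trust can be created from the AD FS 2.0 PowerShell snap-in instead of the wizard. The script below is an added example and is not part of the original page or of the Forefront UAG or AD FS product documentation. It assumes the Microsoft.Adfs.PowerShell snap-in is present on the federation server, and it uses the <Portal_FQDN> and <trunk_name> placeholders from the metadata URL above, which you replace with your own values. Before adding the trust it performs the two checks this page calls for: that the metadata address uses a fully qualified https host name, and that the TLS certificate served at that address chains to a root in this computer's trusted store, which is the condition the Important note above describes for trust monitoring to succeed. The Test-MetadataEndpointTrust function is a hypothetical helper written for this example.

```powershell
# Added example (not from the original page): create the Forefront UAG relying party trust
# with the AD FS 2.0 PowerShell snap-in, after checking the metadata endpoint the way the
# page recommends. <Portal_FQDN> and <trunk_name> are placeholders from the page.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Use the fully qualified portal name only; an unqualified name such as https://myserver
# cannot be tied to one specific Federation Service and gives no protection against impersonation.
$metadataUrl = 'https://<Portal_FQDN>/InternalSite/ADFSv2Sites/<trunk_name>/FederationMetadata/2007-06/FederationMetadata.xml'

function Test-MetadataEndpointTrust {
    # Hypothetical helper for this example: verifies the metadata address is https with a
    # fully qualified host name and that its server certificate is trusted by this computer.
    param([Parameter(Mandatory = $true)][string]$Url)

    $uri = [Uri]$Url
    if ($uri.Scheme -ne 'https' -or $uri.Host -notmatch '\.') {
        throw "Metadata address must be an https URL with a fully qualified host name: $Url"
    }

    # A TLS handshake through SslStream validates the server certificate chain against the
    # trusted root stores visible to the account running this script; no validation is bypassed.
    $tcp = New-Object Net.Sockets.TcpClient($uri.Host, $uri.Port)
    $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($uri.Host)
        $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        Write-Host ("Metadata endpoint certificate trusted. Subject: {0}  Issuer: {1}" -f $cert.Subject, $cert.Issuer)
        return $cert
    }
    catch [Security.Authentication.AuthenticationException] {
        # This is the condition under which monitoring of the trust would fail: fix it by
        # importing the issuing CA into the Local Computer Trusted Root Certification
        # Authorities store on every federation server in the farm.
        throw ("Certificate for {0} is not trusted by this computer: {1}" -f $uri.Host, $_.Exception.Message)
    }
    finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

# Step 1: checks from the Note and the Important paragraph on this page.
$null = Test-MetadataEndpointTrust -Url $metadataUrl

# Step 2: equivalent of "Import data about the relying party published online or on a local
# network". Use -MetadataFile with the copied FederationMetadata.xml instead of -MetadataUrl
# if the AD FS server cannot reach the Forefront UAG portal over the network.
Add-ADFSRelyingPartyTrust -Name 'UAG' -MetadataUrl $metadataUrl `
    -Notes 'Forefront UAG portal, trunk <trunk_name>' -MonitoringEnabled $true

# Step 3: the "Permit all users to access this relying party" issuance authorization rule,
# expressed in the AD FS claim rule language.
$permitAllUsers = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-ADFSRelyingPartyTrust -TargetName 'UAG' -IssuanceAuthorizationRules $permitAllUsers

# Step 4: confirm the trust and its monitoring setting.
Get-ADFSRelyingPartyTrust -Name 'UAG' | Select-Object Name, Identifier, MetadataUrl, MonitoringEnabled
```

Run the script in an elevated AD FS 2.0 PowerShell session on the federation server. The certificate check reflects the trust stores of the account running the script, so run it as a member of the local Administrators group and, if monitoring later fails despite a clean result here, confirm that the Federation Service's service account sees the same Local Computer Trusted Root Certification Authorities store on each server in the farm. Monitoring is enabled on the trust so that AD FS re-reads the Forefront UAG metadata periodically; the Step 1 check is what makes that periodic retrieval succeed.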