The following procedures describe the tasks required to configure Active Directory Federation Services (AD FS) with Forefront Unified Access Gateway (UAG).
Note: You must configure two static IP addresses on the external network adapter of the Forefront UAG server before you install
Note: If you are redeploying federation with AD FS after reinstalling Forefront UAG, you must first delete the Windows NT token-based application that you previously created on the AD FS server.
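The static-address prerequisite above is easy to get wrong on a server that was first set up with DHCP. The following PowerShell check is an added example, not part of the original page or of Forefront UAG; it confirms that the adapter named in $ExternalAdapter has DHCP disabled and carries at least two IPv4 addresses. The connection name "External" is an assumption; rename it to match the external NIC on your server.

```powershell
# Added example (not from the original page): verify that the external
# network adapter of the Forefront UAG server carries two static IPv4
# addresses before continuing with the AD FS deployment.
$ExternalAdapter = "External"   # assumed connection name; adjust to your NIC

# Find the adapter by its connection name (the name shown in Network Connections).
$adapter = Get-WmiObject -Class Win32_NetworkAdapter `
    -Filter "NetConnectionID='$ExternalAdapter'"
if (-not $adapter) {
    throw "No network connection named '$ExternalAdapter' was found."
}

# The associated configuration object holds the adapter's IP settings.
$config = $adapter.GetRelated("Win32_NetworkAdapterConfiguration") |
    Select-Object -First 1

# Addresses obtained from DHCP do not satisfy the static-address requirement.
if ($config.DHCPEnabled) {
    throw "'$ExternalAdapter' is configured for DHCP; the addresses must be static."
}

# IPAddress lists IPv4 and IPv6 addresses together; keep only the IPv4 entries.
$ipv4 = @($config.IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })

if ($ipv4.Count -lt 2) {
    throw "'$ExternalAdapter' has $($ipv4.Count) static IPv4 address(es); two are required."
}

"OK: '$ExternalAdapter' has static IPv4 addresses $($ipv4 -join ', ')"
```

Run the script in an elevated PowerShell session on the Forefront UAG server; it throws a descriptive error on the first unmet condition and prints the addresses it found when the prerequisite is satisfied.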
- Installing and configuring an AD FS server—Ensure that you have an AD FS server installed, and add the Forefront UAG portal as a Windows NT token-based application in AD FS.
- Installing the AD FS web agent—On the Forefront UAG server, install the AD FS web agent as a Windows component.
- Enabling a portal trunk for AD FS—Enable a Forefront UAG portal trunk that publishes the applications for which you want to allow AD FS access to use Active Directory authentication.
- Configuring applications with AD FS—Configure any HTTP-based applications so that they can be used with AD FS.
- Configuring SharePoint AAM applications with AD FS—Configure SharePoint alternate access mapping (AAM) applications with AD FS.
- Configuring an AD FS proxy replacement trunk—Configure a Forefront UAG trunk to act as a proxy for the AD FS server, and to inspect traffic flowing from the end-user client, via Forefront UAG, to the AD FS server.
- Configuring IIS to support federation—On the Forefront UAG server, configure the IIS settings.
- Allowing access to AD FS users—Add users who are allowed to access AD FS applications to the Forefront UAG ADFS Users group.
- Running the AD FS configuration script—Run the AD FS configuration script to prepare Forefront UAG to work with AD FS. The script must be rerun every time that you publish or modify an AD FS-enabled application.
Note: If you plan to use Kerberos, note the following when you deploy
- You must configure the AD FS server to map every partner user to a shadowed account in the resource domain. To verify that the AD FS configuration is correct, check the Forefront UAG Web Monitor and confirm that the correct user name appears after Forefront UAG logon. If a group name or GUID appears instead, this indicates that the AD FS server is not configured
- You must enable Kerberos constrained delegation. For more information, see Configuring single sign-on with Kerberos constrained delegation.