Deploying federation with AD FS

The following procedures describe the tasks required to configure Active Directory Federation Services (AD FS) with Forefront Unified Access Gateway (UAG).

Important:
You must configure two static IP addresses on the external network adapter of the Forefront UAG server before you install Forefront UAG.

Note:
If you are redeploying federation with AD FS after reinstalling Forefront UAG, you must first delete the Windows NT token-based application that you previously created on the AD FS server.

Installing and configuring an AD FS server─Ensure that you have an AD FS server installed, and add the Forefront UAG portal as a Windows NT token-based application in AD FS.
Installing the AD FS web agent─On the Forefront UAG server, install the AD FS web agent as a Windows component.
Enabling a portal trunk for AD FS─Enable a Forefront UAG portal trunk that publishes the applications for which you want to allow AD FS access to use Active Directory authentication.
Configuring applications with AD FS─Configure any HTTP-based applications so that they can be used with AD FS.
Configuring SharePoint AAM applications with AD FS—Configure SharePoint alternate access mapping (AAM) applications with AD FS.
Configuring an AD FS proxy replacement trunk─Configure a Forefront UAG trunk to act as a proxy for the AD FS server, and to inspect traffic flowing from the end-user client, via Forefront UAG, to the AD FS server.
Configuring IIS to support federation—On the Forefront UAG server, configure the IIS settings.
Granting access to AD FS users─Add users to the Forefront UAG ADFS Users group who are allowed to access AD FS applications.
Running the AD FS configuration script—Run the AD FS configuration script to prepare Forefront UAG to work with AD FS. The script must be rerun every time that you publish or modify an AD FS-enabled application.

Note:
If you plan to use Kerberos, note the following when you deploy AD FS: You must configure the AD FS server to map every partner user to a shadowed account in the resource domain. To verify that the AD FS configuration is correct, check the Forefront UAG Web Monitor to verify that you can see the correct user name after Forefront UAG logon. If a group name or GUID appears, this indicates that the AD FS server is not configured correctly. You must enable Kerberos constrained delegation. For more information, see Configuring single sign-on with Kerberos constrained delegation.

Note:

If you plan to use Kerberos, note the following when you deploy AD FS:

You must configure the AD FS server to map every partner user to a shadowed account in the resource domain. To verify that the AD FS configuration is correct, check the Forefront UAG Web Monitor to verify that you can see the correct user name after Forefront UAG logon. If a group name or GUID appears, this indicates that the AD FS server is not configured correctly.
You must enable Kerberos constrained delegation. For more information, see Configuring single sign-on with Kerberos constrained delegation.