Should ADFS be implemented when...

Should ADFS (Federation Services) be implemented in a network where web applications running on member servers require access to a) domain-based SQL Servers, b) domain-based Exchange servers, and c) AD object info (such as user addresses, departments, groups, etc)?

Trying to nail down where exactly (and IF) I need the Federation Services on our domain controllers...

Thanks!
Jack

The main use case for ADFS in its current, initial release is for interop between different authentication realms, such as the forests of two corps, where the objective is to provide webservices one to the other or both to each other, but, and this is key, where the authentication and authorization to use is the unrepudiatable responsibility of the using realm once policy has defined what the used party agrees to provide and the parties agree on how those services are accessed.

Long words. If I agree to provide services X to your users, but I do not want to define accounts for your users, nor to be responsible for authenticating that your users are who they claim, and I want you to be responsible for your use of the provided service, of the accounts you allow to use them, etc. so that I can hold you responsible for the uses made by your access, then ADFS fits the bill like little else can.

This use model is probably overkill for the cases you have described. I can see how with an ADAM install on the machines without AD, and providing them with an STS install, you feasibly could squeeze the scenarios you mentioned into an ADFS model. It would however be pretty complicated for what it accomplishes.

Also the present form of ADFS is that it is for web scenarios exclusively, and, when used in a domain, does not need to be installed on the domain controllers.

"JackBlack" <jackisb***@hotmail.com> wrote in message news:%23GZM6AWxGHA.2432@TK2MSFTNGP06.phx.gbl...
> Should ADFS (Federation Services) be implemented in a network where web
> applications running on member servers require access to a) domain-based
> SQL Servers, b) domain-based Exchange servers, and c) AD object info (such
> as user addresses, departments, groups, etc)?
>
> Trying to nail down where exactly (and IF) I need the Federation Services
> on our domain controllers...
>
> Thanks!
> Jack