Active Directory Federation Services
On the right side of the illustration, you have users who are trying to access an application on server 2. However, they authenticate through server 1. Once they've authenticated through that server, they then have to access yet another server in order to complete the tasks they need to do. As you can imagine, this can be quite annoying to users. It would be particularly irritating if they had to use the same username and password.
By using AD FS, administrators can create a trust policy between servers for the purposes of authentication. This means that in a situation such as Figure 1.16, you could create an environment where users could simply log on to their primary server and then be authenticated throughout the rest of the forest (or multiple-forest) environment. It isn't just convenient for them; it's also less of a burden on your servers. They get to authenticate automatically through a simple service instead of sending requests for user information back and forth, which may require more demanding GUIs or other programs they have to launch. When you're first creating your design, Active Directory Federation Services has several options for how it can be installed:
Federation Services Federation Services is the underlying architecture that provides the ability for users to sign on once in an environment. It does this through a series of designed trusts and allocations that are decided upon far in advance of the actual implementation of the feature. In general, Federation Services can implement single sign-on through one of three general federation designs, also referred to as federation scenarios: Web SSO, Federated Web SSO, and Federated Web SSO with Forest Trust.
Web SSO design In a simple Web SSO design, all users are external, and therefore no federation trusts exist because there are no partners. According to Microsoft, the primary reason an administrator would need a design such as this is if the organization had an application that needed to be accessed by users on the Internet.
Federated Web SSO design Sometimes companies merge, form partnerships, or otherwise need to share infrastructures and applications. Before AD FS, the only real way this could be accomplished was by creating a separate account for each user, along with a new series of policies and information to remember in addition to the current passwords. Now, when situations like this occur, administrators can incorporate a design policy that implements the concept of federation trusts. A federation trust is a type of agreement made between two organizations that gives them the ability to verify users from one organization so they can be granted access to the other. Federation trusts are represented with one-way arrows that point to the account side of the trust, as illustrated in Figure 1.17.
A quick but very important point to consider before continuing is that federation trusts require two servers to authenticate. You can't have a federation trust that authenticates to nothing.
Consider the example in Figure 1.18. In this figure, you can see a great example of where an organization could use Active Directory Federation Services. MyCorp, a service providing a resource, has a trust established with MegaCorp, an organization with several accounts. Within MegaCorp, several users will need to log in to MegaCorp and have access to the services provided by MyCorp. In this scenario, they can simply log in to MegaCorp and access their applications at whim.
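The Figure 1.18 pairing expressed as an added example, not code from the book: MegaCorp is the account partner (it issues tokens), MyCorp is the resource partner (it accepts them), and the one-way trust is registered on both federation servers. It assumes the ADFS PowerShell module from Windows Server 2012 and later (the AD FS version covered by this text is configured through its MMC snap-in instead), and the hostnames, trust names and UPN suffix are placeholders.

```powershell
# Added example: one-way federation trust, MegaCorp (accounts) -> MyCorp (resource).
# Assumes the ADFS PowerShell module (Windows Server 2012+); hostnames are placeholders.

# --- Account side, run on MegaCorp's federation server ---
# MegaCorp issues tokens FOR MyCorp, so MyCorp is registered here as a relying party.
Add-AdfsRelyingPartyTrust -Name 'MyCorp resource partner' `
    -Identifier 'https://fs.mycorp.example/adfs/services/trust' `
    -MetadataUrl 'https://fs.mycorp.example/FederationMetadata/2007-06/FederationMetadata.xml' `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Least privilege: send only the claims MyCorp needs (UPN and group roles), not every AD attribute.
$issuance = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN and roles for MyCorp"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = ";userPrincipalName,tokenGroups;{0}", param = c.Value);
'@
# Authorization rule: permit token issuance to this relying party for authenticated users.
$authz = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
Set-AdfsRelyingPartyTrust -TargetName 'MyCorp resource partner' `
    -IssuanceTransformRules $issuance -IssuanceAuthorizationRules $authz

# --- Resource side, run on MyCorp's federation server ---
# MyCorp accepts tokens FROM MegaCorp, so MegaCorp is registered here as a claims provider.
Add-AdfsClaimsProviderTrust -Name 'MegaCorp account partner' `
    -Identifier 'https://fs.megacorp.example/adfs/services/trust' `
    -MetadataUrl 'https://fs.megacorp.example/FederationMetadata/2007-06/FederationMetadata.xml'

# Acceptance rule: pass through only UPNs in MegaCorp's own suffix, so the partner
# cannot assert identities that belong to another organization.
$accept = @'
@RuleName = "Accept only MegaCorp UPNs"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^[^@]+@megacorp\.example$"]
 => issue(claim = c);
'@
Set-AdfsClaimsProviderTrust -TargetName 'MegaCorp account partner' -AcceptanceTransformRules $accept

# Check: both halves of the trust are present and enabled.
Get-AdfsClaimsProviderTrust -Name 'MegaCorp account partner' | Select-Object Name, Identifier, Enabled
Get-AdfsRelyingPartyTrust  -Name 'MyCorp resource partner'  | Select-Object Name, Identifier, Enabled
```

The two halves must be configured on their respective servers; a trust registered on only one side authenticates to nothing, which is the point made above.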