The Active Directory Federation Services (AD FS) Web Agent is a role service of AD FS that you can install independently from other AD FS role services. The act of installing the AD FS Web Agent role service on a computer makes that computer an AD FS-enabled Web server.

AD FS-enabled Web servers consume security tokens and either allow or deny a user access to a Web application. To accomplish this, the AD FS-enabled Web server requires a relationship with a resource Federation Service so that it can direct the user to the Federation Service as needed.

The AD FS Web Agent can be used for two different types of applications:

  • Claims-aware applications: a Microsoft ASP.NET application written against the published AD FS object model, which lets the application query the claims carried in an AD FS security token. The application makes its authorization decisions based on those claims.

  • Windows NT token–based applications: an application that uses Windows-based authorization mechanisms. The AD FS Web Agent supports conversion from an AD FS security token to an impersonation-level Windows NT® access token.

The AD FS-enabled Web server also stores Hypertext Transfer Protocol (HTTP) cookies on clients where the cookies are necessary to facilitate single sign-on (SSO). The AD FS Web Agent comprises two separate components:

  • AD FS Windows Token-Based Agent Extension

  • AD FS Web Agent Authentication Service

AD FS Windows Token-Based Agent Extension

The AD FS Windows Token-Based Agent Extension is an Internet Server Application Programming Interface (ISAPI) extension that you can use to configure information in the Internet Information Services (IIS) metabase. In IIS Manager you can use the Federation Services URL and AD FS Web Agent property pages to administer policy and certificates that verify the AD FS security token and cookies.

The AD FS Web Agent properties listed below are inheritable. These properties are required on an IIS resource if the ISAPI extension is going to support the WS-Federation Passive Requestor Profile (WS-F PRP) protocol.

  • Federation Service URL: The Uniform Resource Locator (URL) of the Federation Service. This URL is required so that it may be queried for trust information.

  • Cookie path: The path that is specified when the authentication cookie is written.

  • Cookie domain: The domain for which the cookie is valid.

  • Return URL: The URL that the token from the Federation Service comes back to after authentication at the Federation Service. This URL should match the Audience element of the token. The check against the Audience element is performed by the Windows service.

AD FS Web Agent Authentication Service

The AD FS Web Agent Authentication Service validates incoming tokens and cookies. It runs as Local System so that it can generate a Windows token for the client, either through Service-for-User (S4U), which obtains a Windows token for a user from the user principal name (UPN) alone, without a password, or through the AD FS authentication package. The IIS application pool itself is not required to run as Local System.

The AD FS Web Agent Authentication Service exposes interfaces that may be called only over local remote procedure call (LRPC), not over remote procedure call (RPC), so they are reachable only from processes on the same computer. Given an AD FS security token or an AD FS cookie, the service returns an impersonation-level Windows NT access token.
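The following is an added illustration, not code from the AD FS Web Agent, of the checks described above: the validity-window and Audience checks the authentication service applies to an incoming token before it is trusted, and the SSO cookie the Web server then writes scoped by the Cookie path and Cookie domain properties. The host names, URLs, UPN, cookie name (ADFSSSO) and the unsigned SAML 1.1 assertion are all constructed for the example; signature verification against the Federation Service's certificate is left out so the audience logic stays in focus.

```python
# Added example: audience and validity checks for an AD FS-style SAML 1.1 token,
# plus a scoped SSO cookie. Constructed values throughout; not AD FS code.
from dataclasses import dataclass
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.x assertion namespace


@dataclass(frozen=True)
class WebAgentProperties:
    """The four inheritable AD FS Web Agent properties described on this page."""
    federation_service_url: str
    cookie_path: str
    cookie_domain: str
    return_url: str


# Constructed configuration; host names and paths are not from the page.
PROPS = WebAgentProperties(
    federation_service_url="https://fs.contoso.example/adfs/fs/federationserverservice.asmx",
    cookie_path="/claimsapp/",
    cookie_domain="web.contoso.example",
    return_url="https://web.contoso.example/claimsapp/",
)

# Constructed, unsigned SAML 1.1 assertion shaped like a Federation Service token.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-0001"
    Issuer="urn:federation:fs.contoso.example" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://web.contoso.example/claimsapp/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2024-05-01T12:00:00Z">
    <saml:Subject>
      <saml:NameIdentifier>alice@contoso.example</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def _instant(value: str) -> datetime:
    """Parse the UTC timestamps SAML 1.x uses (e.g. 2024-05-01T12:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_token(xml_text: str, props: WebAgentProperties, now_iso: str) -> str:
    """Return the subject's UPN if the assertion is valid for this Web agent.

    Raises ValueError when the validity window or the Audience check fails;
    that is how an expired or mis-addressed token is turned away."""
    now = _instant(now_iso)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1}}}Assertion":
        raise ValueError("not a SAML 1.x Assertion")

    conditions = root.find(f"{{{SAML1}}}Conditions")
    if conditions is None:
        raise ValueError("no Conditions element; refuse to treat the token as unrestricted")
    not_before = _instant(conditions.get("NotBefore"))
    not_on_or_after = _instant(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion is outside its NotBefore/NotOnOrAfter window")

    # The Audience must equal the configured Return URL exactly. A prefix or
    # substring comparison would let a token issued for one application on
    # this server be accepted by another.
    audiences = [a.text.strip() for a in conditions.iter(f"{{{SAML1}}}Audience") if a.text]
    if props.return_url not in audiences:
        raise ValueError(f"audience {audiences} does not match return URL {props.return_url}")

    name_id = root.find(f".//{{{SAML1}}}NameIdentifier")
    if name_id is None or not name_id.text:
        raise ValueError("assertion carries no NameIdentifier")
    return name_id.text.strip()


def build_sso_cookie(props: WebAgentProperties, opaque_value: str,
                     cookie_name: str = "ADFSSSO") -> str:
    """Set-Cookie header scoped by the Cookie path and Cookie domain properties.

    ADFSSSO is a hypothetical cookie name and opaque_value stands in for whatever
    the agent actually stores. Secure and HttpOnly keep the cookie off plain HTTP
    and out of reach of page script."""
    return (f"{cookie_name}={opaque_value}; Path={props.cookie_path}; "
            f"Domain={props.cookie_domain}; Secure; HttpOnly")


def _rejected(xml_text: str, props: WebAgentProperties, now_iso: str) -> bool:
    """True when validate_token refuses the token."""
    try:
        validate_token(xml_text, props, now_iso)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """The three cases to check first: accept, wrong application, expired."""
    other_app = WebAgentProperties(PROPS.federation_service_url, "/otherapp/",
                                   PROPS.cookie_domain, "https://web.contoso.example/otherapp/")
    return {
        "subject": validate_token(SAMPLE_ASSERTION, PROPS, "2024-05-01T12:30:00Z"),
        "cookie": build_sso_cookie(PROPS, "opaque-session-ref"),
        "audience_rejected": _rejected(SAMPLE_ASSERTION, other_app, "2024-05-01T12:30:00Z"),
        "expired_rejected": _rejected(SAMPLE_ASSERTION, PROPS, "2024-05-01T13:00:00Z"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The exact-match Audience comparison is the point to take from this: the Return URL property is what ties a token to one application, and the same token presented to a second application on the same Web server is refused even though both trust the same Federation Service. The cookie is scoped to the configured path and domain for the same reason, so one application's SSO cookie is not sent to another.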
