I’m a newbie in the ADFS 2.0 world and I want understand the basic assumptions of that technology.

My goals is guarantee the access to our customer users to web application on our cloud environment.

Here is my scenario:

  • Network “A” – Cloud Environment
    AD Controller (Win 2008)
    IIS 7 Web Server (web application with NTLM provider authentication technology published to the Internet)

  • Network “B” – Customer “X” - Local Network
    AD Controller (Win 2003 or Win 2008)
    PC clients

  • Network “C” – Customer “X” - WAN Network
    PC clients (home PC)

Customer “X” clients in Network B and C should be able to access to web application published on Network “A” with their windows domain credentials.

I’ve read various documentation about that but it’s not clear for me yet. It’s perplexing.

My questions are:

  1. Where do I place the ADFS server?
  2. Do I have to set up anything on the AD Controller in Network “A”?
  3. Does the customer “X” IT team have to set up anything?

I hope that someone can explain the infrastructure schema and the process as well.

Simon East
  • 1,514
  • 1
  • 15
  • 18
  • 1
  • 1
  • ADFS is probably not what you want in the first place, since you'd have to have a Windows CAL for **every customer** who uses ADFS. That'd get expensive very quick. – Chris S Jan 25 '13 at 16:23
  • This thread might also provide a helpful introduction: [What is ADFS (Active Directory Federation Services)?](http://serverfault.com/questions/708669/what-is-adfs-active-directory-federation-services) – Simon East Aug 14 '15 at 03:45
  • Also check the settings on the web application. Is it trying to use NTLM instead of simple authentication? – user228546 Dec 15 '17 at 21:11

1 Answers1


You are describing the federated web SSO scenario as per http://technet.microsoft.com/en-us/library/cc757344(v=WS.10).aspx. You could have ADFS in both customer environment and in your own cloud environment and then setup a trust between the two. You need not do anything special in AD itself other than configuring SPNs. But the IT admin from each environment will deploy ADFS in their own environment and configure the trusts as applicable.

Please see the deployment guide for more details http://technet.microsoft.com/en-us/library/dd807092(v=ws.10).aspx. Specifically as the hoster of the application you will be the resource partner. http://technet.microsoft.com/en-us/library/dd807047(v=ws.10).aspx

The customer as account partner will follow http://technet.microsoft.com/en-us/library/dd807112(v=ws.10).aspx

I expect you'd find the following book useful too http://msdn.microsoft.com/en-us/library/ff423674.aspx

The content map at http://social.technet.microsoft.com/wiki/contents/articles/2735.ad-fs-2-0-content-map.aspx should help you find the info you need. There is a lot to read and understand before you deploy identity federation technologies. You might consider getting a consultant to come in and do the work for you if you have time constraints and want it done right.

  • 2,734
  • 2
  • 17
  • 23