A general question about ADFS

  • Question

  • Hi friends, how are you?

    My question is about Win 2008 R2.

    I wanted to know if the ADFS functionality is similar to a forest trust in terms of logging on at destination forest computers via the source forest user credentials?

    Suppose we have deployed ADFS between forest02 and forest02. Now I want to know if a user from forest01 can go and sit at a computer joined to forest02 and log in via his forest01 credentials?

    Thanks in advance

    Sunday, May 27, 2012 9:36 AM

Answers

  • Hi John

    It is a bit similar. But with federation you can provide a much more granular way of trust. Besides, the protocols are different:
    Forest trusts have something to do with Kerberos or, if you want, NTLM.
    ADFS has something to do with WS-Federation and SAML. Here is a brief description of what ADFS does:

    In ADFS we also have "trusts": On one side (Identity Provider) the ADFS Secure Token Service (STS) issues tokens to clients which have successfully authenticated to the STS. The client delivers a token to an application or another STS (Relying Party). The Relying Party consumes the token and you are automatically authenticated and authorized to the application at the RP side. In the world of claims-based identity we have a mutual "trust". The Relying Party "believes" in the tokens issued by a specific identity provider; this is called a claims provider trust. The Identity Provider believes that the Relying Party treats the tokens in a correct way; this is called a relying party trust.

    This is just a brief summary. David Chappell provides a better and more detailed introduction to the world of claims-based identity. Here is a link to the document: http://go.microsoft.com/fwlink/p/?LinkId=198942

    Kind regards

    Pirmin


    • Edited by Pirmin Felber Sunday, May 27, 2012 12:57 PM
    • Proposed as answer by Pirmin Felber Sunday, May 27, 2012 1:06 PM
    • Marked as answer by john.s2011 Sunday, May 27, 2012 7:03 PM
    Sunday, May 27, 2012 12:53 PM
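    As an added illustration (not code from this thread or from Microsoft's ADFS), the following Python sketch models the two trusts Pirmin describes: an identity-provider STS issues a signed token only for a relying party it has configured (relying party trust), and the relying party accepts a token only from an issuer whose signing key it holds (claims provider trust). All names, URLs and keys are constructed, and an HMAC stands in for the token-signing certificate a real STS uses; nothing in this flow touches the Windows interactive logon, which is why it cannot replace a forest trust for signing in at a workstation.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: a hypothetical IdP STS name and a shared HMAC key that
# stands in for the IdP's token-signing certificate.
IDP_NAME = "sts.forest01.example"
IDP_KEY = b"constructed-idp-signing-key"

# Relying party trusts held by the IdP: which RPs may receive tokens and which
# claims each RP is allowed to see.
RELYING_PARTY_TRUSTS = {"https://app.forest02.example/": {"claims": ["upn", "group"]}}

# Claims provider trusts held by the RP: which issuers it believes, by key.
CLAIMS_PROVIDER_TRUSTS = {IDP_NAME: IDP_KEY}


def issue_token(user_claims, audience, now=None):
    """IdP STS: issue a signed token for an already-authenticated user, only for a configured RP."""
    if audience not in RELYING_PARTY_TRUSTS:
        raise PermissionError("no relying party trust for " + audience)
    allowed = RELYING_PARTY_TRUSTS[audience]["claims"]
    now = int(time.time()) if now is None else now
    body = {"iss": IDP_NAME, "aud": audience, "exp": now + 300,
            "claims": {k: v for k, v in user_claims.items() if k in allowed}}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def consume_token(token, my_audience, now=None):
    """RP: return the claims only if a trusted claims provider signed the token for this RP."""
    payload, sig = token.rsplit(".", 1)
    body = json.loads(base64.urlsafe_b64decode(payload))
    key = CLAIMS_PROVIDER_TRUSTS.get(body.get("iss"))
    if key is None:
        return None  # issuer is not a trusted claims provider
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # signature does not match the trusted key
    if body.get("aud") != my_audience:
        return None  # token was issued for a different relying party
    now = int(time.time()) if now is None else now
    if body["exp"] <= now:
        return None  # token has expired
    return body["claims"]
```

    The RP never sees the user's forest01 password; it only decides whether to believe the issuer, which is the claims provider trust in Pirmin's terms.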
  • ADFS was designed for higher-level applications like things at the web level, not for when signing into a computer. You need a full domain trust to sign into machines on other domains.


    Developer Security MVP | www.syfuhs.net

    • Marked as answer by john.s2011 Monday, May 28, 2012 8:33 PM
    Monday, May 28, 2012 6:52 PM

All replies

  • Thank you very much for your great info, but my question still hasn't been answered:

    Suppose we have deployed ADFS between forest02 and forest02. Now I want to know if a user from forest01 can go and sit at a computer joined to forest02 and log in via his forest01 credentials?

    What steps should I take for this purpose?

    In a forest trust we knew that forest1 users are treated as authenticated users and their permissions are the same as authenticated users. What about in terms of ADFS?

    • Edited by john.s2011 Sunday, May 27, 2012 7:32 PM
    Sunday, May 27, 2012 7:04 PM
  • thank you very much
    Monday, May 28, 2012 8:33 PM