Minnesota System Center User Group

helping each other figure it all out


Implementing Active Directory Identities and Access in Windows Server 2008


AD LDS is an LDAP-compliant directory service that provides a dedicated directory for applications. It does not require domain controllers or DNS. AD LDS features include the ADSI and LDAP APIs, multimaster replication, and synchronization with AD DS. AD LDS runs independently of AD DS, and several AD LDS instances, each with its own schema and directory partitions, can run on a single computer, each listening on its own LDAP and LDAPS ports. AD LDS also supports LDAP over SSL (LDAPS). Because AD LDS instances are usually reached from application servers rather than from domain-joined clients, LDAPS is what keeps bind credentials and directory data from crossing the network in cleartext.
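The following PowerShell script is an added example, not part of the original notes: it binds to an AD LDS instance over LDAPS with System.DirectoryServices.Protocols and verifies the server certificate instead of accepting whatever is presented. The host name lds01.corp.example, the LDAPS port 50001, the partition CN=WebPortal,DC=corp,DC=example and the thumbprint in $expectedThumbprint are assumptions; substitute the values chosen when the instance was set up.

```powershell
# Added example (not from the original notes): bind to an AD LDS instance over LDAPS
# and verify the server certificate rather than trusting any certificate the port returns.
# Assumptions: instance on lds01.corp.example, LDAPS port 50001 chosen at instance setup,
# application partition CN=WebPortal,DC=corp,DC=example, and the instance certificate's
# SHA-1 thumbprint recorded out of band (placeholder value below).
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server             = 'lds01.corp.example'
$port               = 50001
$partition          = 'CN=WebPortal,DC=corp,DC=example'
$expectedThumbprint = '0000000000000000000000000000000000000000'   # placeholder

$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, $port, $true, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.SecureSocketLayer = $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate

# Weak pattern to avoid: a callback that always returns $true disables certificate
# checking, so any host that answers on the port can impersonate the instance:
#   $conn.SessionOptions.VerifyServerCertificate = { $true }

# Instead, build the certificate chain (with revocation checking) and pin the thumbprint.
$conn.SessionOptions.VerifyServerCertificate = {
    param($connection, $certificate)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)
    $pinned  = ($cert.Thumbprint -eq $expectedThumbprint)
    if (-not ($chainOk -and $pinned)) {
        Write-Warning "Rejecting LDAPS certificate: subject=$($cert.Subject) thumbprint=$($cert.Thumbprint) chainOk=$chainOk pinned=$pinned"
    }
    return ($chainOk -and $pinned)
}.GetNewClosure()

$conn.Bind()   # throws if the callback rejects the certificate or the bind is refused

# Read the partition head to confirm the instance and partition are the expected ones.
$request  = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $partition, '(objectClass=*)',
    [System.DirectoryServices.Protocols.SearchScope]::Base,
    @('objectClass', 'instanceType'))
$response = $conn.SendRequest($request)
$response.Entries[0].DistinguishedName
```

The callback is the part that matters: with SecureSocketLayer set but no callback, Windows validates the chain itself, and a self-signed instance certificate then fails the bind; the temptation is to short-circuit it with `{ $true }`, which turns LDAPS into an unauthenticated tunnel. Pinning the thumbprint means a rotated certificate must be re-recorded here, which is the intended trade-off.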

AD LDS is designed to support scenarios such as storing application-specific directory data, serving as a test directory service, and managing extranet applications. A directory-enabled application can use AD DS to authenticate users and AD LDS as the store for the application-specific data associated with each user. Using AD LDS as a test directory means schema changes can be tried there first and are not made to AD DS until the application has been tested. AD LDS can also serve as the LDAP directory store that provides simple authentication for a Web portal application; a simple LDAP bind sends the password in cleartext, so that only makes sense over LDAPS.

You install the AD LDS role with the Add Roles Wizard in Server Manager. The AD LDS Setup Wizard then creates an instance and, optionally, its first application directory partition; running the wizard on another computer lets you create a replica of that partition there. After installation you use the ADSI Edit tool to view the application directory partition and to add objects to it.

ADSI Edit can create additional objects inside the partition. You can create a user account and set its attribute values, create a group and modify its properties, and add users to a group by editing the group's member attribute, which is the list of member distinguished names.
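The following PowerShell script is an added example, not part of the original notes: it creates the same container, user and group objects that the paragraph above describes creating by hand in ADSI Edit, using the System.DirectoryServices classes over LDAPS. The host lds01.corp.example, port 50001, partition CN=WebPortal,DC=corp,DC=example, the object names and the requirement that the MS-User.LDF schema was imported at instance setup (it supplies the user class) are assumptions.

```powershell
# Added example (not from the original notes): the objects ADSI Edit creates by hand,
# created with System.DirectoryServices over an SSL-protected connection.
# Assumptions: instance lds01.corp.example, LDAPS port 50001, partition
# CN=WebPortal,DC=corp,DC=example, MS-User.LDF imported at setup (provides the user class),
# and the caller is a member of the partition's Administrators role.
Add-Type -AssemblyName System.DirectoryServices

$partitionPath = 'LDAP://lds01.corp.example:50001/CN=WebPortal,DC=corp,DC=example'
$authTypes = [System.DirectoryServices.AuthenticationTypes]::Secure -bor `
             [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
$partition = New-Object System.DirectoryServices.DirectoryEntry($partitionPath, $null, $null, $authTypes)

# A container (objectClass=container) to hold the application's principals.
$users = $partition.Children.Add('CN=PortalUsers', 'container')
$users.CommitChanges()

# A user: set attributes, commit, then set the password. AD LDS refuses SetPassword
# on an unprotected connection by default, which is why the bind above uses SSL.
$user = $users.Children.Add('CN=jdoe', 'user')
$user.Properties['displayName'].Value       = 'Jane Doe'
$user.Properties['userPrincipalName'].Value = 'jdoe@portal.corp.example'
$user.CommitChanges()

$secure = Read-Host -Prompt 'Initial password for jdoe' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $user.Invoke('SetPassword', @([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# New AD LDS users are disabled until explicitly enabled.
$user.Properties['msDS-UserAccountDisabled'].Value = $false
$user.CommitChanges()
$user.RefreshCache(@('distinguishedName'))

# A group, with membership expressed through the multi-valued member attribute (DNs).
$group = $users.Children.Add('CN=PortalAdmins', 'group')
$group.CommitChanges()
$group.Properties['member'].Add($user.Properties['distinguishedName'].Value) | Out-Null
$group.CommitChanges()

# Re-read the group so the membership shown is what the directory actually stored.
$group.RefreshCache(@('member'))
$group.Properties['member'] | ForEach-Object { $_ }
```

The password is read as a SecureString and converted only for the one SetPassword call, then the unmanaged copy is zeroed; passing it as a plain string literal in a script is the habit to avoid.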

ADFS provides Web single sign-on (SSO): a user authenticates once and can then access multiple Web applications during the same browser session. In the federated Web SSO design, two organizations establish a federation trust and define which resources users of the partner may access. The two sides play different roles. The resource organization owns and manages the Web resources that are made available to users from trusted partners. The account organization owns and manages the user accounts, authenticates the users, and issues the security tokens they present to gain access to resources in the resource organization.

Deploying ADFS has several prerequisites: a directory store, server specifications, certificates, and network configuration. User accounts are stored in AD DS or AD LDS. ADFS requires Windows Server 2003 R2 or Windows Server 2008, and a deployment consists of up to three server components: the Federation Service, the Federation Service Proxy, and the ADFS Web Agent. Each federation server needs a token-signing certificate, used to sign the security tokens it issues, and an SSL certificate to protect its Web communication. The resource partner must hold a trusted copy of the account partner's token-signing certificate, because that is what lets it verify the tokens it receives. DNS must resolve the federation servers of both organizations, from the internal network and, for the proxies, from the Internet.

When a user from the account partner organization opens a claims-aware application on a Web server in the resource organization, the ADFS Web Agent on that server finds no valid authentication cookie and redirects the browser to the resource federation server. The resource federation server determines the user's home realm and redirects the browser to the account federation server. The account federation server authenticates the user against its own directory (AD DS or AD LDS), reads the attributes the trust policy maps to claims, and issues a signed SAML security token containing those claims. The browser posts that token to the resource federation server, which verifies the signature with the account partner's token-signing certificate, maps the incoming claims according to its own trust policy, and issues a new token for the application. The browser posts the new token to the Web server, where the ADFS Web Agent validates it and admits the user to the application.

ADFS is built from several components: Web services based on the WS-* specifications (WS-Federation, WS-Trust and WS-Security), the Federation Service, the Federation Service Proxy, the directory service that holds the accounts, and the ADFS Web Agent.

You configure ADFS by configuring its components: the Federation Service (FS), the Federation Service Proxy, and the ADFS Web Agent. Federation Service tasks include installing the federation server, configuring the ADFS trust policy, and configuring claims and certificates. Federation Service Proxy tasks include pointing the proxy at its Federation Service and choosing how it collects user credentials. ADFS Web Agent tasks include enabling the agent for the two application types and configuring the ISAPI extension.

Application settings define the type of application installed on the Web server. There are two types: claims-aware applications and Windows NT token-based applications. A claims-aware application reads the ADFS claims directly and makes its own authorization decisions, so the user needs no Windows account in the resource organization; it suits organizations that authorize on ADFS claims. A Windows NT token-based application relies on Windows authorization, so the ADFS Web Agent must turn the claims into a Windows NT access token, which requires mapping the user to a resource account or resource group in the resource organization.

You use AD RMS to protect the information in a digital file wherever the file travels, not only while it sits on a server. AD RMS features include licensing and distributing rights-protected information, acquiring licenses to decrypt rights-protected content and applying usage policies, creating rights-protected files and templates, and integration with AD DS. The AD RMS server role runs on Windows Server 2008; the earlier RMS release ran on Windows Server 2003. Software requirements include IIS 7.0 with ASP.NET, a database such as Microsoft SQL Server 2005, Message Queuing (MSMQ), and AD DS for directory service integration.

The AD RMS service architecture has these components: Active Directory Domain Services, an RMS-compliant operating system and application, the AD RMS services, and a database server.

AD RMS includes both server and client components, which together protect data by granting specific rights only to parties the AD RMS system trusts. When an author protects a file, the RMS-enabled application generates a random symmetric content key, encrypts the file with it, and encrypts the content key to the AD RMS cluster's public key; the encrypted key and the author's usage rights are placed in a publishing license bound to the file. When a recipient opens the file, the cluster authenticates the recipient, checks the rights in the publishing license, and issues a use license in which the content key is re-encrypted to the recipient's own rights account certificate, so only that recipient can decrypt it. The server also adds conditions to the use license, such as an expiration time or an application or operating-system exclusion.
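The following PowerShell script is an added example, not part of the original notes and not the AD RMS API: it models the key handling described above with .NET cryptography so the two layers of encryption are visible. The cluster key and the user's rights account certificate key are stand-in RSA keys generated in the script, the licenses are plain hashtables, and the document text is constructed sample data; real AD RMS licenses are signed XrML documents and this model omits the signatures.

```powershell
# Added example (not from the original notes, not the AD RMS API): a reduced model of the
# AD RMS key flow. Assumptions: $serverKey stands in for the cluster's server licensor key,
# $userKey for the key in the user's rights account certificate (RAC); licenses are
# hashtables and unsigned, which real XrML licenses are not.

function New-RsaKey { New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048) }

$serverKey = New-RsaKey          # held only by the AD RMS cluster
$userKey   = New-RsaKey          # held only by the recipient's RMS client
$userPublic = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$userPublic.ImportParameters($userKey.ExportParameters($false))   # public half only

# 1. Publishing: the RMS-enabled application picks a random symmetric content key,
#    encrypts the document with it, and encrypts that key to the cluster's public key.
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.KeySize = 128
$aes.GenerateKey(); $aes.GenerateIV()
$document   = [Text.Encoding]::UTF8.GetBytes('Board minutes: do not forward')   # constructed sample
$cipherText = $aes.CreateEncryptor().TransformFinalBlock($document, 0, $document.Length)

$publishingLicense = @{
    Rights              = @{ 'jdoe@corp.example' = @('VIEW') }   # who may do what
    ExpiresUtc          = (Get-Date).ToUniversalTime().AddDays(7)
    EncryptedContentKey = $serverKey.Encrypt($aes.Key, $true)    # RSA-OAEP to the cluster
    IV                  = $aes.IV
}
# The author keeps no shareable copy of the content key: only the cluster can unwrap it.

# 2. Licensing: the cluster checks the requester's rights and the conditions, unwraps the
#    content key, and re-wraps it to the requester's RAC public key in a use license.
function Grant-UseLicense($license, $requester, $clusterKey, $requesterPublicKey) {
    if (-not $license.Rights.ContainsKey($requester)) { throw "No rights granted to $requester" }
    if ((Get-Date).ToUniversalTime() -gt $license.ExpiresUtc) { throw 'Publishing license has expired' }
    $contentKey = $clusterKey.Decrypt($license.EncryptedContentKey, $true)
    return @{
        Rights              = $license.Rights[$requester]
        ExpiresUtc          = $license.ExpiresUtc
        EncryptedContentKey = $requesterPublicKey.Encrypt($contentKey, $true)
    }
}

# 3. Consumption: the RMS client unwraps the content key with the RAC private key and
#    decrypts, enforcing the rights and expiration carried in the use license.
$useLicense = Grant-UseLicense $publishingLicense 'jdoe@corp.example' $serverKey $userPublic
$aesUser = [System.Security.Cryptography.Aes]::Create()
$aesUser.Key = $userKey.Decrypt($useLicense.EncryptedContentKey, $true)
$aesUser.IV  = $publishingLicense.IV
$plain = $aesUser.CreateDecryptor().TransformFinalBlock($cipherText, 0, $cipherText.Length)
"Rights: $($useLicense.Rights -join ',') until $($useLicense.ExpiresUtc.ToString('u'))"
[Text.Encoding]::UTF8.GetString($plain)

# A principal not named in the publishing license never receives a use license, so the
# ciphertext is useless to it even if it has a copy of the file.
try   { Grant-UseLicense $publishingLicense 'mallory@corp.example' $serverKey $userPublic | Out-Null }
catch { "Refused: $($_.Exception.Message)" }
```

The model shows why the cluster is the trust anchor: it is the only party that can turn a publishing license into a use license, and it does so only for principals named in the license and only under the license's conditions. What the model leaves out, license signatures and the exclusion lists applied at licensing time, is exactly what prevents a client from forging the hashtable above.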

You add the AD RMS server role with Server Manager. The role depends on prerequisite components such as IIS and Message Queuing (MSMQ), which Server Manager installs alongside it if they are missing. During setup you create an AD RMS cluster and choose how the cluster key is protected, select the Web site that hosts the AD RMS services, and configure the cluster's Web settings and license revocation.


Newsflash

Microsoft released SCCM 2007 SP1 yesterday. You can download it here: http://www.microsoft.com/downloads/details.aspx?FamilyID=5AAE62E8-4B7F-4AF7-BE01-AEFAA4BF059A&displaylang=en

They also released RC1 for Hyper-V: http://support.microsoft.com/kb/950049

And today I see IE 8 Beta 2 info:

Internet Explorer 8 Beta 2 Readiness Information

Ensuring your website is ready for Internet Explorer 8

Consistent with our efforts to promote further interoperability across the Web, Microsoft will be releasing Internet Explorer 8 to render content in its most standards-compliant way by default.  Giving top priority to Web standards interoperability allows us to help web developers and designers drive toward the ideal of “write once, run anywhere”, freeing up more time to innovate rather than modify content for different browsers.  This commitment also addresses several development and design pain points from previous Internet Explorer releases.

However, browsing with this default setting may cause content written for previous versions of Internet Explorer to display differently than intended.  This creates a call to action for site owners to ensure their content will continue to display seamlessly in Internet Explorer 8.  As such, we have provided a meta-tag usable on a per-page or per-site level to maintain backwards compatibility with Internet Explorer 7.  Adding this tag instructs Internet Explorer 8 to render content like it did in Internet Explorer 7, without requiring any additional changes.

We are encouraging site administrators to get their sites ready now for broad adoption of Internet Explorer 8, as there will be a beta release in the third quarter of this year targeted for all consumers.  To learn more and get started, please follow the step-by-step instructions located at the following link:  http://go.microsoft.com/fwlink/?LinkId=120024.

Additional Resources
The following links provide additional information you may find useful: