The Active Directory Federation Services (AD FS) Web Agent is a role service of AD FS that you can install independently from other AD FS role services. The act of installing the AD FS Web Agent role service on a computer makes that computer an AD FS-enabled Web server.
AD FS-enabled Web servers consume security tokens and either allow or deny a user access to a Web application. To accomplish this, the AD FS-enabled Web server requires a relationship with a resource Federation Service so that it can direct the user to the Federation Service as needed.
The AD FS Web Agent can be used for two different types of applications:
- Claims-aware applications: a Microsoft ASP.NET application that is written to published AD FS objects that allow the querying of AD FS security token claims. The application makes authorization decisions based on these claims.
- Windows NT token–based applications: an application that uses Windows-based authorization mechanisms. The AD FS Web Agent supports conversion from an AD FS security token to an impersonation-level Windows NT® access token.
The AD FS-enabled Web server also stores Hypertext Transfer Protocol (HTTP) cookies on clients where the cookies are necessary to facilitate single sign-on (SSO). The AD FS Web Agent comprises two separate components:
- AD FS Windows Token-Based Agent Extension
- AD FS Web Agent Authentication Service
AD FS Windows Token-Based Agent Extension
The AD FS Windows Token-Based Agent Extension is an Internet Server Application Programming Interface (ISAPI) extension that you can use to configure information in the Internet Information Services (IIS) metabase. In IIS Manager you can use the Federation Services URL and AD FS Web Agent property pages to administer policy and certificates that verify the AD FS security token and cookies.
The AD FS Web Agent properties in the following table are inheritable. These properties are required on an IIS resource if the ISAPI extension is going to support the WS-Federation Passive Requestor Profile (WS-F PRP) protocol.
| Property | Description |
|---|---|
| Federation Service URL | The Uniform Resource Locator (URL) of the Federation Service. This URL is required so that it may be queried for trust information. |
| Cookie path | The path that is specified when the authentication cookie is written. |
| Cookie domain | The domain for which the cookie is valid. |
| Return URL | The URL that the token from the Federation Service comes back to after authentication at the Federation Service. This URL should match the Audience element of the token. The check against the Audience element is performed by the Windows service. |
AD FS Web Agent Authentication Service
The AD FS Web Agent Authentication Service validates incoming tokens and cookies. It runs as Local System to generate a token by using either Service-for-User (S4U), which allows you to obtain a Windows token for the client by supplying a user principal name (UPN) without a password, or the AD FS authentication package. However, the IIS application pool is not required to run as Local System.
The AD FS Web Agent Authentication Service has interfaces that may be called only with local remote procedure call (LRPC), not remote procedure call (RPC). This service returns an impersonation Windows NT access token if it is given an AD FS security token or an AD FS cookie.
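The Return URL property in the table above and the Authentication Service section both refer to the same check: the token presented to the Web server must name that server's Return URL as its Audience, and must be inside its validity window. The following is an added illustration of that check, not code from the AD FS Web Agent; it assumes an AD FS 1.x token is a SAML 1.1 assertion, and the token text, host names and timestamps are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import urlsplit

# SAML 1.x assertion namespace (AD FS 1.x security tokens are SAML 1.1 assertions).
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample token: unsigned, placeholder host name, fixed validity window.
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://app.example.test/claimsapp/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""


def parse_utc(stamp):
    """Parse a SAML timestamp such as 2024-01-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def normalize_url(url):
    """Scheme and host are case-insensitive and the default port is implicit; the path is compared as-is."""
    parts = urlsplit(url)
    default_port = 443 if parts.scheme.lower() == "https" else 80
    host = parts.hostname.lower()
    if parts.port not in (None, default_port):
        host = f"{host}:{parts.port}"
    return (parts.scheme.lower(), host, parts.path)


def validate_token(token_xml, return_url, now_iso):
    """Return 'accepted' or a 'rejected: ...' reason for a token presented at the given Return URL."""
    root = ET.fromstring(token_xml)
    conditions = root.find(f"{{{SAML_NS}}}Conditions")
    if conditions is None:
        return "rejected: no Conditions element"
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        return "rejected: missing validity window"
    now = parse_utc(now_iso)
    if not parse_utc(not_before) <= now < parse_utc(not_on_or_after):
        return "rejected: outside validity window"
    # The Return URL configured on the IIS resource must match an Audience in the token.
    audiences = {normalize_url(a.text.strip()) for a in conditions.iter(f"{{{SAML_NS}}}Audience")}
    if normalize_url(return_url) not in audiences:
        return "rejected: audience mismatch"
    return "accepted"


if __name__ == "__main__":
    print(validate_token(SAMPLE_TOKEN, "https://app.example.test/claimsapp/", "2024-01-01T12:30:00Z"))
```

The model deliberately stops at audience and lifetime; the real service also verifies the token signature against the certificates configured in the AD FS Web Agent property pages, which this example omits.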