Configure the security token protection method for a federated application
Applies To: Windows Server 2003 R2
Security tokens that are received by Active Directory Federation Services (ADFS) federation servers are protected during transit by one of two methods:
Public Key Infrastructure (PKI): A PKI is implemented as a hierarchy of certification authorities that verify identities. When a PKI is in place, a signature is embedded into the token that protects the token from tampering.
Domain service account: A domain service account, which is identified by a service principal name (SPN), runs under an account that is trusted for delegation and that can impersonate a client to gain access to resources. By default, this account is the Internet Information Services (IIS) application pool identity that hosts a claims-aware application and the identity of the ADFS Web Agent Authentication Service that hosts a Windows NT token–based application. When a token is transferred in a domain service account with this setting, the token contains a binary Kerberos V5 signature for the configured SPN. This signature protects the token from tampering.
You can use the following procedure to change the security token protection method for a federated application on a resource federation server.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group on the local computer.
To change the security token protection method for a federated application
Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
Double-click Trust Policy, double-click My Organization, and then double-click Applications.
Right-click the application whose security token protection method you want to change, and then click Properties.
On the General tab, under Security token protection method, do one of the following, and then click OK:
If your deployment uses certificates that are issued by a certification authority (CA), select Public Key Infrastucture (PKI).
If your deployment does not use certificates that are issued by a CA, select Domain service account and then, in service principal name (SPN) of service account, type the SPN of the account.