Share via


Enable enhanced identity privacy

Applies To: Windows Server 2003 R2

Enhanced identity privacy is an optional setting that you can configure on a resource partner in the account Federation Service in an Active Directory Federation Services (ADFS) deployment. This setting hashes the user-name portion of outgoing user principal name (UPN) claims and e-mail claims. It substitutes the common name with a random value. If you select the Enable enhanced identity privacy option in ADFS, the resource partner will not be able to correlate identity claims to personally identifiable user information.

The enhanced identity privacy setting affects the information that is sent in identity claims, based on the claim type that is being used to transfer the user identity, as follows:

  • UPN and e-mail claim types: The user component of the UPN and e-mail name is hashed, replacing the user component in the identity claim of the security token. In this way, each resource partner can uniquely identify each user without revealing their true identity.

  • Common name claim types: The common name identity claim is populated with a randomly generated, globally unique identifier (GUID), which ensures that the identity claim is unique per session with the resource partner and that multiple sessions by the same user cannot be tracked.

Enable this setting if you want to:

  • Prevent collusion between partners in correlating identity claims to personally identifiable user information.

  • Prevent simple dictionary attacks against the user-name hash.

For more information about the effects of enhanced identity privacy, see Partner organizations (https://go.microsoft.com/fwlink/?LinkId=62227).

Perform this procedure on an account federation server.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group on the local computer.

To enable enhanced identity privacy on a resource partner

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, and then double-click Resource Partners.

  3. Right-click the resource partner that will begin using enhanced identity privacy, and then click Properties.

  4. On the General tab, click Enable enhanced identity privacy, and then click OK.

See Also

Concepts

Configure a policy page for a Web site