The Active Directory Federation Services (AD FS) Microsoft Management Console (MMC) snap-in is installed when you install the Federation Service component in Add or Remove Programs in Windows Server 2003 R2 or when you use the Add Roles Wizard in Windows Server 2008 or Windows Server 2008 R2. You can use the Active Directory Federation Services snap-in to:

  • Configure the Federation Service or federation server farm.

  • Manage the trust policy that is associated with your Federation Service:

    • Administer Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) account stores.

    • Manage account partners and resource partners that will trust your organization.

    • Manage claims, certificates used by federation servers, and AD FS-protected Web applications.

Settings that you configure in the Active Directory Federation Services snap-in are stored partly in the Web.config file, which is located in the Federation Service virtual directory, and partly in the trust policy file. You can edit the Web.config file directly and push it out to different servers, or you can use the Active Directory Federation Services snap-in to modify the settings.

The trust policy file should not be edited manually. Instead, edit the trust policy file by using the Active Directory Federation Services snap-in, or edit it programmatically by using the AD FS object model.


Scripting support is provided in the AD FS object model. For more information, see Active Directory Federation Services Overview (

When you open the Active Directory Federation Services snap-in, the snap-in reads the Web.config file from the Federation Service virtual directory and notes the location of the trust policy file. The snap-in then presents a console tree hierarchy representing the Federation Service and all aspects of the trust policy, including organization claims, partners, account stores, and applications. Each item in this console tree hierarchy has options that you can use to view, modify, add, and delete trust policy entities.

Federation Service node

The Federation Service node in the console tree of the Active Directory Federation Services snap-in represents the Federation Service configuration that is local to the federation server on which you are running the snap-in. You control the local federation server configuration through this node in the AD FS snap-in. The local federation server configuration differs from the trust policy configuration in that the trust policy configuration is shared among all the federation servers in the federation server farm, whereas the local configuration applies to one server only. The local federation server configuration is stored in the Web.config file, and it includes the following items:

  • The path to the trust policy file

  • The local certificate to be used for signing tokens

  • The Microsoft ASP.NET Web pages that the Federation Service uses

  • The debug logging level and the path to the log files directory

  • The option to enable anonymous access to organizational group claims
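The following PowerShell script is an added example; it is not code from the original article and not part of AD FS. It reads the local federation server's Web.config and reports the per-server settings listed above with basic sanity checks: that the trust policy file the Web.config points to actually exists, that the token-signing certificate is present in the machine store with a private key and is not expired, what the logging and anonymous-access settings say, and a SHA-256 of the file for comparing a Web.config that was pushed out to other servers in the farm. The default path (C:\ADFS\sts\web.config), the keyword-based discovery of element names (trustpolicy, signingcertificate, log, anonymous) and the assumption that the certificate is referenced by thumbprint or subject are all assumptions about the file layout, not facts stated by the article; adjust them to match your installation.

```powershell
# Added example; not from the original article and not part of AD FS.
# Reads the Web.config of the local federation server and reports the
# per-server settings described above, with basic sanity checks.
# ASSUMPTIONS (adjust to your installation): the default path below, and that
# the settings live in elements whose names contain the keywords passed to
# Find-ConfigElement. The article does not list the element names, so they
# are discovered by keyword rather than hard-coded.
param(
    [string]$WebConfigPath = 'C:\ADFS\sts\web.config'   # assumed default location
)

if (-not (Test-Path -LiteralPath $WebConfigPath)) {
    throw "Web.config not found at '$WebConfigPath'"
}
[xml]$config = Get-Content -LiteralPath $WebConfigPath

# First element whose local name contains $Keyword (case-insensitive), or $null.
function Find-ConfigElement {
    param([xml]$Document, [string]$Keyword)
    $Document.SelectNodes('//*') |
        Where-Object { $_.LocalName -like "*$Keyword*" } |
        Select-Object -First 1
}

# Render an element as its attributes plus inner text, so the report is
# useful whether a value is stored as an attribute or as element content.
function Format-ConfigElement {
    param($Element)
    if (-not $Element) { return '<not found>' }
    $attrs = foreach ($a in $Element.Attributes) { "$($a.Name)=$($a.Value)" }
    (@($attrs) + @($Element.InnerText.Trim())) -join ' '
}

$report = @{}

# 1. Path to the shared trust policy file: it must exist, and it is edited only
#    through the snap-in or the AD FS object model, never by hand.
$tpNode = Find-ConfigElement -Document $config -Keyword 'trustpolicy'
$tpPath = $null
if ($tpNode) {
    # Prefer element text; fall back to the first attribute value (assumed layout).
    $tpPath = $tpNode.InnerText.Trim()
    if (-not $tpPath -and $tpNode.Attributes.Count -gt 0) { $tpPath = $tpNode.Attributes[0].Value }
}
$report['TrustPolicyFile']   = $tpPath
$report['TrustPolicyExists'] = [bool]($tpPath -and (Test-Path -LiteralPath $tpPath))

# 2. Token-signing certificate. The reference in Web.config is assumed to be a
#    thumbprint or a subject; look it up in the machine personal store and confirm
#    a private key is present, because tokens cannot be signed without one.
$certNode  = Find-ConfigElement -Document $config -Keyword 'signingcertificate'
$certRef   = Format-ConfigElement $certNode
$storeCert = $null
if ($certNode) {
    $storeCert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $certRef -like "*$($_.Thumbprint)*" -or ($_.Subject -and $certRef -like "*$($_.Subject)*") } |
        Select-Object -First 1
}
$report['SigningCertReference']  = $certRef
$report['SigningCertInStore']    = [bool]$storeCert
$report['SigningCertPrivateKey'] = [bool]($storeCert -and $storeCert.HasPrivateKey)
$report['SigningCertNotAfter']   = if ($storeCert) { $storeCert.NotAfter } else { $null }
$report['SigningCertExpired']    = [bool]($storeCert -and $storeCert.NotAfter -lt (Get-Date))

# 3. Debug logging level and log directory. Debug logs can hold sensitive request
#    details, so the directory they point to deserves a restrictive ACL.
$logNode = Find-ConfigElement -Document $config -Keyword 'log'
$report['Logging'] = Format-ConfigElement $logNode

# 4. Anonymous access to organizational group claims: surface the setting so an
#    operator can confirm that enabling it was intentional.
$anonNode = Find-ConfigElement -Document $config -Keyword 'anonymous'
$report['AnonymousGroupClaims'] = Format-ConfigElement $anonNode

# 5. SHA-256 of the file, for comparing a Web.config that was pushed to every
#    server in the farm (expected to match unless per-server values differ).
$sha   = [System.Security.Cryptography.SHA256]::Create()
$bytes = $sha.ComputeHash([System.IO.File]::ReadAllBytes($WebConfigPath))
$report['WebConfigSha256'] = [BitConverter]::ToString($bytes).Replace('-', '')

$report.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

Run it on each federation server in the farm and compare the output: TrustPolicyFile should point at the same shared file everywhere, TrustPolicyExists and SigningCertPrivateKey should be True, and SigningCertExpired should be False. Because the signing certificate is a local setting, the WebConfigSha256 values may legitimately differ between servers when each uses its own certificate; any other difference is worth investigating.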
