DonatShell
Server IP : 180.180.241.3  /  Your IP : 216.73.216.252
Web Server : Microsoft-IIS/7.5
System : Windows NT NETWORK-NHRC 6.1 build 7601 (Windows Server 2008 R2 Standard Edition Service Pack 1) i586
User : IUSR ( 0)
PHP Version : 5.3.28
Disable Function : NONE
MySQL : ON  |  cURL : ON  |  WGET : OFF  |  Perl : OFF  |  Python : OFF  |  Sudo : OFF  |  Pkexec : OFF
Directory :  /Windows/Help/Windows/en-US/


Current File : /Windows/Help/Windows/en-US/adfs.h1s
MZ@PEL!@0@.rsrc@@.its @@0	HX||4VS_VERSION_INFOStringFileInfo040904b0b!FileVersion1.00.00                         l"FileDescriptionCompiled Microsoft Help 2.0 TitleBFileStamp70C2CF1501CA041F4JCompilerVersion2.5.71210.08579VCompileDate2009-07-14T01:07:21      >TopicCount194000000000000ALegalCopyright 2005 Microsoft Corporation. All rights reserved.CCCCCCCCCCCCCDVarFileInfo$Translation	tipÖ2ITOLITLS(X쌡^
V`   x CAOLPHHC ITSF #0p	t-Y쌡^
VY쌡^
VIFCMAOLLIFCM AOLL!//$FXFtiAttribute//$FXFtiAttribute/BTREEm/$FXFtiAttribute/DATA/$FXFtiAttribute/PROPERTYN/$FXFtiMain//$FXFtiMain/BTREEk/$FXFtiMain/DATA/$FXFtiMain/PROPERTYN/$Index/$ATTRNAME/$Index/$PROPBAG#/$Index/$STRINGSr/$Index/$SYSTEM7l
/$Index/$TOC//$Index/$TOC/$adfs_LH`/$Index/$TOPICATTRS@/$Index/$TOPICS0/$Index/$URLSTRv/$Index/$URLTBLw/$Index/$VTAIDX+P/$Index/AssetId//$Index/AssetId/$BL0{/$Index/AssetId/$LEAF_COUNTS{/$Index/AssetId/$LEAVES	/$OBJINST`/adfs_lh.h1cn/adfs_LH.H1F~/adfs_LH.H1TyE/adfs_LH.H1Vd/adfs_LH_AssetId.H1K>k/adfs_LH_BestBet.H1K)k/adfs_LH_LinkTerm.H1Kl/adfs_LH_SubjectTerm.H1Ko/assets/0/assets/0101ede2-77bd-41f4-b8e7-d2b0e4ec9a43.xmlt'0/assets/030f3abf-b6c9-406a-9149-e7ae9a5f620c.xmlz0/assets/0357bdbc-219d-4ec1-a6d0-1a3376bc1eb5.xmlu0/assets/04072293-0c5f-4548-b4bd-5c3be9bfa44e.xml0/assets/05232cd5-b2eb-4a13-9e75-0992677383c7.xml+0/assets/068aee1f-882f-45f1-a70a-452b6352c15d.xml0x0/assets/07149786-09f3-4159-87f1-308feea5d774.xmljN0/assets/0ad590fe-6f85-4af8-b88a-4c2cebfb036e.xml8^0/assets/13f8e318-dbe0-4967-aaad-ad5ccdee426b.xmlt0/assets/1856eba5-b7e8-48b4-9027-5fd14d45a29d.xml
!0/assets/1a17d8ac-4ac6-418c-845c-a4251376e1e9.xmlN0/assets/23be4d60-fe62-4aab-871e-649f147be7d7.xmlg0/assets/277dfde3-8d89-41d1-98df-50fc35048ae7.xmlw
0/assets/2d63d1e2-c787-474a-9768-29d8cab6f713.xmlY0/assets/31b140ce-1c7a-4b1b-b6fd-c87c8233d07e.xmly\0/assets/31c2332d-7739-430a-aed4-25fc1ac9e640.xmlU0/assets/34f010d7-0c78-4412-a7ef-6a52653a4443.xmllu0/assets/3922aeaa-b2b7-4b29-b406-f6f5ddee0f10.xmlaK0/assets/3ce10c79-86e8-4afd-97ee-0425d605c0cb.xml,!0/assets/3ce9c5bb-bf01-4a9d-b924-bbf1e1b530cd.xmlMs0/assets/3da0b27b-3d5c-4117-9ba1-60ccee5c5965.xml@{0/assets/3fb68347-837b-4e40-9a7f-5fd7e90f1d77.xml;0/assets/42063d6a-ed4a-4c14-8381-bb239fbc606c.xmlA0/assets/4619d451-71da-4063-95c7-02fb9790bd58.xml[l0/assets/4737022f-1c54-472a-82ee-99d0306ddccf.xmlGj0/assets/4a88f9fc-8379-417e-88f6-ee7db530e9b6.xml1r0/assets/4afa2480-1414-4579-8448-1913ababd20d.xml#`0/assets/4bc380ae-866d-43fa-9571-9cf2a45830ed.xml0/assets/4de889ca-7eda-4dd9-984b-da0eb8350158.xml?0/assets/4fd78221-3d2e-4236-a971-18cdb8513d6b.xmlnf0/assets/5036aaaa-56cd-4da4-b210-5c789091da37.xmlT90/assets/505507c2-db4a-45da-ad1b-082d5484b0c9.xml
0/assets/54ffb525-5197-4a9e-a58b-654493cf983a.xml)0/assets/567f02b7-100c-4cac-bb39-2afea3a8d776.xml@_0/assets/5d18bc6e-68ed-47ae-b7a7-5f8d6c83f18f.xml80/assets/5fbf02b0-8e55-4635-8bd3-525fe8adfe18.xmlWj0/assets/64180160-5e21-4e7b-a61d-a3e27c5ca5a2.xmlA{0/assets/6fc4b2a8-6bbe-4996-85cb-e27a873a6c66.xml<b0/assets/7458dc18-13f7-495c-b571-33f6b37448cb.xml0/assets/798e37db-46a0-443b-b7a8-f96cbd8cf12c.xml850/assets/7b17fda1-f53e-4800-b629-cccd26344141.xmlm%0/assets/7bb63cfd-b17e-4a03-9619-f948e295dfbb.xml*0/assets/7cbc0c4c-1037-4fc7-80d4-d093ff64e644.xml<0/assets/8088c79c-eafe-4306-ac20-f43c4b23ccee.xmlX0/assets/80cfa5bd-44ad-4dbe-bae5-0633d2de1de7.xml`0/assets/823f77eb-a4aa-4a46-9513-ecd582b038f8.xmlrc0/assets/8f8b89c2-f2a1-4ef8-8a81-9a98fa5e2407.xmlUd0/assets/8fb3b4c1-e3ea-49ac-85f4-c1f6b7c7168e.xml9#0/assets/8fbc984b-e639-49e2-b038-ee4aec3bc357.xml\J0/assets/90002538-e292-403c-b4d4-01a3810c7fed.xml&0/assets/913b46b6-7d47-42c7-84b3-06d53d191af4.xml4L0/assets/916957ce-daa8-4791-af8c-cdaa2c99735d.xml0/assets/91a4e9e4-ecf1-471d-8734-7474c8899c8a.xml0/assets/92c69ace-8d1e-41e3-9db8-85bdb28d28f0.xml0/assets/93795b81-918e-41ba-aa1f-aa68150b86b3.xml<0/assets/94b3daed-71af-48ca-a2f7-29dc47074c7f.xmlW.0/assets/96b523c7-5eb0-4a08-b699-1f7856066c59.xmlh0/assets/9c002b26-3d2f-45ff-ac9d-5081e82b30ee.xmlmT0/assets/9d06f526-fdd0-477c-85f9-29674c2e4d68.xmlA(0/assets/9fc7f8d8-1345-4400-b8b5-a6f637099d03.xmli0/assets/a2280f6f-45ef-47cd-b158-9bacfe1a2600.xmly0/assets/a23af311-766a-4b90-ac60-d2f0680ca339.xml60/assets/a6ef154c-075e-4427-95f2-aed04595958e.xml7j0/assets/ac922f38-12db-4f2f-bfd8-edc05f2a9978.xml!}0/assets/ae860c09-45c5-4a1a-9d83-ff4f4d2046cc.xmlY0/assets/b0d35b8e-ad2c-40ac-aba0-784ae37ea9e9.xmlw}0/assets/b2163266-aea9-4251-8dfb-7c844233bced.xmlt;0/assets/bb89ffed-4b51-4ce0-99dd-92375eeb600f.xml/h0/assets/bd1c92bf-f72a-4444-8c67-ad00a3ab4dde.xmlB0/assets/bdb04181-d340-4929-9a63-a852b1765542.xmlY50/assets/c754a0fe-faed-4c83-b650-27ddcfe119cb.xmlw0/assets/c7cc7c1d-aff4-44a5-85f6-e
18404591f9c.xmlh0/assets/ccdd7180-42a3-43b0-a8af-27972f5be619.xmlm80/assets/d87ee269-ff2e-486d-8401-db4325ffaa54.xml%_0/assets/debbb166-5143-49b9-8937-7d41c9f5b48b.xml@0/assets/e3c91285-4edf-4bd4-b762-60694f6bbcbc.xmlDe0/assets/e49d6f9d-b576-4a15-81d8-93b646bfea05.xml)Q0/assets/e4e26582-bde4-45f3-bc6f-b537e8d0f54c.xmlz0/assets/e61ad0bd-8dd7-416f-ae03-c7aa4569d147.xml*0/assets/e9d785ca-5159-4df0-8573-ac73b9a94f5f.xml:.0/assets/eae03733-b48d-43fe-a172-6e497efdf6df.xmlh{0/assets/ecf794aa-82fc-4f59-b951-c36870753892.xmlc0/assets/eefe0c5d-c756-4410-814e-b2dfb913cd32.xmljR0/assets/f01bd12f-85c0-445c-b6bf-645ab66ac0e8.xml<Q0/assets/f270ef7c-350f-44fe-87cc-3088c9d87971.xml
l0/assets/f2e0dfa2-6b20-4c95-b0c3-4830c042bbe2.xmlyO0/assets/f3badc17-abb5-49be-a1a2-2119140dafb1.xmlHV0/assets/f60ca0a1-aace-4877-8b4d-40f06090d5c3.xml<0/assets/f60cc74f-d34b-45cc-9460-2d9127948238.xmlZA0/assets/f61b6a1d-c704-484b-8787-f27de22c700b.xml'0/assets/f702106d-2002-4123-b4a2-01676fcbcdcd.xmlBO0/assets/fc406ace-9397-4271-baa1-888383a12c63.xmld0/assets/feb4e99e-eb67-4562-8baa-aec24e7f4902.xmluy/relatedAssets/7/relatedAssets/1d3561e2-232b-4d2e-b451-98f575029870.gif`7/relatedAssets/3dd4f848-9c62-4403-bfe7-52364867ea8c.gif(B7/relatedAssets/8c328949-1021-498f-944d-e61113778c7b.gifJ7/relatedAssets/916d5d6b-dfac-4cc1-bffb-1870e5280ef4.gifU7/relatedAssets/9a246800-9d1a-446a-be01-5c650d9b0f3b.gifi07/relatedAssets/c72d956f-d07c-46ce-9cce-c65657259edc.gif]7/relatedAssets/f02e9737-1985-4abc-84a0-c55184b0660b.gif+t::DataSpace/NameList<(::DataSpace/Storage/MSCompressed/Contento$,::DataSpace/Storage/MSCompressed/ControlDataT )::DataSpace/Storage/MSCompressed/SpanInfoL/::DataSpace/Storage/MSCompressed/Transform/List<_::DataSpace/Storage/MSCompressed/Transform/{8CEC5846-07A1-11D9-B15E-000D56BFE6EE}/InstanceData/i::DataSpace/Storage/MSCompressed/Transform/{8CEC5846-07A1-11D9-B15E-000D56BFE6EE}/InstanceData/ResetTablex3::Transform/{8CEC5846-07A1-11D9-B15E-000D56BFE6EE}/s`M9%

	xeR@ESqUncompressedMSCompressedFX쌡^
V%LZXCHH<maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Resource Partner - Advanced</maml:title><maml:introduction>
<maml:para><maml:ui>Token lifetime (minutes)</maml:ui>—Provides a space for you to type a new Security Assertions Markup Language (SAML) token lifetime setting. You can also click the up or down arrows to select a new setting. The Federation Service builds SAML tokens that are valid for only a certain period, the SAML token lifetime. The SAML token lifetime defines how long a security token is valid after it is created. A shorter lifetime limits how long a captured token can be reused; a longer lifetime reduces how often tokens must be reissued.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Partner Organizations</maml:linkText><maml:uri href="mshelp://windows/?id=916957ce-daa8-4791-af8c-cdaa2c99735d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Incoming Group Claim Mapping - General</maml:title><maml:introduction>
<maml:para><maml:ui>Incoming group claim name</maml:ui>—Provides a space for you to type the friendly name of the incoming group claim.</maml:para>

<maml:para><maml:ui>Organization group claim</maml:ui>—Lists the available organization group claims.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual>GIF89a9p,9$$$$$0$0<<04448<<<@<<<@0@PDP@DHLHHHLL8La LY$PeP(PPPP,U$Y0Ye,]D]u0]4]0ai8a8a<aaaa@e4i}$qPiiDi<m@muHm<qLmPqYuHuuuuUyYyLP]}]}aaa¥0UeY҅q4i ]mqu@Pquy0eq8}ʕ}΁@ay@΅qΡLҡqҍyꁮڪYaց֝ډ慺qڥޑޥޅ沙꾪ή	H*\ȰÇ#JHŋ3jȱǏ
ɓ(S\q ɲ͛8sx
<RmQwS:d8o?br)F[1bNJܙL(P!
ӲxJ	A>C\KXe+`=sqw(L`5(1J;0KLZcZicܸ5aW:o9.1cxKg( h)׮Ui{+
ȝC3wemu#G%ݪ75}@ֱ2-yoA~
YȬӍ}&ܗ_8D@㋀1C"<q 9?πa7^T(#~סR0RQ IU "",P6ח0tPҨ_&;@8TR]=Y$$(M#pJ&J6wʖu	sV0יFK>	rZiT<x
~	^6\Lf&j(<jjtIXRUxJNViG]6\	< j%^4Z>:+$
Lz5&ʬ3BnD".,߂MP(=BLF/6OjshO%/6\S#8yv¨11CwLbb2K cDX\c0Y-;
ZkT҄q(!0Xщ!25A1Ā;VuT5ڽnvI=F8<ňr.}4K71Dc¤[U^8jޏ{`RrCx-yڀ('{3?x({Q=,@FUN(b,wd@[C߮>	`HpʃL9]2r>4˘&x e_E
8V }O A%,2O:Gă	Y_= 
>_@	8!Fp A/$b
:0&R9 6	)@欋^<\7@[-kA	֡q4t$<N,i;8!ҎbA!8`/H8RAu,b,L: 'c'JRnh0IbL2f2`On?#8ZzĖDR6E	Nv<Iz$AriV3adP_%-A<`€)pDͨF7юn(H?iP"Ac00LgJӚ8ͩNs:iAD:BXB0E=Ԧ:AFzdㄒR`HXJֲhMZV + 
B39T-@
lG*aH{VYA-Bl`	IXZ`q4cÑ_%K>abqnZlckV>Ee߲hE8hoK&i	
D pınmk61Kr }6AJhwE.o0_r4L`1Z{5h̀5T5077&(ނ -@2((D	
&rd Į#`P$yLv2RdG9CV0
5!/h
\e)
h{4ٱF#ʠ Dk`P\4(bP(4
,@pꌅFɄxt'
b6hL25Ԁ
n֨!Q'	&W	Qh;QtFhB{fÑ-mo(n!(
`QXq
z#&6f3?>=;#$5vk8`B:pF[^0]2!P"N<vf1:nPZ#wtwO 7:3|_GS/9:lRfBm7ZV_lKW1>#@qyή7q:-tP\hj
(܌oM),Lzԁ~<LW>t|1[ϹBQ'hþLS#>ʸ+w՗n*5s-	.qkc%Mn2|6?7\뫮Kl=ӭ1{>W{\lpwq|x7AEf?Fddǀ׶ݕxLem`5@6#mnbzli@P>zX|&a(sU^pkAwHtmw6wuGp0hMigu|W`gx:灆u6hD`v~r__ri$'r~pFpvHxax~pFhl
6T5惍lAlʼn=QA(}'[E( ӗ膴x1(؋X(Aes47e0g@@IV`5jkcm`Ljvsls&dmiwc(A{
(ni&zXcjal[}_dVyVSh	`6wxofjXo(AH;54Y6y7m!y_W)uN}wV{fيHt;8hZ=6lzPefc oaQ9Փyuz.zN	y$,6Lx6!)a0@t AaQqI^eI!)1!gpA@VߥȖɔ/	!Yp0`99p0)ř	ĉ
iPItН!<i	fٛ9tVٟ隲 V@
VV`9"ࠆIAJ  0И%)ښ!TibI9BD jYp0
	Y0yП)D)g WPkJ+Z8Z|ڧ~p0M	)"I؉i)/AW(nZԩZ7JoAm8y8 *
)*	jZƺ1:y	 AS2@Ы)
i䩚iZ]j"JAjZV 	Цy[0t@*kJɁp哮ʮZ[Gz)ۯ
"0"*4ɦqњ6Z
lz)*{qqZe9ڡqzY
е!ZÈrʠ\V*|ilDwZy+{0eۡK)V	kɡ١@ dzdKÙй];t뙰;Gj$
Crt˟D yTڥ`ɠMڼ{I*Yg 0PVJaID6۹\3߻@Իx˟ajpɬDΊkۜ˩*y5{;Tڠ	-)Z%{V[Y+[Z5	JV@ 795Lb[#S
r)ΪԚ0mڥ<qWJ\aŒ˿o1bz|~ǀȂ<}\uň',|{\4ڤ,N<
 z+h<I'̨lLi{0@{=ʆY<j[kMʠ,̈	EL|=QpeZ]{DjYjʠl:^TV0dQyp	@L<[TT
0`ahxCTS@D\BР0dѸTP, 
)1"дv<X
2=||)yQZ@.-EX&1f
-:=+At 
P}pQSo@վ^ݯiIz+)An} #rR`t][}*)ߺz"@OP:M@9]a]9^z`r}=
@_-v]^&jˤWaܩ}n Aܳҍ|=61PPܨMs-pќ[]EޣkANAHgQP`0EaӔ!ߍȤT- ./@!b('b+QgQ1~VxMG=@.pe8ecFe挏e/NQFPfr~ZN^P^~2p  @=#. ^`dЀkifyn)viq`dMvNҶ{.	 ak">A}Y{|С'|H	
^>S`u`[^d`aXb逻~hc~VMه !:PL&l#j玄f
n\. $`e1
!NGzju5lAbj(f$]u!
 #	|@`+F8nЖm18eXV8O:o^|QKXat[]Qy^p`P
٥VfoY<"c^#R2YLEW/E@^U 1	/lT0@$Ҧʣ߆T%1_Xȟ?pPoZ?Yo_W?hV:.qF@
DPB
^QD-^xF=~H%MDRJ-]SL5męSN=}TPEETRM>UTU^ŚUV]~VXe͞EVZm"k5JucU9},MFX1x?YjXL4=A8s	.MF̈HӨWܸI{[nj+OcZyr
pď}JvݷUP8Ơsmq4I+6~s*@`CF#.aWBrfSHϰ>I0DvgE|i1Ǣ'f$Q1ǔ+SxaH-_g~8$sr8s9eK7EcZ
ijA:li|3!gf	<=	4D,E`A0"[L$`r!E\@SWqJDT[]-<FgnXE1&	2ynm&4ZwN~YcjNqQOTRͥ?QAðiOs!%_ї~S`]x`.>F?.W.V8㾂!ЁdePv$aݪ&`"v[(1,ngFk9gAٰV
zjj"`HA@pD; 71_\d"([&nPnn	;PnSIDz%$y2׮" 
ؐ;9ؼs-\r=8/s&`]A!Dn)GvD
<ܫ}L`r+$Pnֻ!$sn;22ǻ`6PPYzI/psD>mgwcBW=0k^wP}5Ƞ<B@z0x(Ɛ0ς
j60k792}(B.BԐBF7$RρcCO|[w?j
9?NQq|
9 uZwpIHHFo&0R=VA۲]o܎,G&͕̽`}勸A'
PSUs?pFz̨05c܄ǹNQt7	Nvrl3y0ݸ'Rp,MLQ Ώ>E~4\<b>?%>zyIK0	=7FnK<" FIL;iQ.!@sJbC9i΄o\$(1_0SLO}lQYQ
-;z&vS`@i}ʆ/CĊ(@=\Q4$eղ6?MZM%^q
α<)a~.Pk'6;Gz	Pzmu
ԃmW
.$_-rQ#=/mnMfLw#kx<-jE.3Ҁą0.z\&hd4$׿p<`4Zôʾ1QB0 $Gp-	TKЌE-bf5}Q!JܖjH@X&3_d"-JZh4(dҕRc-Jc
b@&"E=E23ӌvaE lt<&&*J
$O>t->K3$"8""D&@e+E@sita3
h4`7{~3Ej-iTݺvvGއ0"~9}d;JNE2a}m
?MiT.6T{#D"[)Ç$cŸIcےEO>GVɉ=\IW:w-7ɚdb"so{@mko]7swz@E]Z{xWmt{Ͳ8imw`Ν-7Ը[Ȕ#t08#}#}DALDNn+<6810'wrLIySb?@Ri}0[d1YBbo`ŋW/[-3C(0\#@k"-+ً1Ax?
TЄeҌJ4v;()*+(܃.B-$|''$3D4T5d6t7DI#z(-05C90C8A$D6.2R}@`&BJ|CC"*8B=0yhĒD8RU\=K9:v0Dv22D8RHVlc6ZgCOxD&$atDDPCf,TREs	؃	X30XhMd?kP@?TA(6XCf3<ER(H,Ƅ(hHRHz{.Ekr
	FF4pt(G4Ȋzl=xHpD{M*~.)ɊH68UotɧdŔDbLYD/tdCHdVH@ʆIH@C(GD4/-H<I\Gp=`ylIJ̘J7ɃHP(F~'DB\ƹȄKgtHM܃((KF1JyˉgMJ
̭˴˿ƌ:M͆MM$CL'`0sEMMǔ:cHfΉf1N|,*܏|!ۏ~A duLbh}P`ϱH?UXre/)2ъDBPhaqgIPſ\N
;kMҊQH&'<QHQ*''0@1
 W83;M
_mq؃$@B5CETS0@!&?!#ҒqT洙JTԑhH9"qՊhbIU"1+%W5VJPZQ]qU@hO`WH`<֋8gTdxn֔@c!gHhxeqpUz!nO31Pwe	[8/d9CqWF!Ss0t ؔFXj`seӢؗ(Nk]]Xh
MYi@jq%K@0qDa9&K*١؇;ل}#zCaO;0AA`x5`QV 0gz0ṃGO^nx
Qل#`.m `A0[;`4ȍ\PʅqSm9jx#pWPP{@X9ؽ0۠
8SH'h]&Z-Yq8uʸ؁M0
.dXO=hE1̐`4x$)[xݎ~:`XΊjh@VZ%0zpPh6f|z`PPmfuiHIwX&b 6'֊Ap(u#Pqp-b'bqP!c#c9}/pc78
x){(]c<?dA}@AH^z(cF6G~7bI)	OeXQȇNfdP&eR'x}WnXH Mz(e]Ne_`N
⢄?pP2qOeYbhff<\peFVof.g?#ebPea9w^	&6FVf^h@y.{6cm]n>mhft%isASh'g9heOvo钦ic9HiXiwvf&Ri`iP颖@9Hj~䨞gnjOjHjvQ₄n(@~g  Zb+8&x=,@)Jp?0.vꀂ+5bz&91%PVKOЮk~wxI1
籤Y$ɚI
^ ݱ@#8!!ʢ-P:F&O
BJͮd1n#`e/(_*An@	
%apP(cyq@jȱ١) `)#P Gx)q*"&hmϚI›[y𱀇V8nGj`H ؏$Gw)"qВ$J$꾛 ro$ڢp"߮$>r< @-'.d012gHX1:͑r7JꡟCmܹ,A,("\tV(ڞ,')]j%89qh58T'Uou!"~ig%sH'*>v)!r%(n1k-V $XPdffbuY$xw!@{Y,lF^DsN4qavKyכK)q;&pDW?tE #`Pp`:8'y
o!ٺl` hz	b&=`К%%2x(M(@2`	)^b[(ٲ%{iOusa$V< I5]`)-vF	}}`t'~~7)~>~FM~G{w~>w/J$,H
2lPa&Rh"ƌ7rqcG\'*Wl%̘2gҬifK.J|#РB'R.2m)Tv&M3*֬DVE
gְbUjr=[ڸr՚u[2ܼL}W/C)Q0b|31dQ8dY͢扡ea̔x-fNx`}?@HS$be"o?HlQ[N[lڵo3#B(^zg◎/AL9ϊXE0F?BFgwg,\SuxyEgz
se4V/b{aG
/3cr` r6n(a!b2!Q
|=@&do],DȒ="~V1U?wD^<=pD[3TuaP'ҡ
Q)%Ef"(s'`u`z#J(ɜ:դkO*
=ιZFYd{"6.Y{hD4*ZJڰLʘk_~#Gg"E9NDoʙnՖiY+hE]zDGuA|Y{ѲoX\\<g7@?"DFzy?0h(k(ma/Mn)=5T(ְ\P%5aU}av}vTcwU6q[kݔU]IţC=Q
OCaCu]wtWE:-ԳsA5ۙy\wj[a~ex񠚉;!Cֲ0w\&,gbDmn`8s.VVy'sND9f![ډ,w/5Nkdg0Ӯs	`tE1e
odPPDX `	i#t;y,IS^D?`*>Nen<i=k،r`&o
Tdg$nUG^ؕ#42kJz`6-p4QuA"R?VFuMp
(cLthKWF'QXGC4sc'2B%1)! %aYyc+zDU!$9RɷpE5(3C4bR03b>,ʞaЄ(T<0BV%fs.A/*d(q8!pAs"K~UJ=S*1 e	'|C79P%IfRE*\PP:<-EKk
:M{Rҟ)QTFmRv+RSp^*XÊ:Ban}+\*׹ҵBYzUu~+`ҽP=,bXꕰ1b#+ձf,e3Բ,gC+ZΚ}-jSz	b+Ҷ-ns򶷾mQY}\2}.t+Rֽ.v
X5n|,.k:^$izŻ^w$]i|+Fo\BEuC}M
`f7_pSx7}+s-Q;c\O(A꜉I(PAĬe:ȏ4,"]h⯡*.Bf8XFE42
Ã"218Y>y"2$X&;b#]V/EJqi8BDo$2=i%)t@W^&7̈́t}"9ոg	LQ>_$O( leK33O#ldbG.)Mv?4H	Y:ZR:h"FVݐVq>_|Z#`O~s`?<ʉ?񴳡X
w#ݕDy"܈,h9][3Nj1EaI7$E3ZnMޫG]e&7܈q
jS0\A<]mg3e>tHax=gRua\+Avܑ_D:PK_Id{^wx|v{3+=ɏLjbr|w{~8O-8d*1=.e`D'`㟿)qkX*+#2"|ɧg@a8m[C	3HZ9Bs"g54'ߢ9mQ͌_z0k-USZT4Ĉ}|F	ʚ`poJzY
jG	qPi̇UD
CrT
pX
eLۨ<K)0r2%P
RD]]ވD{^
_ny	}խ᠐mFlI!NјAt!jd!H<`iatޕajHP%N&-ԫ߉!
ۭLq|1LqT#aL-X@ԋ̋qp!\Gd#N	L~P#"BVƿIa;;O<u=>^>F@@>dVCbC\z@+\$FfFn$GvG~$HH$IF6B	K$LƤL$M֤M$NN$Od~j
%Q=WBR.%c	$S>%TSF%UVeSUfVC&V~f)"%X%PΗP%[[%\ƥ\%]֥]%^e\VM D\%Ve`
f\av_b.fa&Q*WdFZ0&e%dfgg6
hfXT]&I&jfjOi
lfTf$fw&n>noֆofSgU
kqrJa~fb~/#\]yባlN&iFiNGY8
m+-S<')'c0'F,au˷c-]E|[UG8Mvȋ[v#zc~{xڦxvDPǿ)mt؉j	i̛b h]F\ga`]B|E$OYJBp[j	PjO
Y QN89s9
L)
zj]TDΖLM}NN *b>輽ȉŚV
lu8r0!a؁HPDPy	rߪ\IL,nʏ~D.୞EF`f(AAs60ߖ7M",!Fd-Nd8Hi|EJ:HkZJvVPD\PfHHlsr^%"&fƶ,QykW,bͺ>EQlU-RW..n>m|FvDӲϞa:Jn[.6D.خ&d@vŭ-֭*dgZ-l	ޮY&Pe쐥>.t".NnXX-fE.Jv.b18.-鞮p..Ʈ.ߎ<.E@;<maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Understanding Cookies Used by AD FS</maml:title><maml:introduction>
<maml:para>Active Directory Federation Services (AD FS) uses the following three types of cookies:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Authentication cookies</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Account partner cookies</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Sign-out cookies</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Authentication cookies</maml:title><maml:introduction>
<maml:para>Both the Federation Service and the AD FS Web Agent can issue authentication cookies. The AD FS Web Agent takes the AD FS security token that it receives and uses that token as the cookie value. The benefit for the AD FS-enabled Web server is that it does not have to be configured with a public/private key pair that can sign and verify its own cookies. The Federation Service publishes all the information that is necessary to validate its tokens. </maml:para>

<maml:para>At the Federation Service, the security token in a cookie holds the organization claims for the client. The organization claims may be mapped to outgoing claims for a particular resource. The AD FS Web Agent can also authenticate and use cookies that are issued by the Federation Service. The AD FS-enabled Web server receives a cookie when the client comes to the AD FS-enabled Web server. Then, the AD FS Web Agent can authenticate this cookie and use the claims that it contains. For more information about how the Federation Service uses tokens, claims, and authentication cookies, see <maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>The authentication cookie facilitates single sign-on (SSO). After the Federation Service validates the client once, the authentication cookie is written to the client. The Federation Service produces and consumes the contents of the authentication cookie, and these contents are not read by the federation server proxies. Further authentication takes place through the cookie rather than through repeated collection of the client credentials. For more information about federation server proxies, see <maml:navigationLink><maml:linkText>Understanding the Federation Service Proxy Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=04072293-0c5f-4548-b4bd-5c3be9bfa44e"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>The following illustration shows the contents of an authentication cookie and the AD FS role services that use the authentication cookie. The AD FS Web Agent comprises both the AD FS Web Agent Authentication Service and the AD FS Windows Token-Based Agent Extension. </maml:para>

<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=1d3561e2-232b-4d2e-b451-98f575029870" mimeType="image/gif"><maml:summary>The contents of the authentication cookie</maml:summary></maml:objectUri></maml:embedObject></maml:para>

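<maml:para>The authentication cookie is always a session cookie. The authentication cookie is signed but not encrypted: the signature lets the recipient detect tampering, but it does not hide the claims in the cookie or stop a captured cookie from being presented again. This is one reason why the use of Transport Layer Security and Secure Sockets Layer (TLS/SSL) in AD FS is mandatory.</maml:para>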
</maml:introduction></maml:section><maml:section>
<maml:title>Account partner cookies</maml:title><maml:introduction>
<maml:para>The account partner cookie facilitates SSO. After interactive account partner membership discovery occurs, if the account partner cookie has a valid token, the cookie is written to the client. Further interactions use the information in this cookie rather than prompting the client for account partner membership information again. The account partner cookie is set as a result of the account partner discovery process. For more information about account partner discovery, see <maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>The account partner cookie is a long-lived, persistent cookie. It is neither signed nor encrypted, so its contents can be read or changed on the client.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Sign-out cookies</maml:title><maml:introduction>
<maml:para>The sign-out cookie facilitates sign-off. Whenever the Federation Service issues a token, the token’s resource partner or target server is added to the sign-out cookie. When it receives a sign-off request, the Federation Service or Federation Service Proxy sends requests to each of the token target servers asking them to clean up any authentication artifacts, such as cached cookies, that the resource partner or AD FS-enabled Web server may have written to the client. In the case of a resource partner, it sends a cleanup request to any AD FS-enabled Web servers that the client has used.</maml:para>

<maml:para>The sign-out cookie is always a session cookie. It is neither signed nor encrypted.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Understanding the Federation Service Proxy Role Service</maml:title><maml:introduction>
<maml:para>The Federation Service Proxy is a role service of Active Directory Federation Services (AD FS) that you can install independently from other AD FS role services. The Federation Service Proxy functions as a proxy in a perimeter network (also known as a demilitarized zone, extranet, or screened subnet) for the Federation Service. The act of installing the Federation Service Proxy role service on a computer makes that computer a federation server proxy. It also makes the Active Directory Federation Services snap-in available on that computer on the <maml:ui>Administrative Tools</maml:ui> menu. For more information about the Active Directory Federation Services snap-in, see <maml:navigationLink><maml:linkText>Using the Active Directory Federation Services Proxy Snap-In</maml:linkText><maml:uri href="mshelp://windows/?id=8f8b89c2-f2a1-4ef8-8a81-9a98fa5e2407"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>A federation server proxy participates in the WS-Federation Passive Requestor Profile (WS-F PRP) protocol by communicating with a protected Federation Service on the client’s behalf. When the federation server proxy is protecting an account partner, it collects user credential information from browser clients. When the federation server proxy is protecting a resource partner, it relays requests by and for Web applications to the Federation Service.</maml:para>

<maml:para>The federation server proxy also stores Hypertext Transfer Protocol (HTTP) cookies on clients when necessary to facilitate single sign-on (SSO). The federation server proxy writes all three types of cookies: authentication cookies, account partner cookies, and sign-out cookies. For more information about cookies, see <maml:navigationLink><maml:linkText>Understanding Cookies Used by AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=0357bdbc-219d-4ec1-a6d0-1a3376bc1eb5"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Account Partner - Verification Certificates</maml:title><maml:introduction>
<maml:para><maml:ui>Add</maml:ui>—Click to add an account partner verification certificate.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Your account partner must send you the verification certificate.</maml:para>
</maml:alertSet>

<maml:para><maml:ui>Remove</maml:ui>—Click to delete the highlighted certificate from the list of verification certificates.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>You cannot delete the last certificate because at least one certificate must be present.</maml:para>
</maml:alertSet>

<maml:para><maml:ui>View</maml:ui>—Click to view a description of the highlighted certificate in the list of verification certificates.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Revocation Settings</maml:title><maml:introduction>
<maml:para><maml:ui>Check the end certificate</maml:ui>—This option checks to see if the end certificate in the certificate chain has been revoked. Selecting this option can increase performance because only the certificate revocation list (CRL) that is associated with the certification authority (CA) that issued the end certificate is checked for revocation status, instead of any CRLs that are higher in the certificate chain than that end certificate's CA.</maml:para>

<maml:alertSet class="caution"><maml:title>Caution </maml:title>
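<maml:para>Select this option only if you trust the CA that issued the end certificate, because with this option the revocation status of CA certificates higher in the chain is not checked.</maml:para>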
</maml:alertSet>

<maml:para><maml:ui>Check the end Certificate in the Cache only</maml:ui>—This option performs the same actions as <maml:ui>Check the end certificate</maml:ui>, but instead of checking revocation status from the CA that issued the end certificate directly, revocation checking is performed on a CRL that has been imported into the Local Machine store. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If this option is selected and the time stamp for the CRL in the Local Machine store is not current, AD FS communications fail.</maml:para>
</maml:alertSet>

<maml:para><maml:ui>Check the entire Certificate Chain</maml:ui>—This option checks revocation status on every certificate in the chain, including the root certificate. Although most revocation checks exclude checking the root certificate, this option runs a check to verify that the root certificate has not been revoked.</maml:para>

<maml:para><maml:ui>Check the entire Certificate Chain in the Cache only</maml:ui>—This option performs the same actions as <maml:ui>Check the entire Certificate Chain</maml:ui>, but instead of checking revocation status from the CA that issued the root certificate directly, revocation checking is performed on a CRL that has been imported into the Local Machine store. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If this option is selected and the time stamp for the CRL in the Local Machine store is not current, AD FS communications fail.</maml:para>
</maml:alertSet>

<maml:para><maml:ui>Check the entire Chain excluding the Root</maml:ui>—This option checks revocation status on every certificate in the chain except for the root certificate. This option is the default setting for revocation checking in AD FS.</maml:para>

<maml:para><maml:ui>Check the entire Chain excluding the Root in the Cache only</maml:ui>—This option performs the same actions as <maml:ui>Check the entire Chain excluding the Root</maml:ui>, but instead of checking revocation status from the CAs that issued the certificates directly, revocation checking is performed on a CRL that has been imported into the Local Machine store. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If this option is selected and the time stamp for the CRL in the Local Machine store is not current, AD FS communications fail.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Partner Organizations</maml:linkText><maml:uri href="mshelp://windows/?id=916957ce-daa8-4791-af8c-cdaa2c99735d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Certificates Used by AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=505507c2-db4a-45da-ad1b-082d5484b0c9"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Federation Service - Advanced</maml:title><maml:introduction>
<maml:para><maml:ui>Enable anonymous access to organization group claim names in this Federation Service</maml:ui>—Select this check box to allow anonymous access to the organization group claim names in this Federation Service. This enables additional functionality that is related to group role authorization in claims-aware applications. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual>GIF89a

333!,


"meo[tX}F;<maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Provide Federated Users with Access to Your Web Applications by Configuring an AD FS-Enabled Web Server</maml:title><maml:introduction>
<maml:para>When you are the resource partner administrator and you have a deployment goal to provide federated access to an application that resides in your organization (the resource partner organization), federated users both in your organization and in organizations that have configured a federation trust to your organization can access the Active Directory Federation Services (AD FS)–secured application that is hosted by an AD FS-enabled Web server in your organization.</maml:para>

<maml:para>The following table provides links to the checklists that you need to follow to prepare and configure an AD FS-enabled Web server for federation.</maml:para>

<maml:para><maml:phrase>Preparing and configuring an AD FS-enabled Web server for federation</maml:phrase></maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Configure the AD FS-enabled Web server to work with Domain Name System (DNS), install certificates and the appropriate AD FS Web Agent, and verify that the server is functional.</maml:para>

<maml:para>After you complete the tasks in this checklist, you can set up the AD FS-enabled Web server to host claims-aware applications or Windows NT token–based applications in the resource partner organization.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Installing an AD FS-enabled Web server</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91912"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Depending on your organizational needs, install a claims-aware application on the AD FS-enabled Web server and verify that it is operational.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Installing a claims-aware application</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91913"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Depending on your organizational needs, install a Windows NT token–based application on the AD FS-enabled Web server and verify that it is operational.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Installing a Windows NT token–based application</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91914"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Provide Your Users with Access to Federated Applications by Configuring the Federation Service</maml:title><maml:introduction>
<maml:para>When you are the account partner administrator and your deployment goal is to provide federated access for employees on your corporate network, the deployment provides the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Employees who are logged on to an Active Directory Domain Services (AD DS) forest in the corporate network can use single sign-on (SSO) to access multiple applications, which are secured by Active Directory Federation Services (AD FS), when the applications are in a different organization. </maml:para>

<maml:para>For example, A. Datum Corporation may want corporate network employees to have federated access to applications that are hosted in Trey Research.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Employees who are logged on to an AD DS forest in the corporate network can use SSO to access multiple applications, which are secured by AD FS, in the perimeter network in your own organization. </maml:para>

<maml:para>For example, A. Datum Corporation may want corporate network employees to have federated access to applications that are hosted in the A. Datum Corporation perimeter network.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Information in the AD DS account store can be populated into the employees' AD FS tokens.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>To set up this environment, you perform administrative tasks for installing a federation server and configuring the Federation Service in the account partner organization. The following table provides links to the checklists that you need to follow to install the first federation server in your organization, configure the Federation Service, and set up a federation trust with a resource partner.</maml:para>

<maml:para><maml:phrase>Preparing and configuring a federation server for federation</maml:phrase></maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Configure the federation server to work with Domain Name System (DNS), install and configure certificates, and verify that the server is functional.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Installing a federation server</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91901"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Configure the federation trust with a resource partner organization.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Configuring the account partner organization</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91902"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Custom Claim - General</maml:title><maml:introduction>
<maml:para><maml:ui>Claim name</maml:ui>—Provides a space for you to type the name of the custom claim.</maml:para>

<maml:para>Use the <maml:ui>Claim name</maml:ui> field to communicate any authorization information that is not one of the other claim types. You must specify a fixed set of custom subtypes. For example, you can extend the <maml:ui>Claim name</maml:ui> by specifying details such as employee number, first name, and last name. Each custom subtype is a separate unit of administration for claim population and mapping. The value of a specific custom subtype claim is an arbitrary string that is exposed to the end application.</maml:para>

<maml:para><maml:ui>Limit the auditing of this claim</maml:ui>—Specifies whether the claim name is to be audited or shared when the claim is produced or mapped. When this option is selected, the audit indicates the name of the claim, but the value of the claim is omitted from the audit.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>AD FS Windows Token-Based Agent</maml:title><maml:introduction>
<maml:para><maml:ui>Enable AD FS Web Agent</maml:ui>—Specifies whether the Active Directory Federation Services (AD FS) Web Agent for Windows NT token–based applications is enabled. Select the check box to enable the AD FS Web Agent. Clear the check box to disable the AD FS Web Agent.</maml:para>

<maml:para><maml:ui>Cookie path</maml:ui>—Provides a space for you to type a path to the location where the cookie is stored for Windows NT token–based application resources. If this information is not provided, the cookie path defaults to a path for the site: “/”.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>An incorrect cookie path can result in the browser going into an infinite redirection loop. This applies to both claims-based applications and Windows NT token–based applications.</maml:para>
</maml:alertSet>

<maml:para><maml:ui>Cookie domain</maml:ui>—Provides a space for you to type the domain for which the cookie is valid.</maml:para>

<maml:para><maml:ui>Return URL</maml:ui>—Provides a space for you to type the Uniform Resource Locator (URL) to which the client is to be returned after authentication is complete. Typically, this is the same page that the client originally tried to retrieve. In addition, this URL must match the Audience element of the token. The Windows service checks for the Audience element.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the AD FS Web Agent Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=bb89ffed-4b51-4ce0-99dd-92375eeb600f"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Add a Windows NT Token-Based Application</maml:linkText><maml:uri href="mshelp://windows/?id=2d63d1e2-c787-474a-9768-29d8cab6f713"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Application Types for AD FS Federation</maml:linkText><maml:uri href="mshelp://windows/?id=fc406ace-9397-4271-baa1-888383a12c63"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual>GIF89a:p,:048<Hi<@@@DDDHHL LP$P(P} (U$Y0Y$]e,a4]8a<am@eu8iDi8m<m$@uHm$@Lm yHuPqLuPu,}<<UyH}<uLPaaeH@eYi L]$qq(,uy0u4y8ia}<@ae@DqHL҉LPuUqUuY]aaցi֝mqޡuy}ުުҺ޾	H*\ȰÇ#JHŋ3jȱǏ CIɓ(S\ɲ˗0cʜI͛8sɳϟ@
`cG*])QI}TUQ1z!_=nJJa;5-WPʭVlܹN_z50p4⻋{w0媌kuɕ^Fsk-vi[WNeآs.XtlVNJ3dKZthƁ}'{ݙ.|Q=f)'.߽yE_/>|f|w߁R7uEWȞcWyanHa$asmhb'"rxޅNagi߈2yx+nG#o=ZWB&d|7W_Qf\v`)dihlp)tigA<\2
Y tRsW,& {2B|bPh(1tA9DA;\)iĩ˫<5{&#{"kx6P
;J#-ݶN*`CJ<>X=:{ƺ9]+R>
>|B	%Slg`SO.s"<` @>ф=g 52RoC+5A
K3dˌ|''P/a̎賌l1u$<S220G]C`Ź4ۢfԉM<\-7^z}7}%ewq*
wI=co@pu}7s)|sI{~&נE74sq*0+[J:붼P(|Ў٩eND5O=/-R1?2:٘-#H%E'^#G> cǸ\٢7.E\w$m
!
-]Ә%L`Zd@~Dg8DW:Ȅv#@t <0#nphІ
]KZ0:+H^3*C5`BՀ!fڌ s(nP| gݒs$B]tš	,nKdxW<C^l(8bCI<(胏5f5J`xC*-b=#ģ}&Y]L)[*5Y#C8>@>c e
Z0!
YNXr
),
@ΗH׸ǹ"֫9 mȓ|PgHm(b7Cs;*βnn%<q79#d7Jvԁ)K-GSC"J(lcId!PqQE./J%EUP 
Xa<{w>v1_P?'GwHP\ PW 41I
S)  HEIAPbhk̐@EjM{Hu|`Mz<'!
h>nbG/V(L7 GPܩnb 6@JnC\.A0]<>;o24q
c5ЍKMwaE|E }|砃J>4#+"1r:D1!Z<uZ1`P,D]8AnCPlj]ǎ84+kz*x{
\9C;YѬ
Uݜ
Y>HDP)
{-hx+7Efil7ϵrM/n?'!
P3Xk>1.ENlcZjƨ,QW.PpmdNa'%:b4C
|KZ3wFN؍Had>]3/vY6,Jm$ݍx ËF4lw@aB&0F=*ez+&jqxcwFIPfsG-@c^#2	lyGH2yCD&kf‘Aqk/;}7Y`Y D>
u*^+8:3@6ʋ&
NXie;7nx0
JmK_=18<ˋv좚jByݨ
dLtm\-}iHwx.'3t;mW)'Mvq9]7@޴9U zP
_+޸BЇ$Is5Wy}xx[i:P
Gf
݀]}hv-LuS&g4OWkwkH4h wFȀ
gtÇd;
t{%PHEVgr]0tE&
k%K
gR8Pzh
]dU^~'iF;i
Mv_r7pDnLgTrF@uf}A8:&?cTXfwVxzr
r50AwE6{egezC{Es'c+7Rdb3sJIqYq
ԈW>
cjX~V>wgqE[`}]4O3
wt6h7
@NO.8mHliz
~_E9 yldhap4};d}U>X	?t|8Eh4D0
3(<z@X]rM8i6`W
秉]#
pRWdqQ=`?F0w7W
F@	
]pLy(P	*TQ	Ou4
y`viLhH	VN:3h9x5DhՖU
A9$k8TuZNPFG	
LSIQKdu7fpDCpH jFdPPysjs[0(Ex 
MX[sHvw3qWF3pYP	?PYYОꙞ=`.REX9iO4y4ZT0wh/jhEGbYSp5װ<d$PڠˣGE	@	<B-' YP
HLڤN
HO`pJZܗfP	,6_`h~rY{az|@OГ5
	:3:0eVtz\
J`
PJ2]4j{L<{`

qt1ڪz13[BX`PZDX	 gP8-頹٦^$oK @|3怐GYwFBxc

0
YBZ2J00@;۰D&PXĕ(Uz4XXEbGYEow;>59%Mo
WQ	}Jں`:4
 ?p6^{ WƮ

԰Dop<,TI;B

۰h5HЄDuVUz{BʫaE啒P
)~{ErvE75>@4^)90gIf~&g\Ƙh
S[Ov
s+ǐj;9Ip.]h]Tz=P	!9a֕5I;h4:WdГvǡ0
* h\zF0䳮+.+lBg
J02-
=3<[YTb3-jj@jwcʦzEӇPds@GBlP`n6]Vw#Lߐ
Y*3kB0)W;
@
SWiis}4&{xe$
`*^¶'JZwGVyadEGNDj*8d<`ǀ4B
t clL]=0YK=\l
ƾvRp
Zz$0;3@aC PR}%g~k~

~ޛ	(5KqF,=[3ZJt;dƺ
`cT3aL(
ǰϿ2P0ṋj	π+-#KY
| ?r0*%fh4\|Pa~z'{	»0*`6ST=VRSP/=m,5	}|s5zgPtwchuHxfp
@$:ga{]t6
@PBZ*mɭk{5Lvv}͌`
00myLz4kp7gs7ȯID
f@
U$di:˽η
pۀt(p]I:S&}v<=EdDXGjz?ݦMNӐ|
C'-;=00ۯZ7<ndrEE@
P	'vi|'9ϝڌpRtLvHo:E:`;%91*7jUCmˠFbE2tZ`SP'U>`
|4s:ZgO`ʽ	3}
٥hvԜɽYX|$67r0^+*ΰCam@`aE
pS	ʤ&),N85 ?%L\Ȉƾ
@4^3xFDM@R(P;Q<*<
;gp	r7 hS`ބ6+_\&b]0JcYư?<@
&bX]po8E4RÎrZ]͐1.]@6{BwI:cV_T	0
:0QSOUz=F琖d_G;O뎡Ȱ
Ǩ׶frj0
}
ݪa<)/`#	\MG?pS&SiO2C>ZFǭ_"@DPB
>tB-ONsF,B-΂h#D-]SL5!h"mpXшspڢN6:7c`%tQšU+0pB7BYvT;sIDg
ntֲEX⬖t:Ǿ-_vy@s
XhҥMeOhC6mo
4zy0EL@0Wb>mh#ۼǝR$JȽ2}EFsT)S3]AYЊ~
k,`!'ᰲzD΁:HK'c`}+LAFLjl` 
~E8H1"4*YxsDmtDg:mɮ"ccm)R1RjJ7߄s&1b,e#H'9h	ij3΅qnRa,"+Ta$
Q++jBs~"/Bva10֙bFW61}"kHF),9,`J>P[Yʲ"*h+Ί!V}o祷9ѝgHmHQj7擷rd`0O^.MMk0 cO'qkŖ@zoN(`k>y9蠇HdPY?	sMhtx0g­1˽G-ifcdϏQ9+PzCo-.8i6
SwEsBF1:H狊ZQjaYPܶ\LUkG8'kZfghk+BT45!V;f{(D)$$Ho}b iWƆyfo̙w6&9	@Vt^`0%1]	sd`
K;tI>	u"yG)j08C;")}RZ
pHTSG56Њ $OBU8x
}HXvL0;`acC;VKRlЏ#"#;G=@tAF5`)I`t}Ii8c$0̃E<$VEuc{fp"s|J$H¯	fދ*1+phnN
,ycڲWT(E,QF8YTHuX]01
!g@mhjUn~Hy	tIҲ/}^>0u@".[q0ib(xAYDg	 rAH*"}dz8K4 L}TlBoIՁ!R40=
RQ#!akG	}dO'T\V!$ʨ!Z}ѬYਧEKFP8ԭ|̨(h?Qh|j1d@
Xֶ*kVsCR[yVො.c#HXB=N%x5(B$©5y[jrọ%ԉ1		I2v97"_8&	4rY6\Y('r6І1`Pû#ie,E5dС#|1Hk{=/PFl1iqB™m<YuTOH7,
U\I<KZ>0M\
s-zV'yʝJgCup/@##`
2dIuS#ÇȘ~idXT͌KH#2 n֩%)8#r?YEEc5؂D|𪢢L\
Yacl[Z<]Csةn0ZᛕAD1NRZs#ֿNLU0H2isvf"Bs=x/r?]Ϫjpv?I⁌/1hژFV`̻V1}T8K=rrCuOVKZxYx1]%."%?nTp?⢃qwa^nfbs<sD-	_GrHfGZ `m2ѥzmqB5$4$t1Hb}jv`QGLA.`D3+xF6$CzvD(bÊbѐH-ƗC{"!\uуP
c#h=k$yHP>=ÊX]L4
,!3|ޚBP uPK-_ڃ+)1ycs9ʋ'h9f: ?ﰷ_KܢH@z=J`ry
h -0(jۇ3x`2(:
A8hn3a^sJ_(j,a cw]x%(Tt)nX
It3r0$5;ÏM(&釕ڋyCÅ;\ӧ`(@hԊKȅTx_<dщkCDLᷚ
9w1PU7i@i)\<x|
F[@M)~9:.@AD0&GFmĊ;(%*XDJAQ21_iydf4!
Ypt'H.j38xʠ(3-}8K,2Ԭa$h}4=

;gtIJiKȀxl`P1F2ثO.8K `ý@}@$٢'ʫa
-nCZ*&J27ADKH4Ę٨mU0Q(hIt*@f>!pL<#?*d
 Ȉx۲j8jMBҐBІUpԁt͟Ét7uk+cᘃTˠFr1F?)-9
^8= eEJŨkQPs ;PoPĊ̂F8|Z6/ʴ+YCD,a's}@cJ%=vH}ͺbYIuۈ??)?[Ǚ2NЀ3Ì$p-J;EJQbOyd`$_p9JhPTȀ$Є~Y(#Os%q*@SSeڠ0:f΀Ә8@t?FAW<&-h0KGCJ
Q|WW|
W D0K@JhI$Z!LOдH ڇɹ1dM%yS$|7 Mp]yjHԵW4Q-(8uUZR<T{Q{Wجۭ%FoJshk;ˌ2!
6-]Je1<dPHMS
ȥ"(4`
	x[o]#@
05"13?4^`
On`PBLڱ-ZZҸٚIJhAJTɝʍE>W	e+B[Je6{XYǕ%آ}*~x0ܙ^Q?
#(?^>z@x
4؇ۢglTG
itQBB^Ea6NT(̊h ,RIBL($iR
<x#"}h8uLjh\
3x/A}VfH ,5Yͣ h亊ӦQc-
W xHzU=E&
Tn;XJQP%Y_kWrF?`J,ǵQvu8*T0FKǟՀ  ^C`?0-4pfUQny52Kز=}Mށ5]UEP;hjN:)ݹ#@ ٥/=bd]!R`4kMRiض2f^(gk:/?ɜK4P`@v[i\^SPŊ*XUȁx_܋נLt۾]eg{&fZ;JxU
ˌ.̄zP`HM*ْ`Q靾x0`e}gM]So;gjr%m`5kMaakk
	ȋ$:84|1뭪ދW1QqLn	Ƴ$A \R@dl9lp4pR}@NQH?FKW6/nJ:jJ0,0Іc\3i9ӂUvzfagx&'7e}
L7Ip9.)q8rn𨕾ٙHW;(} 2y&
Ċ[rwXŻeEk
A[xpJ#ͅK1Mh(3P-WH[F_GXTՕ]Ȓ;kVae/9;c"8eJwڇc	o!#4y6y/5j7h07܆q0kh!
k\쁃w$>6GF^Gdy&
_0onW8uÆ,u@eEf&X*<	ɒ۪ [,]f/xc27=7Ktw^J.ER0ExVDaA0iI҆}hO%VkhU|[qKxP67Kȫd8G =kЕJ.u@`<h2	m@&hXWk(aPBN
Uޅ
^(	6b ui+  ms_HzGtg}oH|pn(kGc3p{}
%<^@}C\7se1{Zpsyvvg'P|H[oۄ5Bdd(1l!ĆtӆF1G?FiS
 0a2Y3&%:qęsΈ
ҤJ2A9B8Bj\"i#:?5рiGjײm-ܸrҭk-Xu3QGs%DڢNup)K>}f3h;^@m_5	H_rNP	Bܺw<lNeWw7K5s?w*b,$4(	" 0a,8ۦZ |\OJvK]qS9V>@V#NYgI6!8"%ҕ}:TX5A\0
YC39$O@֔tE$]nQ!爒j9Զn9&hpAcZ<0.d<9YsE[2KC9@@QBà(7pG%"`(Fx_
ZҀs5/T]
fX9bvMWvYh+
,80*UqXdu7rf$6!y9IlDe":ΗzSGesbN'nKک@CP 6TC<@ʧcpQC}/erASU]Fы:FV8;4E]Qu_c
/#z.9dOC/0;HqM"o
fu/Wol0E1EWg'|3,;8G.TAj1P`24@RJ}:DRQtլk<HX;oj@l3δנ5D}#]h^ܶJMrט;îj|#`~hc¢	v6z*6.+l!<-`@m cB~FR7.=n}QtcT6w6!M#C&Y^rCN,E)ab
!$68D7PcB:F22v#G<`bˉ&:AS1

Fp/_o>k fkS摈n(k+]aB71H$"GjUwy^|x#Tg+l%1.hzr%[BPSsFm?@6m: bpuU:өú1(C@LO)$G Iv(*CY6rUD\

Zэ
X#"N rEż,1pb9Ow.CRrCWL瘋KMC78ԥv0s1OaĐ?s5<U/l]
o
&!\Eڈ:
S(^j#~(E6ҍq@A]K1eNMM:x	W46ut~Q9uBC i&qҭIWɕ)OAֵ
$$@>*c!XRXR:$.4`zDbBE!:	*]JK_zZ|	xئ,Q~1ԁͮuC-*Zb
1ύHQ
ve54Wo7m!FG-uc,ce>UXAa
b}0xLNDfvD/i-lF?Yb+Hi4E
#n
gM7:%ݒIaYE<|jҝ1gJ['dz
<OüpKa5§)1D:rj3V˧obBkyR1E#Jl1,9'`K4/	(5`X䭥FUqX'GUW
#Ո^E=
f#ez%0bo
9e[:@8=u-{qjiDϡ m9oHc-x-k
9GgA;#@d`2FY6%BRɂc
R\VO(>qM׷<2`fj\5zg8
.W}
E_kmx8"M;)\#CwLGJW`
@aD,9x`>)޶S^)@h#'q
ln@C

yCXyj#Ր	}-`s8۲/`s/?{+ec#!}@+%_,5h]e<B,H|9Wq]I<hC<9C7Si4
*ăd`E=Ȃla`
$W<Z<A
_d0!eLQ`qʼnrނE`!aNa|&
U4P
`!%ެ 20с@PT]T $ Q1LTulFH[i)ayMF
b;|F1T>Vibf`0^"h8CL0TSWLC^BC7~V!MtCW$Ok‰MV
'ZT›R]0?Z*BC"P>}[JRchH[
]4DĮ<AFUW^`4f$C`YS݃ٔ;jtC<L	]E##O	8rȣ2)S
2=n6Հ[q>f٢Jzg]XDLd}?`eIJr9E"!!#CV 4NfTO6f:eΤA,}#$RleA@7`EW6xjCrK`[,#kÔj6(׃-Tb..
DEkؠcN$'OI	܌M	f&E^m2Ĺ;A=\ _%XCeQ\H
SʧiYM4J~rHJJdEǧ@T\D]9áQ'SB(tl(nh%B(OD
Q9#-~.L2jD|I(>$C|'CPΥUzhg9ULVIpn@_hkA6t)C9Zh0vB @4ȕ0@Lü%x.]\-`|@)ԨF!Q@@pCij	})$a7(E,B)먖,ET(O@Q(*)@P%CjLC7@Zg9hMe%vC#
…fݥ2UtA#0C$nT$	Sj |Eǜ|((2`,HaHCy@=RC4D9l=$>C-tZ+iN<tj|>29|y+պRB2LqE0=4->ZqaI) ޥ*=DC*=8),@ &Sm"NC5/Y ?;D,hg,8;?!ke`ø*w5BCNm9wF湜9Ad@ C7|1R5)dê(ՖS|4PH̨>hm
 C)pR
@-q6m<K>Q~>BN%-6تT>8.'63TReTH9`P/n
6-RTXj$YTY@mER2I>܎X6Jvgխk;L_+T<"(>(>IqUT/T6AD>xB{I3\-Lʁ>\DVRԕCj5Xe@66@X0>QG!
̃,Że;RJqq1$]?Z}K8?6$AhNA>_ci[UpP9 UkDBCiJmUAIcG/>Ԗ/E6+jD> ae=/@8C8@m3m$4񁔼1RZpRq1!L؟	#-AA7 CDUDq6f["rLrF0U鰏,Ӳ2D;t
DX<Н}j1vQFoEB$@W25ԯ>YB.äF$9C/(hyadĕQe$O=S,j.MʔkZ=
[\Ced) 42!>@I	P-w,C,d,5L*
3ᓄR_<tuš4,3l^v<fyYRI~*)cT1:I/J `u>]2~E95v2`nZo@0Z]"C^g53CY_/ ›d
[>&@H"T5( lh@p( /Eq31LTFxne"gTvF-3R$S{ST3rTSX!>|_|C6tFcc%rsF< ىU4L%$D'`7
xCQpHg݇:h"3C
<`,<YC5%`>`3ĬFK
ab*RuA	K
(AuNu/:9Ճ(j-~r4"@:tCpB3c<9xPRݱ*7Ӂ,i_F?dN9%H|Ý'!6P_$>}R>@v>--gXWF.Po(iډAGP+T8%8;L?9 YF0څ@vC8{eԂ~,bȖ,"=qed;Hsc9C:
79@BN$@3\84nG>Hzr5.AiMf
G7lr"|z'\:#ň]kUX.5<;8:,D;Xn-wY.9?!oV$%/ D[,> "5h'3D0E/I{}Su4xIW͚IK(=YhzJ8"a7L6E(qX+G~n|3C=w)CdO,a>#@XOs~XmP'K]'J1fԸcGA1W5 E9#@r1-8[#:FX&ƒR,:jUCdI$:T	Lmj1OO$5tj/ߞpR:v&  2 hQ\"g%2"j
v8\:txL"۾h6؁qcDGb(.L"](G}o6\ڛk,yyf<F8)gx)Y7'Z	,0
wα+XEBjl+@l/Ry&SN!L l,x|&R}|
<_6RQ)*Nq' s6Q/QD{լaMȈsj`o/²QܪA2!Q&!J#(Rks<A?1@:25.C81x4&z yf!rj3яvSbC8+:'	?醏\2RE!!*P9cϗ5Bs#|W፬AVр$)`d<䜦Q
YR*U Vy/Xeܾ 3P@Au,;4"9vGm!g79Ɣ9Dɮ[z	Q)z QR]W;tf㘪2kJZFUSUuXZglQ`QaFebBmK *e
CsfywgUnzTDI@EՑl@wQSy )Wq!wzUͥY7<"
,%pp>dytcK0A)MC( `4aGW@8  
F5DyjYn!
͆I;
	TQCN7Q>mYI8>#|mmjaҪa4c")J{XI q[y%}4.8ȤLd!LIQ68\ESuRL΢(b-y\6DlUItU\f1u2Err)$g0#|[(cH#VjZ%	3Fp`]iA@2H* P #sbzZQ!*#ʚK	h	 n@m(1FEZxcz^W=&"befX{1γd/ܛ!0} r"@*>onkVr6̒B:9"r7{'đ¬sEt`E94cjzp5znۃ"#T?L4Ks١L`5U=cg>mdM^*uB	pGe@$j;Rs#2JֻZ3Hc͈%1zxN,Ϣ-!p
7X<#\Pp#x-tpV!J<`	.O5D!AL0LD8iQ6`]Iu0Q^AHGCŽЃٸ̧`Jnqj$q7MʂEC^˲׽9;sW|a,&V&Йh#?~1~yфRalNǨ-teapXpz.(zP,DNŮuq\b|"5*6bit;",+N/1#l@j@prx8J"xrxG
sޏ8Vg(utjj>`Ph_e@
Bsl\a>	恍QFce1r4ĺw*VUYZNbfq`PhG]=`AT!@z1p'|tZVº-뒂At͉wSp0GrN-	33ZG/^'k*+rA |2#yrg)Z'BmgYHU1E6X[6H8G&.+ 18 !Az A؅тnr!mwƮ9~(3W\]5`C$BL?P8:g#%2/o<$hANGaK!B6ObDcQBh:C{^ϤL*
V$
lOp'\07a"\AZH!JyioJP-$ 	#07>AZ ᯨh#,$`a\!X%"P2LO"BҞ
# "V/G@k.:"H=O84&(M@0-pXBhNf`fr/}"fRS6% +Ab{b@	;BcAL`j)$ġD<8!U'9d$azR!Db06d<Uv@Eԡ2xa7q$> } .m"B>;+^=hSԢx>|dP1AFf"d>hdG(Q	P)")*)<a°!zCul$,TүGmf6`9R`C)1ak& !ƌ@2a2nr8-q"l!.s@<2SB2G2A`=`@^ҥ|fP
IvCEdgj8ʁabF")2*1	)r::#+#6j8Bn$8a
&FJe3^HD) L"3MOF
G
2?3$j0B(BB  2LO4AJ_*@
ahR6cBd*-x`v
%V.G~G!(s:)::;!$S$(>pa" Qಫ@$>?30tx
rJ dDԬ40#&4PEB †:O=qD1^B$d
e/!#.W"`Tj(Cg.t*s	9}9U#17tC4$8#oޒUeaqL?B)$Ttp	ơB2b
az.Q;2(rc,ƨY@`.UND=u6!O.XCd&6#&i3DU3R;!@1bA
,H-|8!EI:RJgu*2x!YF75"=AHV6Ohl‚Nj\]0vL AH^ _V#5_n"i 6@
i'!cCV@aF6d(<N6Rv,ZM$OPrWcMzz5hWwxIhv@?vKjM,C-&qMdlŠ"]	lpBA:9&S""rfgRN(@	)A6.`qqNA8A؃Z1h\@;A0`^AXtGAg@uzR$B&jôj 3CT8e3À.y$(z6MAlՆC-M?v ^@|}ʂ6cO"R"p3 Aj>,)AaBP$A yF%2XDT&bacULUx@X0vSB%EWa꘏4$97HRiµ-x@r0ZkV`yD>QBJ+X4R^Ɩ2l@#4$>K-~ƞ؎_OE#dCWcDMjH2!Z6CWR	:9Rxu	$]LF-O!DM8,dl0@lċg`pT^	
oSRP2ATB$э8Gy NY#6)!k<`qf處`FK3^AFayJ7FUvPb!mb`!#&o10.0`rO`8Mi"PjgUaR9;\sl:t"hqenWڪc.R8~zyODk1h&E
nfiMvb(wKx4"fW/bTlz:K"H[T$V/Dy"Cd]f<dAk@
.,
!za
۸:BʠB@K>@[W%cn`z*	1:@M:1fBaK)
QZġP{a,DP|"fk4dʥa"!z$0V]C&!!%E灜6#X+B`@B`UBo\ -% z\ET*h+IXY8!#\	AZrA]!GOe"	
aR,AhaA?@F#.@#]CGA˃,|S~πE#'jiտ-ܞ\ elEZ*50vZUOѴ
bZ@%٣#`۵}ϸP>a(y9[]<F^LpMĖ]CG^gt;M'8nvo&
$Hb-tY,pC~ T*6q>'D؎~&
噂εcڻ]pt~ZDŽl
B[AXS:q\ћi]{3m.``oo^qB^; /N`B@LBqzv(xrX*˟X(Z7e!V\ptCa{#,r<0…"D`?jAB@$GhXa.
,["$rjO<yMV<#=y7-d	PsOBX+zz2%,!ڲ׺D`+#yhdd5Fz+4pŌ7 @_993vhAį!t:AsMɀU(Q7?8z8I_"Y:_$44K	:VNPzF{
vpeӘp"ZsĴjpO*OwvwD{RE58cG DI(tbc@Jw;hh#
|5"G
hNEɁ9”S2UU
%V`Vc5v=䑌
O^c5uzZSaefA&Y9jiڜb
Pi8MqDC%R̓b
C"Ɠz@Da4wvFrwvmsǃx>^OrO$~xOlPD
FQH#J.
.O<Ɂy'&6HS5l\ՅC&{<qA
t^5%bN%DHqj(p~VgW8>Y-
ʓhO:Do58\)se]BciZF9 ^Qy
zaWSP1_`{H(m՞m%XMB.OC5,ծ~BeUEobo	\FS<#1h5Ė~Iw}bfAzKfAh"h0Pͽ!T"˼lL
VuQD]i]FwMt4O5$YՀL&E{ֺr}Fd8s>.fkԶ`Q&e#|C(VnmtFA"	HDFr׈?,A/<^"xr4$tA)򜫺$(ZP4:/o1E6"3;LB`֓C3p} (NJ)T$ѻa@EC_yL;jE5ȲTy8~~13!
( 
4ByІG!ARQ@NQPT9cAjR)
Bth^NK/Dsdpd"ɂ0`akY99,ր1B5a)0B14D8ד&N'T	C0B&
}!RQA-Q8k
6^"B(0hp@)`NԓI>I	ZP?3ĦH2tP{CX)Ρ~)u
A9U\\b56;Z``@<@X2Fc6Q'_,

G1k`aJ?p5?fE&PI;Ё/'$ 	QE_<qֈ@.{R}5aGȐt_@d4z5sΫK[;͛KYIp{-g!I:
/qaѣL$+G(S`QrٍJzk3`d4bpLJH@'vF]U^d
x̊./PŠlHtFhr0/:M,}}XXc1j5A0\ΥGNJ=d<ӈZ3`C(Ȑ,ksl1Mq҉3q0^93<U瀆Nd(?z0Tj4Dhً[#z=4Qe5/em&͆)}6Az|Ё!QBNƮPi3}c,g j̀ i9xDH9hqlvq-ߢUKPKChMqZdc%ы8ٻ*(@&P^v'X+e胍E4h~ewpڪc@o(*X<(jwo@=`Uc|G|5Py<w@%k0 9O%p}:+y
.}ܣXsdlEHBP\Qg1=X'mϗw,Dk^cG8{_.!b	PyPXpiE4 RS~w )R+5^LV\S-
K8>i"

\8;0p5y9F0Ut#20DTOsƅw700&02e
xGwl9yGv
p&Xi@:ZB(:{8vUQ"H@p'_
/V4U50rU%	EX
l0p}IL*i_)W ev 8Bx}vFZY5P];5xXEq3T9(5bP0YqxWr[_UڈB,hN'
 VvI|
0|Jl`6CA"=FrFRVy*H1wJXE-rW9|QgReЀ:g)&SC4:( 0773h@=?By	}p W2q0D	MW
Keq=tGUG8C}$(DHZ gߢH0r4,S!LV4ya3Mc
V
5(<Aa*J4ˆh.S8{(@+)Bzt!BА*ՂpI%gii4Y]Е/љ͙G$g
>RD$':%&uJ@D+s5i1gY	ԓ	Ȱ>t0b0e:jFGlng*rDZZ$l)0/(rX5H!*Ť@8T
Y 0W=SهɎH4ۣZt_%(|ۤ&J< :5жiK_<@	85pFP ߨ:R_{=GZc?_y*R@=n[[#;\
 d"./2
@+@d,_

By@fG'C8@	&	
^%tI1fX9zd(pi
vW]8K@rJzR`헬:l5|A@=5EA;Z))Ryr
z߰qx65>io)dUhY$
QIưlN3Vq=ep	QrZt_'s-~&bH}uq{	[GId/[w@8qЭp:!\r!	apeة񐔊" P=!*~?v  W
gzSK=5P
4[@`B6Rg$@fD{7wv ;)a-tc1qb`y$9VI`_Ơk@Qҫ)[yplizkxVG87T6W'2dUyC	N&
`W[ٺk `WrgWpR{~Bac)@ۢFP=*h@430_0P1HU	ZBb6.xH0؊sp"#czШJ`
 {t:\YL;V

p,
zʜXguX5s(jul'`7)@܏P1UbΛ{×|5l>~P
s3	[\dhqɘKc(p̚eҠQ {]̭#ypl˚`ȚJ@a	p{]
tCsF@nFSPG
'Hznji}…\E؀#,Fpϥp0~{N6/;byQ+	đe0r.?gA2ִ
a	p{ݰie0Vͮ=ʪDs*aBe[vP"20	BFr\ËW7TI	8(2)яKo];0	M2Ƈ40ҙ10`	p5yWEDjm`s`.pм*
PF[͢ẓ$\#PbYq8kh_ ]ݹJP<3%:!ʾ']$7494@T p37t3J}5-k	ƜLjMPeQY1"LM[	D{c@vvUv+ՃbD2Ab%P=a]2 p#_SsYFܝEuAp\^b:&>g#`

 ng#OMFZ~N$yVxm虙Z;bp}/iU6F^a^sq߬|Tkb	M,V:ynE5mٴNQfQBľP>}wri
0	rNgMC&P/Vp;GguCd
= v`g:Fz0T7b~)TR=b|-9eMN0Z
VP@lg@Y,x5q
o04_7+}Llp~ު1ϤSk0/p5
IEqF]La[7<"%RtU55tfEȴ2;P
cyAB<amb	]<pU6(L``<
A
 \C%N1sƴHuc\H@THK1'&Ej-`?C/~Kbx8ӎ>!vWaŎ%[,a哇P8H#>)N!Өj:YjTg޼Ifc%;.`+~!ZQQV$\a@1Q0k.
FظOz4<l,8Rv.z
fy?6<H1dy:h64F*]wWobs1m#"DACz
+`}pC;}PL䪁p(D:HQΛ;'
P!`ȇd,"ȌlH?,{$9'HBdH#YM!M6Df۸ˍ7߂(:9N<PGNP 0$
$`<|Db,d`!`ΩKtP0ۤ	_'O{zz8L}T]V9iո.`K~';GgҨy܉DV;ܨKmPWN $l8ëor#-Px9DTQmR(SKXOKA +vp=ԴfގP'䈪	MlNzhd93sKf;ҡyԓrrֺ$

@m:3fd:	#wY3ش0"4aT	B[n~.:Hob#\0&	4MiFd5r\8˜m25
YAEVm'҃/Q"QՙYԑ#QLD(kkFaDjвnlQTJW2!ݻo!p_x/&>@.r\Q<V:(@sh.>!IR赌iPO}P8lD%O
Ԟڭ#,2-ƁBhNGv'PQGn5I7.ǝE^"w?Ok	Ã|!`
85G$d#sN)>"#$#"EuB/PA
Yt*I|gEK"0%q8&6QJ1>,r'i+0dpP[
Άs(FF~ٗB8
-hLp!.#FAR!.4Jf(	Op^G|3p01Bg4V5	`p GYfI4qQC0F/yAk(R|SӋs<Yiq
(kGZNl݃'
FࠞCXO$J1|u=L世C8g@w"d$u!61kP4ӎDѰ1LدXFNAiCpdcI:]U0p@*_eY
@&cf	r$3`:LW%oy{^WA+W2(f3ѐQcLHa_V%p
|`'XM}mpYh)	72XpM|#FFi(1@!O\
pbx*GrUpӣv5:	rܗ8S^`
`G)@FA	Itdr|f4Y͑+@	zBhcr
v{s?ZЃXfQ@ƱГUD@y5H2Tcgd
]+~Qn
[M'5-؊88h4 Y*):`٣Ic$AF)4JG[eo=.E3@EAlQ`cXvh2ӼuծX|(r0h5s\>#	vacJ۠ne5wYY
ѭX.L$lJI!YrUS#mNJ)	O:rFpsi;槟9>2EL;·Nt[:T4Sg(cfٮq)]v&ٲq_ͼXRJGgUx4O#}kzl:ḏA?'#FozyzgK֧^GOf 9ypj},T|pL+z&ں}pF OxrO্1clwA_S_={D78ӋD$p3tS7ۣ=d3@k7l@=B=xT3p0
QЄ
<A}"鹩Rj;S;b#6;	x(`K#'S2p+Re P1?ڇ"	Ȍy0г,|	<@t4dd
t7tۻ@j:з%
9P;"3@腧	-T8+A%RA8b=>9	B؃:k*+DAd3Hu@&x9pCj
#@<4c(
VFj`43LC
,sC$=:ƨȑC7
(mX"I#@&wX0G;>B>D^X(="EHBE+ULhW "s *C
`G+ه:t "0:i$j=ӃCFlƟ5CIm,pyY`ˌ}:X"D`*480HA0	̻0"$?%5ȀshFBJ=: p7{ƞL	TFm5CpFtĽZnx$9q`xt̰Jבxhʈv`,N,˳4XxZ;"ӡȚKi# . xLKd́=@R8*gkL,C@$Y#u YM=h08hQ8<?mvȔ]8ȵ ;K(ErX"TH{H`I`KP:ф],7Cc9BO[iQ҇Dy,H$AQsDh2
m5(M1JP8tlЂۀX	b;
:| P566Eh8 x	x 
SHTITJTKTL4(VUQUR

XIHh2|*UZ%UN-\TIHLU_V_Vb-6NUZmVguV@U9P
}XGxĔgdUc
Wq?&1h(#T,MAGd 6P 8ui	3}P_I`X'hЉS@
#N,==3~顃4*yB-h<
:22ٮus)Fpv<=r .=KR60XɃs3
?URP
p)!s|qXGVDTAa	XonH8Z€92y>P2},*F"Y_0*m)S:S}肕Y6}a	 K`\!it!ڄs-G3*WE4v
hP]@J]PFHu2;xO(5iڸ2w"}8X}gHqg@lI}@,,S&hi)Ļara
"XlH s"e*<uAoo8ai8
i`R.1
2S%ސB",8_(shY!NA-Ka
 kPC]{vK=0B6OЇE(a(xMWp<pT(ܩ Yދ!x9\|I#	#aKAdXmAYRz^O	1nZVJsY2ٵ:x$PM FQZ`x^g zcXz	Kl=(vXuIfddhg#ՆlZ{yXlK*'q/RsT$g
Nh*; бYIdf=_fE1.3F%3gܵP B<?`S&q٣ dB@zyNJhRKx[B9%xxBz[KK~(@ujF$C} gvDsƻ}Hn*(&3&=""!%m%Yۦ"m	l _;zЇj[	cMd!k-jSɌsm&	#k؃hg%PC oVM@3 pUt_@m7eW89fF|֘(Yp( ,-'YvMs\k"(d_ަNiݶm6jx5Hա*h~ްkTNU	"}N,A
ڮD8KO}fX`d.J%9كlrxpC}'(o"]`:;5X LKU^p
-0k(?D!MVnЅ7QhA&ߣ>"H<2)%KPNR`J}P3_).6pW@+@vn'Japqr`php"}
:I'Ygخ
'wg}HFTWxm׀bykXOq qh\[-QЇAX*uvhs u2Tix]z
vXp`N0z/Tm?'wq*YyX:3gɄyފxGumNȆy_l?kч7d g#^p%N;N=h@ۅ9 ޙCwY`0_yz76%bL.&
deRDnN۶GͶ<P
^uU?RO(evJ+.hC	f7NRkC-ЬߡQlЗQ>1-5jtL;˨q#ǎ?)rrs0HR.MX6o
ۼ]Rb@egʑLT)jHT@QrF]8Q:"{NKA^I	hn+w.ݺvꠑsrΉrg!W4X

 \+y2w]
p,糀Rbf2i:5k$:eנblipDG!Jfg 6P	r /6/~rzP rFKR=CBp">u:,TU
}O$uu-\UbW
}qO&vN Db	ن/8%)0sh0Njmin	$@II?hkiaL
QaԦb	G\_()QXmaC9Ef٘ (
cul+,`
l!Ap3@9"54Ht}
x@ͮqx$GZFBoQ6d1ݔCo=/	(9>:Pa!J<ݦ<a9t pšԻ5zPtsAV%42a玚2"ƪ@H?[q
v<HӁ@^)PBt*>SF7ڠ-ahtMPpY.ƥ˯sC`7d*qPubuwG܉`3_6_!/yg$ga
\3aFC9#:V3dv
	{qG
)A8g3T[.;>+S$
nSnòt6e|j쉦O
D`V4;aC,z;s@,7zizDڽG@藔}T(eܮ1+j*ܓMIJh(C!2PpD Yn<|07݁D-
*@Jd#x- 4<0%sE[eIPUC4dxA0	4zHRCT2!Ԭ))IRKZؐ(A&+\e,бB&/XȀW’B2FT}Ca('!=Ch@7Y8aj<	)SMHD&Rxt7ɴlqER#AJ^#cl(%(h
xEեxeB)zCUCdNvre:+jѳ4B78.T'?dR
W(	~p>yh"cլzj<AmS[$]tGr$
N4s9`&-hxH{.AJ9   Zi95hZQ@{$Q_?(`!պtHV@)+DzBZעRZHKH:M.M
m`%d8.^5:c|Ub+6)!hDC|ÄmlyA6Jr3WDyx񗉺!EI=;\7Gd)-p.bJ	ݍdx/|H?÷Գ(\--FQN/i֐9ץk(nW1X
M<Q
n |C \M_6Q<OCJX
aӎ3#d=YP+`3ܨZ
sZg|icVj>aŮnbaz!5:KK!bj2άd!l^ J&(_8\H_e^][%_>3r@!`+]]	ڨ[a!/P?RNpv@kO\oMzݐnsPMl'ѽ^72ʨ7X!d
Hd%U/BQĢA7▄h"[6qǵZn#6vW/YcX5ȶ>D|~0N[1"598L`ԦjaHmt ڈⰨ=n04IEVJh|loF
.HzWp)q/n_0 %N)R3$e3݉4Iy2W}YM
OW"Ф^97XAnLG}^#qy}~C6z9HQ5^>ҮvJYdѯ(#/LkV Qq| 0QC7"gY9&J @xvPis1IDC/t,C/H
AeN }*hC-ü-I%p(G>l<B1x`iIqYl ȊT!̱S0+-Q`h; nIx4h*NhA7ndC7@T,<g!A~ę7$'	7ԝȥZuY a|?\E>1?I
RC>BͨΛ1ACD"gTA>F^~CݙfQC<a<CDElP)(n5(/a1c3
"

 hC\	%-!h٬_y2`"19*#nhAJ+02,Q"C݋.!|.|fcF!4C5kpCƋ<Dn C)7D6sԃ,PۇEv$T"aWF"Gd͛UČ>4BBQȞ% AWC)_ՇM>hY\[ %}|C
ƆC7ݜ1PhATX/D9UAn~%ٽ^QefttXV$Qy}>4`L%J7!އBA>J?4LYZ![nPQ*	j?0Q@0|d^JXř@Ha,Cf=bPH!Zf6Z<^CvYUIO0H!ВJB<:X! Êjo`֑+䁀?dJ@:(sI̓M6Йp5$h:L2y2Q"e5JD2`
^mdJ H`>\Ũ!W>l/\cJxfD%Ǒ7%rPL9$v~%9P(AcҏZ}MCx"a8,;(UL<_-UzֵS9i#@/ˉ>K3bF[7S&F^Ajv3tr_^"6)эЌ,|qOJOq
2Ru6<e8h4xX
2@0By?xP
ٍgm6*}%%|R^Þ^A9rlDE<CB9(pB3B"FSП=O3<_X>xv,0{b;,uJ7xzH
HSͪ,l"P.YG^5V%	qSأEIVn.|,PΒ%;9*,%8$*q8,Ciƒ+5!PB<.٘5\BQFÅ
|C1LnH:#9@@hA"7'QZ)r9B?e(gJa),ܒACк><|.dJV=O<@1Ő6A-$4)!n/(9.h-7jit'sm?)Wn5^
ԯWyX)ABBrZS\ <hp
-i/i7pJZ.>&nh6`瞋/í*G'/<4CVb3J#٢DD<tB]Z/C
X^=?ֽW7n0P5㴊>+a>
R(ptH@CoL٤7 !αH'E9,qj6AI6[ωjBOvd:);<&FH$آB*U9ȭC6a>CYID+pB1<0^'(318$"ml&C"؍rk2-rYY	hnŜ:m;(A?'i@50n^BvA:$C~<tC˺$O'49prE<Js(K,^ f.kJ$_O"9ă@(f(+H`P4M_E<7I*PC9@j2 tYH'[Æu|e#L|50'$=2T߲=+Ń6(D/[1v5;(K\B*S}: ^@9PæGA<`
ꀕ^5< jDa6
 =$<u@rP9p^ed5vT/C
~A.^[Eq%E< Wx<70td:T%M/|-)\Au7H`J0CbkF$>@)D= žrgdnZI8vP`brUC<tA|7B[AmZ_30"ѧACR (qkrh5#4Ћd=\X/pC6(a#@1MAhly^EiEXo82 B>4C&kNpe`-ĕsFS=J`Ax\Hzd7y"B#II샤]B3 s,yfQi"Hw%J~Rb/qyB\=4pKB=",x;"HwO!DB>P/4|8m>ڼf*D9dCx2<k7]Vȍ:WT)J=k0+x3C2zK9A}bЁ6A?05=xt-@78[f#nQnC0(A`"}<ad&V|*D=10D)أ:"δiۘILA6CSFpM*V#pxeB43axG%\|Qd3{.9f& >cbp1pπ'J~60pb?PnBTÓfU<3Fh½5\G?XCk>⤯(Di

 \bDaE8p?#I4yeJ+YtfL@1QibPC KZu2PdA"FA4,]66 pz|JfZkYL79?X%i
v`{qbŋ/>:E#^R¼:Y768(5gju~%Rgk
9^zBRxV8!<	v{vWVRBl=QsRs"Ut6YFbbl݂P2#渆r.VFKBkj05ܐKu^9ʰ!|"٬dB4:QPz^-_У6j00p3	H(9X|#
B0:b2lf8so -s1.1澻LGDAP<^Α>#eF&}ZAG4㱲Z5p",#ՈAŸ({h[Ѳ,x؃Z61xᦲ0a(9ݍLs<fj\ݪ2Y #DGM15N1*u ,zb5-X F"}m Q[b3ݶ[%W-APᆚhwjQANRǘX[
!2IBCmk 1z
;rp 
vdʎmbD9V5`v'hGmD*rz#'+P``w@!6ly~&`89;Qf1Ə#o`jw"
b M	<!
+7GhH7#{B8Б#/LY8
Zp@Q!ծq'`c
P5I
#%G8|]sQ3 `G S*?c68!.1;{ՠTr8&u.ymBk fB!!	$P
MS;|x1y
Y>Jŋ`; 2BJ_96L#	SdKńb:;X&3P`
ALoR8:' pBۤ„!IfZq@@qB-BOKaAf!el9wOXF<͌jJCQ+]`JѢkҨ4&|h
j%J_r	GP9
h
%jFxK
zSF02|rX1xuSq/Z!}u%xB)'X8
ةx"We̔cS-1[WΞvtBᯨ=I9B=8fH=leE1sP0]8F8Ȥʕn\MAHh*Jv
ڂOm?{X7K^y9R&GY'	+?xRI[۪
Ņf`2 cr U
9 }G+\`x~)P@,zbJv|҈UVU	V^	@VriCBlcf݈2 @%+,1aQ _Ip!@p1T7d'7<|أf jv<I1u͑$)pFөƎ g:VRT׹yk_'
le'ю6JlXҞh{%>vZlDކYrŸ[mvIoyoҶ?=r/ɹ}8m;<nq\	gw=wߛ%qxi⊻28s[?kΖo[H[{=.{s<
Gŵ G9=\MOI`Kq?~u}|)כ.=g:u.cYnv|6<x~q;yۿyv?{'[h9؞O_|v@;GIF89ap,048<<<@D0iDDDDHHLH LU(P00$Y(YY0Ye0a8au<a@4em@e@m@iDi8m$@uUeHmLm y0<Lq@uPq0]PuUuqqY}L]}aa<eUeiDyL} L]$qƙL}(qu0ue4}}}<]@@DqHLiuLPʲ}UY]a֕aiuޝ֝څimq⡶މquy}ުޮ	H*\ȰÇ#JHŋ3jȱǏ CIɓ(S\ɲ˗0cʜI͛8sɳϟ@?B*=4ѦKJJ(P
ZkLW=>JY\7=VeZkʝKw&Աa]ֿu-^}̸`Hʀky^ʠ-vӚf3歭W=`\a]{M߁UXץ?TɷK.mDZM=u'gF޽mN96ӷ?<rtϿ(h&a+F(FτaC@
 @XC(#_tu9
8<& /<(:YZ=\r(DdG&h"%'ZY&UY8t8✀wf0jϚmcJU
7ܙ'1

DnN莜(gi)DвϨ֓DG>jس
)F+ؙ|zlë&kJS$q
:^
B+f<j+,nKSr	.
j.3l1U!6B*G)7$/.zG> 0
?|I,H̡ؠsPNM5~̪B&3J"	8Dj䣬4Kwӭ721 PÏmBuIs.é`]412]ޢ=l"M=pA<T7
iߐ="1t紣d$.6*W~hQ{GuSRBOO}>3=%Q:3~, ,4S>s;4=Z0j<~>,9ڃ=$+(񇳱
xX
"@)%AEЎ
ƻ
16(cZ!m~(hJXC.Ak̃	MB:q"`C,A܉/@"POHv.Z`I1Q%r&k~Xt*"Qѻ:ѱcM"BBZ gj6)"<THfKe;(:9RaKzk_lBGq 8qH݀`0!U}첒$$nH}`ѡf u *k!7&Swjܢ~Eۧv	y@	<u
7~sTHϐ	RԉI܁!	²X˖LƧ[
ۼ!:N3rC[+uII>qP .w,cÜT1
Gp@d˰t #%U
ԝṼV,
xzZo_RA4hK!ۈ$|XPD-h%xM@KV
:s)X.iMKurDWHW
:\$|5dPR<@E>Ng\䊋B2]ҊV
]#jA`<([UGN1A_ 9RqQaxG(0;Xdq\լ}
AHanFЃ.7""HB@ZmuP:VSE5q;|ݣ@}@o;B]/P3&90~7+p-o0ˆEF/!G4u[ʂI`NyF{ZEmԢ=Aܤ;&"]33`a:HHo*n4!zba2 ]03Ak@Ȟ/h+DZ#se_X@G<jц"7f&$09H
"-l6xDfB&qj@]2N(=Rl쮸'.OB ?j!䘴¼뭥1	O{0!g-_6@bs(Mx6Ad\|PUyQ{,A
w]Xe{[qicdHA|}ܠEx9(ЄL܃\OZTŃGKkw;î	W@FG!gzt1|%a<]@
"<".شS;xۇ*]PbȍU@0Lhց2){P챮P?Cc sx:_qHAw*sP
rPy	E`t12'E` Y7`@~ !԰
x64r,yp @Z$)@^
m2|t@z@xp0|;6
*PP(J@Fg}`m'#3y
S0GzH,|-@Mr1J`DІH} \&w#Zb@=vw0K,u'cE _XmMw`prH}m0%|@o*I 8JTd7a_r،,;
WFȰ);H} 
RrPw upkeV!%B肥puEu.Pyrԗ
p%":Ip@D5Y
7h"R`)H|.Ɉ6$	XKn9̐{KRz
R'DIB2D
8xuEP P+hr:DUXu`r	n=pp+ i%`uS/d@PFiu
8E
+Y
QG`YVD	-
pir‚*^@ѰP	pggmG|ЋG)5y#
p.3ԛ5 @T%:S
gx.ui^#p͸*	iwאd;Ds.

נ
FaM:X
HDtLCS0Y6٠548Df&0Mj5R'.2/1Zl=Ԡ':꒏FoҐ0yDSGʂi:`R6=@6p]tagzi
SIkMI@d:vz,	tr>0("=d @<cXZ9XqlftNHfjJ 
Z7
0@Ř1k0Mpɠjj
.>߆EJШ2Zp!Q	7eEi}: j*3wP?rpS,9}`n]9P~A0j '[7ʂ!NR;T[V{*l`$@T$`T]۵bl@$]
zpr;t[p[siӄbƀTʏqJ56b
شN[kq+Ŋ{;kᰤf!?@?
I*@ɸ4A%Yh
0G;K{KNp	y+P];0Bw}L+۾͛+:ʹ	Ѿ+x%@
@[3X$e\:*aEP"E°;м;™k–
]	ث%xfFei@||]"L"<{Q'X|0i|3
Ԋ
H}x.WIA< $
{*N\,„<ŁX}`ôJt$K7uKC$17cyB`"IȢ{K,\±\˅ǰ[,m
nj>ƚ*<`UMIM yx ^ʺ%lŗjņl켊/<mɃǺQ7eEODP+!	ᠾw	 &|џˉ0@r ̫&)*Ѝ}QBtllArp
k|n#p	"K mD]@#PwH/\Te@KQ9S+A
	L}ΰ,`P0nCmr=i&0P
%"Ǭ%Q5UWJ)YUW` +8JhLrqPk=YiekikMei۶o;ڴ]۶}68P	XĎVWhw@6zW
P
9M uM<*X@X2Cm2/k|p9
vTͭHޘ
}n
9t@BΫ x卦}ZMZs0y݌<.0x]f܁[3[V;Y	-[ΐn
`
 b˾ [0c]EV
[.8	c>
Ԍ树@9N^r iA_jZ`
pPן7XVr``t+@)
`kևxƌ%ZE:)b6_bݛxB
*0@t9=d&MPVx΂;P*@廐x	Yk<gS#gZb3Cnn8t3֚߫
;H`@iL}$wh.0]|.qs Ʃv,xkv6Pz؜兓^bXSH/$mm2-ۘ*JVP	g0"@}PЅlaooo60쾸`P;=
^B
~BnqGF
P{Vn0ŷ
n>pSJssX%i?7R>틦hVV/ OhWguwZ.n|0
3 [ZbbrW
tL{gO@
DPB
>QD-G#@V]RH%G\HF
]
pKbRN=}\Z9YSJɹ4zܐSJ)"t۰!]?~u
4d%}ҮINaEj&ec^5%?"ЕT3],Z;{ZfΝ=Xd+bdKVBt.}45!RT(tHU,V\_>DLB
˶Om"e0w/Ep$Z>BƼ$)%Z.l>dAAㅁHJ#	-$		LBy΋*Ŏz!@JqEikBD+BZEO2a")K0J5dqL~q8'$$7 NC[XPJrTjG$	p#NX"K!>[E729"T
nH3XcE ˕L/"^.q#,)C+<!%Sqf@]1i 0}QAGJ-Ld!B:!K>9ge6d'oL$Rp\LuQCXӜdO,#C
`Mrx
f	́/$&p g:GR"-:SF`!@@qm":e/@tP
Gj
Y9ͷ'pH33!G\aDz>Pj
j߄^U
N䑱Wtޝ.+M74 <HJ+@/Dp(-^qoA?$)-`|%{/	w\7RZx1.I@ys#肻 jѐ"xK:pEcɀ7"x@\Ĺ<
0QnW}|`@j+8!S5L#a&lD rXө$yS@HсЂaA
JqEHTIERY_)B9BBB8ƫ`Ⱦ~)	Ƞ.fQ2X?5I=v,p!B@ U8#YW2Ĉ)<=TxcuKߜACMFSZ.xeoDqad`īduLt,g<5Jt?	J8䡫v݀ewJ?}s'gBzɅ41
p>^0.1La@nmĒgLezڳjr=Sԧ?4qIt'QCP`
/JDԨ`PTv`VюVd؇1cAۀK~owūAjzϢ]l`;XUu$l"
TVUOWvֳ%ȺEn7P8b+M!@^V{!ַoWY`8%}+Iiz'9%.O\V׷-GIk)9YJ^ֶ'n-h1׽o|^SEW$a,6ᢂM
tn,4m%"|!)d4)S@|hWvXprt?х1dqހȇs,b>Y}A@]BQc8GVkd`[Zy )dZa.e2$5e	MeIϨ+<)@H"3[T.4)jʕ&LI$Й0ƌpJ
J	yL?=L<8LgVOw%b-kJ:Ҷqa1a9Hu)E`.$k[3S43w@x8z
w´ߞի-8ir[ܶ˱JN^	(H4ˍkg7;vM7/q,!nc\r=nF:Fbہ!A!;Nw-qkZLyLP_!8d.@mF
7CDݦlHc?&_tvy0Q,IGTL72Q~pqWtUd}->X pN{?>!kXjY[px@p8>hqw4ws
cΩvb
E=ֽ/(!!`#YJXǫ:(}8@R,/m{]_bHMtҀ3VQd .hNi+#}Yd')z+=2W8XY1м[;@w@?uI,L`YK 0؇s@_8@8R`dcR6XP5s+T^
P"KB]17m /a!K"?9[x
(B؇?Obc6$B*y@_a64D؈뙕F UIA5#RDR0yU,MҠL?ւ
yEK3H]@
BS¡lEc@gh46ᓐ6!'9(t1bAfBA->o8m௽a)2EE{4spgwɇRZ3Kwo HV4.@1]h)PE)cȎ'#Gr@HJD>\Ƌ>~`aC/jHAYxI8I,\	R`CJa-DtUJu;.܆+Яb[K&s<S{y☮,/?,KK	I2:r+0dL|_E0xSw<̹{hLus+AcxKK/P|ˌM	h Û;(~!S;ЯER\͟(MX-Rz؞JN#(a"zг88:O?9xT*)Ork"!Q;(z@!(VY]TPtgxZdP͔yHFňkѱe5sQXL0R{K|KR@x- O;(yPM"eB:pا+=v	M)}u:K.10`(&N43>؈SC0Ϋ0IO	BQ;YQuTVR78)<[U
|I@QЏL1X=/.
V
#ѼvuRVbE9-⒂KHH<Si=l
Wr)v!hp{ͥ00V\FҸ2U,s9Pva*҅7.XjHty@5wlԈͫBY9:w](I8
֛r}	ŒTHٙrWJ1ѼBRZQID+)R!ژ⇴M_HJttE[[؅D؈FO!nٻѧͥV$#3Od#"O\`iHB4$tx\x	i4`ϥ(@{WޭG!$0'khvݤP	]|L_R5KD2]%^sm9Wz,b)V"zT_{%s*\w*ߝ .`+_e
"PqHU`N ɪ,2+arIѻh-pPD^f͓a
9e҅}S
X!6BNs7gJCe[^Yݝubrq1E*#2)S1Z2YKKpP0]/V7&c3pNU{6@)'(}!3"`>RZhL%E8},/FeX03kQ[zZO.]Q&u#4J0#t0)sFK_bxʣ_PD@0Td`6d"i>55y3RXIΘ3[apQgqNsƔit7d ?bxfk+c>XʛtЅQ>\+?(gb>0XI03s؂g逖%v@z({Qh
p0AU];QFX
 .ji#<CTj߈ZQu_X:6`^kVڻ=}j*HvKk6kpLMv{.hk&$A0@l7)
mv@|p	d)mX$à=~m7̞
DBt9lt؈+%lB!_Xf*vhP09
u\5m	!oV,ⶈZC;i=.5r1o$HDD`tkHnc:ҐpXUP|#2ά^acR䘂jXg5QE)|xρҙV|fu@ua
b$!f/a<EJ~Y]N_/|iM,/
.B߭k䛨eX4Wp/KhcR,zΗ.NtJjs@o8ILx{xuU|GpNPb&5uXr"H,GPHIaH~Ȉ׶XC^B4	\`.Ȑɒ:3986׉TiMm,Y,y^ŨIIPuĬ/xvu2ģ|Y|J1>xבi %
b8	#*˻ڏ4/uHye6hґszx808	dZ@zڑC 5(qȆ
7vU
5LT'.y/	M{O ,M.
_n|Ug؇{/3g	
kڼ<Dh OQ	bF٧ܯi\NB~A%'Lӥ
5)gĈ-X"ƌ7^4#C3G(6c^n!
5Mi2<c*ALDɠB-:Rh7ɋu	M)"RZ*t!@bǒ-[VK;uE,,BG˗<÷ab-f.l0Ċ3n1dM2fyޮ1Q"`9z9A7{b[/[&+I$n'PʗEmf8]jVډ	cX('6w
(R>_vEKD".TWQv!lj
#-	גqivtCHxV,I<HxidLl=Cɋ7D]wc;QJ9%a d#
qHŒQlbfl\rXUKr YñO]6%dVV׬
=ŒJ7`:R\{L:Y%:jd40J
nًpQh^暵i@,q
6&;wɥQI8(`lQ<e< ;DJ!\70L4	ؓ.3@B_*Q_x+bm-y"蔒DZ|QZ>ҡmZDPN9aȃywגn5|3~1Ζ+
Q
,0+:i: :)_3=PFx7(N6SF]DR3ׇ3u=`%ϫde-G
+8;.k `.T~g9硻йG~:ꩫ:aF x6mׇQ,Mcd2)s}7NjjK?pЯ}fP>f/GcHk?תá=Fv%Fx/"2q{A!)IZ(pfAWxF+v
N#_w},laTX?°#BFlL^B!P xiن^Jth Kxp}tZ  
eJ
9
Wñ\,.\F7ʱ}nYH~i#"2^Thzd'	x^$XlC)JP/HB/<C"uJF@|r-s%Lr0
i	HY7"gTz%0
F@ǮfR<':͒DT߲Ym{,YK_q/#KQzѠԧEk`b:pͲϐ'j#ҩRtM
xVfy(
US:t&Pb*}(N񰢊c~20&Ʊ0eonW\)X)05LIB	7MjvFڱ,Pya5k
#z	r9+?)F<*K 1"`J.GQjͰr|qV_SH[
X<u^ZǟѧEE.]u&EswXmlM7Cf$Qmօ^fZxZ=/z+/HY=SL`I9"d4q)|Qί^62ߣGʫ	S6DBTvd}\yaȇ1GQ1 )0ƤF,gw[2Ӫq#0	c.l"SjdQĦa	H(ފScăZAt5YG(p<f +Ə{BX(GF AІ>4MPaќ#h< -QAN4C-QԄBM	Y4hEXbPrF	yt«bX!|@l [XH
_̳P>KZ@N%w؆]TmXVölT^ #;Ea	YC6C9pCv&`?c,G=ц9 n)q=xDQ=>pH @W}R8ncFeA1r7e
l3IrD
@&
pȭcF#!ȸ4T$0Q3 g~6Doy(!zV#Ѽ@1<!x*Z֓>O^5Dt?.ݒmݼA$ɓ/,+8.DOB:ڰ![*v;?SbO/!DN$K(H{OWX#'i*
:Bx8 IQq9Ѐ64U93hiWHmmH!5v= C8 1)DC!YCi=) M<.l
D:肯y]gŃ]>삏i'?@0ɉR) F)HxUu	 2ͩ
$܂e]e2aߑ% YGJ0\=8(@g"wd8$E!JyrD8C$M<1""IY-lA;PAdam6
tLI]i":9b-Â&H?|9hq6z#fѫc1RNlL4 	L
dB @?p|:b2̚J8xBμX،9a4!B;ZPHI^7z/#$1cVa<);`+1	dY,"*LrqϷ|Y+|
]ٛH+^M,3a;eB@<U$h^—!KA4`Mejfp@^j#&n&bYKx:CZo±"b2&)[
	=8?0 iVЎ]m^ԥcx@>d4ž,lH}jDq@_NGaP>LrJ<A
8:ԃmƍE=	8(؃DZ}%'3ú,|2(K>`m'h
E@_ʁ0Ae=:'ݞ`C#0?4B,`'FĂ2܅C`(Li:bX@H~f7-8Y>:DW*8aC@7FaĒ>d?@).PiP|.?۽4&@W<VJȚ$y$W!ބL\b^*C$H%UUCMFI<ԙ*:?H',<?.
-X)iB빮ꮦk!gW	1'`ۺEk鿮;C*A
JA>`o’h8B:1`*f8>d+?!|(\ÙB˺,~WLA40ECk}j#%,쾦5	?deQC5J9h=B?ý*-fAve+mbl@644FWFqp.)k.--,hd@[,MZC)<H(|->bƦ..t
l`dWi9mNG-ȣ>AbFl
;)x?B%PO}j<Tkr4i\V-oJ3d $MDYJ//Я"ԶԅZD"CǑ%~d8\ˎXT!-㾬m/HdnK
R4ְ
n/Y	U%%$py^!>LtAdD@=.$ȁ<eAc;Bq}ChxpK:E9^Pl	H*ލ9ʂʕgދA4z2<ў%fqEYlKK&Ĺn~o"/K$tGC)crD,/N\3ACdEB2{+) "KH|?|\=iu@Q
:*Fn(jq
Gqr>/15MyGzm L|4cW=r):4?C<4GvIj-fHL*}.LSVhf0	:I<")cçF|?B|+?#` ek~p
PoZZ	))a[uFuwI`ĤT": C\c4㎄Fe_<G@C-D-bVJ8%̯$&Nu˖jԥE,פ˥z0"
d\vP8V?/G2TYckU1x3m+d ̊LEs*#y+~0
C7H-ʴ^TYob/n+&2eC0;CplboO0,6@M}7;GNYvoo
TCZڴۀ%4*T'=Bd_Lcxn~yKV$Q>hRc.y'qyPB96(vx㦷Z+>0
3A(8cU{LyO簆r?L8I?dAg
5uzwBZDȃ6/x7H@(^P5W%- bH:F̩99{y>Fõv2[N2RFݦS'
t€׊nV:EGG<nX@C.JZ9Ѭ%O>T-7FbRJ6̾ọzr(:lņ^	hvbLFɹs8
z9<	;D&	:</s;C|I\<HA=>WkHL^U%&uRw`|Fjxûo}c&WJbK[\n"G' b=s`=^C#|E1j{DW$tJ75o^E+Fvw?$FވAB\m4ggc.WrT2=A&SĮ<c:kȆVy`/XK
@PGHt7۰!] F8bE1fԸcGpGq0JBG|fZCxØ"ڱ"KE݆h9x#rkW_VԮHUk2`UXoƕ;Ғ ,%yϒ
Rv*dncǏA$iXfIѲq0U/ϼ7~+]tэ$qiTib
d߿SH>G[yss힃EޝrF(ԍ3
1I-f"8Nu4R9=Jz`m)d٦ڠ:`~Ы—8ɜ.Qt(e%0v0Jcl!(iQb!kl/'JnxFtX5|-:hɼPG"*lF7|.dG+%t:;dѼ8	HF4.\>f$m'$'JKpBYL{>~b3V@Wt "_{]/W\;Ag<zN0A}+b-cVn/RY"Gᔱ'"J/u%,<(PtSM=^`qmU1 "M?7pXx#eawP:
Aڄ*O49䍁fO%"aaxt.jbSN#ʒmQߥJTL>{f.%i^Is*R.6;n{Xy{c)N"mUeEyZln;
AԥtG{IH'u1
B}uQڼ~0>MwY!
h[hWy牘DXT#;ڝeēhyj'	Z<<o_05nR{vIh`UB_ 6)؄mp+B79Ogފ% ya;:$a2B0x
Bϻ[Fz&RsD$ hE%Y%DA@9b$MJVwxHxaX⪛:xad7E5bPj
k7)<Dp@6&O#]wGo7MAMtCP+mKu?`A`A99P!
I$ɅE0"MDC<;HK>>!,3S0HYh!
0FS#}9C(,Is42j.Dp|k^:`=b1Oc]DrQ7j8/hQ- v2xa opcr1H}Vb;&"T^(6Gtc;HNA{4*"13HNB}3HqֺE
@G4%cI#B~BRq<؆!*5S8Ta$(R7V)	P37AKPIhЪ֑xNJ##};!=7ұE!uv0qY,2W2
@D=@HjEYAKf8l-F Y$u+g`m['nu_s
)H+E:Nw5"h5,Tv"B=z cQ؜%lTFXnE~\d"~%/
>$&U0@3d#6우M2f?W2Ţ#iOrR[P*]r38L&)Xr'ߢH!bRC>)9"Aph(Z"
w
?~q?$
y]x&mցB@W|,Iyő/yi+EZNmCKw-*M[M~;P!N&_wdIx:dsWUmS	lAXԎ6ǖ\0=ed#ĕvuT#rL<KiÁ-?!
iG&Á8ѣ8ZdmfL+
 
Ms)DNp).S0B

QL;6%OM RozCE?h8
kN')^9bzV.-Ȼfb$'䠵%Q
(G`<\
yw.MFq!t=#II!pH9LEMv@C7x`-}*TT5!xaZr V!o(O
y-aJOn`D
o7P-ڏ~C8(D(Pn;a0*_B1P߄b@B
.@@AaHd!#X/,#NG`H,M+F"*
+,n$#
Z
A$+YLְ4*;t+Т80˄b8#pAQ
#єu'BnA!Vf&m#~) La11D^f'h!:OF!ef," tdp!NxQ?1𿞭
1%\v@V
4G,/Fڸ16M
CFePgޡwo
&

`0+ 7` ߤCR`(Z*AuHJ>R$mҺPB1^T%a`c)at\HZ#Adz0lBCRri$ ƨsMnM&+oŨ!`
|a^,16/ɦ$CFtr~@Vr$2\dv ͅJ	`

2!aA27ԋL\*!4tQ!X(:+mr6!EG24|!$N@}caBS%
")F|!~&W!S!!
<`v2!.N83&pb>ESE
nJ&,\3-e3qDr;; a
HBsR(BC /;:A a{
CT&hW"DbaAh<?!ؔL&&$AIJK/.?WС'@oJ@&d(j]"TM+98V`Cs
Y"ZȩJNH	qxPۡ/5"Va
n4	j!$R  !C<lsTˡ4Iutm)/|jֲڶeqUFAM9RCgtR#Yd"&dBZZ![<'aG$0f$U$N`lq ]/C
D0*?Шa_=5$9dXorh)!&1kxgZ#Z%jZ!JQUeE&lf6#-),\)9t/ʮ~v]@BA-6./x&X	d`loAH<d\SM
2A-oAz!ovB\Ǹ/UeU`Bm*aj0iP!s twtv޶LpA©&Daxvcs`RT-oV4Rp9V<X,J$rd-
:s@&$`{Q{WL혦37VwgNgܶCp+~t('

D
j4z37Z#X*
N{q$Nq*pEvAr.
FM0f8oADrX'~)Bܜ􈆍kv$nsgbx!NWځT&n-R*28NH^N8L$8(w` aoAD|
< h(x~@$@AR$LAFbNf7L\ʰ8QxBT$-%Ҍl}'F'B(POtcmLxc:e/`r@̡i(pe%=9Is/bBJG
BhSfp_vz7
4%5VJdO-3z:l9/<y`(B4abe$*`FIڛ@:CwؼJyB.PG
Ӳ;V	#4A>G?O@DYYaPI:eFa>6,LDC@nCx|ךMETDZEHICxK+.Nh(/v+w$κO0J-~O&:&YԚ@vSځA@{HoUP[h8b^A:O;t{yᄸ|z+!BS.`VSJ!T
ki,;'	P'^D`"Bn+RM27U]Ge{cZJ	{/K㙃K+]9_ޡ_ s
:GBBc
D ҡ+4
i$/AEJ2%ˈ
Seg,	pCcjKqi $lt|/RDaԢ%F	]mAb`>-Ԋ͆ aZbt!xrP
CB<#Xq+uVuu6	b
1:v(<]B .vI]d%4|]tDt3g羻{}#9SE-.`nڝ=RA].A7B@AW`/
>M	qobBCAO(V \	mb5!Av*E]
ܡA
>B1JIV! ^A'!HQ+1oYаDϜa-Tcy"Ёh,*;	>C.̝#>!~$,_G"G
 ra5BhӤK*T0j\4 8i&1T~r]ށiIKx3>`V,}.4*"j!Mi
7 @X:|1ĉ+Z1bbqr=
d<2JK<"[$H9Pzo6pbҥL)A @9g%ruȵ׭^/5K6lYbٶͨI_BAj	Ϙzu&iME@7I
-R7@L͜;?OEQSr^[2ϴkS<]A]0l_2<@;d7x<bsFi	
vvT}og!v}{_~cժkw1lN7LN9`Øcf}x⊇"B.i=Bj257#޸S3HC<9:`JM
=8YOpwTRJ~xPP
1J[='gFt@ N!66%T&>'iXo}
?B=hDj}i^^#(
?
{;3)X
*S@+"#P>>K&PIy}vߝw7'^Xh_SD`
*酮IBJϷMuKiϥHO?Τ>2)Z(32?ɵe),{sܔ,smQR&nG~ˮqkQ\	Q?
|:EdXc</T>%Iq?+}4(C?`B!&[И<8㴵4L %K>39ϖ{6tt4E(cOD`1[B|C}v]JS.3Dռjx<-A=|(ݝX?ڴ;lh8B +\P>%'D2p:Og_Sܠ:Y<AwjO3‹	"0jȇ10%9@pHG/
p
~|SsP՘2*Va?@{JD	:I<x$IhUdhم=\MW5!!@m;)
~Ly*[CN%,saJ׾XŀbF:BqG͛*ʔl
ݨ^RCI@(aXb$s47`r,Q0(̓h-\#H	p,"҉Q
b)	X)T4y#MأaxȻ>D|UϩDH\N A(Z0JX"4$C*
Ѡ`zY:g^k"@BdpY3LfDx(@'AB{!@a=vQI"GTfMQj(Y>
U29dԥFUC7h::gW o:r(""^b`%D!l͌a)Œ"HER2@Hhǧ7QumcFR&h؅
x#?Bx|y:EO6RqYX!:{PqE@rE7"əDLp
А񇿂9ĂG;ʾԲㅈ;"ڛK(A<;Zx[emUSq#XP=jB(b\S8
CNШ=ƁJ~#fяG&
.nT܂]
~idygNOVGM/`[8B<%G8`81O
{<Bј3#% [CarBabp1sYR**A?hT'eebxдg~'\<!?ɾ뮈lOgH^Cy!	,ENsZz 
ib,B=Vx;4zΈCHf'f^bead0}H#N4&`*B۠|}X`RÆ))B5e+h7FU)9M|aEz
oc6
zQmS
l92SOHHMWuSč7sJ8F
qHIAI 
`W{5#$ܼw΁IgD8%Z#Q?1!0N=y_UhB[c);mG
#.>@5y/?ƀL< _B8
"(d@O12=؝i11'zIZuz mw4`{w@W 1	0HEuW@
Z##p
8M'#= f(,J2+6} x;`~iP{<Q6@kSrp3WXaXgyyIsn5@7vGզr`	!1FXHPNs6X@4N PE@"C1M 6#c
5^ާKx_P]rS~T h
g@62%_P^_zCsF's	0t; oƉE@PUҰs@.+M`C-BwIp0Y(x+ q0H {3XIЋ$XjSy&|A2y
8N9W@
HoIIoo	M`!#WP8p	T}t^T
0- 1Xbk]Py Ys"%$4aG42HY;	0?	. uxH
Z|w
vٙuQ9iyJ[CaP(ѐQ7Y?9,~t !RsIv:p|9l~yXWwtx!@}	
_8|+# p8JiY@d
JP8KV  bC79Qy}ysA蒔pMСhT9Z i+`:W-=EP&`
0M&` F|kgZPΉWHM0?rSbe	Sxw 6]PD% ؓ@R+NS"6%^xѵ
1B8X:}`%.{Giy(50JP
#4:V]rxYc8 BQgzvJ㩩tYF Y͔|",޴BAz”!	60v3
	M"j+)Ч).i
RJrW;q pW?j<Kk*S	qI5BMZ/DECY\
Á)`uj@вat3f9xE
1(> tсf$Okk	AyXn <^	UaK3
ƃK$Ŷ;t^&
Pb:A7ɪ뻮*]Bp#C$+vQZze	V[z{FKY)0s+Sɐ*C>`y7	ȀHT8몼PC50P" F9pajr@B[
[cd+G)E	AMLMD! k/-_ 90oSzQfjrYkE 	!	|Y@	k3jP{F@CFL@0lY\6fÙ
tN
 );xF<
ZlcQ_F'^mPkdrfRg9Yfm
uL^
[
BB["E#y@Z|)zY<[zP9Q
@
rMj L PqP
HXd0,Ø q<LfG+Hj{Ȁ@.=NͤxX/~:jyϡ<L6f{Ϣ  ť
yW0-Ӑ7P/򗇪{L|FC`
,ZF  )UMg]pӯ
<mЅ
<g Yb|NPIk`a|ya]
e̴VG/@u>ѻ#-Ѝ
萇jc`q&mLtjP8jJHEMy
Jr̉Z]PVJ3;EW+Rg! a	焾p`3e޹ɹmؽsrl
W΂S2	Ёl"  
acմA鼡x+}P`4Ҳ}*͸D5"/!y519Ь#M
`	םڍ}u#D-TK.#
l_Oe&:XRBrq=O!
6YuL`J4 r  ~a3uPLuz;$P{Q%ĭ LnA[+1~THi<(2%I{uՆrI,Ђ:rnR2w>g\;.LoI}/Q/JݎT۲.-cᐅa(y;-L~
 
$nr.z$
ΐf (6ֹ f6^p998#:%@?!w_rqO>JG}՞SZɳ<v=}ގM߱ᠻ)T@p@SB$M1jp 
tXE;K4gZ&*B:>}@ߣ.qk]~1Fڱ
1jE;DYY).x;KD7&
n/~}e덈ꇽo}p?
BKKK{	},p FA__z\uV1fۀjP'ԠiOR
u`P_yGg8UOJ6.	TB5^@/q	D׎	ʹ%k[t
mؐ.‰K5n>Q+)UG6PGmO={	?I.e4$4%ac\y&iŹZe[qΥ[]&_&\&% :@1E?5	'Vhcȑ%oٴ4Ŗ/=fݺs4?tT-If+	&'gfsѥ;9Moޝ0aiE+PfY&Yiө0gn
y2rdb8,"B3pC̑dqD /(eKD_ [)d3>XrD sŔҸ@rJO\L
J,Ү/f HPLVQ
Bno50D2{D1Ls" THtTa*nK"JRL'AOPCF:L	XMNt\8F+M=܎'xWQ/*
iɧ"xSIYjaR*ZlmN&Xp
1kqu,/!D"U(<o?`_PWF6ڌōZtYSNэ
bj"E\CfʾRj̧EѶUXs7	@\'AonR֡j3a pIM(&K
_!CRtTD't:!
ʦ^;z%Iʑ'2o(EGBk;ԑqlA%5!_mFSuA&i#%NOopmaCC)tt|)s߰:t<#$d3^ݾ[qݧp3^ñ-.*L
n!(d0.TT{`tqy|#	z e^03/0:6;pEmvgMېҼNc<О:xE,҅E	/H ۰ʺ&G exohG*P|(14"D
J1%Q*SѣVfe	i0[ӱQ) &۠GdXw㍞md{[fTA1MbP>)\*Lh*[76y՜VJR;@O+V98.dy#6#7X2/b4	MLEpgAs>TnAi`Pj~2,L+v5

d("@V+8V0iT9"tle]*YtgAQh p,6<,T䇠(OUA;CC(t/
M
ѱ
R(
&dDHƉG(vgPX( X˄u=jG4.y*?%E)\n@G!#j*E$9s|
_*[өƘ
렵ءRkDu#@j
<UD2oHz"a3=+\Z3Rq\)9gE~i梗ki@0,</$M$].eŦx
5!I@ĥ‚+r%0>qx%`dńN#]qUZ1をvbJ&wcI#vx"r`]Pw7L&IT"= 
2Lh|iK(t"IMa],KND(΂ǤHV}vIdh:`^*1!9Dy}ih[:E,<IR9ipQ)BQ?@ 1#uO`k@/4
AFCT(p-h'J@jw/p@pSs`<.ʻEtTԘA,r΂-\J+\Wl2 cʃe܅YBp'#.maҲEoI|T0xߝB(
!fKH($PNN6[za!۹-EGt:aKM`V{C,)tC7qD"po>L0ϕ۸-JL8c-{DӪZ`4En&zh!
{&AtbJKY.!dгcE/ ɝKT.~ā#a8
mi8>Zpii9@`8?Q1;Z Q}x8y@P7N	d&K<;@l8L2A?bCP:T014
H$H5X̠ö٠k+(4Đ[G:Y({8z+<,d(
҅h)XrȌȩ@1|DA4L)5h<d(xz"9;& &=,>,$!}0)	c_Dal-JD9$؆D
pZpPT\YSԥ	U5nW`Į
p8ޘh@a(DdĚRF,R,!ṃңkU%^4$G?4ǫ)R*FFzH{|L}m@28z‚ܵ>#V\ (8*
[)@H,{<Ƒ ђ
"7_BɿP2ɳɟOB&=OGdJI͒dhiqJ<Ȅ\̜7iHIT܏a!x4Q\/x`\JG C '媸#ĤmLBK'3Hm؆P6ydHlJc4M,I:7D1cNI1|0$-˞LNN֨1"8Ѩw(NTOAy=ω=FPz0D8dJbyJX"t%CXzHk\Pa!E
F
`]<ЏLPPd5s@pOBy`Qy:GK	RQ}ϒSzQ us(q8(?muҠ8So}\zӛ̫1 DxH9Sz$;-IS{mT;A!M`+ȄPfa4'i%GHFbc6K	<S>H҉nFll2M/OT
5u"qYFMZм\	Ca!	PGdELx-4Y
N2ݠ@Rc!&dnFG׏(D;AayWe5lDAW?$$~{RyԄG^(oRKUFɌSg$ذTBˑeQ^:扄ܰUH!" Oa^
T2A@6J$oƤWƬR gjœ
@n[H"(
[ճcjֽLAue5ȯoV
>#J):\ąo=p}\
1JI~tJ4xۖ[;]mH,"$:$R@FzuXN$])`5TQ<٭A42az^@ƣJPej8ޏ:SmBDgqC%^xB'/(8صGۢoԞT/,h+8I;`ۢ[ȢXȐJ:GMŅ[աr,N.F3]5e*TYcH
G6o0+”ʈeȇFbs׭`42,Ѹ\Z*GR`X7^R,	f-U\2|HTEf )US8_@Ԫzҭ=+G-czĆgb?G8Cdq.czpqԉ[0U(2cS\˩/;&
=c<TPqC0sBIFFpXDŽIKڒM`Y
x,	fKQgKL88Pd$1n\*Y[gKkhb	)`KL-xK2Vg(;D3M5SΤ83ƱɴIz#st_uR`40 QIJkfGpg505<U;db5֘tU֪d܏Tn~!,	#ec%}j95^˶m6Rx<qj iZapl1$7\SpuUsjG>`0G$u81cSSHop@wNǘFqi`S`V2F^&_pl1Sկ;EUɿ
nNN:mmd;ӍQ7H4k(oX s<}x]|6nN<t(-8Sn(phi=Rݚ^/0ou44V>ctmlZrNC$p	R͑>rpEN?ّפO`H
O;D@L{l$_΀Z&>
y&a8E׹L$EAt`)Nsz4>8aH\#D%̍uoÅsm׍-qۣ/pE?PRHs87DD;Dk[k=#ۈ>f\DVoML Z<x_XDOr'.,'Qg3n\^E4̄oprO#	VKG
ilqQ`F/
_3	vh共%ZDP;zʶp4d`Heg+pLtKRjIZLu9aɃt>&mH<AtKx5Xv
ytpʒcS|J`OuЂ>/zd
=(}xw-czt%{g-GZ$0L@hz?Is-_ TQ[L#oV>Y'FJMJ(8؜{wZ/&P04Mr0ď}}πGp]ts,	y/󙊅kp/
g~1-VeOX!	ti!ÆB(q"ʼnKrF)9D(Cq?bn
E8Qq&͚6Vk't(ѢF"Mt)ӦN
_4ިLMN$68@Զn+w.ݺvKjDOi1[us0Mq#[䐔S:z;6|0?CiMzuԩJ%J6cW6~ݸEUhղe-|8Ə#ˋF=ۥ3uڦf$(y#N(wd):œ '>'
9ީAFݔ#1ZARX6>SÌ(HEOb‚c:miB90
T#^m*@IW
8x8SRYC=P9H7Vԑw!5I)*ǖu	̕{BH;N$AXe&8[Z٨B+>
tJ2Id70ci{0=dHtCIhnd+Uݠ(p"SE\`=ФjuaE%ݨe,}B9HlO4&"PN9َD>˨\pHMhs0Ka|+^)j[HWsjۤ.9}_c0#F/T_GO*ܳn}iC2Ղ,"Fp{e6o:(:޽XnIO.#O}ώ)?T`h7w76_IPbh4pmF%Q<xSdY+q"7C>IލjL$YSTF,,N0/EWZCMybȲ%*,C`@s6mV)
Z..1L|g-*)&E'
wdS*E\RAjM[J_5<Q5`j0S.*\xd]E?
D44%n:@`Fkܔ(vwh4ȝŠ#Z	gq
ܖ$Yl}"8!lalYj:0`DC5HқQhA~h%REHKu$Q;>K2\(XAOfd@GWHR
DwYO9AJ$tГ*䈁@UNvGg&9˩G@@~
	p9X

t+<+q{#]9|5+bqSg
'я|#L̀+jz$)02~]XAIcRQ|x	d@:ԫb)
\?A
h".	L S_ܢf^@8ḃh")Pk!"s@Bj>C?*;sPPkB`tA +?q
hT4ikэ}Ea@ç=j!T
v=,fmXQJ7Wi=d+XG;r|ôoZc@\ $n ͠Bm-Ѕ@J7Y=@r%"(4h^tA
-?0Lv*(L\޳e\;Ϫ,tI-4aם0oz0lF@-1ѸlZp\/=p?
iݻ<dy`B;RZTzsRB,8	HA#%>`sHaKF4	ΐ*=E3`
R=mjJW4EuO];Eg
Æ{_;6mc#;^6gC;Ҟ6mm K6
p7mhFʺnq;mw;B	ouGѷy#<ȩ7o{;NG;q0x+qC_9Wü.WGr)[=Ni9s~s}F:O~pC=D)~nky	?=bNYfO;=r;n;GIF89a9p,904448<<<<@@DH LP$P(P$U(U,U,Y0Yae4]8]i8a8a<ay@e8iDiuHmLm y@uPqPu0YyY}L8Paae@iYi] $qLaeuy0y8}m}΁@a@Dq慡҉LPqUҍ֑U]}a֕aei֝څޡmqu}ުޮ	H*\ȰÇ#JHŋ3jȱǏ CIɓ(S\ɲ˗0cʜI͛8s$c?w
JѣHǟAJJիX;F}*pk֯`ÊKV@:ڵm׵hʝKݻig\~L/
4p෍#L	[澟1M\QAo^
:װcΉZ<ͻNȓ+_μУKNسk}rNy@bA˟W4?(	=XH#S}HWC-,26g#h"vаhͥŽ? cX<-X#H&;x2ҡᠰ
(喯DM=t(
;U^%lXe7dN15n*(]::L4GXw#Jz5:襘^
ڔ6Ř@)9Q6b?klM9G:f^ʫ8ޱf_	c8F>Lҡ0(<+H^Ʃ͜`~!8l#:4&ELiL`#Ųq+ # 7
Nh
0%2|l#T;@G:|ܰc3w8魚(M)H1`'⬪$Ag^죊߆G:u3tuݦT$⬿6C3}$]s(]ӆ zc^@$0D5Tnm/P9
LIT0{J3+ ~J.-0cށ~Hl^gl;!q$B׽/.59-4(B9фoʛQ&-pO@FЄ 
uhC!~h+P:`@8a{LX*ԡ 0F?`ф>: 	)6\sЁ hp'f(_`$EsaC/ޕpGNи'j>p7g=$r#/<БG^5l*P	s-p1H	vWC>8/.r!!t’%Q
yl-r-%jQӐ9"lH,/S/S Pe:\1
Z}l0!@?lQħB=ԋwaKt/zAeT9>721E
@yM-`##<CLiJqr"U"6ոwv@"e$h@ hNGQ<#c|Lx+	W׊
oA Ѷ0gíVo3 5Hh_#k]+-Cv@`#h@^h5:z9$)Z,AI 4ѯ|4nn?ȁ	lbыp<ʀHxcl#:`M(a1>_+7NAZݭ@m`ϑBCMoQFr8b
$bV(}
0VJ
oEoey˻
)Gg\־mE2)`cVPJ/[3;4];A, }='нY
ZTXP_ZFTc	^&?>ilm4CL}9rfNEqC"S#RqektGɏߺ(mneyax`aE&hİhSq@ČYTnQ
kz %Y۷pϦG22NSgy@k[Ƶt=.iLq՘G0MI_
n_;۹~q׶IEwj+E>U淵,m}Mnh,튪Q)myS[wųo|GtdJ~"eBM->ǜ蛱ѧ;9,E6eSc8Q<#櫱_~u}Րmc= 1H2c{DlC/ސczR0
{XO.(2vzW+u$EZ9E9v
D@<f[QU!{111,
IrcvLX2u
9Z(#:j7?lufCXnv7ͬ;rwwdQԀ\\
R'n1Np@w+4ev[Pt[>¢uUIe#\G3
iQ+P50|a	0;) VT"mpV9
p~BtaTRTIp(؁7b৅y^bp0)PYqA%dʴwVS'GpsW0pjh3UUfXp!_³h)`V‡.XLPUaޠHJg(#^'V8%
tLc@Y؉x3y`Aw&` uUqje!fvp(M)k]
&]p4ln~ҸU
gm`-L%S鸑@MY!R 1,X`1b)g׏88~Ԏ
FŐ`w  V񊱈HY STI"iPX[׳y/!WZR
 c4\P>IwyO@IyDjGy#9Д,hW[\I"yyORF`4"i0sS9yOGYMyR)´
0
&ęN9yٓ)ؕ|tՔ+uڀ
7]^ڰg3٧X9#I$y	\0D}` 5$
,@j	+i霰YZC'Xa~Lr@F
pj+
rǐXЉ*4z)LR}q@
)E`
9`JSAVwiɑVVA-w'Xl_bpoi3C֋G)#)W*5:vͩS`y :5! JL*V<yd0d*r+N03"tUJ)/PYщ3ZiVI!MbOڨIx	-jO,`2рpI
(/Vzq*Z^ʪW:{W
&ګ){f16&1"ls8`2@:U:EbAz+뺤̰:௥]3֦@hOzT۱G(x굪dتc+y ;v.;7i
#6
VG;D{Fk5V0M	{dS+2(≠0`hygxCKZ <.
a!')JJ2'.D.D؀;z,!
j
h`6hDѶp)zNPb'rT+0Z)4bF80.`:5	`~FY@	+i[Dq9VʻϹ_nkQ(yW=&DK\+;s^SkBqd@AcJK+pkawK)VA
i:a65)եRĕ2;+BqJktJڕD|O :3+>3plZ+zªcڰ^ź?0LPr3<My5pGCa'(l_"!+,KeJ	#D2dGuڪI:C4f9`UVk},I)v.ƷڠQ`Qr|u|*l\ܿ:v5G[|늠:p:d0q̲1LJb*PZ~Ǐ-5`8ɧ]̿-c\+!d'`MR<k;:(pHx`a+1d96Q
/F]s橢"<Hy@<
f݊(5P+ͮi`L *!QӲfE12$0
2[٢x$̎IX*Օ\ta`0pPx(BT\cc-@HGֺ
2rmbr-640F-E"mipAFp:PRՖ	A[[u~ {ۊ
eoTeP]\Ǣ+ݲ
q[@]
G4YQA
LCdlbݙ}go7<|,]hpQD:	1kqm<ma 7=mHPGw8@M"1փ`8)0.N䝈-Z ޱ>dA!<<:	ٰh]#
Z_l0`&r
5
EB:˻MP:pD@[pPt[>vpp$n}肒}~d*έNN>q
d@4=ʙdT
z+?`ƱĐ	[ھQp7@Wa-[ aݸAbB@Z肎ޗ a
LBiaP1 XK,
(Xks+cp
er~ĀFt=[a!锎\
Uefd0IlVZ=[Sٶ^|?ϖ›`f^(o_Ȯ"F4
;G`/]<6^Ac3Jq!Þճ16Y}@;`QN.
: V/Iu,4uJ6@E7P @
p AOƒ@ND{bPcπpFz[N|`Ou+utFa
p/0C+
pܠ	JS$a*@{DPB
>QD
	?~:~DF%MDReI~[=0oN=}{Qh*ETRPFs`dŊYݺBӘmsÙ&FWIF>zŏU.jY<$ ʹd-_ƼY
h͜]lz`7mR=՘ְ8˳uV鼤]k?d?gr/_6W]=OM}r#}ksA
i?aH`"`ŽA0‰,9gLN'jtX.Jh %Ş~"` pQ@yE	D! A'4%H)&I2$	

MF04d5\l
 z12IK'Ę2Nbc-peQ"QIS-3cBm:Xt12PK}PgK5Im!0WcSm=`L_ZhF4#TF
:5Z*3!7upr3HG_'1zX^Ff0B_
aSHVV1݇5Wȃf0U)#dcف<Şlz Ud &JEIḜ90h#H0)D(Tv+&mW̓ 肓(74:aqǯ}^؍@jrڤW_<[	7ʐ9xCr"c0[:Y1PzوFzqz豧wfHA(Xz{b(Ȯ-<yf^Z.N|c'W3ʋ19YH7S]x((|}
`bd~?PXsKw>p#c'G0@A.K_X>YTQYm4fIi*pPqʨG⽨Y)[*0{[
X9ЎvapCQq
GABXJr%Cia`;HceVaj:LjmI!s
vҲ.a-(`~T|C) Qh+XH6D5>Xb7f	|h[Ttp9Ņ OyaE..ixG]QRI4Odq
~lQiF0lѿ|$ByiAqAD1KedS}:ESAЋ%@Fi%t+oT#	kಅkH*8Zc \
(n@;;`^^cF4"j?m}XI#9
L3 ^ňTjK|ՊB^U2ҲE;ڥ"F2ɎtaYm~<Cq@@ЁE,bX\Avw%dgq
P$@R,cY:'
M(\p&#Hk TBDHsJew%lи=C,?0괡֭`@F;&¸?b
K@VՁxGуaq
&d/^:X
18)(azD&voIx$-|ݦ͕FiY-hU=9$HH &>j0B:d&jP4vՂ*{	0C>NX$*CIzCRU/eG=1#Mz8[4R'x.O_Wܢ=F
bd|zML'gz|8ȹӽu/ܫ^"lNQ&&Q){U2Cv@
rصڂu5N*NjӟFe"mVƕC|17	dnt<o>|>x2BP
)k<2*XL<Ϻ15PPaq[SPK`LR/|HLI!
>om7W^ݭf9O8C/H@@ptK\hB,jRXuZG<(8|gb};RnxJ$|cyOa cR<BZ
~'K?tOc;Ib'/ ^I@PC#%,[Y%#>)qڂi[,l;
(*9+s7ȋK7FgT؇uP)z7 @S:@bؚX@\b@#*B@)%Q2MX(R\"3	SAIY3乡A>d>Z؇lȗG#;8VZ;F ($_
P@[BRBi-@%3Dˈi541HyQ|pCoSR"~`1J	SrqVZ	 DiF*h_:CI6@*Cohi¯ؕ(ؼx
|@~w$F1'Xp|[u*#CLBÆ6<t/3˅ةÓ8Xb@vP
KR ;bc@Do\ƒp(0@ZbJ$0
],z 1S0%
r;KhnXF؆uA"dªtEE*B)+[exh$@H~D4tpPÈ)**Mf≁0?2AxL@|F+ɚ$M³Ll*Ԅ~{k3Ax	yl	<!nh{=Z,Ѓ׋'ZI@U"r>gl˅D	bKEKwOD	3P>:@`[8B2h[4
=rwQذ5	)6mf84=ϊIiD-_ZA [XS;X8W`ʇQQd‰j<Sp3tȅyK;EFcS@Y`Ya;DcX*C-FP
EH5}ȅ~,ȶMӒ%bQ
=:(ȈY?@@WB뜫r]$`k
]qM$5S؇9ƓH46{EQ$DeR8[a.y]]QI͌shM4LPരSWP1E
YI~@ଜ X_:4o ڢ5ڣEڤ0zcӻˠH
QYǚ$QuІThKCqXR2	)jЊۼ۽[%@EZc	[ۿH˭q*ctP͇Np,؍lpՒ}Hz)I9`Uݏh$]cy	ܿP*wŸ8}P݊Ppo43|UdI;,B%+	رe,͕`+]T4ll2yȅ(83{0dLX	l?"!MY<BN|ȃ(a$Ըx4SY( #(=i}	Z?F`jQF
5	M0<}HmPx. HC@[ኸ+8aQ@	p$Єop(2}PQH{IL>cVuFI!5vF3֚ 0tKc1Q;bE5-dx6LnJK!C]ƚM
݊	#X3aVᇉ\W;Fw򜌁@ye_xq~dݱpm^:(Q.H~儰X |0dR,4Q=Ty<c%5g*tV熸+IN+34mI
8|ئy'zȆ ^atL~x3)ԋPҍfJL]EI[6y3Fȗ#hvv8D12tk軦hB
CUj9Tuꅀj
,hH5}SJ}P
'HnI|xI1F<k춈jM(-5Pڔ"?Mvyx!.&njӮ뼶nmΡn@VhC d2Ć#&g^tҤ
hfvhykfX
V^EY0&dZS61Zс/j^m_GFGOxcC
-ohQ'q&p`ofq6?,Pp?'*Q>h)i^
'o(wV#r/ߏ0sE)N^#/#$"38Jsn1o-<Pfȭ5qj8,HJ_w}0i:/qLtNtMuRFItZtU1KF)_V" vI߀Kx;PZ*qsuBt)"ONۺ)6(~hv;2Ф6@wWutnwmj[[J|fQwY(zd_Thd@vp,Ȃ= y`6vGov&l'@ig>
7@~`JS~:o7w'y
ɟ7<kh
`q#bst2Hz@	pzyXIgh {0@{)΀d1/g{q{bC‚Stl
-4Z}6wB/Ŕ}-w//g(K||wOz/tUmІ#۶HEזُ™}݇|'xP|$~z1aQˊԑ鏁]s~}y{D'w0<͢'Rh"ƌ5߿Yh$ʔ*WlY5@Ҭi&Μ:w'PDsi(ҤJ-zB+Nu,Z|`8$)-m6V(‡PA
:(~"q	Ȓ'Bf̚7stȒGӨ`îVX3ulٳp4Wʸs\צ<C,
hIeL</o<ND}ojS#1aBQ>Y"?מptgI.oDECAAԁGpxb{D">1(xtQE:0U~S͡&Q5&^p5HHmD8XB=xd)-,F	4̛yJOx'1-zV#TTS3!3d:$1S҇\8J`A\v( Gv,a>)YS
R:,9U2*%dk+#Oǚ1CbU5m?˶%%jb
"HĘӘ;F͊`	+SAI0HF3Qm.Y׀{>lˮ_.1L  Md7*( M;]"uo
8MT	 2%U$Tp0Trr 8#6
*4G1tы싸XlU08
%LNosB}m($0MXWr;_ΜUcjT*2k3CH8cDTrI<w߽3qЁ1p
&hAdS$tLZKB9ѽu;(h9|0?𧿅:6QLhTh(g5
A"bE
t`ѸפP%y~<gE$1<G,:xJ$-Ɏ~52VPz'mhÌ)g}P!qtX,I$׌qRڦ4"b0x@RBX0g\&!DcG<;Y 
r<H
F" (F!Mn2pZ	L$O 9McFmG"RXd	.Dri
!`.?*Y<#GGd?ňd1"đ*F<Pq|D*KۀN.;eLD(]PDb2IrZG,R`$C!3a2zy%%TD
{{&0E~KF"1I
slh8`NbAT4 z'g.0'ihb0RyS*_=Ő֩&稒Ҵ
LC`ܢ+7a8|6" SY	'sXlA]DcaQބ;e/x\/MƛfD0E0=?`c3`M'B
>A$+Mjĭ@'i3;p%<@$D=-/-"
vhovdS7х-ч,8_9\Q1Fb3D衍ǒ Sy:T'i<yj0EH6uP"4sup@>oEnpؠyMSLa,]d؈*:Y;Fї3	
@gID'V|(c!1@QhaSf3%q 
Ɍc)xFM/7OA-܁ 1UgB*.<\#0.X;^{3@\"%GGV	iwS!q;>iEDi?a#!	9rdj
tqVZ2}RR*̑
cAp4B]{C'a̐N4C~HъVr#!xKe0B$-*K{wcHk`hzjr:}։±u՛JXceܘ}EDcwf	w_:H$a!p!~'O$҈h4|X䧊Kyp*P7\^FDh<DFG;DXC$4ueTE>ֽke@9.%l8pH$;=DdY@M<pG#HC<<
z_ϴ_e\
WO4C%[/C \XoDHӹ$E.BI\-89>.HX@| gT|[Լa*C*:fɁ1y`4@Ѓ2$H:
?)=t⠏P>؃yH3D^≍A:7`A#H;ol?K!Rc]Kx-*x?dhě<8\1@"."y$O $(;&EX$CƕbTF9 CbgO3bR`Ũ
;pL@i<.H\>_w4B#KH#6rY5!J`?8C<<Vt܋T=cF@Y
=*bT#@$R@r'=CbPE4D!yiddhd<J̥CYH5M̚Ƀ;`iX?QORM#K=.8SH@<=`]"PV#4>q>E1Y$k̃Z2bXZBgnT|A[VH/j|=LgOLHDA?t$?Md5V&6*A9D`&/Hxy52<
&tWRmbnnf)f[Np%EvF r-DuGjE=^A*U_D?oX>yOZfeExHXX$FfB=
hW0&Ano'
Lh\Z!dh[xhTH[`A<xNOlAB?l;L>GXWe~)t?CeQi!]F`NEevAҁNE})\\ǯCFJRydTxM:|`:6Bm9hH4@!=cF>*BgrȥF.@ZGlF@'@)'XڪS(lʦ6#(^|dPP֠
0?/l[=P%M52a荜kX&2$I*HdBq>k3v߂R:gvFT"E)TÆl<D,UhggC<Qw2?8B';C6LQ<CrH#5HQ洩.irȆJë5Em@\p&jӊJ0N-jPddQX9gX8<P*h٢-yPnǎC?+*xDX-DfF{VR
Z.H$REk=fI-T.|^.P&
'A) kRaS@0!!DI"hC)k1ܟ&gA
#dC=?C9
3l=C?$=1TA?C~%?P$l*l|>1Gq%5@@yO X/k
pOd:'Fk?DxA>\k,B0t³1l
P/{@'$"'K/qtlC<tX8w>O A/1_JG#Hq,2-2Ζ*(~)Uxӂqp*;ز2۲<q@SqJ0ge1-SE͒X"0Cq@M-L<7d ?1MLN2+%&@*OwOd2+0112/Hr3;sd3PJX6p=@Bd+?-0,"<?R-6ldL/C?{j'ѯ\\BBH"1HOP4/Yt$Fw_G3ժ.PRf]4GK{BhB>kN3@@y@$?/\o6;3m;UbgGS%n)k<LgWWs51lfm5r[[P\GwS0R?HŦG>2ұЃ-`!.yY't3
*-!
8vr;uׄXV+rifj'dCZgѶ3GnuEgq[DC'])Q}-;,+z..ԃ?/8//pyC=#xvurHN|*0<#~btmk:$px8y<`,F@u?MAצKh.:DA"3C=3"x@yO7`w8*׷{L9l#(k7h?CusfI9|dYo*^<tBW1A8::0zN${3)k8Vwlg%[/:H4:@frR(<oT|m9sz93,C4|&,.; :
w0}ǐ0Kn/d:ܻB;ES,`A$P9Z6p#w#jZS:p@yo":DCg?uֆıUl~XE>k}|Og{+V<TwWDIv<ϣĘϣA&mRy9<
Vq/6o
A0|I	(6/~G,.;Gzg};D<
H|
p=e(rb茎Olt{W(>Z]f=|{u/!ũ 7G+9dB4߄>9}zK^x'(
n0T
;Hbk?@8`A&<h!@c F8bE!
O=0dɑYxeK+BkB?ܕ|n;x(=xgÈ>hByFfHCMz-[~n]w)L8`:~\itNysÙ&ռsgϟApKUQ#G+B4շjE0ݘ@G57B~[)y1+/sAxf/^Z7@w{Bb:aW$WHp2COlAΙ	U೫>M6 (d/o@ۀˁ=IjΦşx6 mEl<Q%q{(#̉{	z9?H5Č1,LP0q&[5
KšD><6_!9, 埴
BƶA
<sK1X"&JVp,9Qe?!;LPYiA?x'L'""a6HW2a"xЈixgq/&O1,R-5 ^321W}݂ȅӞjؑEVـ-r2(kkDH7Vb`~x#,VAi[8fAd@@:Lq"HN)iZlaMAxSUHHѤ=rRߧn[A#`Fy,w*E-pp"q-Iog E&u#VcRpxmc9Q!ڎvq&Ag-R]hBۉHfc3G1C:/[ȧX}g:B3ߌ	P;_i~,|yPW0l>B|Nѹ1h# ڗ@!+^# 9Sj0L=!́n.|^ӉP|j `6fYJ8_!kM@HlM<Dπ'~5(13=1rmr9A$2qHH!xdxBrn汙0-iVH#
^1эܗI"LGXƒ1,gł,Rԥ.4LbS82v`i1!yUL|]C+,&ɽ򖹔%.rK`%ydB+r& (pf[#b| !Mm.jxc=u1<'/wGZL$.7*vFShXJ2#cxV/DkQ1Mc'4dЄ0d'FTIS\I>T8TO1Ƙ0ɮPxA29ĩN \X[32
$5NҮyի,?j׻2x(0Ut=tHȘ9H%A2V

h%piU2Hm.tDעZ|fU^: -@p։#sѓJ5--^)Auw$[Z.y0FAg0C<
``B
.FxP"y
*x^il`vm#H
?!>CcTA5C|z0`3"p1wKA
f9Yz?@t-Vhl5!#3i1O0݃[|wd0f)15~΍.HxC$=vݜ_:Ӫ9F)٨q9u>=^x8t:\aVQZ =]ig:>&6ߜ=קCP@y4bAq7;D@h)m8f3yyDXu8x|2Tlhץ0j773kr1.<gk8~%P2Yit*BMu(o'1NuHH0R>g\5pE:`^¢:CܢuEao@uE?Q)8ɹ虩Ꞝ a+mF'$.Fԧ;D4<t"b=~'`ШˌOǃ0,vB:hŃ;!y
"}vM"2섰mf7}͍(loRNt
pm8 .냙ɰ|
-ch{Jߞ26O:Pb4@$h~@!,!:,(0/،،M.-VcZ)x{~
dB0004B~BjtȦ!:pJcvPfOFTa50MX@Lp-@ރ+M=OG (,!X
k#HFKѿ$Hd`qcJNp
!
@Ѓ<	! C`#Kc
-
=zbvpAEXp!"d40?`PmxıwL!,t10<]
dd 0!
6a
0.RwmZa">B0rczJ17ʰ>ҼDr&@(-)1h	R*1_Cv^bR+P~C~`!*Ɍ'6r#A(i~	銊r*;*pR2rrX*phJ.㲳(2rR/+ꢒ|0S+\Ҫ10,k1/3k3>342%˩/+`+ }5!*6g6kNe<"qK ʡ#485S+8Va$tӨމ5sR_53'dR1>PaK:b#$7ɳ6&Mv!8HSJ* uSv
:y5N?l۬c{dAk.# &ak=u}FgLqJ?D&XH}"|DQ:<EKTQLсP!-:@C%D;K]Aʹ :A?(B,w`&PF`Pu$rHF!Ubt]e<U!tXqPJUpQ]@j&a7L,sPseOcDIOUD3p|!QR%灬#Z bU+ZvARDAo^
KbtcPPA@Q`ʆTA|sVLA8xGEMS;{!`@V1%Wad 
`S+`csteu
:"@advIC+tL9+8*>Q9!B/e! q+WË	t{:TvMa ``v0I>R1h AØDP#[Œ&q]a h(nu
*N+8A6VPbsjN*42dq0.nfUvVed\b(khUx 
nW@0ֿj%s%ѶQ׏fVAPt mk@,'\z5!(2l!Ķ%!`	7>w}
X}]h@v@wm]E; kO99w׏ nA}	j;p)0jwtQV4Q"Pv&9fldAl&K1u
@@	@[
,kB'aj`=
BQPjC6!@$rBHWL!
Hy992	.YY- @-F]G0$*s:9pa6ub6	9y 6yMckF`
XB,sz9OAL` n;:Uz#/4A
FB2yq:qRF栰	p*zu:xs;U.rAz:L[i:acV%֚G鵫_,PyN
N{ắ:ZbCCm{9A^C
{9{
#
F;;U;u݁-g{Wm>.
^'4{O8NZ{[R`!V%: b2:$M{F~<$ {[Ach zۻQzb<*[f!O\*<1Hy)w7<*:\25:?)<	'm74Y\h|U\ZjƉA~C<geD‹|gɃi}|Ý|r|]\9ߨ2üKu|TG<|4;<maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Understanding Federation Designs</maml:title><maml:introduction>
<maml:para>Active Directory Federation Services (AD FS) supports federated identity designs (also referred to as federation scenarios) that use Web Services Federation (WS-Federation), WS-Federation Passive Requestor Profile (WS-F PRP), and WS-Federation Passive Requestor Interoperability Profile specifications. The AD FS solution helps administrators deal with federated identity management challenges by making it possible for organizations to securely share a user's identity information over federation trusts. The following three descriptions of deployment designs illustrate how you can use a combination of AD FS server roles to federate identities, depending on the needs of your organization. For more information about the various server roles, see <maml:navigationLink><maml:linkText>Understanding AD FS Role Services</maml:linkText><maml:uri href="mshelp://windows/?id=7bb63cfd-b17e-4a03-9619-f948e295dfbb"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Federated Web SSO</maml:title><maml:introduction>
<maml:para>The Federated Web Single Sign-On (SSO) design involves secure communication that often spans multiple firewalls, perimeter networks, and name resolution servers, in addition to the entire Internet routing infrastructure. Communication over a federated Web SSO environment can help foster more efficient and secure online transactions between organizations that are joined by federation trust relationships.</maml:para>

<maml:para>As shown in the following illustration, a federation trust relationship can be established between two businesses. In this design, federation servers route authentication requests from user accounts in Tailspin Toys to Web-based applications that are located in the network of Online Retailer.</maml:para>

<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=f02e9737-1985-4abc-84a0-c55184b0660b" mimeType="image/gif"><maml:summary>Federated Web SSO scenario</maml:summary></maml:objectUri></maml:embedObject></maml:para>

<maml:para>Federation servers authenticate requests from trusted partners based on the credentials of the partners. Representations of the credentials are exchanged in the form of security tokens.</maml:para>

<maml:para>For enhanced security, federation server proxies can be used to relay requests to federation servers that are not directly accessible from the Internet.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Federated Web SSO with Forest Trust</maml:title><maml:introduction>
<maml:para>The Federated Web SSO with Forest Trust design involves two Active Directory forests in a single organization, as shown in the following illustration. One of the forests is located in the organization's perimeter network (also known as a demilitarized zone, extranet, or screened subnet). The other forest is located in the internal network. A one-way forest trust is established so that the forest in the perimeter network trusts the forest in the internal network. Federation servers are deployed in both networks. A federation trust is established so that accounts in the internal forest can be used to access a Web-based application in the perimeter network, whether the accounts access the site from the intranet forest or from the Internet.</maml:para>

<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=8c328949-1021-498f-944d-e61113778c7b" mimeType="image/gif"><maml:summary>Federated Web SSO with Forest Trust scenario</maml:summary></maml:objectUri></maml:embedObject></maml:para>

<maml:para>In this design, external users, such as customers, can access the Web application by authenticating to the external account federation server, which is located in the perimeter network. External users have user accounts in the perimeter-network Active Directory forest. Internal users, such as employees, can also access the Web application by authenticating to the internal account federation server, which is located in the internal network. Internal users have accounts in the internal Active Directory forest.</maml:para>

<maml:para>If the Web-based application is a Windows NT token–based application, the AD FS Web Agent that is running on the Web application server intercepts requests and creates Windows NT security tokens, which are required by the Web application to make authorization decisions. For external users, this is possible because the AD FS-enabled Web server that hosts the Windows NT token-based application is joined to the domain in the external forest. For internal users, this is enabled through the forest trust relationship that exists between the perimeter forest and the internal forest.</maml:para>

<maml:para>If the Web-based application is a claims-aware application, the AD FS Web Agent that is running on the Web application server does not have to create Windows NT security tokens for the user. The AD FS Web Agent can expose the claims that it receives, which makes it possible for the application to make authorization decisions based on the contents of the security token that is provided by the account federation server. As a result, when claims-aware applications are deployed, the AD FS-enabled Web server does not have to be joined to the domain, and the external-forest-to-internal-forest trust is not required.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Web SSO</maml:title><maml:introduction>
<maml:para>In the AD FS Web SSO design, users must authenticate only once to access multiple Web-based applications. In this design all users are external, and no federation trust exists. Because the AD FS-enabled Web servers must be Internet accessible and also joined to the Active Directory domain, they are connected to two networks; that is, they are multihomed. The first network is Internet facing (the perimeter network) to provide the needed connectivity. The second network contains the Active Directory forest (the protected network), which is not directly Internet accessible. The federation server proxy is also multihomed to provide the necessary connectivity to the federation server and the Internet. In this design, placing the federation server on a network that is not directly accessible from the Internet greatly reduces the risk to the federation server. </maml:para>

<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=9a246800-9d1a-446a-be01-5c650d9b0f3b" mimeType="image/gif"><maml:summary>Web SSO scenario</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Resource Partner - General</maml:title><maml:introduction>
<maml:para><maml:ui>Enable this partner</maml:ui>—Select this check box to enable the resource partner. Clear this check box to disable the resource partner. A resource partner uses security tokens that are produced by the account partner to make authorization decisions.</maml:para>

<maml:para><maml:ui>Display name</maml:ui>—Provides a space for you to type the friendly name of the resource partner. </maml:para>

<maml:para><maml:ui>Federation Service URI</maml:ui>—Provides a space for you to type the Uniform Resource Identifier (URI) of your resource partner, for example, urn:federation:treyresearch. A URI is a compact string of characters that identifies an abstract resource or physical resource.</maml:para>

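<maml:para><maml:ui>Federation Service endpoint URL</maml:ui>—Provides a space for you to type the endpoint Uniform Resource Locator (URL) of the Federation Service that partner organizations and applications will send requests and responses to, for example, http://sales.treyresearch.net/adfs/ls/. Because these requests and responses carry security tokens, the endpoint should be reached over TLS/SSL (an https:// URL) in a deployed Federation Service.</maml:para>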

<maml:para><maml:ui>Use Windows trust relationship for this partner</maml:ui>—Specifies whether or not the resource partner and the Federation Service are separated by a firewall and whether or not they need Windows security identifiers (SIDs).</maml:para>

<maml:para>Clear the check box if the resource partner does not require native Windows SIDs or if it has an unfiltered network connection. An unfiltered network connection exists between your organization and your resource partner if devices such as firewalls are not filtering network traffic between your organization and your resource partner.</maml:para>

<maml:para>Select the check box if your resource partner requires native Windows SIDs or if it has a filtered network connection. A filtered network connection exists between your organization and your resource partner if devices such as firewalls are filtering network traffic between your organization and your resource partner.</maml:para>

<maml:para><maml:ui>Enable enhanced identity privacy</maml:ui>—Specifies whether identity privacy is enabled or disabled. Select this check box to enable the discovery of the user portion of the identity claim that Active Directory Federation Services (AD FS) sends in security tokens.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Partner Organizations</maml:linkText><maml:uri href="mshelp://windows/?id=916957ce-daa8-4791-af8c-cdaa2c99735d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Adding Partners to the Federation Service</maml:title><maml:introduction>
<maml:para>This section provides the following conceptual and procedural information necessary to add federation partners to the Federation Service: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Partner Organizations</maml:linkText><maml:uri href="mshelp://windows/?id=916957ce-daa8-4791-af8c-cdaa2c99735d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Add a Resource Partner</maml:linkText><maml:uri href="mshelp://windows/?id=f60ca0a1-aace-4877-8b4d-40f06090d5c3"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Add an Account Partner</maml:linkText><maml:uri href="mshelp://windows/?id=8fb3b4c1-e3ea-49ac-85f4-c1f6b7c7168e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Add a Windows NT Token-Based Application</maml:title><maml:introduction>
<maml:para>A Windows NT token–based application is an Internet Information Services (IIS) application that has been written to use traditional Windows native authorization mechanisms. This type of application is not able to consume Active Directory Federation Services (AD FS) claims.</maml:para>

<maml:para>Membership in the <maml:phrase>Administrators</maml:phrase> local group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=83477</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=83477"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>You can use the following procedure to add a Windows NT token–based application to the Federation Service trust policy.</maml:para>

<maml:procedure><maml:title>To add a Windows NT token–based application </maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Active Directory Federation Services</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Federation Service</maml:ui>, <maml:ui>Trust Policy</maml:ui>, and <maml:ui>My Organization</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click <maml:ui>Applications</maml:ui>, point to <maml:ui>New</maml:ui>, and then click <maml:ui>Application</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Welcome to the Add Application Wizard</maml:ui> page, click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Application Type</maml:ui> page, click <maml:ui>Windows NT token–based application</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Application Details</maml:ui> page, do the following, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>In <maml:ui>Application display name</maml:ui>, type the name of the application.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Application URL</maml:ui>, type the Uniform Resource Locator (URL) of the application.</maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>This URL must match the return URL that is configured in the AD FS Web Agent for this application.</maml:para>
</maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Accepted Identity Claim</maml:ui> page, select an identity claim type that the application will use to make authorization decisions, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If the application requires user principal name (UPN) identity claims to make authorization decisions, click <maml:ui>User principal name (UPN)</maml:ui>. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the application requires e-mail identity claims to make authorization decisions, click <maml:ui>E-mail</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you do not want to enable the Windows NT token–based application now, on the <maml:ui>Enable this Application</maml:ui> page, clear the <maml:ui>Enable this application</maml:ui> check box, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To add the new Windows NT token–based application and close the wizard, click <maml:ui>Finish</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para></maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Application Types for AD FS Federation</maml:linkText><maml:uri href="mshelp://windows/?id=fc406ace-9397-4271-baa1-888383a12c63"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual>GIF89ap,048<<@@DDDH]maLLLU LU$P(P(Ue$Y0Ye0] 4]$m,ai8a}@e}8i0]$@uHmLm y@uPq<a$}LuPu }UyYyY}L]}PaaUe@i iL} ]$qL},Uu]yy0Ye4y}}}<@m@Dqyq慡LLPU}}֑yU]a֕ayi֝mqډڍu楺}ށޅ	H*\ȰÇ#JHŋ3jȱǏ CIɓ(S\ɲ˗0cʜI͛8s	G)4ϢC*]T%O=E4$ԨRVʵWT
ȣeӪ]ԠGj;U[
u߹pKa}ޥmW]~B̹Cǀ<6b1vpѨc˞]q̤ۦPn?̻\qVL4أO+{uӫ_Ͼ˟OO*/Hp<kF85
*thbFE#X0¨@#E!Wю6гF<x@<7.7Иa1V@c[Pʑ
3`ihB:@`S$8sO%`P&7P
by(pC_)*a"HE"̨~:/A$U>>LB64QvcSQNgPPħ*@hɧ>p%#t Ä,&O78L.o:Ӎ9T#]+b?r.Sb蓋ld.@)a>9;*RmJ]?t󌽮ltSj/tQD0D
E"v&𘳳-`-6إ"R0pKElJR-Zh? ې:t+R[<\(E@5k*&33ʴ2|׬AuLo7آ	)HO5{o;sM6ܯ<ij^
pr#*WKX޵s^#KLkh{{n՘~)F>;
ILr7a2lr[h~GC=0*؂
ai#sVAq
S@431J!" >$A9!6:aI NqB/<>1JiHz2Pt߹ȅ׌DZuB6ġ7бQAF,*$b=@:TQ+/
2m(? *87/=D=F;iD"ёmM.E=11034!^q?ӓ>ԁ\ԃE83xx'y&C

chވ=3źia`O
+Q
4{3!+y;G=H'dH&|8xu(<aMBڀUȗ,.8.ѢĺB”"PjԪ0GNU|2q9<U-4=,=G1*<F=\7B*MBErHCyV-3G6ULtM&a#D5X,8)V(?փ	hG@`AvU\疆l®;@y(/YZTbfk
iȢ"ra(
æ
&uz+G፻ij
}jdV$6	<V%%(&vh>8p9~a#hNސ	(\ɄVdcS?`tw>K7)an\<-8FT2iૉ-saS!W(q[+чM$!iV~
F|

S09q2JZ-ci6q%|O.]هpk<4&E5!'D9\ZP`|7pŃ:pQD-ǎh 65\^ͨl%1+KAEFf{˝FKdC[w<a>@.-Pp!>G&0f?[$æ
®(
bl!mƩ/e_LHhHuޞ]-~P{](3~ܡeOoИ$phU(MLW
m}E]n|@o܆P}5s*kxa瀎zۊ:]8ҧ:pErVZ{sk I9bj<S&,6š8-'9c|ԽV	=Pu4?M!5aG6ŕp+īPFh+R	PV{nxxO[!w<֚M~GȂwqy2pixq\gZvW<g|[v~5p[uJ@
yp1RʀY
ipW\4|wV	YSA+
`2e<b~w dGJfls#Ift6p`=
=^+'g
3g`qni?!7LJЀct
^Hw0xZ/w`}yha
271qv*P
%
Ї!g8~J`skyRW
`hpxZpX epHr 
A@.aU
XB~hfk
$SE{<dׅgt{{vPws֘a_>gJ9wFp{zRKDž
p.hyt9oGHY *p0 -ܘ>h]E^
`6
[RQW<htxI
a'ɓ}, @ %Fk 4><sbٓX\'rszb@Gw^[O 
~t;Ff@S4y)CpSPDlX&
y26 YV.0
0[ـ[7JVZ4EiI |8>xț5	b+ُ7א!1T	S
` tPiB[L{	W.OK{#xA	p @KacNPC
Zry$
s,rT=vZ(dw
q5187 	p^Y"
	V$%6x)C
ԍ$# w}4r#@kOI4o8IJQ0ƅ
S\JQ@
U/r ]:6_B0ry
`q*Cy}y>VX5 GP
D"1
wedVh C
w@.ﰙaM0
6ج_ǔGZ v|
1
":C60'd)*C${vF1簭({I~-5sQIqvt0+,p`	g~֯ZDpv PatIbN{`9~-xF
`ݚv`F&W\pW
|V6%	OȲ
P<˳>H0b0
6>0	<pssm<pc
j#j0UkTJqZɵ;`ąi;
/rHwPbCذ
@kZ!!m v20
|$07-t>!ҝEE[
 eÂ
97gpSzxqv~zw`$.Cv{
P ePD8K6p?=ˬ>Z(\1W
h`Ĺ2RTvIV<;
0;@y`oPl6
D˸U{: ] @+`(d#CA<ysTwd[wr@8		$V=@
ؙh2:G;w 
`n dl|	9"q[D@`_%@5~l;۾[8Db܅pgL09=d̝xVPP
b`t
!<25,@L;3L}sp|慐)!K70<1-aw#@
p x=άAqyo\DJ{Te˓-L' 9jN`ˎ 57~llspsW 	`^J
a(›#`;D6{i@flӍt̀5!Mp14ʔ5jIԓ_c{M=621uW ^1,`\81ꩈ`VTP 	*

J
`
Pg|~H<:9:<m>4غ6#;YcRtvg۪{}xt c*Unظ=­[ŝLp1ظ,Cj_sT+=	 «ݖ!g|Wd4İK#h0?'me
'eǍ=ܓEħ-K P0@0+K cS߽͜
VZBxT㔸"ilJ0t@zR, rήH
!^ض|@9	0ayb
@N1
p0u!h+
	}?}>=	~L\ Oܵk;	,0$@o[ДꓠP_>Lo6M^3.IwE_nM>$ep.J^eb2
;- P(O_6@0:)_	!7۔
w|
^Q r4`
`cq
>VP`-p/I^L] π$?zv} 65]'gGwx`t)1)S6~gVT2XP`}0^c_<γSMb̐9L,P+:	op_sY^N,t
R2w>t d"!s@b_
e0
QĀk'Cl@
4	>QD-l!@=~ ʸ6asLosԠ] }T@"T>TTrΆ\N4`B#.
0mݾ{

ͳS)LhDr@X50;S	]@=LfΝ={~7'ĥM(,}Cv0gƿ=/ΞKwmϏ?>FPȭ_RS2	uksJg(eرe!
|n=vʾ02CȚHA	'B/Ї C%Ĝ5VRgAqA$8V:G8x.GP)~¸F⥕f&%H;KVI=GqC1żρKԹɆ>xcLl"Br:ˊ P),B:JF
fգ}@f ~La0e)@*XT"+Ӡ&+=.
#1
Za*qNc+iG	I,27\q%8E4WFi^+!BQǏNMVRY=Nee	*E\z0	9M#VpR*+Ekˠ\Ct_gr>YPt"Z
a&*g
 \LDl&
2NGS.Z}ѣ2@k6f1qQ;]+-	Ƙh'z  zY=r%20bpPIP%lLxAkA%-(b-7{\7]?hL›h2+Rۧ=%d+,ōha?I>wHHIĠF+f`5οtD)T,P>H(1ߝFǩu#A8ǣ`/?
./W k; h‚0 QI}0h`Fc4W@p`ұS,%,\wx!jB10j9LQ<ݰ:ܘ%{f,AR╓W*F
gaPЈd|L⑗|YF&Ơ	/Ha28C/n	#
@0
z6ˈݣaH:t81l}#
U
K/e.cJN9II1-1H6Mv9

yh12)V,
~ 'BL!zc9+67&UQB+Ɓ
5*^d@Kcl10@&9`uU"Q-U_:<pHsQ2M4iTИDIx0`>Ԋ_SzTKLfj*K,:B¯'jр` ='摎8R5j#ڇ3HamsUc2
HGaO~b}VD`Q$&\rfah[:y|hƌyw`B%&y$&Y@18jv0GiW{[䪨mip;	;X"h$=FR»pjE
;m=QR2iE2Hdy\Ru2Kˢ!@BBncM@Am$͈,TF0!S0&ha8Q"7$شT-[=xīՑ}0hcP9ݩ|*XSC:<LFxIPRd'
MJan"GfpG0#	Jp0cAbQK>rKD+!!\թ::¶u4
J1m<޸tΦmA\Q^FӜ@=-gx>U1@yʑ@p؇%P EyUQ潚ъa0ưaߏDƩ0@	sg[NC\t3KgC#0i,U|,CGrMwZ
tj3΍D7SExyI|x-~
jkd{U.$^++<`P*xNUۀɉ!Gܹ5V~tyU=D~ȑLn>d0\P懜sNwYWcN&TZA2H׉\5zx
1)^ȲcbɩjӃ
sr8l3n{o=R:E=?+pS-J7p{6(:
>>󾸃z'S8ǂ	
}7L҆3[i<H,TPz	I1[p2
(bt(4A:lDDHt:Ĉ9{808#C4B+$TB%dB((L	3!Dȃ
+Q)I%.$4稆M'Sx6r؇,h
'&s=4<3C19תwPzxDm;K:rKAêsGzlA(Y N|y`z 9D<·PU\V|PRSdpX(_XQĤzȃbPȷ9Zi`} )Ph;,Cj`udv:4vS"RʋX vP\ȆdLJH$P˵dKh`K6K))1K`K6`xKǴ˸$舶L)|KKȤ010L̾LK\L)ǤLu(IXLulJٻJHP@=IN@񚮴F8S@<	L84	T8tOz82)aʦ3E|xEJ3KAC@mHJXNN
=0O\OO
QEQOx'SJ+Ɇ!PMMڃaJ5GrRxy`
m%M&O*eORR)EO-UB,)UϠp25;Pnx	QvDG:J7؈4;#PPT,&5ER,5GR/TK
HԷM%QF\Qhߨ+S9E:+;n-IX>Շ $N%JAұDTEg]EuTM,UkR+RIPNTnMqϮ(@! | N885N:ъUnc']
- +_`%04<ZVD$ ׆%OqVjlLXIԋ*
Uل[؇tE8 NZ:t
[7r:G*#ԕfEeڈ}OVX؊Ԩ֬ZZZْ%ttdyzטJtDǢGYWhcVh?u֯uR(jTǵXnXW%װȲ]JuY=ޫUu>)JU`S@[hQm0R18|8ZCMRD=EU޳,(uNj ]pCT}yS؀XUSF T%5]W ؀7
=}Ym[쵽F3]`ӰH"iyU5_H0eV8v_hY+]ǷY\53$
h
VX^ŴL0M4M)plM̼,K)PL|M1&262>L|1pTM-v+٬ͺ<݄	>*݋Qa]	!&b51EPⷣH_Yd4{	sŠ4+y}䈨7ŸsPw0.؇2^Y1!?(@dEրg
ĘX^X`L>M.\⅋O8M~{1U`k()ey+16d
}<~(d^fuaЍft@fCjȄ![qr.=N]gӥȈhpjS zh推j.
u<nLFIh8|υ*@CЈ'ZSPA@u8&!.gp֙&\Sc(-؈28j\q"(ky$Q1th]klh
=5$,h|H[QL"Ա6\(jLŇc`rl7 ֎Np2I}0LKWYQG
{Gw8ZfងK<{
*0oț*`,􂓘+m2o,4Fjh7܁c+NhkغmD@<`$hfk6-xS-p.B>AwlG)u^p&/_H&R+<B!m0>@>AF2Hl)veڦ(zBRhxrt1"pj/7&sXIbN-nMo@Pz9RA8$|:o@WŎgCr.bԦo'&(@ǪفJofs}.
VG]0w؇5uLЇO	u"%8bneFgv~$R;z&vl V6kT,Y5y}A{,tW@[[+*"ӇPX>9m~eWyPm$S(8Z)lVupF@q73̽GUv[fF.ԇ$8 ?x}$'HHqF*b/4	jN󎸁énDC'A={hujT| PW.2:gh!<|NWL'}%>Y\h{&,?%}/}/sOJЇQx;ƺ<b@"K	a/8„`BrΑ
"o߀rM*i$ʔ0ɲ˗0[\Is&N+mҼ&(0Uwq̢s	@&'"aT L,k,ڴjײm֧QC`DzoI[u`(F!4h9¾JoY,ML'UԉZhp#zL3'R#*	5¬["@bIl:v΄z5
pǓ/}>cpܵ29?4oZH`c(!YP.47C; >F1ȡW}]yuSu"Zd_(x#+@RO}%F6\c;Y]O'9W=<ua%"C@
p;DU}7<jyK5VvRPE}BM8S(uPR6<$5LfC
@)^jI|OC
0He>"Dj"rN(n'Ba&hM'<mK!($¤?
Ϩ3Q(xqQFV.tY|R.PTJ"UlBC;0kB.Hsk
Zvug
74WNHN㥘㎍֛>(fB3?#E6P](Y8j&&u?Qk{TԸBLrNC9\"~anN6+Q"걜5UtvGP,̧	1u$Zo=1̀h?XP[vA!Cr#	CsUʂjk7-{cuxf1Zj83~k9[)
)BFhHS쪶?nv>ŗJCw*?{,Qjp<>u}xKHqQ.0hV?~Y7v*FtXfN̖
	sdo e!,e)
%pMJGRX<TĶ)nFј
l89A*샆Pd
%2r<5+أ=aג(R2ń]Dhx}bah)>8Jԣ0fG1e
!ThE0h)dW̒ZֺJCm|,TҊ0`Ai*bQo\xQ6Wڰe_:Q.es0ՃLjiNDŽHG)ҶL#dY1܏|$X>@F)P,PfD&D}XAbSI'"xЇ@c}2D%dS٨;>EsUp5-B]Ehdiy(XsrQ42
i*4LE*~G!Zl8?U,7	vCk|aBP,&C"3\.>usd[[WL1$n#JU:d5iPy7ir3GPЄZbȂ? cȪ[:
~0Vmn2LdPC	fQa0@:WE>0wK7CJRlR)x<SȆ+Ư+d]`
uDŋEBQ_X`X	
#ibp4氊b
fn9Tj0R;oY "`
sW(9
Ƞ6Uv;ft\k0q=G)A[D!	oj+]IX%+gpVqILQG-@h5u$svRx"J^AWhqB%@Dr667͚W9x4L}ܝsg!rN% gl+%pporcr2	sBZA
.iP
onԆׂՌ}gL_qkf3=m}ㄕ&1\M]Bs6A}eJlrnP|]G	R!eƣiHzZɎ
X69[Yi[T\rq;͕Q yT;6<hPBDnL*4',qG8-?j*:`&u2;;8Px5{} ~D.Ca15p*$QZHѴ0[L,ԈF5ر9_L0QFMKr]XKԄ9C<&`nHdx4WB\A0d$
]`^M[̔^p 	P`Dax$,N^2=O!]	>L`D74ՋYLqaTB9J_BWŵK^u_ܟml$f@= (cd!-KBpA0LֲCXˆB$i`ybaRS5Tôd@a~)|آբ:"aq4LL_U*2+FL(AN&͟٥E%pË3n颅+Ky7L#H"_MO+5|
.PAU05(C㻔2LKX"XQ2MŠ4@Zbf<eElL3\cHN%242(d:#Dpe<$5d5%Z.MV7@+)d$"GR%baTdW
B6"<^8Jq4PT
T\H?6N^J#\}0Ч(a&o1yC
Mc@d0%nehl A"1Dm4De1-oDYQ,{"OQ2CC<TBsAnA"P5zFB*x犨%aL$KCDDoT.|Vj7R0"O.l͏E\4%-DN>$B(TB4$j;CH_F	XF(MF,84C+\fD
ôFg(#.)D5H>(Ґ	,Zdz~J38|hcDES<D3ç>P}iDQBH)O_Bv@i_a&&)A+T"Ć
\C&*-
 Ԉ:d$$	L3DLZ%d(q_ufǬfyc#B?
:N&**A<"I+p]ELފƚ@Vk_\dkHn(d	bc_k7`98*Ryd{+PDFD.LMKD%ʛb+bn+&@h_E)TC1b7唇.S+ (,=>dCxC(
l(lZ-*,1eP5*({!A LcA%8^ZmF<Fz.
ݦ+m[Ђ#¾0W%x.+ժƎ	"ă7$d2.;b0d,>
=B-AyYT4`{ƒu7t1b	aYIo7}.;,D̉0tVk'pQ@)
~IhB7P(k*$.]&xz/HNC$I>Dæ@5,)(CxVl*&$+æeab(aD6xH<n($`ɒ0U.
AF].b>PT4
OB%C/R/(Ci%$(aA;Fq.9ƃa;Q+6]A7ښ8Xﮐ5<11B9FbhT	!!N).7:8M(RTIx/{].fm8x\(Rp+p6e
.We 1L̓!"N!Q254\kB7f@pq/?d.vk-n1Q:MD3L/"ij:C-Ah%4t@FC6
8)*tC#Щ4"D`/deJFHJ!<,'`9x́9VPB9PPtS{@C3#c'H,PLAlߑfy"P)pY6(y%\`B7`9A,)@#CU%86]p+٧>}}fGԢ6cڀ~B*fE4hrB7{
tm<00B7xtu1ClVtHP=$QmOk6NBU0ܛ3H6840æQ\i&CKӕ)HC94Ag_bRqD(r{+xI7L-:3dt8Ȃia(1(B7Ft*1]*	T817Bէ:0b:A,ŃG%=EbyP½@4@1C#lA;dA-!C+ʕ˹@EG#è8)N>{	9<8Ë-<<g@fKfU
4B>NC5tZL%*VƇ||J00DPͳM|Jgw-943GΩ&f̩6z967|CA "cj
!>ڄC.r:aA|\#C78+^0H=/E@xsk+4ú.!~N`F?$e3ȼ8';3>XH%3tC#HwS9A=3䂑3X?0KX\7<|.uv}~?dEX5W0l@
,Cɟ<yh-T=?B@k}}}#p4Cɋ
;*3HC7K;Ò<bNz; jSf]\7>7K3*,Yt*wucBzd~[9,B/e@I~5D;ti?@OV.7Fkt	8bE1f81Ex	f$I/԰Q!dlӠ]qԹgϋ*cCɹ;Cԣ9%=ՓĔ

F𹕫as~D`8v.d؍m[go۲'=]Rt˰BB׺<}wotqV{+3p~,t!n&yچK4mz=;ʈcuFpJyVjbBM2\ۡSG0ĔEj?bڷ_8`č-@?.4.1j[>XSBDCC
A-~APT`"aqk@e-psd)JP0؂=Nl8J*ʆ gXC\NqRs_,S9s#Jvc8G$V@;5l#d4lВ! 41KTM9
715Ɖ!4SDB>SKtAHW
Va圣?ؑ`HUb,FEXSŘsLh
Wq}'"8ђ†%WrB jxi29~W	7hvՂa\XGlؗƄc`y>+
dHXڅ:huP(?Q"A!4[MNyΠ@y:y<%"izG0'&dFA<<z[>z裣.:n軕n&Z[o_O4qTGs`eT67Ad@'G6pӞOdF}oqrQ{"e=v6]vȅ|'
<F*/gGeh!r
Y'we?Y=Νw孝?_>ىœp^} J`!7χG-x]
Wѯ{>q`ڧ>}Q'X)b6
ρoF
Lxߛ>Ї샡SD	=(ziXBv`{ƨ:$*bV<11I7/}HA4!HE.t#!Amb$1).f &f
(KCxLXNzcX҂&xKWz7$-8Z.9„%C*R1DHDđ#3iOZQts}Lo
f7E(
1l8	uSTکO~npޤ=Ꙁ3:t:N^Q}eFj&(鸙űk'(GQ&+]ST5MqS=O;<maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Understanding Federation Trusts</maml:title><maml:introduction>
<maml:para>You can use Active Directory Federation Services (AD FS) to enable efficient and secure online transactions between partner organizations that are joined by federation trust relationships. In other words, a federation trust is the embodiment of a business-level agreement or partnership between two organizations.</maml:para>

<maml:para>As shown in the following illustration, you can establish federation trust relationships between two partner organizations when both of the organizations deploy at least one AD FS federation server and they configure their Federation Service settings appropriately. The one-way arrow signifies the direction of the trust, which—like the direction of Windows trusts—always points to the account side of the forest. This means that authentication flows from the account partner organization to the resource partner organization.</maml:para>

<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=c72d956f-d07c-46ce-9cce-c65657259edc" mimeType="image/gif"><maml:summary>Federation trust linking partner organizations</maml:summary></maml:objectUri></maml:embedObject></maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Unlike Windows trusts, which require a constantly connected secure channel between two or more domains to function, federation trusts do not require this channel because no direct communication occurs over the network between the account Federation Service and the resource Federation Service when you establish the federation trust.</maml:para>
</maml:alertSet>

<maml:para>After you create the federation trust, users who are located in the account partner organization can send authentication requests successfully through the federation trust to the AD FS-enabled Web server in the resource partner organization. A federation trust is created when the account partner organization and the resource partner organization both install the Federation Service component of AD FS and they both use the Active Directory Federation Services snap-in to configure the account partner and resource partner appropriately.</maml:para>

<maml:para>If one side of a federation trust (either the account partner or the resource partner) is not configured or if it is configured incorrectly by the administrator for either organization, the federation trust will not be created successfully. For detailed information about how to create federation trusts, look for AD FS step-by-step or deployment content on the Active Directory Federation Services home page (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=91867</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91867"></maml:uri></maml:navigationLink>).</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Federation trusts are not used in the AD FS Web Single Sign-On (SSO) design. For more information about the Web SSO design, see <maml:navigationLink><maml:linkText>Understanding Federation Designs</maml:linkText><maml:uri href="mshelp://windows/?id=1a17d8ac-4ac6-418c-845c-a4251376e1e9"></maml:uri></maml:navigationLink>.</maml:para>
</maml:alertSet>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Group Claim - Resource Group</maml:title><maml:introduction>
<maml:para><maml:ui>Map this claim to the following resource group</maml:ui>—Specifies that this group claim will map to the Active Directory Domain Services (AD DS) group that is specified in the <maml:ui>Group</maml:ui> box.</maml:para>

<maml:para><maml:ui>Group</maml:ui>—Provides a space for you to type or locate—using the <maml:ui>…</maml:ui> button—the AD DS group that will map to this group claim.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Account Partner - Resource Accounts</maml:linkText><maml:uri href="mshelp://windows/?id=ccdd7180-42a3-43b0-a8af-27972f5be619"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Requirements for AD FS</maml:title><maml:introduction>
<maml:para>Active Directory Federation Services (AD FS) has the following hardware and software requirements.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Hardware requirements</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>Processor speed: 133 megahertz (MHz) for x86-based computers</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Recommended minimum RAM: 256 megabytes (MB)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Free disk space for setup: 10 MB</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section><maml:section>
<maml:title>Software requirements</maml:title><maml:introduction>
<maml:para>AD FS relies on server functionality that is built into Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2. The Federation Service, Federation Service Proxy, and AD FS Web Agent role services cannot run on earlier operating systems. This section describes the software requirements for each AD FS role service. It also describes the overall software configurations that are necessary for AD FS in your network environment.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The Federation Service and Federation Service Proxy role services cannot coexist on the same computer.</maml:para>
</maml:alertSet>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Federation Service</maml:title><maml:introduction>
<maml:para>Computers running the Federation Service must have the following software installed:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Windows Server 2003 R2 Enterprise Edition, Windows Server 2003 R2 Datacenter Edition, Windows Server 2008 Enterprise, Windows Server 2008 Datacenter, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, or Windows Server 2008 R2 Datacenter</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Internet Information Services (IIS)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Microsoft ASP.NET 2.0</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Microsoft .NET Framework 2.0 </maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>After the Federation Service installation is completed, a default Web site in IIS must be configured with Transport Layer Security / Secure Sockets Layer (TLS/SSL).</maml:para>
</maml:alertSet>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>AD DS and AD LDS account store requirements</maml:title><maml:introduction>
<maml:para>AD FS requires the presence of user accounts in Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) for the account Federation Service. AD DS domain controllers or computers hosting the account stores must have one of the following operating systems installed:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Windows Server 2008 R2</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Windows Server 2008</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Windows Server 2003 R2</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Windows Server 2003</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Windows 2000 with Service Pack 4 (SP4) with critical updates</maml:para>
</maml:listItem>
</maml:list>

<maml:para>AD FS does not require schema changes or functional-level modifications to AD DS. To ensure that AD LDS works with AD FS, install the version of AD LDS that comes with Windows Server 2008.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>

<maml:section>
<maml:title>Federation Service Proxy</maml:title><maml:introduction>
<maml:para>Computers running the Federation Service Proxy must have the following software installed:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Windows Server 2003 R2 Enterprise Edition, Windows Server 2003 R2 Datacenter Edition, Windows Server 2008 Enterprise, Windows Server 2008 Datacenter, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, or Windows Server 2008 R2 Datacenter</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>IIS</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>ASP.NET 2.0</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Microsoft .NET Framework 2.0</maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>After the Federation Service Proxy installation is completed, a default Web site in IIS must be configured with TLS/SSL.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section>

<maml:section>
<maml:title>AD FS Web Agent</maml:title><maml:introduction>
<maml:para>Computers running the AD FS Web Agent—either the claims-aware agent or the Windows token-based agent—must have the following software installed:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Windows Server 2003 R2 Standard Edition, Windows Server 2003 R2 Enterprise Edition, Windows Server 2003 R2 Datacenter Edition, Windows Server 2008 Standard, Windows Server 2008 Enterprise, Windows Server 2008 Datacenter, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, or Windows Server 2008 R2 Datacenter</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>IIS</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>ASP.NET 2.0</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Microsoft .NET Framework 2.0</maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>After the AD FS Web Agent installation is completed, at least one Web site in IIS must be configured with TLS/SSL so that federated users can access Web-based applications that are hosted on the AD FS-enabled Web server.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Trusted certification authorities</maml:title><maml:introduction>
<maml:para>Because both TLS/SSL and token signing rely on digital certificates, certification authorities (CAs) are an important part of AD FS. Public CAs, such as VeriSign, Inc., act as a mutually trusted third party that allows the identity of the bearer of a certificate to be verified. You can use enterprise CAs, such as Microsoft Certificate Services, to provide token-signing and other internal certificate services.</maml:para>

<maml:para>If a client is presented with a server’s authentication certificate, the client computer verifies that the CA that issued the certificate is in the client’s list of trusted CAs and that the CA has not revoked that certificate. This verification ensures that the client has reached the intended server. When a certificate is used for verifying signed tokens, the client uses the certificate to verify that the token was issued by the correct federation server and that the token has not been tampered with. </maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>TCP/IP network connectivity</maml:title><maml:introduction>
<maml:para>For AD FS to function, TCP/IP network connectivity must exist between the client; a domain controller; and the computers that host the Federation Service, the Federation Service Proxy (when it is used), and the AD FS Web Agent. </maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>DNS</maml:title><maml:introduction>
<maml:para>For the purpose of authenticating users in the intranet, internal Domain Name System (DNS) servers in the intranet forest must be configured to return the canonical name (CNAME) of the internal server that is running the Federation Service. For best results, do not use host files with DNS. </maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Web browser</maml:title><maml:introduction>
<maml:para>Although any current Web browser with JScript enabled should work as an AD FS client, only Internet Explorer 8, Internet Explorer 7, Internet Explorer 6, Internet Explorer 5 or 5.5, Mozilla Firefox, and Safari on Apple Macintosh have been tested by Microsoft. For performance reasons, it is highly recommended that JScript be enabled. Cookies must be enabled—or at least trusted—for the federation servers and Web applications that are being accessed.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>Understanding AD FS Role Services</maml:linkText><maml:uri href="mshelp://windows/?id=7bb63cfd-b17e-4a03-9619-f948e295dfbb"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Federation Service Proxy - Web Pages</maml:title><maml:introduction>
<maml:para><maml:ui>Client logon page</maml:ui>—Provides a space for you to type the name of the client logon Web page .aspx file. The default client logon page, Clientlogon.aspx, collects user name and password credentials, but it can be customized.</maml:para>

<maml:para><maml:ui>Account partner discovery page</maml:ui>—Provides a space for you to type the name of the account partner discovery Web page .aspx file. The account partner discovery page interacts with clients to determine the client’s home realm. This page may be necessary for federation designs in which the Federation Service Proxy is enabled.</maml:para>

<maml:para><maml:ui>Client logoff page</maml:ui>—Provides a space for you to type the name of the client logoff Web page .aspx file. The default client logoff page uses iframes for foreign realms. This client logoff Web page is also used to present a user interface (UI) when local and foreign authentication states are deleted. Your customers can put their own branding and style on this page. The default client logoff Web page is Signout.aspx. The Web page deletes the client's cached cookies from the servers.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Proxy Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=04072293-0c5f-4548-b4bd-5c3be9bfa44e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Using the Active Directory Federation Services Snap-In</maml:title><maml:introduction>
<maml:para>The Active Directory Federation Services (AD FS) Microsoft Management Console (MMC) snap-in is installed when you install the Federation Service component in <maml:ui>Add or Remove Programs</maml:ui> in Windows Server 2003 R2 or when you use the <maml:ui>Add Roles Wizard</maml:ui> in Windows Server 2008 or Windows Server 2008 R2. You can use the Active Directory Federation Services snap-in to:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Configure the Federation Service or federation server farm.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Manage the trust policy that is associated with your Federation Service:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Administer Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) account stores.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Manage account partners and resource partners that will trust your organization.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Manage claims, certificates used by federation servers, and AD FS-protected Web applications.</maml:para>
</maml:listItem>
</maml:list>
</maml:listItem>
</maml:list>

<maml:para>Settings that you configure in the Active Directory Federation Services snap-in are stored partly in the Web.config file, which is located in the Federation Service virtual directory, and partly in the trust policy file. You can edit the Web.config file directly and push it out to different servers, or you can use the Active Directory Federation Services snap-in to modify the settings. </maml:para>

<maml:para>The trust policy file should not be edited manually. Instead, edit the trust policy file by using the Active Directory Federation Services snap-in, or edit it programmatically by using the AD FS object model.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Scripting support is provided in the AD FS object model. For more information, see Active Directory Federation Services Overview (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=91836</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91836"></maml:uri></maml:navigationLink>).</maml:para>
</maml:alertSet>

<maml:para>When you open the Active Directory Federation Services snap-in, the snap-in reads the Web.config file from the Federation Service virtual directory and notes the location of the trust policy file. The snap-in then presents a console tree hierarchy representing the Federation Service and all aspects of the trust policy, including organization claims, partners, account stores, and applications. Each item in this console tree hierarchy has options that you can use to view, modify, add, and delete trust policy entities.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Federation Service node</maml:title><maml:introduction>
<maml:para>The <maml:ui>Federation Service</maml:ui> node in the console tree of the Active Directory Federation Services snap-in represents the local Federation Service that is assigned to the federation server on which you are viewing the snap-in. You control the local federation server configuration through this node in the AD FS snap-in. The local federation server configuration is different from the trust policy configuration in that the trust policy configuration is shared among all the federation servers in the federation server farm. The local federation server configuration is stored in the Web.config file, and it includes the following items:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The path to the trust policy file</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The local certificate to be used for signing tokens</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The Microsoft ASP.NET Web pages</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The debug logging level and the path to the log files directory</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The option to enable anonymous access to organizational group claims</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Outgoing Custom Claim Mapping - General</maml:title><maml:introduction>
<maml:para><maml:ui>Organization custom claims</maml:ui>—Lists the available custom claims.</maml:para>

<maml:para><maml:ui>Outgoing custom claim name</maml:ui>—Provides a space for you to type the friendly name of the outgoing custom claim.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Incoming UPN Claim Mapping - General</maml:title><maml:introduction>
<maml:para><maml:ui>Enabled</maml:ui>—Specifies whether the account partner provides incoming user principal names (UPNs). Select the check box if the account partner provides UPNs. Clear the check box if the account partner does not provide UPNs.</maml:para>

<maml:para><maml:ui>Accept all domain suffixes</maml:ui>—Specifies that all domain suffixes are accepted for mapping to the UPN claim.</maml:para>

<maml:para><maml:ui>Reject all domain suffixes</maml:ui>—Specifies that all domain suffixes are rejected for mapping to the UPN claim.</maml:para>

<maml:para><maml:ui>Accept some domain suffixes</maml:ui>—Specifies that some domains are accepted for mapping to the UPN claim. To add more domains to this list, type the appropriate domain suffixes.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Outgoing UPN Claim Mapping - General</maml:title><maml:introduction>
<maml:para><maml:ui>Enabled</maml:ui>—Specifies whether the outgoing user principal name (UPN) claim is enabled. Select the check box to enable the claim. Clear the check box to disable the claim.</maml:para>

<maml:para><maml:ui>Send all domain suffixes</maml:ui>—Specifies that all domain suffixes will pass through.</maml:para>

<maml:para><maml:ui>Replace all domain suffixes with</maml:ui>—Specifies that all domain suffixes will be replaced, and provides a space for you to type the replacement domain suffix. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Add a Claims-Aware Application</maml:title><maml:introduction>
<maml:para>Claims are statements (for example, name, identity, key, group, privilege, or capability) made about users—and understood by both partners in an Active Directory Federation Services (AD FS) federation—that are used for authorization purposes in an application. A claims-aware application is a Microsoft ASP.NET application that has been written using the AD FS class library. This type of application is fully capable of using AD FS claims to make authorization decisions directly. A claims-aware application accepts claims that the Federation Service sends in AD FS security tokens. </maml:para>

<maml:para>Membership in the <maml:phrase>Administrators</maml:phrase> local group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=83477</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=83477"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>You can use the following procedure to add a claims-aware application to the Federation Service trust policy.</maml:para>

<maml:procedure><maml:title>To add a claims-aware application </maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Active Directory Federation Services</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Federation Service</maml:ui>, <maml:ui>Trust Policy</maml:ui>, and <maml:ui>My Organization</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click <maml:ui>Applications</maml:ui>, point to <maml:ui>New</maml:ui>, and then click <maml:ui>Application</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Welcome to the Add Application Wizard</maml:ui> page, click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Application Type</maml:ui> page, click <maml:ui>Claims-aware application</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Application Details</maml:ui> page, do the following, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>In <maml:ui>Application display name</maml:ui>, type the name of the application.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Application URL</maml:ui>, type the Uniform Resource Locator (URL) of the application.</maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>This URL must match the return URL that is configured on the AD FS Web Agent for this application.</maml:para>
</maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Accepted Identity Claims</maml:ui> page, select each identity claim type that the application will use to make authorization decisions, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If the application requires user principal name (UPN) identity claims to make authorization decisions, select the <maml:ui>User principal name (UPN)</maml:ui> check box. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the application requires e-mail identity claims to make authorization decisions, select the <maml:ui>E-mail</maml:ui> check box.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the application requires common name identity claims to make authorization decisions, select the <maml:ui>Common name</maml:ui> check box.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you do not want to enable the claims-aware application now, on the <maml:ui>Enable this Application</maml:ui> page, clear the <maml:ui>Enable this application</maml:ui> check box, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To add the new claims-aware application and close the wizard, click <maml:ui>Finish</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Application Types for AD FS Federation</maml:linkText><maml:uri href="mshelp://windows/?id=fc406ace-9397-4271-baa1-888383a12c63"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Choosing a Token-Signing Certificate</maml:title><maml:introduction>
<maml:para>Federation servers require the use of token-signing certificates to prevent attackers from altering or counterfeiting security tokens in an attempt to gain unauthorized access to federated resources. Every token-signing certificate has a cryptographic private key and public key associated with it. The private key is used to digitally sign a security token. Later, after the token is received by a partner federation server, the public key is used to validate the authenticity of the signed security token.</maml:para>

<maml:para>When you deploy the first federation server in a new Active Directory Federation Services (AD FS) installation, you must obtain a token-signing certificate and install it in the local computer personal certificate store on that federation server. You can obtain a token-signing certificate by requesting one from an enterprise certification authority (CA) or a public CA or by creating a self-signed certificate.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Certificates Used by AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=505507c2-db4a-45da-ad1b-082d5484b0c9"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Provide Your Users with SSO Access to Your Web Applications by Configuring the Federation Service</maml:title><maml:introduction>
<maml:para>When your deployment goal is to provide single-sign-on (SSO) access for customer accounts to hosted applications that are secured by Active Directory Federation Services (AD FS):</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Customers who are logged on to the Active Directory Lightweight Directory Services (AD LDS) account store, which is hosted in your perimeter network, can access multiple AD FS-secured applications, which are also hosted in your perimeter network, by logging on one time from client computers that are located on the Internet.</maml:para>

<maml:para>In other words, when you host customer accounts to enable access to applications in your perimeter network, customers that you host in an account store can access one or more applications in the perimeter network simply by logging on once to the Federation Service.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Information in the AD LDS account store can be populated into customers' AD FS tokens.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>To set up this environment, you perform administrative tasks for installing a federation server, configuring the Federation Service, and installing an AD FS-enabled Web server. The following table provides links to the checklists that you need to follow to install the first federation server in your organization, configure the Federation Service, and configure an AD FS-enabled Web server for SSO access.</maml:para>

<maml:para><maml:phrase>Preparing and configuring a federation server and AD FS-enabled Web server for SSO access</maml:phrase></maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Read about each of the servers and requirements necessary to implement a Web SSO environment in your organization.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Implementing a Web SSO Design</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91911"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Configure the federation server to work with Domain Name System (DNS), install and configure certificates, and verify that the server is functional.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Installing a federation server</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91901"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Configure the AD FS-enabled Web server to work with DNS, install certificates and the appropriate AD FS Web Agent, and verify that the server is functional.</maml:para>

<maml:para>After you complete the tasks in this checklist, you can set up the AD FS-enabled Web server to host claims-aware applications or Windows NT token–based applications.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Installing an AD FS-enabled Web server</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91912"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Depending on your organizational needs, install a claims-aware application on the AD FS-enabled Web server and verify that it is operational.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Installing a claims-aware application</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91913"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Depending on your organizational needs, install a Windows NT token–based application on the AD FS-enabled Web server and verify that it is operational.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Installing a Windows NT token–based application</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91914"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Incoming Custom Claim Mapping - General</maml:title><maml:introduction>
<maml:para><maml:ui>Incoming custom claim name</maml:ui>—Provides a space for you to type the friendly name of the incoming custom claim.</maml:para>

<maml:para><maml:ui>Organization custom claim</maml:ui>—Lists the available custom claims.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Federation Service - Web Pages</maml:title><maml:introduction>
<maml:para><maml:ui>Client logon page</maml:ui>—Provides a space for you to type the name of the client logon Web page .aspx file. The default client logon page, Clientlogon.aspx, collects user name and password credentials, but it can be customized.</maml:para>

<maml:para><maml:ui>Account partner discovery page</maml:ui>—Provides a space for you to type the name of the account partner discovery Web page .aspx file. The client account partner discovery page interacts with a client to determine the client’s account partner membership. This page may be necessary in federation designs in which the Federation Service and the Federation Service Proxy are enabled as a resource Federation Service Proxy. The default client account partner discovery page is in the Federation Service Proxy. This page can be customized to add branding or to give the Web page a look and feel that is familiar to users. The default client account partner discovery page is Discoverclientrealm.aspx.</maml:para>

<maml:para><maml:ui>Client logoff page</maml:ui>—Provides a space for you to type the name of the client logoff Web page .aspx file. The client logoff Web page presents a user interface (UI) when the local and foreign authentication states are deleted. The default Web page uses iframes so that resource partners can clean up state for their services. Your customers can customize this page with their own branding and style. The default client logoff Web page is Signout.aspx. The Signout.aspx Web page deletes the client's cached session cookies from the servers for single sign-off.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Active Directory - General</maml:title><maml:introduction>
<maml:para><maml:ui>Enable this account store</maml:ui>—Select the check box to enable the Active Directory Domain Services (AD DS) account store. Clear the check box to disable the AD DS account store.</maml:para>

<maml:para>Account stores are used to log on a user with credentials and to extract claims for the user. A single Federation Service may have multiple account stores configured. </maml:para>

<maml:para><maml:ui>Display name</maml:ui>—Provides a space for you to type the friendly name of the AD DS account store.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Account Stores</maml:linkText><maml:uri href="mshelp://windows/?id=bd1c92bf-f72a-4444-8c67-ad00a3ab4dde"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Understanding the Federation Service Role Service</maml:title><maml:introduction>
<maml:para>The Federation Service is a role service of Active Directory Federation Services (AD FS) that can be installed independently from other AD FS role services. The Federation Service functions as a security token service. The act of installing the Federation Service role service on a computer makes that computer a federation server. It also makes the Active Directory Federation Services snap-in available on the <maml:ui>Administrative Tools</maml:ui> menu on that computer. For more information about the AD FS snap-in, see <maml:navigationLink><maml:linkText>Using the Active Directory Federation Services Snap-In</maml:linkText><maml:uri href="mshelp://windows/?id=3ce10c79-86e8-4afd-97ee-0425d605c0cb"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>The Federation Service is designed to use Active Directory Domain Services (AD DS) to provide tokens in response to requests for security tokens. This enables Active Directory domains and forests to function as:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Identity providers that can federate with compliant account partners and resource partners. As an identity provider, the Federation Service can project Active Directory identities across the Internet to interact with applications at compliant service providers.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Service providers that can federate with compliant account partners and resource partners. As a service provider, the Federation Service can allow identities from other organizations to access a partner's Windows-based and ASP.NET-based applications.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Security token providers for applications that are compliant with the WS-Federation Passive Requestor Profile (WS-F PRP) specification.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>As an account partner, the Federation Service allows users to access resources at partner organizations. In response to a request from a resource partner, the Federation Service collects and verifies user credentials against AD DS or an instance of Active Directory Lightweight Directory Services (AD LDS). The Federation Service can populate a set of organization claims that are based on the Lightweight Directory Access Protocol (LDAP) attributes of the user account. The organization claims are then mapped to appropriate claims for the resource partner and packaged into a security token that is signed by the Federation Service’s token-signing certificate. The resultant security token is posted as the response to the resource partner’s original request. The resource partner then uses the token to allow access for the user.</maml:para>

<maml:para>As a resource partner, the Federation Service plays the opposite role. When a user attempts to access an AD FS-protected application, the Federation Service determines which account partner should authenticate the user. It then sends an authentication request to that partner. When the user returns with a security token, the Federation Service verifies that the token has been correctly signed by the partner. It then extracts the claims from the token. The claims are mapped to organization claims, and the filtering policy for the specific application is applied. The filtered organization claims are packaged into a security token that is either signed by the Federation Service’s token-signing certificate or protected by a Kerberos session key for the Web application. The resultant security token is posted back to the original application Uniform Resource Locator (URL). The application then uses the token to allow access for the user.</maml:para>

<maml:para>AD FS uses the WS-F PRP protocol to carry claims in security tokens that are issued by the Federation Service to the Web application. For more information about the WS-F PRP specification, see <maml:navigationLink><maml:linkText>Resources for AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=7458dc18-13f7-495c-b571-33f6b37448cb"></maml:uri></maml:navigationLink>. </maml:para>

<maml:para>These claims are populated initially from account stores, either AD DS or AD LDS account stores. The Federation Service issues tokens based on the credentials that are presented. After the account store verifies a user's credentials, the claims for the user are generated according to the rules of the trust policy. The Federation Service maps the inbound claims into outbound claims that are appropriate for a resource partner. The resulting claim mappings are added to a security token that is issued to the resource partner. For more information about claims, see <maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>After the Federation Service verifies the token, an authentication cookie is issued and written to the client browser. Each time that the client must be authenticated, the Federation Service uses this cookie so that the client does not have to enter credentials again. This enables single sign-on (SSO). For more information about cookies, see <maml:navigationLink><maml:linkText>Understanding Cookies Used by AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=0357bdbc-219d-4ec1-a6d0-1a3376bc1eb5"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Federation Service Web pages</maml:title><maml:introduction>
<maml:para>The Federation Service provides a Web page that prompts the user to select an appropriate account partner to which the user can authenticate. The Federation Service also provides a Web page that prompts for the user’s credentials, such as a user name and password for forms-based authentication. A Web page is also provided that supports Windows Integrated authentication.</maml:para>

<maml:para>Behind the Web pages, the Federation Service provides a Microsoft ASP.NET Web service that processes requests from the client or the federation server proxy. The federation server proxy is located in the perimeter network. It acts as an intermediary between an Internet client and a Federation Service in the intranet. For more information about the role of the federation server proxy, see <maml:navigationLink><maml:linkText>Understanding the Federation Service Proxy Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=04072293-0c5f-4548-b4bd-5c3be9bfa44e"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>There are two basic types of requests to which the Federation Service responds:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Requests to issue security tokens</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Requests to retrieve trust policy data</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section><maml:section>
<maml:title>Account partner discovery</maml:title><maml:introduction>
<maml:para>Account partner discovery is the process by which users can identify what account partner they prefer for authentication in the event that more than a single account partner is configured. The federation server presents this choice to the client browser as a drop box containing the account partner names as they are configured in the trust policy.</maml:para>

<maml:para>One mechanism that you can use to avoid account partner discovery is to include the <maml:codeInline>whr</maml:codeInline> parameter in the query string for the resource being accessed, for example,</maml:para>

<maml:para><maml:codeInline>https://webserver/testapp/testpage.aspx?whr=urn:federation:&lt;accountpartner&gt;</maml:codeInline></maml:para>

<maml:para>where <maml:codeInline>&lt;accountpartner&gt;</maml:codeInline> indicates the account partner realm of the client.</maml:para>

<maml:para>When you use the <maml:codeInline>whr</maml:codeInline> parameter, the resource federation server removes the parameter and writes a cookie to the client browser to remember this setting for future requests. Then, the request proceeds in the same way as if the parameter had not been provided. </maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual>GIF89ap,048<<@@@@DDHDD0@HHLPL LP(P$Ua,Ue$Y0Y(](]e,]m0]8]q,a0a0ai8a<ay4e@eq@i8m8m<mHm<q y@uPqPu0YyY}Y}L]}Paae0i4Uem,iq8 q4Hu8]my(qyH(y4uyƁU0ҁ4aeځ$uօ$8ޅ i}΁@am⾍uڍ(@ qHimPuuY}aցiڅڅmuމyލުޅ	H*\ȰÇ#JHŋ3jȱǏ CIɋ\ɲ)ULy0fL4))ϟ,oIpgC]4$͝6F噳L*T:UY>֦h&+Q<^ ְr5.Xyv[pV*X.Yw;.`˜[1dˉJ}8/WG_V˿UW&iqmeW:lq_&>ygسkνËOH=P˟Աgd+4%}ZM[O(]Ƞ˙GT͆	&g6`[&RA
3SH"}}}ؙl	5R*#;"e0LB`ϐ\b̕6Hi,L:tk8@y杳<iybG.xL9ܲFB*K<";Ȝ 0hzM;l*e jI`6β:먷+O3x.2
;lV<jҖK+֦:XTx#1K6
Ё1lC&,*6|n#`>=ě)4,00<,Ԛ:<@-DSL܃3K
AAXg\w`-T:hzglG!G=-TOD|7!|MF2SM~Wn=	=ؔ9Kxܐ+xgo%`*<31`XsOuGD9'1`7>/pF/o|ʇ/̏78a3CǏo14"Ru#H*&࿄MnsHA%p `Iૠ1O'ӠPy
)g+	<N6Ёt!%uƈIi;	!VpG.pC&B@`Xh+EJ&QJ)Ǵ5cI1?K<,yAń8b,r/ql3Kj@d†`$QA=1$ARKr56SJX¤&
e-͘[X)+_Db	Xz,2;L'%`Pkv fsG<c#\
 [g:g>%@`P50@
BjP@B*jYF9jJB(NRD%ҚJd8]&MGL\RaT<5rCJQI|ČOE^Vy9űsʡ?QfSZAέB*"pf咺	6JjY]jRS2骅EladXְk%c%{'FV,e;ӞzM^jL:le:ukW¶gVk[nJv!m7E+\n)xT6S{UZmuZʞ	YxZ*T\>uov}fWu-|eYDIBpŋHZ`:o~'_oVSv'X
mpn%{YvlzSqBx|9Ax3Y!rxP(J%Ӱ!*+ZHV!=5AS79F$E8q!KogctarIBX7}`#+=iUZ"T~0rnS>p`Zҥfg;2/Tb-6uyj8B$;1p[VNHl5!H(@6+]\ʶnyqAaqN nefACD
ʥ8528},v:T܁}$KmAz@C;UB8Ϲw@B\k܁>\27h5XXϺַ{]5r1r%a>FAo4ȦZDձ_:{qmxwнr_{wi+!9MȻҥsށsG:a~arrB>q@",o&CU'7;_
0Aχn#DCkLsF	dh	UuW,daKw{
Cvg!~w&'H wiyxb}qrxS@@.0$X&x(*,؂.	0Ph!
Ht
hxw9hGgwwz}pNPR8TXVxQx6PR;؃ugt{z7	
 |w&Z(SR҅_xgw
@
H
pmh&D3BA	W}<'Jw8p(R|uu
`8XÉm78^I<88ޠ\rm3[Šg^?ɨ˸H5 gH،b9H{33q\v|(;8QdpYG稌8XG4GDf>ɍ	IrHHz$R^AVEt~phѐ !I"
e^|ՒWCX19(p#P%I\D[Z;0)MA
	X0}	<y vJ\Ւ1Y"k	svpY
fF"1#^Fu	NiuVL 1u`iX9#By	Gtg;(Offx9)wh&ə$A	=T}SY+
ji*)%yda9>i-|y^P	p|X"87P<tyAse430r2F$)yɅdE*9
ʠ&eA\xٚGjJ :*eLy#5\$z	)ʡߡ=J#;
"d#0*)yaQHåiAXejD:cZ'd(>\d%wVat*qxz&z]0_ubs+v1j&z_(va%_ŧyӨR6U$&_ʨma:Xb
aWu>ڪJ_z:ZS*y"YԫÊxR:>:7/zӚQߊP7n"Rzc.a?]z[Օ60d[a8LZAJŰjEz_3:#FqfFՂp²aV&BɃcEƳ)s-k󃱐%b'E:;F=Hb6ū;3Y*VCB7\b:;V}sVZnqاXUbjbb}	yNxZZ6Z:7h{sO}l@#¸j;C뒈7˹uéY:zۻB`;+{_һ{eK5z(*OK+v`v図LRel#ԾԙJƪ*]˯)vYk3a:jX{(7fHu;ŰlKhk&,_+Jl2ba6].<cŴT:,xkZK&r~ֻXܰVz|0d\f|hjefđ7It\v|xz|lI/|aPȆ|ȈȊȌȇEzCȎ\ɖ|ɋȎ:ȘɠȚ̽`7Ȃ@ʬʮʰ˫_P˶|blZʽrʊL	<\|Ȝ<J 
,ɦd	\lPͽ,||JɌ<͍<
˼P<ϚP,,W |[=*|㌷<ъ<m
}ы=ج]ь*Mћɛj!пL,
.)"]7&	 
A9mE(=}?6ּ*H=TC(+]]_;|S
m]֘lմvb\gLo]Q
ן,؛֮"j&_׶׀-g}M*dGqs'zRBcmَЄx"MШ֠
ʂ-£=0ϴYثȭt`Hwٹmɻů
7=܎\ٰܾm9_\ֽ,a7}&{p=]-MŃyݠ+=p<xm-P-hߤm8`v ~>.$^&~$	,.02>/v7^29>/@?XCNђIzD^:Wae\7!QIQV9On`]yţQf&Jz\[~DFs)Kp.A.UF}Y蓙{!~^j.FY.& 0N"삀].2ưf.`V^je2{gRyrnOJSfh0(H0N`f-s'#W *iDERDL$h.'x j2o5*$wi)Ey	n&]0v*-.G].Z^p(t3$$_^!:1'
&0.4S6V]U9<:k0"@Ų/#s;@`o+\Ҁ*c!#/i_RӀu0BZ^Op%B4KjAt?@mg
:"/d@З&=cAssP
4kslp{dF=rl
*-Qp:70C:A42Ooc"=`pd6	QPJO@
DPB
>,-^`F=~#
b``@";C*uN1SNQPEe(QdEK>
Х\iZ]{6OH͞ERMtj*`qWby
V`h.uWs5A׮}fΝ踎2˘z{3h	v'ҽN'Sl$t|_(=X'n\W֭A,w^C;QBpwwRS&ϼ2[@j#>1r鎀G?8ʻex@L#{0EAa:&*
WkT"
Fq/z/>鞀qźzA"42$/L:HJ5eҢ2.x'#6'͌25͊ޓ/NCg1r99%}(f>]PK;"<P<,D!&Ha
*2h	8;=4tqPp5`%Zu^
E`Nlx"i(b%oEWqe7iӅ7k;`z9s+]=t~Mh8
F`+8`-3ފ	x`c7. ߉fc6Yf=9߅u9gyv*[qfaFZm9d8h&]g:i	j-k{)צߑ8e>Ze8lK^]]PqW#pݵy7;
?M?}UWGMvo=ww@`9uة
4@>ygy矇>+	/7{?|'|᠞Vx͇?~Gzu~/~7QD`@6N$8A
ZB_(>E!aE8BЄ'!pjS7C+tZ/5n
0{~X>6щ(DC,1E*V؜~oツ8F2
WCոF)B1Z"h$aX!fqQwGq_G@j#GHDRoad#9#Qҋ$"/8Md!'	PqBc)yxY҇e++JR-<9H\겆/i%Z4%qHe.36f'M!s)fZMmrS	8iyh@4	Dt$--;1Aa=AN| A?HNOgA	c{G*QPTvdEɗюl:G4qTH1:MLFLG`X{LgFޔqET
45sꑤZdMu*Q*UT":V'P[udW7Mok\:WugEk>ں4jG
,GE^E9eOb1؁Uf/Yd;ʐ&5ǰHK7
n1SҮZv-mBB|
pqn}[.w)͝pɆݼnH2	s㎛\u&{q*Qֻȕ/b7q/_YW%/c+Z_
_pJz˵6٥⺛-ĝ5ћEX/.mULc٘8vnv7y26zaGFk1L
ESN{e,[k0S~e?~aSd@y\&sY9Psf9쑐)szO+j9W&oiVEy3bg>NYٌgHkt˴Ӟ;dLӎ=uCm>9c\I)۴׻kYΝ,Mbw2lhWMu9}Q[۰Am7Gu.Q#!շn>mOzכ®Xu>,p|$tsnN	os'>o.X8
-_A\h-fk9{Y7\嬳_.|<7~}@яn'WKHOtSDzկ.ѬC}ҿϰW*1GAh7k9J7sׁ;{vRckC,?[MEj:c3o޸&WXg,lrk1
>[O#=G8	]ӓڸxQWn}mڳ~ރ&Nŋ/ܒg|2[ysÉ9\-}(*@$7󅒊?	 ۹y]{Va|sT	#pЅmȇ.sAp!dctxrh_$ؑ@+y(!ix`]|_8%&87
cdkAH.9:;
\YoX6̉7BYm+oFq0Bp<0D@8	FtD>I\S8{L6Odœ*SJ?<ŮUԅ`(Wl
YBZlD[|Dp~D#^
"؄~)cTDdyxhBsBjcmYZ,5z{=P
PlYЅr؇Sv7|cd,$iBx|xp@HPHwLDYĉFS3ІS0;銐4n,iP: <TF
po8{ċ>P,Ɔ@FJSʑ#Jn	hh+#8u8c{`˹˺˻˼˽K`L<e䈡t`q(a$G1"`XCZJ|0@
$CX6J ȁxXŘz6xvwDDP{5PdtN5hNĀLMoͳ2XKw@H#8h,J|ȟ4IT,O8PMM"\GoʖIO=5l0PS`Кtжʃ`?ʈ%%
сP
0фLQǹP-6G=\H$A:4!1RDQ\(4y+],
x.0mR(A R*aS+/xn.&'-ӢԅԄTIݰ?@](,h@)XЏTULW9-=R@Quj(կ1Չ68\
-ZT[h\RдDMU6XRmfHWZ]WZvHJWWxq)Vl
zPF݉R?rEKwTz׊X=W{IXXJUX$ho͉p?PVuWW؈YxYu|ŶYRX H;qR]GƙmXYڛٍUןXYk\@5MH<zZrZZج[ڎZY]FT^MZ0L|
l?0WYzwmWuY%Z\vձٲ$DžRP(ׄ];ҍ
~PՕ[$8%7]<:e]}?k!g
7=楳TZaYH\Eם
ۜܵ@$5EUe-_^^vڌۼ=g[˽_Wy^XZVϵKڠ\_ߞW_```Ua`Hڮۏ-aK[I%
T~`V6`"F~b\(b&+,-bؘbΡ`
c1&2&ܟec)\6cpiU
6`	a]a@ޝ<9a\ۍaAcE^CddNFW d55d)dVI
d#Z^MV`[WdMe_R!!>WcI^e%:c8eN4<f	h^ie=_9drV`∡fcep&fax^dkuew>wvgڼ*_fy6f[ofNeg~gi^iFevhna-f4&6FV键h=^it藆DiFd>iki.m&jk~hbx&h8Vfx6jk
;<maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Understanding Claims</maml:title><maml:introduction>
<maml:para>Claims are statements (for example, name, identity, key, group, privilege, or capability) made about users—and understood by both partners in an Active Directory Federation Services (AD FS) federation—that are used for authorization purposes in an application.</maml:para>

<maml:para>The AD FS Federation Service brokers trust between many disparate entities. It is designed to allow the trusted exchange of claims that contain arbitrary values. The receiving party (for example, a resource partner) then uses these claims to make authorization decisions. </maml:para>

<maml:para>There are three ways that claims flow through the Federation Service: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>From the account store to the account Federation Service to the resource partner</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>From the account partner to the resource Federation Service to the resource application</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>From the account store to the Federation Service to the resource application</maml:para>
</maml:listItem>
</maml:list>

<maml:para>The Federation Service can be configured to act in all three of these roles. Therefore, one single Federation Service may facilitate all three communication flows. </maml:para>

<maml:para>There are three types of claims that are supported by the Federation Service: identity claims, group claims, and custom claims. The following table describes each of these claim types in more detail.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Claim type</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Description</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Identity</maml:para>
</maml:entry>
<maml:entry>
<maml:para>UPN, e-mail, and common name are referred to in AD FS as identity claim types:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>UPN: indicates a Kerberos-style user principal name (UPN), for example: user@realm. Only one claim may be the UPN type. Even if multiple UPN values must be communicated, only one may be of the UPN type. Additional UPNs may be configured as custom claim types.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>E-mail: indicates Request for Comments (RFC) 2822–style e-mail names of the form user@domain. Only one claim may be the e-mail type. Even if multiple e-mail values must be communicated, only one may be of e-mail type. Additional e-mails may be configured as custom claim types.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Common name: indicates an arbitrary string that is used for personalization. Examples include John Smith or Tailspin Toys Employee. Only one claim may have the common name type. It is important to note that there is no mechanism for guaranteeing the uniqueness of the common name claim. Therefore, use caution when you use this claim type for authorization decisions.</maml:para>
</maml:listItem>
</maml:list>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Group</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Indicates membership in a group or role. Administrators define individual claims of the group type, which are referred to as group claims. For example, you might define the following set of group claims: [Developer, Tester, Program Manager]. Each group claim is a separate unit of administration for claim population and mapping. It is useful to think of the value of a group claim as a Boolean value indicating membership.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Custom</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Indicates a claim that contains custom information about a user, for example, an employee ID number. </maml:para>
</maml:entry></maml:row>
</maml:table>

<maml:para>If more than one of the three identity claim types is present in a token, the identity claims are prioritized in the following order:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>UPN</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>E-mail</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Common name</maml:para>
</maml:listItem>
</maml:list>

<maml:para>At least one of these identity claim types must be present for a token to be issued.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Claim mapping</maml:title><maml:introduction>
<maml:para>AD FS uses the WS-Federation Passive Requestor Profile (WS-F PRP), which carries claims in security tokens that are issued by the Federation Service. The claims are populated initially from account stores, either Active Directory Domain Services (AD DS) account stores or Active Directory Lightweight Directory Services (AD LDS) account stores. </maml:para>

<maml:para>The Federation Service can map claims when they go out to a federation partner or when they come in from a federation partner. Claim mapping is the act of mapping, removing or filtering, or passing incoming claims into outgoing claims. Claim mapping may be different for each federation partner. Defining the population and mapping of these claims is important for the configuration of the federation. Claim mappings use string comparisons that are case sensitive. The following illustration shows the claim mapping process. </maml:para>

<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=916d5d6b-dfac-4cc1-bffb-1870e5280ef4" mimeType="image/gif"><maml:summary>The claim mapping process</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Organization claim sets</maml:title><maml:introduction>
<maml:para>All incoming claims are mapped into organization claims. Organization claims are claims in intermediate or normalized form within an organization's namespace. All internal Federation Service actions are performed on the organization claim set. Organization claims are consumed by resource applications.</maml:para>

<maml:para>With organization claims, mappings do not have to be administered individually between any two organizations that need to communicate. Each organization defines a single mapping either to or from its organization claims. This reduces the administrative complexity of AD FS. For example, if the federation has</maml:para>

<maml:para><maml:foreignPhrase>x</maml:foreignPhrase> account partners</maml:para>

<maml:para><maml:foreignPhrase>y</maml:foreignPhrase> resource applications</maml:para>

<maml:para>the federation has <maml:foreignPhrase>x</maml:foreignPhrase> + <maml:foreignPhrase>y</maml:foreignPhrase> claim mappings. </maml:para>

<maml:para>This is reduced from a potential <maml:foreignPhrase>x</maml:foreignPhrase> × <maml:foreignPhrase>y</maml:foreignPhrase> claim mappings. As a concrete example, if a Federation Service has:</maml:para>

<maml:para>3 account partners</maml:para>

<maml:para>7 resource applications</maml:para>

<maml:para>the federation needs only 10 claim mappings (3 + 7), as compared to a potential 21 claim mappings (3 × 7) when mapping occurs directly from the incoming claims to the outgoing claims.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>E-mail</maml:title><maml:introduction>
<maml:para>E-mail claim types always map to e-mail claim types. As part of this mapping, on the account Federation Service, the domain suffix may be mapped to a constant value. Mapping the domain suffix to a constant value protects a partner organization from inadvertently providing information about their internal forest structure to another organization. In the resource Federation Service, the domain suffix may be filtered against a list of constant values. </maml:para>

<maml:para>The following example describes an AD FS federation between two organizations, Tailspin Toys and Adventure Works. In this example, Tailspin Toys is the account partner, and Adventure Works is the resource partner.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Tailspin Toys, acting as an account Federation Service, maps the e-mail organization claim to the outgoing e-mail claim for Adventure Works. As part of that mapping, it maps all e-mail suffixes to tailspintoys.com. Given the organization e-mail claim (e-mail=jsmith@sales.tailspintoys.com), the outgoing e-mail claim is (e-mail=jsmith@tailspintoys.com).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Adventure Works, acting as a resource Federation Service, maps the incoming Tailspin Toys e-mail claim to the e-mail organization claim, and, as part of that mapping, it filters the suffix list against tailspintoys.com. Therefore, an incoming Tailspin Toys e-mail claim (e-mail=jsmith@tailspintoys.com) is accepted, but an incoming Tailspin Toys e-mail claim (e-mail=jsmith@adventure-works.com) is rejected.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>UPN</maml:title><maml:introduction>
<maml:para>UPN claim types always map to UPN claim types. They are subject to suffix mappings and filtering in the same way that e-mail claims are. However, because AD DS allows UPNs without the @ symbol, the account Federation Service attaches the @ symbol, followed by the suffix if there is a UPN suffix mapping defined. Otherwise, if any suffix is passed through, the Federation Service passes the UPN as is, without the @ symbol. On the resource side, if any UPN suffix is allowed, the UPN without the @ symbol is accepted. Otherwise, if a specific UPN suffix is allowed, the UPN without the @ symbol is rejected.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Common name</maml:title><maml:introduction>
<maml:para>Common name claim types always map to common name claim types. They are subject to no additional rules.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Custom</maml:title><maml:introduction>
<maml:para>Custom claim types always map to other custom claim types. For example, given an incoming claim set of (UPN, Custom=[EmployeeNumber, TaxPayerID]) and an organization claim set of (UPN, Custom=[Employee, SSN]), you can create mappings from EmployeeNumber to Employee and from TaxPayerID to SSN. </maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Group</maml:title><maml:introduction>
<maml:para>Group claim types always map to other group claim types. For example, given an incoming claim set of (UPN, Group=[One, Two, Three]) and an organization claim set of (UPN, Group=[X,Y,Z]), you can create mappings from One to Y, from Two to X, and from Three to Z.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Group-to-UPN mapping</maml:title><maml:introduction>
<maml:para>In addition to the standard mappings described in the previous sections, you may also use a special group-to-UPN claim mapping. The group-to-UPN claim mapping is supported only on the resource Federation Service when claims are incoming from an account partner. In this case, UPN claim types do not map to UPN claim types. Instead, you provide an ordered list of group-to-UPN claim mappings.</maml:para>

<maml:para>For example, the group-to-UPN list might be:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Dev to developers@internal.tailspintoys.com</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Test to testers@internal.tailspintoys.com</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>PM to progmgrs@internal.tailspintoys.com</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Given an incoming claim set of (Common name=John Smith, Group=[Dev]), the organization claim set contains (Common name=John Smith, UPN=developers@internal.tailspintoys.com). Remember that the list is ordered. Therefore, a claim set of (Common name=John Smith, Group=[Dev,PM]) results in (Common name=John Smith, UPN=developers@internal.tailspintoys.com). Also, if the incoming claim has a UPN, the UPN is overwritten. This special mapping rule specifically supports group-based resource accounts that access legacy resources. The order of the group-to-UPN mappings is specified in the trust policy for the Federation Service.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section><maml:section>
<maml:title>Auditing claims</maml:title><maml:introduction>
<maml:para>Some group claims and custom claims may be designated as auditable. When auditing is enabled, the audit allows the name of the claim to be exposed in the security event log, but the value of the claim is omitted. An example of an auditable claim is Social Security Number. The claim name Social Security Number is exposed, but the actual number value that is stored in that claim is not exposed. The claim value is not audited when the claim is produced or mapped.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Identity claim types are always auditable.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>Overview of AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=f270ef7c-350f-44fe-87cc-3088c9d87971"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Add an AD LDS Account Store</maml:title><maml:introduction>
<maml:para>Active Directory Lightweight Directory Services (AD LDS) provides data storage and retrieval for directory-enabled applications, without the dependencies that Active Directory Domain Services (AD DS) requires. AD LDS provides much of the same functionality as AD DS, but it does not require the deployment of domains or domain controllers. Similar to the way in which Active Directory Federation Services (AD FS) uses AD DS account store information, AD FS also retrieves user attributes from AD LDS and authenticates users against AD LDS if you configure AD FS to use AD LDS as the account store.</maml:para>

<maml:para>Membership in the local <maml:phrase>Administrators</maml:phrase> group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=83477</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=83477"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>You can use the following procedure to add an AD LDS account store to your AD FS configuration.</maml:para>

<maml:procedure><maml:title>To add an AD LDS account store </maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Active Directory Federation Services</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Federation Service</maml:ui>, <maml:ui>Trust Policy</maml:ui>, and <maml:ui>My Organization</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click <maml:ui>Account Stores</maml:ui>, point to <maml:ui>New</maml:ui>, and then click <maml:ui>Account Store</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Welcome to the Add Account Store Wizard</maml:ui> page, click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Account Store Type</maml:ui> page, click <maml:ui>Active Directory Lightweight Directory Services (AD LDS)</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>AD LDS Store Details</maml:ui> page, do the following, and then click <maml:ui>Next</maml:ui>: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>In <maml:ui>Account store display name</maml:ui>, type the friendly name of the account store.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Account store URI</maml:ui>, type the Uniform Resource Identifier (URI) for the AD LDS account store.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>AD LDS Server Settings</maml:ui> page, do the following, and then click <maml:ui>Next</maml:ui>: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>In <maml:ui>AD LDS server name or IP address</maml:ui>, type the name or IP address of the AD LDS server.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Port number</maml:ui>, type the TCP/IP port number for the account service.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>LDAP search base distinguished name</maml:ui>, type the distinguished name, for example, DC=adatum,DC=com.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>User name LDAP attribute</maml:ui>, type the name of the user name attribute, for example, <maml:phrase>userPrincipalName</maml:phrase>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Identity Claims</maml:ui> page, select one or more identity claims that will be provided by the account store, and then click <maml:ui>Next</maml:ui>: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If the account store provides UPN identity claims, select the <maml:ui>User Principal Name (UPN)</maml:ui> check box, and then type the Lightweight Directory Access Protocol (LDAP) attribute name.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the account store provides e-mail identity claims, select the <maml:ui>E-mail</maml:ui> check box, and then type the LDAP attribute name.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the account store provides common name identity claims, select the <maml:ui>Common name</maml:ui> check box, and then type the LDAP attribute name.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you do not want to enable this account store now, on the <maml:ui>Enable this Account Store</maml:ui> page, clear the <maml:ui>Enable this account store</maml:ui> check box, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To add the new account store and close the wizard, click <maml:ui>Finish</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>AD FS cannot authenticate AD LDS accounts that have parentheses in the account name. An open parenthesis in the user name causes the LDAP search to fail, because the user name becomes part of the LDAP search filter and the parenthesis makes that filter invalid.</maml:para>
</maml:alertSet>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Account Stores</maml:linkText><maml:uri href="mshelp://windows/?id=bd1c92bf-f72a-4444-8c67-ad00a3ab4dde"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Understanding Certificates Used by AD FS</maml:title><maml:introduction>
<maml:para>In any Active Directory Federation Services (AD FS) design, various certificates must be used to secure communication and facilitate user authentication and authorization requests that are made to federation servers, federation server proxies, and AD FS-enabled Web servers.</maml:para>

<maml:para>For general information about certificates, see Public Key Infrastructure for Windows Server 2003 (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=19936</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=19936"></maml:uri></maml:navigationLink>).</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Certificates used by federation servers</maml:title><maml:introduction>
<maml:para>Each federation server is required to have a server authentication certificate and a token-signing certificate before it can participate in AD FS communications. The trust policy requires an associated certificate, known as a verification certificate, which is the public key portion of the token-signing certificate.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Server authentication certificates</maml:title><maml:introduction>
<maml:para>The federation server uses Secure Sockets Layer (SSL) server authentication certificates to secure Web services traffic for communication with Web clients or the federation server proxy. These certificates are requested and installed through the Internet Information Services (IIS) snap-in.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Token-signing certificates</maml:title><maml:introduction>
<maml:para>Each federation server uses a token-signing certificate to digitally sign all security tokens that it produces. Because each security token is digitally signed by the account partner, the resource partner can verify that the security token was in fact issued by the account partner and that it was not modified. This helps prevent attackers from forging or modifying security tokens to gain unauthorized access to resources.</maml:para>

<maml:para>Digital signatures on security tokens are also used in the account partner when there is more than one federation server. In this situation, the digital signatures verify the origin and integrity of security tokens that are issued by other federation servers in the account partner. The digital signatures are verified with verification certificates.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Each token-signing certificate contains a private key that is associated with the certificate. </maml:para>
</maml:alertSet>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Verification certificates</maml:title><maml:introduction>
<maml:para>Verification certificates are used to verify that a security token was issued by a valid federation server and that it was not modified. A verification certificate is the public key portion of another federation server's token-signing certificate.</maml:para>

<maml:para>To verify that a security token was issued by a given federation server and not modified, the receiving federation server must have a verification certificate for the federation server that issued the security token. For example, if federation server A issues a security token and sends the security token to federation server B, federation server B must have a verification certificate for federation server A (the public key portion of federation server A's token-signing certificate).</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Unlike a token-signing certificate, a verification certificate does not contain the private key that is associated with the certificate.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section>
<maml:title>Certificates used by federation server proxies</maml:title><maml:introduction>
<maml:para>Servers that are running the Federation Service Proxy role service are required to use a client authentication certificate and a server authentication certificate.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Client authentication certificates</maml:title><maml:introduction>
<maml:para>Each federation server proxy uses an SSL client authentication certificate to authenticate to the Federation Service. Any certificate with client authentication extended key usage (EKU) can be used as a federation server proxy client authentication certificate. A copy of the federation server proxy client authentication certificate is stored both on the federation server proxy and in the trust policy of the federation server. However, only the federation server proxy stores the private key that is associated with the federation server proxy client authentication certificate. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The Trust Policy user interface (UI) in the Active Directory Federation Services snap-in refers to client authentication certificates as Federation Service Proxy (FSP) certificates.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Server authentication certificates</maml:title><maml:introduction>
<maml:para>The federation server proxy uses SSL server authentication certificates to secure Web services traffic for communication with Web clients. These certificates are requested and installed through the Internet Information Services (IIS) Manager snap-in.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section>
<maml:title>Certificates used by AD FS-enabled Web servers</maml:title><maml:introduction>
<maml:para>Each AD FS-enabled Web server that hosts an AD FS Web Agent uses SSL server authentication certificates to securely communicate with Web clients. These certificates are requested and installed through the Internet Information Services (IIS) Manager snap-in.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>UPN Claim Filtering - General</maml:title><maml:introduction>
<maml:para><maml:ui>Enabled</maml:ui>—Specifies whether this user principal name (UPN) claim is enabled. Select the check box to enable the UPN name claim. Clear the check box to disable the UPN name claim.</maml:para>

<maml:para><maml:ui>Claim name</maml:ui>—The friendly name of this claim. </maml:para>

<maml:para><maml:ui>Claim type</maml:ui>—E-mail, UPN, and common name are referred to as identity claim types. If more than one of these claim types is present in a token, the identity claims are populated in the following order:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>UPN</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>E-mail</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Common name</maml:para>
</maml:listItem>
</maml:list>

<maml:para><maml:ui>Limit auditing</maml:ui>—Specifies whether the claim value is audited or shared when the claim is produced or mapped. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Federation Service - General</maml:title><maml:introduction>
<maml:para><maml:ui>Trust policy file</maml:ui>—Provides a space for you to type or browse to the path of the trust policy file for this Federation Service.</maml:para>

<maml:para><maml:ui>View</maml:ui>—Click to view information about the token-signing certificate that is used with this Federation Service.</maml:para>

<maml:para><maml:ui>Select</maml:ui>—Click to select the token-signing certificate that you want to use with this Federation Service.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Outgoing Common Name Claim Mapping - General</maml:title><maml:introduction>
<maml:para><maml:ui>Enabled</maml:ui>—Specifies whether the outgoing common name claim is enabled. Select the check box to enable the claim. Clear the check box to disable the claim.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Understanding AD FS Terminology</maml:title><maml:introduction>
<maml:para>Active Directory Federation Services (AD FS) uses terminology from several different technologies, including certificate services, Internet Information Services (IIS), Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS), and Web Services (WS-*). The following table describes these terms.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Term</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Description</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>account federation server</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The federation server that is located in the corporate network of the account partner organization. The account federation server issues security tokens to users based on user authentication. The server authenticates a user, pulls the relevant attributes and group membership information out of the account store, and generates and signs a security token to return to the user—either to be used in its own organization or to be sent to a partner organization.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>account federation server proxy</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The federation server proxy that is located in the perimeter network of the account partner organization. The account federation server proxy collects authentication credentials from a client that logs on over the Internet (or from the perimeter network) and passes those credentials to the account federation server. </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>account partner</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A federation partner that is trusted by the Federation Service to provide security tokens to its users (that is, users in the account partner organization) so that they can access Web-based applications in the resource partner.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Active Directory Federation Services (AD FS)</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A component in Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2 that provides Web single-sign-on (SSO) technologies to authenticate a user to multiple Web applications over the life of a single online session. AD FS accomplishes this by securely sharing digital identity and entitlement rights across security and enterprise boundaries. AD FS supports the WS-Federation Passive Requestor Profile (WS-F PRP).</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>AD FS Web Agent</maml:para>
</maml:entry>
<maml:entry>
<maml:para>An installable role service of AD FS that is used to create an AD FS-enabled Web server. An AD FS Web Agent consumes incoming security tokens and authentication cookies that are signed by a valid federation server—to either allow or deny a user access to the protected application—while taking into consideration application-specific access control settings.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>AD FS-enabled Web server</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A Web server running Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2 that is configured with the appropriate AD FS Web Agent software—either the claims-aware agent or the Windows token–based agent—which is necessary for authenticating and authorizing federated access to locally hosted, Web-based applications.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>claim</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A statement that a server makes (for example, name, identity, key, group, privilege, or capability) about a client.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>claims-aware application</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A Microsoft ASP.NET application that performs authorization based on the claims that are present in an AD FS security token.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>claim mapping</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The act of mapping, removing or filtering, or passing claims between various claim sets.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>client account partner discovery Web page</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The Web page that interacts with the user to determine which account partner the user belongs to when AD FS cannot automatically determine which of the account partners should authenticate the user.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>client authentication certificate</maml:para>
</maml:entry>
<maml:entry>
<maml:para>In AD FS, a certificate that federation server proxies use to authenticate themselves, as clients, to the Federation Service. </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>client logoff Web page</maml:para>
</maml:entry>
<maml:entry>
<maml:para>When AD FS performs a logoff operation, a Web page that is started to provide visual feedback to the user that the logoff has occurred.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>client logon Web page</maml:para>
</maml:entry>
<maml:entry>
<maml:para>When AD FS collects client credentials, a Web page that is started to perform the user interaction. The client logon Web page may use any necessary business logic to determine the type of credentials to collect.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>federated application</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A Web-based application that is AD FS-enabled, which means that federated users can access it.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>federated user</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A user, whose account resides in an account partner organization, who can access federated applications that reside in a resource partner organization.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>federation</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A pair of realms or domains that have established a federation trust.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>federation server</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A computer running Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2 that has been configured to host the Federation Service component of AD FS. Federation servers can authenticate or route requests from user accounts in other organizations and from clients that can be located anywhere on the Internet.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>federation server proxy</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A computer running Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2 that has been configured to host the Federation Service Proxy component of AD FS. Federation server proxies provide intermediary proxy services between an Internet client and a federation server that is located behind a firewall on a corporate network.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Federation Service </maml:para>
</maml:entry>
<maml:entry>
<maml:para>An installable role service of AD FS that is used to create a federation server. When it is installed, the Federation Service provides tokens in response to requests for security tokens. Multiple federation servers can be configured to provide fault tolerance and load balancing for a single Federation Service.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Federation Service Proxy</maml:para>
</maml:entry>
<maml:entry>
<maml:para>An installable role service of AD FS that is used to create a federation server proxy. When it is installed, the Federation Service Proxy role service uses WS-F PRP protocols to collect user credential information from browser clients and Web applications and send the information to the Federation Service on their behalf.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>organization claims</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Claims in intermediate or normalized form within an organization's namespace.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>passive client</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A browser that is capable of broadly supported Hypertext Transfer Protocol (HTTP) and that can use cookies. AD FS in Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2 supports only passive clients, and it adheres to the WS-F PRP specification.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>resource account</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A single security principal—usually a user account—that is created in AD DS and used to map to a single federated user. A resource account is required when you federate Windows NT token–based applications because the Windows token–based agent must refer to an Active Directory security principal in the resource partner forest to build the Windows NT access token and thereby enforce access control permissions on the application.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>resource federation server</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The federation server in the resource partner organization. The resource federation server typically issues security tokens to users based on a security token that is issued by an account federation server. The server:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Receives the security token.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Verifies the signature.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Transforms the organizational claims based on its trust policy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Generates a new security token based on information in the incoming security token.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Signs the new token to return to the user and ultimately to the Web application.</maml:para>
</maml:listItem>
</maml:list>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>resource federation server proxy</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The federation server proxy that is located in the perimeter network of the resource partner organization. The resource federation server proxy performs account partner discovery for Internet clients, and it redirects incoming security tokens to the resource federation server.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>resource group</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A single security group, which is created in AD DS, that incoming group claims (AD FS group claims from the account partner) are mapped to. After federated users have been mapped to a resource group, AD FS-enabled Web servers can make authorization decisions to Windows NT token–based applications based on the access permissions that are assigned to the security identifier (SID) for the resource group.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>resource partner</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A federation partner that trusts the Federation Service to issue claims-based security tokens for Web-based applications (that is, applications in the resource partner organization) that users in the account partner can access.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>security token</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A cryptographically signed data unit that expresses one or more claims. In AD FS, a signed security token indicates that the federation server that issues the security token has successfully verified the authenticity of the federated user.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>security token service (STS)</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A Web service that issues security tokens. An STS makes assertions, based on evidence that it trusts, to whoever trusts it (or to specific recipients). To communicate trust, a service requires proof, such as a signature to prove knowledge of a security token or a set of security tokens. A service itself can generate tokens or it can rely on a separate STS to issue a security token with its own trust statement. This forms the basis of trust brokering. In AD FS, the Federation Service is an STS.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>server authentication certificate</maml:para>
</maml:entry>
<maml:entry>
<maml:para>AD FS-enabled Web servers, federation servers, and federation server proxies use server authentication certificates to secure Web services traffic for communication among themselves as well as with Web clients.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>server farm</maml:para>
</maml:entry>
<maml:entry>
<maml:para>In AD FS, a collection of load-balanced federation servers, federation server proxies, or Web servers that host the AD FS Web Agent.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>single sign-on (SSO)</maml:para>
</maml:entry>
<maml:entry>
<maml:para>An optimization of the authentication sequence to remove the burden of repeated logon actions by an end user. </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>token-signing certificate</maml:para>
</maml:entry>
<maml:entry>
<maml:para>An X.509 certificate whose associated public/private key pair is used by federation servers to digitally sign all security tokens that the federation servers produce.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Uniform Resource Identifier (URI)</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A compact string of characters that identifies an abstract resource or physical resource. URIs are explained in Request for Comments (RFC) 2396 (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=48289</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=48289"></maml:uri></maml:navigationLink>). In AD FS, URIs are used to uniquely identify partners and account stores.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>verification certificate</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A certificate that represents the public key portion of a token-signing certificate. A verification certificate is stored in the trust policy and used by the federation server in one organization to verify that incoming security tokens have been issued by valid federation servers in the organization's farm and in other organizations.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Web Services </maml:para>

<maml:para>(WS-*)</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The specifications for a Web Services Architecture that is based on industry standards such as Simple Object Access Protocol (SOAP); XML; Web Service Description Language (WSDL); and Universal Description, Discovery, and Integration (UDDI). WS-* provides a foundation for delivering complete, interoperable business solutions for the extended enterprise, including the ability to manage federated identity and security. </maml:para>

<maml:para>The Web services model is based on the idea that enterprise systems are written in different languages, with different programming models, which run on and are accessed from many different types of devices. Web services are a means of building distributed systems that can connect and interact with one another easily and efficiently across the Internet, regardless of what language they are written in or what platform they run on.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Web Services Security (WS-Security)</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A series of specifications that describes how to attach signature and encryption headers to SOAP messages. In addition, WS-Security describes how to attach security tokens, including binary security tokens, such as X.509 certificates and Kerberos tickets, to messages. In AD FS, WS-Security is used when Kerberos signs security tokens.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Windows NT token–based application</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A Windows application that relies on a Windows NT token to perform authorization of users.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>WS-Federation</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A specification that defines a model and a set of messages for brokering trust and the federation of identity and authentication information across different trust realms.</maml:para>

<maml:para>The WS-Federation specification identifies two sources of identity and authentication requests across trust realms: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Active requestors, such as SOAP-enabled applications</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Passive requestors, which are defined as HTTP browsers that can support broadly supported versions of HTTP, for example, HTTP 1.1</maml:para>
</maml:listItem>
</maml:list>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>WS-Federation Passive Requestor Profile (WS-F PRP)</maml:para>
</maml:entry>
<maml:entry>
<maml:para>An implementation of the WS-Federation specification that proposes a standard protocol for how passive clients (such as Web browsers) apply the federation framework. Within this protocol, Web service requestors are expected to accept the new security mechanisms and be capable of interacting with Web service providers.</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>Overview of AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=f270ef7c-350f-44fe-87cc-3088c9d87971"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Federation Service - Troubleshooting</maml:title><maml:introduction>
<maml:para><maml:ui>Error</maml:ui>—Specifies whether to record events for significant problems to the debug log. Running the <maml:computerOutputInline>dbmon</maml:computerOutputInline> command outputs the debug log to the command prompt.</maml:para>

<maml:para><maml:ui>Warning</maml:ui>—Specifies whether to record events that are not necessarily significant, but that may cause future problems, to the debug log.</maml:para>

<maml:para><maml:ui>Informational</maml:ui>—Specifies whether to record informational events, such as redirects with protocol Uniform Resource Locators (URLs), token validations, or claim mappings, to the debug log.</maml:para>

<maml:para><maml:ui>Verbose</maml:ui>—Specifies whether to record detailed information about events, such as sign-in requests, responses, token contents, Web method calls, and security identifier (SID) information to the debug log.</maml:para>

<maml:para><maml:ui>Audit success</maml:ui>—Specifies whether a security audit is recorded for every successful user authentication or trust policy change that is made to this Federation Service. All success records are logged to the debug log file that is identified in the <maml:ui>Log files directory</maml:ui> box. </maml:para>

<maml:para><maml:ui>Audit failure</maml:ui>—Specifies whether a security audit is recorded for every unsuccessful attempt to change the trust policy for this Federation Service. All audit failure records are logged to the debug log file that is identified in the <maml:ui>Log files directory</maml:ui> field.</maml:para>

<maml:para><maml:ui>Event log entries</maml:ui>—Specifies whether to record all Active Directory Federation Services (AD FS) events to the debug log.</maml:para>

<maml:para><maml:ui>Cookie</maml:ui>—Specifies whether to record cookies to the debug log.</maml:para>

<maml:para><maml:ui>Log files directory</maml:ui>—Provides a space for you to type or browse to the location of the log file that is used to view all information that is generated by the selections that you make on this page.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If you choose a directory that is different from the default directory, you must assign <maml:ui>Read</maml:ui>, <maml:ui>Write</maml:ui>, <maml:ui>Create files</maml:ui>, and <maml:ui>List folder</maml:ui> permissions to the identity of the ADFSAppPool that is defined in Internet Information Services (IIS) Manager (by default Network Service) so that the federation server or federation server proxy has the necessary permissions to write to the log files. Because the debug log can contain token contents, security identifier (SID) information, and cookies when the corresponding options on this page are selected, do not grant other accounts more access to this directory than they need.</maml:para>
</maml:alertSet>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Proxy Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=04072293-0c5f-4548-b4bd-5c3be9bfa44e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Troubleshooting AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=c754a0fe-faed-4c83-b650-27ddcfe119cb"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Incoming Common Name Claim Mapping - General</maml:title><maml:introduction>
<maml:para><maml:ui>Enabled</maml:ui>—Specifies whether the incoming common name claim is enabled. Select the check box to enable the incoming common name claim. Clear the check box to disable the incoming common name claim.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Resources for AD FS</maml:title><maml:introduction>
<maml:para>You can find detailed documentation about Active Directory Federation Services (AD FS), including documentation about how to evaluate, design, deploy, and manage AD FS, on the Active Directory Federation Services home page (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=91867</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91867"></maml:uri></maml:navigationLink>). </maml:para>

<maml:para>For more information about AD FS or for other AD FS-related information, see the following Web resources:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Automate Information Access with Identity Management </maml:para>

<maml:para>(<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=78692</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=78692"></maml:uri></maml:navigationLink>) </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Web Services Specifications (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=44191</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=44191"></maml:uri></maml:navigationLink>)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Web Services and Other Distributed Technologies (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=44189</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=44189"></maml:uri></maml:navigationLink>)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Web Services Protocol Workshops (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=44190</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=44190"></maml:uri></maml:navigationLink>)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Web Services Interoperability Organization (WS-I) (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=34328</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=34328"></maml:uri></maml:navigationLink>)</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Choosing a Client Authentication Certificate</maml:title><maml:introduction>
<maml:para>Each federation server proxy uses a client authentication certificate to authenticate to the Federation Service. You can use any certificate with client authentication extended key usage (EKU) that chains to a trusted root certification authority (CA) on the federation server as a client authentication certificate for the federation server proxy. In addition, you must explicitly add the client authentication certificate to the trust policy. However, only the federation server proxy stores the private key that is associated with the federation server proxy client authentication certificate. You can install a client authentication certificate by connecting to an enterprise CA or by creating a self-signed certificate.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>Do not use a certificate that was issued by your enterprise CA for client authentication of an Active Directory user (especially a domain administrator) because the private key is stored on the federation server proxy. Storing a private key on the federation server proxy allows an administrator of that server, or an attacker who successfully compromises it, to assume the identity that the certificate represents.</maml:para>
</maml:alertSet>

<maml:para>For general information about installing client authentication certificates when you use Microsoft Certificate Services as your enterprise CA, see Submit an advanced certificate request via the Web to a Windows Server 2003 CA (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?linkid=64020</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?linkid=64020"></maml:uri></maml:navigationLink>).</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Proxy Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=04072293-0c5f-4548-b4bd-5c3be9bfa44e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Certificates Used by AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=505507c2-db4a-45da-ad1b-082d5484b0c9"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Outgoing E-Mail Claim Mapping - General</maml:title><maml:introduction>
<maml:para><maml:ui>Enabled</maml:ui>—Specifies whether the outgoing e-mail claim is enabled. Select the check box to enable the claim. Clear the check box to disable the claim.</maml:para>

<maml:para><maml:ui>Send all domain suffixes</maml:ui>—Specifies that all domain suffixes of e-mails will pass through without any modifications.</maml:para>

<maml:para><maml:ui>Replace all domain suffixes with</maml:ui>—Specifies that all domain suffixes of e-mails will be replaced, and provides a space for you to type the replacement domain suffix.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Understanding AD FS Role Services</maml:title><maml:introduction>
<maml:para>Active Directory Federation Services (AD FS) can operate only when the servers running Windows Server 2008 or Windows Server 2008 R2 are configured with the appropriate AD FS role services. AD FS role services are individual AD FS components that you install on servers running Windows Server 2008 or Windows Server 2008 R2. You can install the following AD FS role services with the Add Role Services Wizard:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Federation Service</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Federation Service Proxy</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Claims-aware agent</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Windows token-based agent</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Depending on the environment in your organization, specific AD FS server roles must be deployed. The following sections describe the server roles that are associated with each of the AD FS role services that you can use to provide an AD FS federated identity management solution.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Federation servers</maml:title><maml:introduction>
<maml:para>Federation servers host the Federation Service role service of AD FS. These servers route authentication requests from user accounts in other organizations (in Federated Web Single-Sign-On (SSO) designs) or from clients that can be located anywhere on the Internet (in the Web SSO design). For more information about the different AD FS designs, see <maml:navigationLink><maml:linkText>Understanding Federation Designs</maml:linkText><maml:uri href="mshelp://windows/?id=1a17d8ac-4ac6-418c-845c-a4251376e1e9"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>Federation servers also host a security token service that issues tokens that are based on the credentials (for example, user name and password) that are presented to it. After the credentials are verified (by the user logging on), claims for the user are collected through examination of the attributes for the user that are stored in Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS). </maml:para>

<maml:para>For more information about federation servers, see <maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Federation server proxies</maml:title><maml:introduction>
<maml:para>Federation server proxies host the Federation Service Proxy role service of AD FS. You can deploy federation server proxies in your organization's perimeter network (also known as a demilitarized zone, extranet, or screened subnet) to forward requests to federation servers that are not accessible from the Internet.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Although you can deploy separate servers to host the Federation Service Proxy role service, it is not necessary to deploy a separate server to act as a federation server proxy in the intranet forest of either the account partner or the resource partner. A federation server performs this role automatically.</maml:para>
</maml:alertSet>

<maml:para>For more information about federation server proxies, see <maml:navigationLink><maml:linkText>Understanding the Federation Service Proxy Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=04072293-0c5f-4548-b4bd-5c3be9bfa44e"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>AD FS-enabled Web servers</maml:title><maml:introduction>
<maml:para>Web servers that host either the claims-aware or the Windows token-based AD FS Web Agent role service are referred to as AD FS-enabled Web servers. These servers provide secure access to the Web applications that are hosted on those Web servers. The AD FS Web Agent manages security tokens and authentication cookies that are sent to an AD FS-enabled Web server. An AD FS-enabled Web server requires a relationship with a Federation Service so that all authentication tokens come from that Federation Service. </maml:para>

<maml:para>For more information about AD FS-enabled Web servers, see <maml:navigationLink><maml:linkText>Understanding the AD FS Web Agent Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=bb89ffed-4b51-4ce0-99dd-92375eeb600f"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Application - Authentication Methods</maml:title><maml:introduction>
<maml:para><maml:ui>Any</maml:ui>—Specifies whether to accept all forms of authentication methods that are provided to this application.</maml:para>

<maml:para><maml:ui>Windows integrated authentication</maml:ui>—Specifies whether to accept Windows Integrated Authentication.</maml:para>

<maml:para><maml:ui>User name and password authentication</maml:ui>—Specifies whether to accept the user name and password for authentication. </maml:para>

<maml:para><maml:ui>Certificate or TLS/SSL client authentication</maml:ui>—Specifies whether to accept Secure Sockets Layer / Transport Layer Security (SSL/TLS) client authentication.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Application Types for AD FS Federation</maml:linkText><maml:uri href="mshelp://windows/?id=fc406ace-9397-4271-baa1-888383a12c63"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Incoming UPN Claim Mapping - Groups</maml:title><maml:introduction>
<maml:para><maml:ui>From incoming group</maml:ui>—Provides a space for you to type the name of an incoming group to map to a single user principal name (UPN) value.</maml:para>

<maml:para><maml:ui>To user UPN</maml:ui>—Provides a space for you to type the name of a single UPN value.</maml:para>

<maml:para><maml:ui>... </maml:ui>button—Click to find a new group to map to a UPN. </maml:para>

<maml:para><maml:ui>Add</maml:ui>—Click to add a new group to map to a UPN.</maml:para>

<maml:para><maml:ui>Move Up</maml:ui>—Click to change the order of a group-to-UPN mapping. Select the group-to-UPN mapping to highlight it, and then click <maml:ui>Move Up</maml:ui> or <maml:ui>Move Down</maml:ui>.</maml:para>

<maml:para><maml:ui>Move Down</maml:ui>—Click to change the order of a group-to-UPN mapping. Select the group-to-UPN mapping to highlight it, and then click <maml:ui>Move Up</maml:ui> or <maml:ui>Move Down</maml:ui>.</maml:para>

<maml:para><maml:ui>Remove</maml:ui>—Click to delete a group-to-UPN mapping.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Custom Claim Filtering - General</maml:title><maml:introduction>
<maml:para><maml:ui>Enabled</maml:ui>—Specifies whether this custom claim is enabled. Select the check box to enable the custom claim. Clear the check box to disable the custom claim. </maml:para>

<maml:para><maml:ui>Claim name</maml:ui>—The friendly name of this claim. </maml:para>

<maml:para><maml:ui>Claim type</maml:ui>—Displays the name of the organization claim type.</maml:para>

<maml:para><maml:ui>Limit auditing</maml:ui>—Specifies whether the claim value is audited or shared when the claim is produced or mapped. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Selecting a Trust Policy</maml:title><maml:introduction>
<maml:para>The Active Directory Federation Services (AD FS) trust policy file defines the set of parameters that a Federation Service requires to identify partners, certificates, account stores, claims, and the various properties of these entities that are associated with the Federation Service.</maml:para>

<maml:para>The act of creating two or more federation servers in the same network, configuring each of them to use the same trust policy file, and adding the public key of each server's token-signing certificates (verification certificates) to the trust policy creates a federation server farm.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>For farmed scenarios, it is important that the trust policy file be shared on a computer that does not also participate as a federation server in that farm. Microsoft Network Load Balancing (NLB) does not allow any of the computers that participate in a farm to communicate with one another.</maml:para>
</maml:alertSet>

<maml:para>After the trustpolicy.xml file has been placed in a shared folder, you must protect that share with the appropriate permissions. For each new federation server to successfully share a trust policy file, you must provide at least Read-only access permissions to the machine account of every federation server in the farm. The administrator of the Federation Service will be able to modify the trust policy file even though the machine accounts have Read-only permissions. Because the trust policy file identifies the partners and verification certificates that the Federation Service trusts, limit who can write to the share.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Trust Policy</maml:linkText><maml:uri href="mshelp://windows/?id=9c002b26-3d2f-45ff-ac9d-5081e82b30ee"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Using the Active Directory Federation Services Proxy Snap-In</maml:title><maml:introduction>
<maml:para>The Active Directory Federation Services Proxy Microsoft Management Console (MMC) snap-in is installed when you install the Federation Service Proxy component in <maml:ui>Add or Remove Programs</maml:ui> in Windows Server 2003 R2 or when you use the <maml:ui>Add Roles Wizard</maml:ui> in Windows Server 2008 or Windows Server 2008 R2. You can use the Active Directory Federation Services Proxy snap-in to:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Configure the Federation Service that this federation server proxy is acting as a proxy for.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Determine how to collect user credential information from browser clients and Web applications.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>The settings in the Active Directory Federation Services Proxy snap-in are stored in the Web.config file in the Federation Service Proxy virtual directory.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Federation Service Proxy node</maml:title><maml:introduction>
<maml:para>The <maml:ui>Federation Service Proxy</maml:ui> node in the snap-in's console tree hierarchy represents the current federation server proxy settings. You control the local federation server proxy configuration through this node in the Active Directory Federation Services Proxy snap-in. The actual client authentication certificate with the private key is present in the local computer personal certificate store.</maml:para>

<maml:para>Active Directory Federation Services (AD FS) distinguishes between the local configuration for a federation server proxy and the trust policy configuration that is shared among all servers in the federation server farm. The local proxy configuration is stored in the Web.config file, and it includes the following items:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The Federation Service Uniform Resource Locator (URL)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The client authentication certificate to be used by the federation server proxy for Transport Layer Security and Secure Sockets Layer (TLS/SSL) communication with the Federation Service</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Microsoft ASP.NET Web pages</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>Understanding the Federation Service Proxy Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=04072293-0c5f-4548-b4bd-5c3be9bfa44e"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Add an Account Partner</maml:title><maml:introduction>
<maml:para>You can use the Add Account Partner Wizard to add a new account partner manually or by importing a policy file. This action enables user accounts in the account partner to access Web applications that are protected by this Federation Service. To learn more about improved import functionality in this version of Active Directory Federation Services (AD FS), see What's New in AD FS in Windows Server 2008 (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=85684</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=85684"></maml:uri></maml:navigationLink>).</maml:para>

<maml:para>Membership in the <maml:phrase>Administrators</maml:phrase> local group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=83477</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=83477"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Adding an account partner manually</maml:title><maml:introduction>
<maml:para>You can use the following procedure to add an account partner manually.</maml:para>

<maml:procedure><maml:title>To add an account partner manually</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Active Directory Federation Services</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Federation Service</maml:ui>, <maml:ui>Trust Policy</maml:ui>, and <maml:ui>Partner Organizations</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click <maml:ui>Account Partners</maml:ui>, point to <maml:ui>New</maml:ui>, and then click <maml:ui>Account Partner</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Welcome to the Add Account Partner Wizard</maml:ui> page, click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Import Policy File</maml:ui> page, click <maml:ui>No</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Account Partner Details</maml:ui> page, do the following, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>In <maml:ui>Display name</maml:ui>, type the display name of the account partner.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Federation Service URI</maml:ui>, type the Uniform Resource Identifier (URI) of the Federation Service.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Federation Service endpoint URL</maml:ui>, type the Uniform Resource Locator (URL) of the Federation Service.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Account Partner Verification Certificate</maml:ui> page, type the path to the verification certificate, or browse to it, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Federation Scenario</maml:ui> page, do one of the following, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If you are establishing a federated trust with another organization or you do not want to use an existing forest trust, click <maml:ui>Federated Web SSO</maml:ui>, and then go to step 10.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you are establishing a federated trust within the same organization when both sides already share a forest trust, click <maml:ui>Federated Web SSO with Forest Trust</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Federated Web SSO with Forest Trust</maml:ui> page, do one of the following, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>To accept users in all domains that are trusted by the account partner, click <maml:ui>All AD DS domains and forests</maml:ui>. Any user that can authenticate to the account partner will be accepted. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To accept user accounts that are located in some of the domains that are trusted by the account partner, click <maml:ui>The following AD DS domains and forests</maml:ui>. Then, in <maml:ui>New, trusted AD DS domain or forest</maml:ui>, type the name of a domain or forest, and then click <maml:ui>Add</maml:ui>. Only users from the specified domains will be accepted.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Account Partner Identity Claims</maml:ui> page, select one or more identity claims to share with the resource partner, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If the resource partner requires user principal name (UPN) claims to make authorization decisions, select the <maml:ui>UPN Claim</maml:ui> check box.</maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>When UPN claims or e-mail claims are used to make authorization decisions, it is essential that each account partner has a unique UPN suffix or e-mail suffix. If two account partners have the same UPN suffix or e-mail suffix, it may not be possible to uniquely identify users. This condition might result in a user from one account partner receiving the permissions that are intended for a user in another account partner. This condition might also introduce a significant security weakness because an administrator in one account partner could intentionally create user accounts that impersonate users from one of your other account partners.</maml:para>
</maml:alertSet>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If you selected the <maml:ui>Federated Web SSO with Forest Trust</maml:ui> scenario, the <maml:ui>UPN Claim</maml:ui> option is selected and not configurable. This is because UPN claims are required for this scenario.</maml:para>
</maml:alertSet>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If the resource partner requires e-mail claims to make authorization decisions, select the <maml:ui>E-mail Claim</maml:ui> check box.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the resource partner requires common name claims to make authorization decisions, select the <maml:ui>Common Name Claim</maml:ui> check box.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you selected <maml:ui>UPN Claim</maml:ui> as an identity claim, on the <maml:ui>Accepted UPN Suffixes</maml:ui> page, do one of the following, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If you selected the <maml:ui>Federated Web SSO with Forest Trust</maml:ui> option, click <maml:ui>All UPN suffixes</maml:ui> or click <maml:ui>Only suffixes from the following list</maml:ui>, type the accepted suffix, and then click <maml:ui>Add</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you selected the <maml:ui>Federated Web SSO</maml:ui> option, under <maml:ui>Add a new suffix</maml:ui>, type the accepted suffix, and then click <maml:ui>Add</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you selected <maml:ui>E-mail Claim</maml:ui> as an identity claim, on the <maml:ui>Accepted E-mail Suffixes</maml:ui> page, do one of the following, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If you selected the <maml:ui>Federated Web SSO with Forest Trust</maml:ui> option, click <maml:ui>All E-mail suffixes</maml:ui> or click <maml:ui>Only suffixes from the following list</maml:ui>, type the accepted suffix, and then click <maml:ui>Add</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you selected the <maml:ui>Federated Web SSO</maml:ui> option, under <maml:ui>Add a new suffix</maml:ui>, type the accepted suffix, and then click <maml:ui>Add</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Common name claims require no additional information.</maml:para>
</maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Enable this Account Partner</maml:ui> page, if you do not want to enable the account partner now, clear the <maml:ui>Enable this account partner</maml:ui> check box, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To add the new account partner and close the wizard, click <maml:ui>Finish</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section><maml:section>
<maml:title>Adding an account partner by importing a policy file</maml:title><maml:introduction>
<maml:para>You can use the following procedure to add an account partner by importing a policy file.</maml:para>

<maml:procedure><maml:title>To add an account partner by importing a policy file</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Active Directory Federation Services</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Federation Service</maml:ui>, <maml:ui>Trust Policy</maml:ui>, and <maml:ui>Partner Organizations</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click <maml:ui>Account Partners</maml:ui>, point to <maml:ui>New</maml:ui>, and then click <maml:ui>Account Partner</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Welcome to the Add Account Partner Wizard</maml:ui> page, click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Import Policy File</maml:ui> page, do the following, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Click <maml:ui>Yes</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Partner interoperability policy file</maml:ui>, browse to or type the location of the account partner policy file.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Account Partner Details</maml:ui> page, under <maml:ui>Display name</maml:ui>, type the display name of the account partner, verify that the additional imported partner settings are correct, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Account Partner Verification Certificate</maml:ui> page, do one of the following, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Click <maml:ui>Use the verification certificate in the import policy file</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Click <maml:ui>Use a different verification certificate</maml:ui>, and then type the location of the certificate or click <maml:ui>Browse</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Federation Scenario</maml:ui> page, do one of the following, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If you are establishing a federated trust with another organization or you do not want to use an existing forest trust, click <maml:ui>Federated Web SSO</maml:ui>, and then go to step 10.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you are establishing a federated trust within the same organization when both sides already share a forest trust, click <maml:ui>Federated Web SSO with Forest Trust</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Federated Web SSO with Forest Trust</maml:ui> page, do one of the following, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>To accept users in all domains that are trusted by the account partner, click <maml:ui>All AD DS domains and forests</maml:ui>. Any user that can authenticate to the account partner will be accepted. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To accept user accounts that are located in some of the domains that are trusted by the account partner, click <maml:ui>The following AD DS domains and forests</maml:ui>. Then, in <maml:ui>New, trusted AD DS domain or forest</maml:ui>, type the name of the domain or forest, and then click <maml:ui>Add</maml:ui>. Only users from the specified domains will be accepted.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Account Partner Identity Claims</maml:ui> page, select one or more identity claims that this partner will provide, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If the resource partner requires UPN claims to make authorization decisions, select the <maml:ui>UPN Claim</maml:ui> check box.</maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>When UPN claims or e-mail claims are used to make authorization decisions, it is essential that each account partner has a unique UPN suffix or e-mail suffix. If two account partners have the same UPN suffix or e-mail suffix, it may not be possible to uniquely identify users. This condition might result in a user from one account partner receiving the permissions that are intended for a user in another account partner. This condition might also introduce a significant security weakness because an administrator in one account partner could intentionally create user accounts that impersonate users from one of your other account partners.</maml:para>
</maml:alertSet>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If you selected the <maml:ui>Federated Web SSO with Forest Trust</maml:ui> scenario, the <maml:ui>UPN Claim</maml:ui> option is selected and not configurable. This is because UPN claims are required for this scenario.</maml:para>
</maml:alertSet>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If the resource partner requires e-mail claims to make authorization decisions, select the <maml:ui>E-mail Claim</maml:ui> check box.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the resource partner requires common name claims to make authorization decisions, select the <maml:ui>Common Name Claim</maml:ui> check box.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you selected <maml:ui>UPN Claim</maml:ui> as an identity claim, on the <maml:ui>Accepted UPN Suffixes</maml:ui> page, do one of the following, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If you selected the <maml:ui>Federated Web SSO with Forest Trust</maml:ui> option, click <maml:ui>All UPN suffixes</maml:ui> or click <maml:ui>Only suffixes from the following list</maml:ui>, type the accepted suffix, and then click <maml:ui>Add</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you selected the <maml:ui>Federated Web SSO</maml:ui> option, under <maml:ui>Add a new suffix</maml:ui>, type the accepted suffix, and then click <maml:ui>Add</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you selected <maml:ui>E-mail Claim</maml:ui> as an identity claim, on the <maml:ui>Accepted E-mail Suffixes</maml:ui> page, do one of the following, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If you selected the <maml:ui>Federated Web SSO with Forest Trust</maml:ui> option, click <maml:ui>All E-mail suffixes</maml:ui> or click <maml:ui>Only suffixes from the following list</maml:ui>, type the accepted suffix, and then click <maml:ui>Add</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you selected the <maml:ui>Federated Web SSO</maml:ui> option, under <maml:ui>Add a new suffix</maml:ui>, type the accepted suffix, and then click <maml:ui>Add</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Enable this Account Partner</maml:ui> page, if you do not want to enable the account partner now, clear the <maml:ui>Enable this account partner</maml:ui> check box, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To add the new account partner and close the wizard, click <maml:ui>Finish</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section><maml:section>
<maml:title>Renaming an imported account partner</maml:title><maml:introduction>
<maml:para>You can use the following procedure to rename an imported account partner.</maml:para>

<maml:procedure><maml:title>To rename an imported account partner</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Active Directory Federation Services</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Federation Service</maml:ui>, <maml:ui>Trust Policy</maml:ui>, <maml:ui>Partner Organizations</maml:ui>, and <maml:ui>Account Partners</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the account partner, and then click <maml:ui>Rename</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Type a new name for the account partner.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Partner Organizations</maml:linkText><maml:uri href="mshelp://windows/?id=916957ce-daa8-4791-af8c-cdaa2c99735d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Federation Trusts</maml:linkText><maml:uri href="mshelp://windows/?id=31b140ce-1c7a-4b1b-b6fd-c87c8233d07e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Validating the Federation Server</maml:title><maml:introduction>
<maml:para>Clicking the <maml:ui>Validate</maml:ui> button sends an HTTP GET request to the Uniform Resource Locator (URL) that is specified in the <maml:ui>Federation Server</maml:ui> box. If you entered a computer name (for example, FS1 or FS1.adatum.com) in this box, the validation process will create a URL based on that name (for example, https://FS1.adatum.com/adfs/fs/federationserverservice.asmx), and it will check for invalid characters before sending the URL to the federation server. If the HTTP GET request returns an error, validation fails. If validation fails, you can still proceed with the installation of this role service and then correct this value at a later time. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Deploy AD FS</maml:title><maml:introduction>
<maml:para>For information about how to plan, design, and deploy Active Directory Federation Services (AD FS) in Windows Server 2008, see the AD FS Design Guide (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=91898</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91898"></maml:uri></maml:navigationLink>) and the AD FS Deployment Guide (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=91899</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91899"></maml:uri></maml:navigationLink>).</maml:para>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Adding Web Applications to the Federation Service</maml:title><maml:introduction>
<maml:para>This section provides the following conceptual and procedural information necessary to add references for Web applications to the Federation Service. </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Application Types for AD FS Federation</maml:linkText><maml:uri href="mshelp://windows/?id=fc406ace-9397-4271-baa1-888383a12c63"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Add a Windows NT Token-Based Application</maml:linkText><maml:uri href="mshelp://windows/?id=2d63d1e2-c787-474a-9768-29d8cab6f713"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Add a Claims-Aware Application</maml:linkText><maml:uri href="mshelp://windows/?id=42063d6a-ed4a-4c14-8381-bb239fbc606c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Understanding Partner Organizations</maml:title><maml:introduction>
<maml:para>When you plan for cross-organizational (federation-based) collaboration using Active Directory Federation Services (AD FS), you first determine whether your organization will host a Web resource to be accessed by other organizations across the Internet—or the reverse. This determination affects how you deploy AD FS, and it is fundamental in the planning of your AD FS infrastructure. </maml:para>

<maml:para>For federation designs such as Federated Web Single Sign-On (SSO) and Federated Web SSO with Forest Trust (but not the Web SSO design), AD FS uses terms such as "account partner" and "resource partner" to help differentiate the organization that hosts the accounts (the account partner) from the organization that hosts the Web-based resources (the resource partner). The term "federation trust" is used in AD FS to characterize the one-way, nontransitive relationship that is established between the account partner and the resource partner.</maml:para>

<maml:para>For more information about AD FS designs, see <maml:navigationLink><maml:linkText>Understanding Federation Designs</maml:linkText><maml:uri href="mshelp://windows/?id=1a17d8ac-4ac6-418c-845c-a4251376e1e9"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>The following sections explain some of the concepts that are related to account partners and resource partners.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Account partner</maml:title><maml:introduction>
<maml:para>An account partner represents the organization in the federation trust relationship that physically stores user accounts in either an Active Directory Domain Services (AD DS) store or an Active Directory Lightweight Directory Services (AD LDS) store. The account partner is responsible for collecting and authenticating a user's credentials, building up claims for that user, and packaging the claims into security tokens. These tokens can then be presented across a federation trust for access to Web-based resources that are located in the resource partner organization.</maml:para>

<maml:para>In other words, an account partner represents the organization for whose users the account-side Federation Service issues security tokens. The Federation Service in the account partner organization authenticates local users and creates security tokens that are used by the resource partner in making authorization decisions. </maml:para>

<maml:para>In relation to AD DS, the account partner in AD FS is conceptually equivalent to a single AD DS forest whose accounts need access to resources that are physically located in another forest. Accounts in this example forest can access resources in the resource forest only when an external trust or forest trust relationship exists between the two forests and the resources to which the users are trying to gain access have been set with the proper authorization permissions. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>This analogy is meant strictly to emphasize how the relationship between account partner and resource partner organizations in AD FS is similar, in concept, to the relationship between an account forest and a resource forest in AD DS. External trusts and forest trusts are not required for AD FS to function.</maml:para>
</maml:alertSet>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Producing claims that go to the resource partner</maml:title><maml:introduction>
<maml:para>A claim is a statement that a server makes (for example, name, identity, key, group, privilege, or capability) about a client. An account partner produces claims that the resource partner Federation Service consumes. The following list describes the different types of claims that can be configured in the account partner on the resource federation server side:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>UPN claim</maml:para>

<maml:para>When you configure the account partner, you can specify a list of user principal name (UPN) domains and suffixes that may be accepted from the account partner. If a UPN identity is received whose domain part is not in the list, the request is rejected. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>E-mail claim</maml:para>

<maml:para>When you configure the account partner, you can specify a list of e-mail domains and suffixes that may be accepted from the account partner. As with the UPN claim, if an e-mail identity is received whose domain part is not in the list, the request is rejected. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Common name claim</maml:para>

<maml:para>When you configure the account partner, you can specify whether common name claims can be received from the account partner. This type of claim may not be mapped; it is simply passed through if it is enabled. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Group claims</maml:para>

<maml:para>When you configure the account partner, you can specify a set of incoming group claims that may be accepted from the partner. You can then associate each possible incoming group with an organization group claim. Note that this creates a group mapping. If an incoming group is encountered that has no mapping, it is discarded. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Custom claims</maml:para>

<maml:para>When you configure the account partner, you can specify a set of incoming names of custom claims that are accepted from the partner. You can then map each possible incoming name to an organization custom claim. Note that this creates a name mapping. If an incoming custom claim is encountered that has no mapping, it is discarded. </maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section>
<maml:title>Resource partner</maml:title><maml:introduction>
<maml:para>A resource partner is the second organizational partner in the federation trust relationship. A resource partner is the organization where the AD FS-enabled Web servers that host one or more Web-based applications (the resources) reside. The resource partner trusts the account partner to authenticate users. Therefore, to make authorization decisions, the resource partner consumes the claims that are packaged in security tokens coming from users in the account partner. </maml:para>

<maml:para>In other words, a resource partner represents the organization whose AD FS-enabled Web servers are protected by the resource-side Federation Service. The Federation Service at the resource partner uses the security tokens that are produced by the account partner to make authorization decisions for AD FS-enabled Web servers that are located in the resource partner. </maml:para>

<maml:para>To function as an AD FS resource, an AD FS-enabled Web server in the resource partner organization must have the AD FS Web Agent component of AD FS installed. Web servers that function as an AD FS resource can host either claims-aware applications or Windows NT token–based applications. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If the application that is hosted on the AD FS-enabled Web server is a Windows NT token–based application, a resource account may be required for the AD DS forest in the resource partner organization. </maml:para>
</maml:alertSet>

<maml:para>In relation to AD DS, the resource partner is conceptually equivalent to a single forest whose resources are made available over an external trust or forest trust relationship to accounts that are physically stored in another forest. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>This analogy is meant strictly to emphasize how the relationship between account partner and resource partner organizations in AD FS is similar, in concept, to the relationship between an account forest and a resource forest in AD DS. External trusts and forest trusts are not required for AD FS to function. </maml:para>
</maml:alertSet>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Consuming claims that come from the account partner</maml:title><maml:introduction>
<maml:para>A resource partner consumes claims that the account partner Federation Service produces and packages in security tokens. The following list describes how claims can be sent to the resource partner:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>UPN claim</maml:para>

<maml:para>When you configure the resource partner, you can specify whether a UPN claim is to be sent to the resource partner. You can also specify a suffix mapping so that any suffix is mapped into a specified outgoing suffix. For example, julianp@sales.tailspintoys.com can be mapped to julianp@tailspintoys.com. Note that only one outgoing suffix may be specified. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>E-mail claim</maml:para>

<maml:para>When you configure the resource partner, you can specify whether an e-mail claim is to be sent to the resource partner. You can also specify a suffix mapping so that any suffix is mapped into a specified outgoing suffix. For example, vernettep@sales.tailspintoys.com can be mapped to vernettep@tailspintoys.com. Note that only one outgoing suffix may be specified. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Common name claim</maml:para>

<maml:para>When you configure the resource partner, you can specify whether common name claims can be sent to the resource partner. This type of claim may not be mapped; it is simply passed through to the resource partner if it is enabled. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Group claims</maml:para>

<maml:para>When you configure the resource partner, you can specify a set of outgoing group claims that will be accepted by the resource partner. You can then associate each possible outgoing group claim with organization group claims. Note that this creates a set of group mappings. Organization group claims that do not match an outgoing group claim are not created. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Custom claims</maml:para>

<maml:para>When you configure the resource partner, you can specify a set of outgoing custom claims that are accepted by the resource partner. You can map each possible outgoing custom claim to an organization custom claim. Note that this creates a set of name mappings. Organization custom claims that do not match an outgoing custom claim are not created. </maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Enhanced identity privacy</maml:title><maml:introduction>
<maml:para><maml:ui>Enhanced identity privacy</maml:ui> is an optional setting that you can configure on a resource partner in the trust policy. When the <maml:ui>Enhanced identity privacy</maml:ui> option is enabled, the user-name portion of outgoing UPN claims and e-mail claims is hashed, and the common name is replaced with a random value. </maml:para>

<maml:para>The purpose of this feature is to prevent:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The resource partner from correlating identity claims to personally identifiable user information.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Collusion between partners in correlating identity claims to personally identifiable user information. This setting creates a unique hash per partner so that identity claim values are different across different trusting realm partners but consistent across sessions for a single partner. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Simple dictionary attacks against the hash. To this end, the user value is "salted" with data that is in the trust policy—data that is not known by the resource partners. </maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Group Claim - General</maml:title><maml:introduction>
<maml:para><maml:ui>Claim name</maml:ui>—Provides a space for you to type the name of the organization group claim.</maml:para>

<maml:para>Use the <maml:ui>Claim name</maml:ui> field to communicate any authorization information that is not one of the other claim types. You must specify a fixed set of custom subtypes. For example, you can extend the <maml:ui>Claim name</maml:ui> by specifying details such as Employee Number, first name, and last name. Each custom subtype is a separate unit of administration for claim population and mapping. The value of a specific custom subtype claim is an arbitrary string that is exposed to the end application.</maml:para>

<maml:para><maml:ui>Limit the auditing of this claim</maml:ui>—Specifies whether the claim name is to be audited or shared when the claim is produced or mapped. When this option is selected, the audit indicates the name of the claim, but the value of the claim is omitted.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Application - General</maml:title><maml:introduction>
<maml:para><maml:ui>Enabled</maml:ui>—Specifies that the application is enabled. Clear the check box to disable the application.</maml:para>

<maml:para><maml:ui>Display name</maml:ui>—Provides a space for you to type the friendly name of the application.</maml:para>

<maml:para><maml:ui>Application URL</maml:ui>—Provides a space for you to type the Uniform Resource Locator (URL) for the application. The application URL is generally the root of the tree of Active Directory Federation Services (AD FS)–protected content. The configured value must match the return URL, which is configured in the AD FS Web Agent.</maml:para>

<maml:para><maml:ui>Public Key Infrastructure (PKI)</maml:ui>—When you select this option, the Federation Service uses its token-signing certificate to protect security tokens for this application.</maml:para>

<maml:para><maml:ui>Domain service account</maml:ui>—When you select this option, the Federation Service uses a Kerberos request to protect security tokens for this application. If you select this option, you must specify a service principal name (SPN) for the target service account. </maml:para>

<maml:para>For the AD FS Web Agent for claims-aware applications, the SPN must be registered for the application pool identity for the protected application, for example, www/sales.treyresearch.net.</maml:para>

<maml:para>For the AD FS Web Agent for Windows NT token–based applications, the SPN must be registered for the service account of the AD FS Web Agent Authentication Service (typically, the machine account, except in farmed designs), for example, host/sales.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Application Types for AD FS Federation</maml:linkText><maml:uri href="mshelp://windows/?id=fc406ace-9397-4271-baa1-888383a12c63"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the AD FS Web Agent Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=bb89ffed-4b51-4ce0-99dd-92375eeb600f"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Trust Policy - Advanced</maml:title><maml:introduction>
<maml:para><maml:ui>Token lifetime (minutes)</maml:ui>—Provides a space for you to type a new Security Assertion Markup Language (SAML) token lifetime setting. This is the lifetime for a Logon Accelerator Token (LAT), also known as a cookie. You can click the up or down arrows to select a new setting. The Federation Service builds SAML tokens that are valid only for a certain period. The SAML token lifetime defines how long a security token is valid after it is created. The minimum value for this field is one minute. The default value is 600 minutes.</maml:para>

<maml:para><maml:ui>Trust policy refresh period (minutes)</maml:ui>—Provides a space for you to type a new setting for the trust policy refresh period. You can also click the up or down arrows to select a new setting. The trust policy refresh period specifies how often the Federation Service checks whether the trust policy has changed and loads the trust policy if it is new. The minimum value for this field is 5 minutes. The default value is 60 minutes.</maml:para>

<maml:para><maml:ui>Windows domain trust cache refresh period (minutes)</maml:ui>—Provides a space for you to type a new setting for the Windows domain trust cache refresh period. You can also click the up or down arrows to select a new setting. The refresh period of the security identifier (SID) filtering cache specifies how often the Federation Service refreshes Windows trust information. The default value is 60 minutes. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Trust Policy</maml:linkText><maml:uri href="mshelp://windows/?id=9c002b26-3d2f-45ff-ac9d-5081e82b30ee"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Trust Policy - FSP Certificates</maml:title><maml:introduction>
<maml:para><maml:ui>Add</maml:ui>—Click to add a certificate file to the list of Federation Service Proxy certificates. Under this trust policy, the Federation Service uses these certificates to authenticate federation server proxies.</maml:para>

<maml:para><maml:ui>Remove</maml:ui>—Click to delete the highlighted certificate from the list of Federation Service Proxy certificates. </maml:para>

<maml:para><maml:ui>View</maml:ui>—Click to view the details of the highlighted certificate in the list of Federation Service Proxy certificates.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Trust Policy</maml:linkText><maml:uri href="mshelp://windows/?id=9c002b26-3d2f-45ff-ac9d-5081e82b30ee"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Proxy Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=04072293-0c5f-4548-b4bd-5c3be9bfa44e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Account Partner - General</maml:title><maml:introduction>
<maml:para><maml:ui>Enable this partner</maml:ui>—Specifies whether the account partner is enabled or disabled. An account partner is a federation partner that is trusted by the Federation Service to provide claims-based security tokens.</maml:para>

<maml:para><maml:ui>Display name</maml:ui>—Provides a space for you to type the friendly name of the account partner.</maml:para>

<maml:para><maml:ui>Federation Service URI</maml:ui>—Provides a space for you to type the Uniform Resource Identifier (URI) for the account partner. A URI is a compact string of characters that is used to identify an abstract or physical resource, for example, https://sales.adatum.com/adfs/.</maml:para>

<maml:para><maml:ui>Federation Service endpoint URL</maml:ui>—Provides a space for you to type the endpoint Uniform Resource Locator (URL) of the Federation Service that partner organizations and applications send requests and responses to, for example, https://sales.adatum.com/adfs/ls/.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Partner Organizations</maml:linkText><maml:uri href="mshelp://windows/?id=916957ce-daa8-4791-af8c-cdaa2c99735d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Trust Policy</maml:title><maml:introduction>
<maml:para>The <maml:ui>Trust Policy</maml:ui> node in the Active Directory Federation Services snap-in represents the trust policy configuration information that is stored in the trust policy file. The trust policy file is stored in an .xml file format. It is created during setup of the first federation server in the federation server farm. The trust policy file path is configured in the local Web.config file. When possible, store the trust policy file on a network share so that it can be accessed by all the computers in the federation server farm.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>We strongly recommend that you use the <maml:ui>Trust Policy</maml:ui> node to edit trust policy configuration information. You cannot edit the trust policy configuration information in the file manually. </maml:para>
</maml:alertSet>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Selecting a Trust Policy</maml:linkText><maml:uri href="mshelp://windows/?id=823f77eb-a4aa-4a46-9513-ecd582b038f8"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure the Account Store Priority</maml:title><maml:introduction>
<maml:para>When you add more than one account store to your Active Directory Federation Services (AD FS) configuration, account-store priority determines the order in which AD FS uses account stores. AD FS attempts to authenticate users beginning with the first account store. Only when authentication fails for a user does AD FS attempt to authenticate the user with the next account store in the priority list. AD FS tries to authenticate a user until the user is successfully authenticated or until all account stores have been tried. AD FS stops trying additional account stores as soon as one account store successfully authenticates a user. </maml:para>

<maml:para>Membership in the local <maml:phrase>Administrators</maml:phrase> group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=83477</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=83477"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>You can use the following procedure to configure the account store priority.</maml:para>

<maml:procedure><maml:title>To configure the account store priority</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Active Directory Federation Services</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Federation Service</maml:ui>, <maml:ui>Trust Policy</maml:ui>, and <maml:ui>My Organization</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click <maml:ui>Account Stores</maml:ui>, and then click <maml:ui>Store Priority</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>Account Store Prioritization</maml:ui> dialog box, select an account store, use the <maml:ui>Up</maml:ui> and <maml:ui>Down</maml:ui> buttons to move the account store in the priority list, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Account Stores</maml:linkText><maml:uri href="mshelp://windows/?id=bd1c92bf-f72a-4444-8c67-ad00a3ab4dde"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Group Claim Filtering - General</maml:title><maml:introduction>
<maml:para><maml:ui>Enabled</maml:ui>—Specifies whether this group claim is enabled. Select the check box to enable the group claim. Clear the check box to disable the group claim.</maml:para>

<maml:para><maml:ui>Claim name</maml:ui>—Displays the name of the group claim.</maml:para>

<maml:para><maml:ui>Claim type</maml:ui>—Displays the name of the organization claim type.</maml:para>

<maml:para><maml:ui>Limit auditing</maml:ui>—Displays whether the claim value is audited or shared when the claim is produced or mapped. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Incoming E-Mail Claim Mapping - General</maml:title><maml:introduction>
<maml:para><maml:ui>Enabled</maml:ui>—Specifies whether the incoming e-mail claim is enabled. Select the check box to enable the incoming e-mail claim. Clear the check box to disable the incoming e-mail claim.</maml:para>

<maml:para>The e-mail claim type indicates Request for Comments (RFC) 2822–style e-mail names in the format user@domain. Only one claim can have the e-mail type. If multiple e-mail values must be communicated, the additional e-mail values can be configured as custom claim types.</maml:para>

<maml:para><maml:ui>Accept all domain suffixes</maml:ui>—Specifies that all domains are accepted for mapping to the e-mail claim.</maml:para>

<maml:para><maml:ui>Accept some domain suffixes</maml:ui>—Specifies that some domains are accepted for mapping to the e-mail claim. To add more domains to this list, type the appropriate domain suffixes.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>User Interface: AD FS</maml:title><maml:introduction><maml:para>The topics in this section are designed to be read while viewing the associated window in the Active Directory Federation Services (AD FS) snap-in.</maml:para>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Account Partner - General</maml:linkText><maml:uri href="mshelp://windows/?id=96b523c7-5eb0-4a08-b699-1f7856066c59"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Account Partner - Resource Accounts</maml:linkText><maml:uri href="mshelp://windows/?id=ccdd7180-42a3-43b0-a8af-27972f5be619"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Account Partner - Verification Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=05232cd5-b2eb-4a13-9e75-0992677383c7"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Account Partner - Windows Trust</maml:linkText><maml:uri href="mshelp://windows/?id=bdb04181-d340-4929-9a63-a852b1765542"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Active Directory - General</maml:linkText><maml:uri href="mshelp://windows/?id=4bc380ae-866d-43fa-9571-9cf2a45830ed"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>AD LDS - General</maml:linkText><maml:uri href="mshelp://windows/?id=f3badc17-abb5-49be-a1a2-2119140dafb1"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>AD LDS - Settings</maml:linkText><maml:uri href="mshelp://windows/?id=f61b6a1d-c704-484b-8787-f27de22c700b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>AD FS Windows Token-Based Agent</maml:linkText><maml:uri href="mshelp://windows/?id=1856eba5-b7e8-48b4-9027-5fd14d45a29d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Application - Advanced</maml:linkText><maml:uri href="mshelp://windows/?id=feb4e99e-eb67-4562-8baa-aec24e7f4902"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Application - Authentication Methods</maml:linkText><maml:uri href="mshelp://windows/?id=7cbc0c4c-1037-4fc7-80d4-d093ff64e644"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Application - General</maml:linkText><maml:uri href="mshelp://windows/?id=92c69ace-8d1e-41e3-9db8-85bdb28d28f0"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Claim Extraction - General</maml:linkText><maml:uri href="mshelp://windows/?id=b0d35b8e-ad2c-40ac-aba0-784ae37ea9e9"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Common Name Claim Filtering - General</maml:linkText><maml:uri href="mshelp://windows/?id=ae860c09-45c5-4a1a-9d83-ff4f4d2046cc"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Create a New Organization Claim</maml:linkText><maml:uri href="mshelp://windows/?id=e49d6f9d-b576-4a15-81d8-93b646bfea05"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Custom Claim - General</maml:linkText><maml:uri href="mshelp://windows/?id=13f8e318-dbe0-4967-aaad-ad5ccdee426b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Custom Claim Filtering - General</maml:linkText><maml:uri href="mshelp://windows/?id=80cfa5bd-44ad-4dbe-bae5-0633d2de1de7"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Deploy AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=90002538-e292-403c-b4d4-01a3810c7fed"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>E-Mail Claim Filtering - General</maml:linkText><maml:uri href="mshelp://windows/?id=e61ad0bd-8dd7-416f-ae03-c7aa4569d147"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Evaluate AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=eefe0c5d-c756-4410-814e-b2dfb913cd32"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Federation Service - Advanced</maml:linkText><maml:uri href="mshelp://windows/?id=068aee1f-882f-45f1-a70a-452b6352c15d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Federation Service - General</maml:linkText><maml:uri href="mshelp://windows/?id=567f02b7-100c-4cac-bb39-2afea3a8d776"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Federation Service - Troubleshooting</maml:linkText><maml:uri href="mshelp://windows/?id=64180160-5e21-4e7b-a61d-a3e27c5ca5a2"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Federation Service - Web Pages</maml:linkText><maml:uri href="mshelp://windows/?id=4afa2480-1414-4579-8448-1913ababd20d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Federation Service Proxy - General</maml:linkText><maml:uri href="mshelp://windows/?id=b2163266-aea9-4251-8dfb-7c844233bced"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Federation Service Proxy - Web Pages</maml:linkText><maml:uri href="mshelp://windows/?id=3922aeaa-b2b7-4b29-b406-f6f5ddee0f10"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Federation Services URL</maml:linkText><maml:uri href="mshelp://windows/?id=f60cc74f-d34b-45cc-9460-2d9127948238"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Group Claim - General</maml:linkText><maml:uri href="mshelp://windows/?id=91a4e9e4-ecf1-471d-8734-7474c8899c8a"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Group Claim - Resource Group</maml:linkText><maml:uri href="mshelp://windows/?id=31c2332d-7739-430a-aed4-25fc1ac9e640"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Group Claim Filtering - General</maml:linkText><maml:uri href="mshelp://windows/?id=9fc7f8d8-1345-4400-b8b5-a6f637099d03"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Incoming Common Name Claim Mapping - General</maml:linkText><maml:uri href="mshelp://windows/?id=6fc4b2a8-6bbe-4996-85cb-e27a873a6c66"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Incoming Custom Claim Mapping - General</maml:linkText><maml:uri href="mshelp://windows/?id=4a88f9fc-8379-417e-88f6-ee7db530e9b6"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Incoming E-Mail Claim Mapping - General</maml:linkText><maml:uri href="mshelp://windows/?id=a2280f6f-45ef-47cd-b158-9bacfe1a2600"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Incoming Group Claim Mapping - General</maml:linkText><maml:uri href="mshelp://windows/?id=030f3abf-b6c9-406a-9149-e7ae9a5f620c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Incoming UPN Claim Mapping - General</maml:linkText><maml:uri href="mshelp://windows/?id=3da0b27b-3d5c-4117-9ba1-60ccee5c5965"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Incoming UPN Claim Mapping - Groups</maml:linkText><maml:uri href="mshelp://windows/?id=8088c79c-eafe-4306-ac20-f43c4b23ccee"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Choosing a Certificate for SSL Encryption</maml:linkText><maml:uri href="mshelp://windows/?id=ecf794aa-82fc-4f59-b951-c36870753892"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Choosing a Client Authentication Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=798e37db-46a0-443b-b7a8-f96cbd8cf12c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Choosing a Token-Signing Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=4619d451-71da-4063-95c7-02fb9790bd58"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Selecting a Trust Policy</maml:linkText><maml:uri href="mshelp://windows/?id=823f77eb-a4aa-4a46-9513-ecd582b038f8"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Specifying the Federation Server</maml:linkText><maml:uri href="mshelp://windows/?id=ac922f38-12db-4f2f-bfd8-edc05f2a9978"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Validating the Federation Server</maml:linkText><maml:uri href="mshelp://windows/?id=8fbc984b-e639-49e2-b038-ee4aec3bc357"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>My Organization</maml:linkText><maml:uri href="mshelp://windows/?id=e9d785ca-5159-4df0-8573-ac73b9a94f5f"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Outgoing Common Name Claim Mapping - General</maml:linkText><maml:uri href="mshelp://windows/?id=5d18bc6e-68ed-47ae-b7a7-5f8d6c83f18f"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Outgoing Custom Claim Mapping - General</maml:linkText><maml:uri href="mshelp://windows/?id=3ce9c5bb-bf01-4a9d-b924-bbf1e1b530cd"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Outgoing E-Mail Claim Mapping - General</maml:linkText><maml:uri href="mshelp://windows/?id=7b17fda1-f53e-4800-b629-cccd26344141"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Outgoing Group Claim Mapping - General</maml:linkText><maml:uri href="mshelp://windows/?id=eae03733-b48d-43fe-a172-6e497efdf6df"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Outgoing UPN Claim Mapping - General</maml:linkText><maml:uri href="mshelp://windows/?id=3fb68347-837b-4e40-9a7f-5fd7e90f1d77"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Provide Your Users with Access to Federated Applications by Configuring the Federation Service</maml:linkText><maml:uri href="mshelp://windows/?id=0ad590fe-6f85-4af8-b88a-4c2cebfb036e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Provide Federated Users with Access to Your Web Applications by Configuring the Federation Service</maml:linkText><maml:uri href="mshelp://windows/?id=f2e0dfa2-6b20-4c95-b0c3-4830c042bbe2"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Provide Your Users with SSO Access to Your Web Applications by Configuring the Federation Service</maml:linkText><maml:uri href="mshelp://windows/?id=4737022f-1c54-472a-82ee-99d0306ddccf"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Provide Federated Users with Access to Your Web Applications by Configuring an AD FS-Enabled Web Server</maml:linkText><maml:uri href="mshelp://windows/?id=07149786-09f3-4159-87f1-308feea5d774"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Resource Partner - Advanced</maml:linkText><maml:uri href="mshelp://windows/?id=0101ede2-77bd-41f4-b8e7-d2b0e4ec9a43"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Resource Partner - General</maml:linkText><maml:uri href="mshelp://windows/?id=23be4d60-fe62-4aab-871e-649f147be7d7"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Trust Policy</maml:linkText><maml:uri href="mshelp://windows/?id=9c002b26-3d2f-45ff-ac9d-5081e82b30ee"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Trust Policy - Advanced</maml:linkText><maml:uri href="mshelp://windows/?id=93795b81-918e-41ba-aa1f-aa68150b86b3"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Trust Policy - Display Name</maml:linkText><maml:uri href="mshelp://windows/?id=a6ef154c-075e-4427-95f2-aed04595958e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Trust Policy - Event Log</maml:linkText><maml:uri href="mshelp://windows/?id=d87ee269-ff2e-486d-8401-db4325ffaa54"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Trust Policy - FSP Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=94b3daed-71af-48ca-a2f7-29dc47074c7f"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Trust Policy - General</maml:linkText><maml:uri href="mshelp://windows/?id=f01bd12f-85c0-445c-b6bf-645ab66ac0e8"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Trust Policy - Transform Module</maml:linkText><maml:uri href="mshelp://windows/?id=c7cc7c1d-aff4-44a5-85f6-e18404591f9c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Trust Policy - Verification Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=f702106d-2002-4123-b4a2-01676fcbcdcd"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>UPN Claim Filtering - General</maml:linkText><maml:uri href="mshelp://windows/?id=54ffb525-5197-4a9e-a58b-654493cf983a"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Trust Policy - Display Name</maml:title><maml:introduction>
<maml:para><maml:ui>Display name for this trust policy</maml:ui>—Provides a space for you to type the friendly name that is stored in the trust policy file.</maml:para>

<maml:para><maml:ui>Additional display names</maml:ui>—Provides a space for you to add or remove additional display names that will be associated with this trust policy.</maml:para>

<maml:para><maml:ui>Add</maml:ui>—Click to add the value that is typed in <maml:ui>Additional display names</maml:ui> to the list of display names that will be associated with this trust policy. These names will be used for functions such as account partner discovery.</maml:para>

<maml:para><maml:ui>Remove</maml:ui>—Click to remove the highlighted display name that appears in the list.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Trust Policy</maml:linkText><maml:uri href="mshelp://windows/?id=9c002b26-3d2f-45ff-ac9d-5081e82b30ee"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Specifying the Federation Server</maml:title><maml:introduction>
<maml:para>Both the Windows token-based agent and the Federation Service Proxy role services require a Uniform Resource Locator (URL) that specifies the location of a valid federation server. This is necessary so that credentials and tokens can be successfully routed from the role service to the federation server for processing. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Proxy Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=04072293-0c5f-4548-b4bd-5c3be9bfa44e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the AD FS Web Agent Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=bb89ffed-4b51-4ce0-99dd-92375eeb600f"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Common Name Claim Filtering - General</maml:title><maml:introduction>
<maml:para><maml:ui>Enabled</maml:ui>—Specifies whether this common name claim is enabled. Select the check box to enable the common name claim. Clear the check box to disable the common name claim.</maml:para>

<maml:para><maml:ui>Claim name</maml:ui>—The friendly name of this claim. </maml:para>

<maml:para><maml:ui>Claim type</maml:ui>—A common name is an arbitrary string that is used to personalize a claim. A security token may contain only one common name claim. It is important to note that there is no mechanism to guarantee the uniqueness of the common name claim or a particular partner’s authority for asserting a given common name. Therefore, use caution when using this claim type in authorization decisions. </maml:para>

<maml:para>Identity claim types include e-mail, user principal name (UPN), and common name. If more than one of these identity claim types is present in a token, the identity claims are populated in the following order:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>UPN</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>E-mail</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Common name</maml:para>
</maml:listItem>
</maml:list>

<maml:para><maml:ui>Limit auditing</maml:ui>—Specifies whether the claim value is audited or shared when the claim is produced or mapped.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Claim Extraction - General</maml:title><maml:introduction>
<maml:para><maml:ui>Enabled</maml:ui>—Specifies whether this identity claim is enabled. Select the check box to enable the identity claim. Clear the check box to disable the identity claim.</maml:para>

<maml:para><maml:ui>LDAP attribute</maml:ui>—Provides a space for you to type the name of the Lightweight Directory Access Protocol (LDAP) attribute whose value is used to populate this identity claim for users. </maml:para>

<maml:para>LDAP is an open network protocol standard that is designed to provide access to distributed directories. LDAP provides a mechanism for querying and modifying information that resides in a directory information tree.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Federation Service Proxy - General</maml:title><maml:introduction>
<maml:para><maml:ui>Federation Service URL</maml:ui>—Provides a space for you to type the Uniform Resource Locator (URL) for the Federation Service.</maml:para>

<maml:para><maml:ui>View</maml:ui>—Click to view a list of certificates that are already configured. The local certificate should be used for Transport Layer Security / Secure Sockets Layer (TLS/SSL) client authentication.</maml:para>

<maml:para><maml:ui>Select</maml:ui>—Click to select the certificate from a list of Federation Service Proxy certificates. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Proxy Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=04072293-0c5f-4548-b4bd-5c3be9bfa44e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Understanding the AD FS Web Agent Role Service</maml:title><maml:introduction>
<maml:para>The Active Directory Federation Services (AD FS) Web Agent is a role service of AD FS that you can install independently from other AD FS role services. The act of installing the AD FS Web Agent role service on a computer makes that computer an AD FS-enabled Web server. </maml:para>

<maml:para>AD FS-enabled Web servers consume security tokens and either allow or deny a user access to a Web application. To accomplish this, the AD FS-enabled Web server requires a relationship with a resource Federation Service so that it can direct the user to the Federation Service as needed. </maml:para>

<maml:para>The AD FS Web Agent can be used for two different types of applications:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Claims-aware applications: Microsoft ASP.NET applications that are written to use the published AD FS objects, which allow an application to query the claims in an AD FS security token. The applications make authorization decisions based on these claims. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Windows NT token–based applications: an application that uses Windows-based authorization mechanisms. The AD FS Web Agent supports conversion from an AD FS security token to an impersonation-level Windows NT® access token.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>The AD FS-enabled Web server also stores Hypertext Transfer Protocol (HTTP) cookies on clients where the cookies are necessary to facilitate single sign-on (SSO). The AD FS Web Agent comprises two separate components:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>AD FS Windows Token-Based Agent Extension</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>AD FS Web Agent Authentication Service</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>AD FS Windows Token-Based Agent Extension</maml:title><maml:introduction>
<maml:para>The AD FS Windows Token-Based Agent Extension is an Internet Server Application Programming Interface (ISAPI) extension that you can use to configure information in the Internet Information Services (IIS) metabase. In IIS Manager you can use the <maml:ui>Federation Services URL</maml:ui> and <maml:ui>AD FS Web Agent</maml:ui> property pages to administer policy and certificates that verify the AD FS security token and cookies. </maml:para>

<maml:para>The AD FS Web Agent properties in the following table are inheritable. These properties are required on an IIS resource if the ISAPI extension is going to support the WS-Federation Passive Requestor Profile (WS-F PRP) protocol.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Properties</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Description</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Federation Service URL</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The Uniform Resource Locator (URL) of the Federation Service. This URL is required so that it may be queried for trust information. </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Cookie path</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The path that is specified when the authentication cookie is written. </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Cookie domain</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The domain for which the cookie is valid.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Return URL</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The URL to which the token from the Federation Service is returned after the user authenticates at the Federation Service. This URL should match the Audience element of the token. The check against the Audience element is performed by the Windows service. </maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section><maml:section>
<maml:title>AD FS Web Agent Authentication Service</maml:title><maml:introduction>
<maml:para>The AD FS Web Agent Authentication Service validates incoming tokens and cookies. It runs as Local System to generate a token by using either Service-for-User (S4U), which allows you to obtain a Windows token for the client by supplying a user principal name (UPN) without a password, or the AD FS authentication package. However, the IIS application pool is not required to run as Local System.</maml:para>

<maml:para>The AD FS Web Agent Authentication Service has interfaces that may be called only with local remote procedure call (LRPC), not remote procedure call (RPC). This service returns an impersonation Windows NT access token if it is given an AD FS security token or an AD FS cookie.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>Understanding AD FS Role Services</maml:linkText><maml:uri href="mshelp://windows/?id=7bb63cfd-b17e-4a03-9619-f948e295dfbb"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Understanding Account Stores</maml:title><maml:introduction>
<maml:para>Active Directory Federation Services (AD FS) uses account stores to log on users and extract security claims for those users. You can configure multiple account stores for a single Federation Service. You can also define their priority. The Federation Service uses Lightweight Directory Access Protocol (LDAP) to communicate with account stores. AD FS supports the following two account stores: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Active Directory Domain Services (AD DS)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Active Directory Lightweight Directory Services (AD LDS)</maml:para>
</maml:listItem>
</maml:list>

<maml:para>AD FS works with both enterprise-wide deployments of AD DS and instances of AD LDS. When it works with AD DS, AD FS can take advantage of the strong authentication technologies in AD DS, including Kerberos, X.509 digital certificates, and smart cards. When it works with AD LDS, AD FS uses LDAP Bind as a means to authenticate users. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>AD DS account stores</maml:title><maml:introduction>
<maml:para>AD FS is tightly integrated with AD DS. AD FS retrieves user attributes and authenticates users against AD DS. AD FS also uses Windows Integrated Authentication and security tokens that AD DS creates. </maml:para>

<maml:para>For a user to log on to AD DS, a user name must be in the user principal name (UPN) format (user@adatum.com) or in the Security Accounts Manager (SAM) account name format (adatum\user). </maml:para>

<maml:para>Access tokens are generated when a user logs on. They contain the security identifiers (SIDs) for the user and any groups that the user belongs to. A copy of the access token is assigned to every process that the user starts. </maml:para>

<maml:para>After the user is logged on and impersonated, user SIDs are enumerated from the access token. The SIDs are then mapped to organization group claims. </maml:para>

<maml:alertSet class="caution"><maml:title>Caution </maml:title>
<maml:para>When you enable the Windows trust option in the account Federation Service, you are sending actual SIDs to the resource partner organization over the Internet, which may be a security risk. These SIDs are packaged in the AD FS Security Assertion Markup Language (SAML) token. Therefore, enable this option only when you are using the Federated Web SSO with Forest Trust design. This design is meant to establish secure communication within the same organization.</maml:para>
</maml:alertSet>

<maml:para>E-mail claims, common name claims, and custom claims can be extracted from user object attributes that are defined in AD DS when the Federation Service account is used to perform an LDAP search of an object. </maml:para>

<maml:para>The Federation Service account must have access to the user object. If the user object resides in a domain different from the domain where the Federation Service account resides, the domain that contains the user object must have in place an AD DS domain trust to the domain that contains the Federation Service account.</maml:para>

<maml:para>There is no direct way of determining whether any given user name exists in AD DS and in all directories that it trusts (either directly or transitively). AD DS returns an authoritative failure only if the logon attempt fails as a result of policy restrictions. Examples of policy restriction failures include the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The account is disabled.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The account password has expired.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The account is not allowed to log on to this computer.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The account has logon time restrictions and is not allowed to log on at this time.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Otherwise, AD DS account store logon failures are always nonauthoritative, and the next-priority account store is tried. For more information about account store logon failures, see <maml:navigationLink><maml:linkText>Troubleshooting AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=c754a0fe-faed-4c83-b650-27ddcfe119cb"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>AD LDS account stores</maml:title><maml:introduction>
<maml:para>AD LDS provides data storage and retrieval for directory-enabled applications, without the dependencies that AD DS requires. AD LDS provides much of the same functionality as AD DS, but it does not require the deployment of domains or domain controllers. Similar to the way in which AD FS uses AD DS account store information, AD FS can also retrieve user attributes and authenticate users with AD LDS.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>AD FS cannot authenticate AD LDS accounts that use parentheses as part of the account name. Accounts that have an open parenthesis in the user name cause an LDAP search failure as a result of the user name forming an invalid LDAP filter.</maml:para>
</maml:alertSet>

<maml:para>The Federation Service account obtains the claims that are used to perform an LDAP search for the object. For more information, see <maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink>. This is a two-step process:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>First, the Federation Service account finds the user object through a search for the object whose configured attribute is equal to the supplied user name. The Federation Service account uses Kerberos authentication or NTLM encryption to protect this communication.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>This process requires the AD LDS server to be joined to a domain that trusts the domain that the Federation Service is a member of.</maml:para>
</maml:alertSet>
</maml:listItem>

<maml:listItem>
<maml:para>Next, the user credentials are validated through an LDAP bind to the found user object with the supplied password. If Transport Layer Security and Secure Sockets Layer (TLS/SSL) are configured for the AD LDS account store properties in the trust policy, the user credentials are protected.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>We strongly recommend that the traffic between the AD LDS server and the federation server be protected by TLS/SSL or other means, such as Internet Protocol security (IPsec).</maml:para>
</maml:alertSet>
</maml:listItem>
</maml:list>

<maml:para>If more than one object is returned from the LDAP query with the supplied user name, this is considered an authentication failure. </maml:para>

<maml:para>The user account is looked up first in the AD LDS account store, if one is configured, and then in the other LDAP stores in the order in which they are configured. If any of the stores finds the user account, that store performs an authoritative logon of the user, and no other account store is called to process the user logon request.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Determining the priority order of user logon requests</maml:title><maml:introduction>
<maml:para>When a user makes a logon request to either AD DS or AD LDS through an AD FS client, the request passes immediately to the specified account store. However, if the account store Uniform Resource Identifier (URI) is not specified, the Federation Service tries each store in priority order to log on the user. The authentication result is returned if:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>There is only one store configured and credential verification information is returned.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The store URI was specified in the logon request and credential verification information is returned.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The authentication result by one of the stores is authoritative.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Authentication by one of the stores is successful.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section><maml:section>
<maml:title>Disabling account stores</maml:title><maml:introduction>
<maml:para>You can mark each account store as enabled or disabled. If an account store is disabled, it does not participate in any account-store-related operations. Cookies with claims that originate from a currently disabled account store are discarded or deleted, and the client is directed to the logon page.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Account Partner - Windows Trust</maml:title><maml:introduction>
<maml:para><maml:ui>Use Windows trust relationship</maml:ui>—Specifies whether or not the account partner can use a Windows trust relationship. </maml:para>

<maml:para>Clear the check box if the account partner does not have a Windows trust relationship with this organization. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Selecting this check box enables the Federated Web SSO with Forest Trust design.</maml:para>
</maml:alertSet>

<maml:para><maml:ui>All Active Directory Domain Services domains and forests</maml:ui>—Specifies that the users can belong to any Active Directory Domain Services (AD DS) domain or forest that is trusted by this account partner.</maml:para>

<maml:para><maml:ui>Specified Active Directory Domain Services domains and forests</maml:ui>—Specifies that you want to choose which AD DS domains or forests that are trusted by this account partner are allowed. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Partner Organizations</maml:linkText><maml:uri href="mshelp://windows/?id=916957ce-daa8-4791-af8c-cdaa2c99735d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Troubleshooting AD FS</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>What problem are you having?</maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Setup issues</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>I receive a Web browser error page with the message “This page cannot be displayed,” “Cannot find server,” or “DNS Error”</maml:linkText><maml:uri href="mshelp://windows/?id=c754a0fe-faed-4c83-b650-27ddcfe119cb#BKMK_1"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>When I try to connect to the application, I get a Web browser error page with the message “This page cannot be found” or “HTTP Error 404 – File or directory not found”</maml:linkText><maml:uri href="mshelp://windows/?id=c754a0fe-faed-4c83-b650-27ddcfe119cb#BKMK_2"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>After setting up a Windows NT token–based application, I attempt to connect to it but I am not prompted to choose a host realm and login credentials</maml:linkText><maml:uri href="mshelp://windows/?id=c754a0fe-faed-4c83-b650-27ddcfe119cb#BKMK_3"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Logging issues</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>I want to enable logging on the account federation server</maml:linkText><maml:uri href="mshelp://windows/?id=c754a0fe-faed-4c83-b650-27ddcfe119cb#BKMK_4"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>I want to enable logging on the AD FS-enabled Web server for the AD FS Web Agent Authentication Package</maml:linkText><maml:uri href="mshelp://windows/?id=c754a0fe-faed-4c83-b650-27ddcfe119cb#BKMK_5"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>I want to enable logging on the AD FS-enabled Web server for the AD FS Windows Token–Based Agent Extension</maml:linkText><maml:uri href="mshelp://windows/?id=c754a0fe-faed-4c83-b650-27ddcfe119cb#BKMK_6"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>I want to enable logging on the AD FS-enabled Web server for the AD FS Web Agent Authentication Service</maml:linkText><maml:uri href="mshelp://windows/?id=c754a0fe-faed-4c83-b650-27ddcfe119cb#BKMK_7"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>I want to know where the logs are located</maml:linkText><maml:uri href="mshelp://windows/?id=c754a0fe-faed-4c83-b650-27ddcfe119cb#BKMK_8"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>AD LDS issues</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>After my user accounts are created in Active Directory Lightweight Directory Services (AD LDS) and the trust policy is configured with information about the AD LDS store, the Federation Service is not able to validate users in the AD LDS store</maml:linkText><maml:uri href="mshelp://windows/?id=c754a0fe-faed-4c83-b650-27ddcfe119cb#BKMK_9"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>I have enabled an AD LDS account store, but the Federation Service is not able to retrieve any claims</maml:linkText><maml:uri href="mshelp://windows/?id=c754a0fe-faed-4c83-b650-27ddcfe119cb#BKMK_10"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Configuration issues</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>I am receiving a server error</maml:linkText><maml:uri href="mshelp://windows/?id=c754a0fe-faed-4c83-b650-27ddcfe119cb#BKMK_11"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>I am receiving a validation error</maml:linkText><maml:uri href="mshelp://windows/?id=c754a0fe-faed-4c83-b650-27ddcfe119cb#BKMK_12"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section>
<maml:title>Setup issues</maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section address="BKMK_1">
<maml:title>I receive a Web browser error page with the message “This page cannot be displayed,” “Cannot find server,” or “DNS Error.”</maml:title><maml:introduction>
<maml:para>There are a few things that can cause this problem:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Verify that all federation servers have a server authentication certificate issued to the default Web site.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Verify that all AD FS-enabled Web servers have a server authentication certificate issued to the Web site where the application resides.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If there is an external account partner Federation Service Proxy involved, verify that the correct Federation Service host name was used during installation.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you are using a Windows NT token–based application, verify that the Federation Service Uniform Resource Locator (URL) in the Internet Information Services (IIS) Manager snap-in (under &lt;computer name&gt;\Federation Services URL) is configured correctly.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_2">
<maml:title>When I try to connect to the application, I get a Web browser error page with the message “This page cannot be found” or “HTTP Error 404 – File or directory not found.”</maml:title><maml:introduction>
<maml:para>This issue might be caused by the following configuration problems:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Verify that the Web application is properly configured in Internet Information Services (IIS).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Verify that the Web application URL is properly named in the Active Directory Federation Services snap-in.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Verify that Microsoft ASP.NET is installed on the AD FS-enabled Web server and in the Federation Service.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you are connecting to a Windows NT token–based application that uses ASP and you receive the 404 error after supplying your credentials, verify that the ASPClassic handler in IIS is enabled and configured to handle *.asp pages. Verify also that the ASP feature is installed for IIS.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_3">
<maml:title>After setting up a Windows NT token–based application, I attempt to connect to it but I am not prompted to choose a host realm and login credentials.</maml:title><maml:introduction>
<maml:para>Verify that the virtual directory of the Windows NT token–based application is set up to use the Ifsext.dll Internet Server Application Programming Interface (ISAPI) extension. </maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section><maml:section>
<maml:title>Logging issues</maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section address="BKMK_4">
<maml:title>I want to enable logging on the account federation server.</maml:title><maml:introduction>
<maml:para>The account federation server uses an authentication package for mapping client certificates. To enable logging for the account federation server authentication package, perform the following tasks in order:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>If it is not already installed, install the Federation Service component of Active Directory Federation Services (AD FS).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Set the following registry key: <maml:phrase>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\WebSso\Parameters]</maml:phrase></maml:para>

<maml:para><maml:phrase>"DebugLevel"=dword:ffffffff</maml:phrase></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_5">
<maml:title>I want to enable logging on the AD FS-enabled Web server for the AD FS Web Agent Authentication Package.</maml:title><maml:introduction>
<maml:para>The AD FS Web Agent authentication package is used by Windows NT token–based applications for generating tokens when Service-for-User (S4U) is not available. It is also used when the token contains security identifiers (SIDs), such as in scenarios that use resource groups or the <maml:ui>Windows Trust</maml:ui> option.</maml:para>

<maml:para><maml:phrase>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\WebSso\Parameters]</maml:phrase></maml:para>

<maml:para><maml:phrase>"DebugLevel"=dword:ffffffff</maml:phrase></maml:para>
</maml:introduction></maml:section>

<maml:section address="BKMK_6">
<maml:title>I want to enable logging on the AD FS-enabled Web server for the AD FS Windows Token-Based Agent Extension.</maml:title><maml:introduction>
<maml:para>The AD FS Windows Token-Based Agent Extension handles the protocols that are used by AD FS to authenticate requests.</maml:para>

<maml:para><maml:phrase>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADFS\WebServerAgent]</maml:phrase></maml:para>

<maml:para><maml:phrase>"DebugPrintLevel"=dword:ffffffff</maml:phrase></maml:para>
</maml:introduction></maml:section>

<maml:section address="BKMK_7">
<maml:title>I want to enable logging on the AD FS-enabled Web server for the AD FS Web Agent Authentication Service.</maml:title><maml:introduction>
<maml:para>The AD FS Web Agent Authentication Service validates incoming tokens and cookies.</maml:para>

<maml:para><maml:phrase>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IFSSVC\Parameters]</maml:phrase></maml:para>

<maml:para><maml:phrase>"DebugPrintLevel"=dword:ffffffff</maml:phrase></maml:para>
</maml:introduction></maml:section>

<maml:section address="BKMK_8">
<maml:title>I want to know where the logs are located.</maml:title><maml:introduction>
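<maml:para>They are located in %systemroot%\SystemData\ADFS\logs. Because the components that write these logs handle authentication tokens and cookies, treat the log files as sensitive: limit who can read this folder, and set the debug registry values back when troubleshooting is finished.</maml:para>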
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section><maml:section>
<maml:title>AD LDS issues</maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section address="BKMK_9">
<maml:title>After my user accounts are created in Active Directory Lightweight Directory Services (AD LDS) and the trust policy is configured with information about the AD LDS store, the Federation Service is not able to validate users in the AD LDS store.</maml:title><maml:introduction>
<maml:para><maml:phrase>Solution</maml:phrase>: Use caution when you create user accounts with the AD LDS ADSI Edit snap-in. Always create a user account with a password. If you create a user account without a password, use ADSI Edit to reset the password for the user account. Most importantly, check the value of the <maml:phrase>msDS-UserAccountDisabled</maml:phrase> property of the user account. This property should not have the value <maml:phrase>True</maml:phrase>. The value should be either <maml:phrase>False</maml:phrase> or <maml:phrase>Not set</maml:phrase>. If the value of <maml:phrase>msDS-UserAccountDisabled</maml:phrase> property is <maml:phrase>True</maml:phrase>, it means that the user account is disabled and the Federation Service cannot validate credentials for this AD LDS user account.</maml:para>
</maml:introduction></maml:section>

<maml:section address="BKMK_10">
<maml:title>I have enabled an AD LDS account store, but the Federation Service is not able to retrieve any claims.</maml:title><maml:introduction>
<maml:para>If the Federation Service is running as Local System, you must add the machine account of the computer hosting the Federation Service to the Readers group in the AD LDS store.</maml:para>

<maml:para>If the Federation Service is running as Network Service, you must add the domain account to the Readers group in the AD LDS store.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section><maml:section>
<maml:title>Configuration issues</maml:title><maml:introduction>
<maml:para>The following section covers some of the known issues with AD FS configuration.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section address="BKMK_11">
<maml:title>I am receiving a server error.</maml:title><maml:introduction>
<maml:para><maml:phrase>Error:</maml:phrase> The token request for the application with URL https://... cannot be fulfilled because the Uniform Resource Locator (URL) does not identify any known trusting application</maml:para>

<maml:para><maml:phrase>Solution:</maml:phrase> This error is returned by the resource Federation Service when the application URL does not identify any known application. Make sure that the application has been added to the trust policy for the Federation Service.</maml:para>

<maml:para>For a claims-aware application, verify that the return URL is typed correctly in the application’s Web.config file and that it matches the application URL that is specified in the trust policy of the Federation Service.</maml:para>

<maml:para>For a Windows NT token–based application, verify that the return URL is typed correctly in the Internet Information Services (IIS) Manager snap-in (under &lt;Web site name&gt;\Authentication\AD FS Windows Token-Based Agent) and that it matches the application URL in the trust policy of the Federation Service.</maml:para>
</maml:introduction></maml:section>

<maml:section address="BKMK_12">
<maml:title>I am receiving a validation error.</maml:title><maml:introduction>
<maml:para><maml:phrase>Error:</maml:phrase> Validation of viewstate message authentication code (MAC) failed. If this application is hosted by a Web farm or cluster, ensure that &lt;machineKey&gt; configuration specifies the same validationKey and validation algorithm. </maml:para>

<maml:para><maml:phrase>AutoGenerate</maml:phrase> cannot be used in a cluster. An unhandled exception occurred during the running of the current Web request. Review the stack trace for more information about the error and where it originated in the code. </maml:para>

<maml:para>Or</maml:para>

<maml:para><maml:phrase>Error: </maml:phrase>An unhandled exception was generated during the running of the current Web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.</maml:para>

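<maml:para><maml:phrase>Solution:</maml:phrase> Using a text editor, add the following setting to the Web.config file on each computer hosting the Federation Service, Federation Service Proxy, or AD FS Web Agent that will be farmed. Use the same key values and the same validation algorithm on every server in the farm. In the validation attribute, the vertical bars separate the alternatives; specify exactly one of them. The keys are secrets, so restrict read access to the Web.config file that contains them:</maml:para>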

<maml:para><maml:codeInline>&lt;system.web&gt;</maml:codeInline></maml:para>

<maml:para><maml:codeInline>     &lt;machineKey validationKey="specify key for the appropriate algorithm"</maml:codeInline></maml:para>

<maml:para><maml:codeInline>            decryptionKey="specify key"</maml:codeInline></maml:para>

<maml:para><maml:codeInline>            validation="SHA1|MD5|3DES"/&gt;</maml:codeInline></maml:para>

<maml:para>Or</maml:para>

<maml:para><maml:phrase>Solution:</maml:phrase> Add the following element in the &lt;system.web&gt; section of the Web.config file on the computers hosting the Federation Service, Federation Service Proxy, or AD FS Web Agent that are set up in the farm:</maml:para>

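<maml:para><maml:codeInline>&lt;pages enableViewStateMac="false"/&gt;</maml:codeInline></maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>Setting enableViewStateMac to false turns off the integrity check on view state, so the server no longer detects view state that was modified on the client. Prefer the machineKey solution, which keeps the check and makes it work across the farm.</maml:para>
</maml:alertSet>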
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>Understanding AD FS Role Services</maml:linkText><maml:uri href="mshelp://windows/?id=7bb63cfd-b17e-4a03-9619-f948e295dfbb"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Trust Policy - Transform Module</maml:title><maml:introduction>
<maml:para><maml:ui>DLL file</maml:ui>—Provides a space for you to type the name of the dynamic-link library (DLL) that implements the claim transform module. This must be a managed code assembly.</maml:para>

<maml:para><maml:ui>Browse</maml:ui>—Click to find the location of the DLL of the claim transform module.</maml:para>

<maml:para><maml:ui>Class name</maml:ui>—Provides a space for you to type the namespace-qualified class name that implements the claim transform interface.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Trust Policy</maml:linkText><maml:uri href="mshelp://windows/?id=9c002b26-3d2f-45ff-ac9d-5081e82b30ee"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Account Partner - Resource Accounts</maml:title><maml:introduction>
<maml:para>In Active Directory Federation Services (AD FS), a resource account is a user account that is stored in one Active Directory forest (the resource partner forest) for the sole purpose of impersonating a user account that is actively used, for example, by an employee and stored in another Active Directory forest (the account partner forest). </maml:para>

<maml:para>Resource accounts must be created in the resource partner forest so that the employee, whose user account is located in the account partner forest, can access Web-based, Windows NT token–based applications through AD FS. Resource accounts and resource groups are also necessary for claims-aware applications.</maml:para>

<maml:para>The Web resource on the resource side is protected with access control lists (ACLs) of user accounts or groups on the resource partner forest. The administrator has to create the resource accounts and add ACLs for any of the resource accounts to the resource.</maml:para>

<maml:para>To reduce administrative overhead, the resource-side administrator may configure one or more security groups, which are created in Active Directory Domain Services (AD DS), that will be used to map to incoming group claims from their account partners. A security group that is mapped to an incoming group claim that is used by AD FS is called a resource group. </maml:para>

<maml:para>You can use the following procedure to configure resource groups.</maml:para>

<maml:procedure><maml:title>To configure a resource group</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the Active Directory Users and Computers snap-in on a domain controller in the resource partner forest, create a new security group.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Assign the appropriate access to this security group from the Web resource that is protected by AD FS.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the Active Directory Federation Services snap-in, create a new group claim, and in the newly created claim's properties page, click the <maml:ui>Resource Group</maml:ui> tab. Click the <maml:ui>…</maml:ui> button to map the new security group in AD DS to the new group claim. At this point the new security group is referred to as a "resource group."</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Federation Service\Trust Policy\Partner Organizations\Account Partners\&lt;accountpartnername&gt;\</maml:ui>, create a new incoming group claim mapping to map the new group claim and its associated resource group to any incoming group claims that come from the account partner forest.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>When you map an incoming group claim to a resource group, it is no longer necessary for an administrator in the resource partner forest to create a resource account for each user in the account partner forest who needs access to the Windows NT token–based application that is protected by AD FS. </maml:para>

<maml:para>By default, AD FS configures account partner properties so that a resource partner administrator can map incoming group claims to one or more resource groups. However, you can change this default behavior by selecting one of the following resource account options:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Resource accounts exist for all users</maml:ui>—Specifies that a resource account is configured for each user from the account partner that needs access to the resource. In this case, incoming group claims are not mapped to resource groups even if resource groups are configured.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Resource accounts exist for some users (prefer resource account)</maml:ui>—Specifies whether or not resource groups should be used for some user accounts. This means that some users may have individual resource accounts created, while others may have been configured to use resource groups. When this option is selected, AD FS first looks for resource accounts that match the UPN/E-mail claim that is specified in the incoming token. AD FS uses those resource accounts if they are found. Otherwise, if the token has a group claim that is mapped to a resource group, it uses the resource group.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Resource accounts exist for some users (prefer groups in token)</maml:ui>—This is the default setting. Specifies that AD FS can use its logic to determine if each incoming token should map to a resource group or if it should look for a resource account. When this option is selected, AD FS first looks in the token for incoming group claims that can be mapped to a resource group. If they are found, AD FS uses the resource group. If no such incoming group claim exists, AD FS looks for a resource account to use.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>No resource accounts exist for this account partner</maml:ui>—Specifies that one or more resource groups will be used for all users in this account partner. This means that every token that is issued from this account partner will be required to contain one or more group claims that map to one or more resource groups in the resource partner forest.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Partner Organizations</maml:linkText><maml:uri href="mshelp://windows/?id=916957ce-daa8-4791-af8c-cdaa2c99735d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding AD FS Terminology</maml:linkText><maml:uri href="mshelp://windows/?id=5fbf02b0-8e55-4635-8bd3-525fe8adfe18"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Trust Policy - Event Log</maml:title><maml:introduction>
<maml:para><maml:ui>Error</maml:ui>—Specifies whether events that are logged for significant problems are recorded in the event log.</maml:para>

<maml:para><maml:ui>Warning</maml:ui>—Specifies whether events that are not necessarily significant, but that may cause future problems, are recorded in the event log.</maml:para>

<maml:para><maml:ui>Informational</maml:ui>—Specifies whether to record informational events that are logged, such as redirects with protocol Uniform Resource Locators (URLs), token validations, or claim mappings.</maml:para>

<maml:para><maml:ui>Success audit</maml:ui>—Specifies whether a security audit will be recorded for every successful authentication or trust policy change that is made to this Federation Service. All success records will be logged to the event log. In addition to this setting, the system auditing policy must be configured appropriately to accept the audits into the Security log. </maml:para>

<maml:para><maml:ui>Failure audit</maml:ui>—Specifies whether a security audit will be recorded for every unsuccessful attempt to change the trust policy for this Federation Service. All audit failure records will be logged to the Security log.</maml:para>

<maml:para><maml:ui>Detailed success</maml:ui>—Specifies whether a detailed security audit will be recorded for successful authentications.</maml:para>

<maml:para><maml:ui>Detailed failure</maml:ui>—Specifies whether a detailed security audit will be recorded for failed authentications.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Trust Policy</maml:linkText><maml:uri href="mshelp://windows/?id=9c002b26-3d2f-45ff-ac9d-5081e82b30ee"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Active Directory Federation Services</maml:title><maml:introduction>
<maml:para>Active Directory® Federation Services (AD FS) is based on the emerging, industry-supported Web Services Architecture, which is defined in WS-* specifications. AD FS helps you use single sign-on (SSO) to authenticate users to multiple, related Web applications over the life of a single online session. AD FS accomplishes this by securely sharing digital identity and entitlement rights, or "claims," across security and enterprise boundaries.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Overview of AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=f270ef7c-350f-44fe-87cc-3088c9d87971"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Requirements for AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=34f010d7-0c78-4412-a7ef-6a52653a4443"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Adding Partners to the Federation Service</maml:linkText><maml:uri href="mshelp://windows/?id=277dfde3-8d89-41d1-98df-50fc35048ae7"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Adding and Configuring Account Stores in the Federation Service</maml:linkText><maml:uri href="mshelp://windows/?id=e4e26582-bde4-45f3-bc6f-b537e8d0f54c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Adding Web Applications to the Federation Service</maml:linkText><maml:uri href="mshelp://windows/?id=913b46b6-7d47-42c7-84b3-06d53d191af4"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Troubleshooting AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=c754a0fe-faed-4c83-b650-27ddcfe119cb"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Resources for AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=7458dc18-13f7-495c-b571-33f6b37448cb"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>User Interface: AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=a23af311-766a-4b90-ac60-d2f0680ca339"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Add an AD DS Account Store</maml:title><maml:introduction>
<maml:para>Active Directory Federation Services (AD FS) is tightly integrated with Active Directory Domain Services (AD DS). When your AD FS configuration uses AD DS as an account store, AD FS retrieves user attributes from AD DS and authenticates users against AD DS. AD FS also uses Windows Integrated Authentication and the security tokens that AD DS creates. </maml:para>

<maml:para>Membership in the local <maml:phrase>Administrators</maml:phrase> group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=83477</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=83477"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>You can use the following procedure to add an AD DS account store to your AD FS configuration.</maml:para>

<maml:procedure><maml:title>To add an AD DS account store </maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Active Directory Federation Services</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Federation Service</maml:ui>, <maml:ui>Trust Policy</maml:ui>, and <maml:ui>My Organization</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click <maml:ui>Account Stores</maml:ui>, point to <maml:ui>New</maml:ui>, and then click <maml:ui>Account Store</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Welcome to the Add Account Store Wizard</maml:ui> page, click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Account Store Type</maml:ui> page, click <maml:ui>Active Directory Domain Services (AD DS)</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>You can have only one AD DS store that is associated with a Federation Service. If the <maml:ui>Active Directory Domain Services</maml:ui> option is not available, it is because an AD DS store has already been created for this Federation Service.</maml:para>
</maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you do not want to enable this account store now, on the <maml:ui>Enable this Account Store</maml:ui> page, clear the <maml:ui>Enable this account store</maml:ui> check box, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To add the new account store and close the wizard, click <maml:ui>Finish</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Account Stores</maml:linkText><maml:uri href="mshelp://windows/?id=bd1c92bf-f72a-4444-8c67-ad00a3ab4dde"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Create a New Organization Claim</maml:title><maml:introduction>
<maml:para><maml:ui>Claim name</maml:ui>—Provides a space for you to type the name of the new organization claim.</maml:para>

<maml:para>Use the <maml:ui>Claim name</maml:ui> field to communicate any authorization information that is not one of the other claim types. You must specify a fixed set of custom subtypes; for example, you can extend <maml:ui>Claim name</maml:ui> by specifying details such as employee number, first name, and last name. Each custom subtype is a separate unit of administration for claim population and mapping. The value of a specific custom subtype claim is an arbitrary string that is exposed to the end application.</maml:para>

<maml:para><maml:ui>Limit the auditing of this claim</maml:ui>—Specifies whether the claim value is audited or shared when the claim is produced or mapped. When auditing is limited, the audit indicates the name of the claim, but the value of the claim is omitted. An example of a claim whose auditing should be limited is a Social Security number.</maml:para>

<maml:para><maml:ui>Group claim</maml:ui>—Select this option if you want this organization claim to be a group claim type.</maml:para>

<maml:para><maml:ui>Custom claim</maml:ui>—Select this option if you want this organization claim to be a custom claim type.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Adding and Configuring Account Stores in the Federation Service</maml:title><maml:introduction>
<maml:para>This section provides the following conceptual and procedural information necessary to add and configure account stores: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Account Stores</maml:linkText><maml:uri href="mshelp://windows/?id=bd1c92bf-f72a-4444-8c67-ad00a3ab4dde"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Add an AD DS Account Store</maml:linkText><maml:uri href="mshelp://windows/?id=e3c91285-4edf-4bd4-b762-60694f6bbcbc"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Add an AD LDS Account Store</maml:linkText><maml:uri href="mshelp://windows/?id=5036aaaa-56cd-4da4-b210-5c789091da37"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configure the Account Store Priority</maml:linkText><maml:uri href="mshelp://windows/?id=9d06f526-fdd0-477c-85f9-29674c2e4d68"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>E-Mail Claim Filtering - General</maml:title><maml:introduction>
<maml:para><maml:ui>Enabled</maml:ui>—Specifies whether this e-mail claim is enabled. Select the check box to enable the e-mail claim. Clear the check box to disable the e-mail claim.</maml:para>

<maml:para><maml:ui>Claim name</maml:ui>—The friendly name of this claim.</maml:para>

<maml:para><maml:ui>Claim type</maml:ui>—E-mail, user principal name (UPN), and common name are referred to as identity claim types. If more than one of these claim types is present in a token, the identity claims are populated in the following order:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>UPN</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>E-mail</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Common name</maml:para>
</maml:listItem>
</maml:list>

<maml:para><maml:ui>Limit auditing</maml:ui>—Specifies whether the claim value is audited or shared when the claim is produced or mapped. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>My Organization</maml:title><maml:introduction>
<maml:para>The <maml:ui>My Organization</maml:ui> node in the console tree of the Active Directory Federation Services snap-in provides a user interface (UI) that you can use to configure trust policy settings in the Federation Service for which your organization has administrative control. </maml:para>

<maml:para>For more detailed information about each of the folders under <maml:ui>My Organization</maml:ui>, see the following topics:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Account Stores</maml:linkText><maml:uri href="mshelp://windows/?id=bd1c92bf-f72a-4444-8c67-ad00a3ab4dde"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Application Types for AD FS Federation</maml:linkText><maml:uri href="mshelp://windows/?id=fc406ace-9397-4271-baa1-888383a12c63"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Outgoing Group Claim Mapping - General</maml:title><maml:introduction>
<maml:para><maml:ui>Organization group claims</maml:ui>—Lists the available organization group claims.</maml:para>

<maml:para><maml:ui>Outgoing group claim name</maml:ui>—Provides a space for you to type the friendly name of the outgoing group claim.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Choosing a Certificate for SSL Encryption</maml:title><maml:introduction>
<maml:para>Federation servers and federation server proxies require the use of server authentication certificates for different reasons. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Federation servers</maml:title><maml:introduction>
<maml:para>Federation servers require server authentication certificates so that clients can establish the server's identity. The federation server presents the client with a server authentication certificate that discloses its source. In this way, a client can verify that the data that is transmitted is usable only by the organization that is identified by the certificate. </maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Federation server proxies</maml:title><maml:introduction>
<maml:para>Federation server proxies require server authentication certificates to secure Web server traffic with Web clients. Federation server proxies are usually exposed to computers on the Internet that are not included in your enterprise public key infrastructure (PKI), so those computers may not trust certificates that are issued by your internal certification authority (CA). Therefore, when possible, use a server authentication certificate that is issued by a public (third-party) CA, for example, Verisign.</maml:para>
</maml:introduction></maml:section><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Proxy Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=04072293-0c5f-4548-b4bd-5c3be9bfa44e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Certificates Used by AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=505507c2-db4a-45da-ad1b-082d5484b0c9"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Evaluate AD FS</maml:title><maml:introduction>
<maml:para>For information about how to set up and evaluate Active Directory Federation Services (AD FS) using a test lab environment, see the AD FS in Windows Server 2008 R2 Step-by-Step Guide (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=133009</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=133009"></maml:uri></maml:navigationLink>).</maml:para>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Trust Policy - General</maml:title><maml:introduction>
<maml:para><maml:ui>Federation Service URI</maml:ui>—Provides a space for you to type the Federation Service Uniform Resource Identifier (URI). A URI is a compact string of characters that is used to identify an abstract resource or physical resource. You can type any URI, including Hypertext Transfer Protocol (HTTP) URLs. Specifically, the URI that you configure here is the unique name or location for the realm that is hosted by this Federation Service (farm). A URI consists of a scheme name, followed by a colon, followed by some scheme-specific data. Uniform Resource Names (URNs), such as the name in the example on this property page, are valid URIs. All Uniform Resource Locators (URLs), such as those that use the http, ldap, gopher, and ftp schemes, are also valid URIs. You can also use your own custom URI format, for example, fed://identity-sts.</maml:para>

<maml:para><maml:ui>Federation Service endpoint URL</maml:ui>—Provides a space for you to type the endpoint URL of the Federation Service that partner organizations and applications will send requests and responses to.</maml:para>

<maml:para><maml:ui>Trust policy version</maml:ui>—Displays the trust policy version number that uniquely identifies this trust policy. When notification of a trust policy file change is received, a newer version number tells other servers in the federation server farm that a new version of the trust policy must be loaded. The trust policy version number is incremented each time that the trust policy is updated.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Trust Policy</maml:linkText><maml:uri href="mshelp://windows/?id=9c002b26-3d2f-45ff-ac9d-5081e82b30ee"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Overview of AD FS</maml:title><maml:introduction>
<maml:para>Active Directory Federation Services (AD FS) is a feature in the Windows Server® 2003 R2, Windows Server 2008, and Windows Server 2008 R2 operating systems that provides Web single-sign-on (SSO) technologies to authenticate a user to multiple, related Web applications over the life of a single online session. AD FS accomplishes this by securely sharing digital identity and entitlement rights, or "claims," across security and enterprise boundaries. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Features in AD FS</maml:title><maml:introduction>
<maml:para>In Windows Server 2008 and Windows Server 2008 R2, AD FS includes new features that were not available in Windows Server 2003 R2. To learn more about these new features, see What's New in AD FS in Windows Server 2008 (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=85684</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=85684"></maml:uri></maml:navigationLink>).</maml:para>

<maml:para>The following are some of the key features of AD FS: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Federation and Web SSO</maml:para>

<maml:para>When an organization uses Active Directory Domain Services (AD DS), it experiences the benefit of SSO functionality through Windows Integrated Authentication within the organization's security or enterprise boundaries. AD FS extends this functionality to Internet-facing applications. This makes it possible for customers, partners, and suppliers to have a similar, streamlined, Web SSO user experience when they access the organization’s Web-based applications. Furthermore, federation servers can be deployed in multiple organizations to facilitate business-to-business (B2B) federated transactions between partner organizations. For more information about AD FS federation, see <maml:navigationLink><maml:linkText>Understanding Federation Designs</maml:linkText><maml:uri href="mshelp://windows/?id=1a17d8ac-4ac6-418c-845c-a4251376e1e9"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Web Services (WS)-* interoperability</maml:para>

<maml:para>AD FS provides a federated identity management solution that interoperates with other security products that support the WS-* Web Services Architecture. AD FS does this by employing the federation specification of WS-*, called WS-Federation. The WS-Federation specification makes it possible for environments that do not use the Microsoft® Windows® identity model to federate with Windows environments. For more information about WS-* specifications, see <maml:navigationLink><maml:linkText>Resources for AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=7458dc18-13f7-495c-b571-33f6b37448cb"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Extensible architecture</maml:para>

<maml:para>AD FS provides an extensible architecture that supports the Security Assertion Markup Language (SAML) 1.1 token type and Kerberos authentication (in the Federated Web SSO with Forest Trust design). AD FS can also perform claim mapping, for example, modifying claims using custom business logic as a variable in an access request. Organizations can use this extensibility to modify AD FS to coexist with their current security infrastructure and business policies. For more information about modifying claims, see <maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section><maml:section>
<maml:title>Extending AD DS to the Internet</maml:title><maml:introduction>
<maml:para>AD DS serves as a primary identity and authentication service in many organizations. With Windows Server 2003 Active Directory and Windows Server 2008 and Windows Server 2008 R2 AD DS, forest trusts can be created between two or more Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 forests to provide access to resources that are located in different business units or organizations. For more information about forest trusts, see How Domain and Forest Trusts Work (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=35356</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=35356"></maml:uri></maml:navigationLink>).</maml:para>

<maml:para>However, there are designs in which forest trusts are not a viable option. For example, access across organizations may have to be limited to only a small subset of individuals, not every member of a forest.</maml:para>

<maml:para>By employing AD FS, organizations can extend their existing Active Directory infrastructures to provide access to resources that are offered by trusted partners across the Internet. These trusted partners can include external third parties or other departments or subsidiaries in the same organization. </maml:para>

<maml:para>AD FS supports distributed authentication and authorization over the Internet. AD FS can be integrated into an organization's or department’s existing access management solution to translate the claims that are used in the organization into claims that are agreed on as part of a federation. AD FS can create, secure, and verify the claims that move between organizations. It can also audit and monitor the communication activity between organizations and departments to help ensure secure transactions.</maml:para>

<maml:para>For more overview information about AD FS, see the following topics:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding AD FS Role Services</maml:linkText><maml:uri href="mshelp://windows/?id=7bb63cfd-b17e-4a03-9619-f948e295dfbb"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding AD FS Terminology</maml:linkText><maml:uri href="mshelp://windows/?id=5fbf02b0-8e55-4635-8bd3-525fe8adfe18"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Federation Trusts</maml:linkText><maml:uri href="mshelp://windows/?id=31b140ce-1c7a-4b1b-b6fd-c87c8233d07e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Federation Designs</maml:linkText><maml:uri href="mshelp://windows/?id=1a17d8ac-4ac6-418c-845c-a4251376e1e9"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Cookies Used by AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=0357bdbc-219d-4ec1-a6d0-1a3376bc1eb5"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Certificates Used by AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=505507c2-db4a-45da-ad1b-082d5484b0c9"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Provide Federated Users with Access to Your Web Applications by Configuring the Federation Service</maml:title><maml:introduction>
<maml:para>When you are the resource partner administrator and you have a deployment goal to provide federated access to an application that resides in your organization (the resource partner organization), federated users both in your organization and in organizations that have configured a federation trust to your organization can access the Active Directory Federation Services (AD FS)–secured application that is hosted by your organization. </maml:para>

<maml:para>To set up this environment, you perform administrative tasks for installing a federation server and configuring the Federation Service in the resource partner organization. The following table provides links to the checklists that you need to follow to install the first federation server in your organization, configure the Federation Service, and set up a federation trust with an account partner.</maml:para>

<maml:para><maml:phrase>Preparing and configuring a federation server for federation</maml:phrase></maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Configure the federation server to work with DNS, install and configure certificates, and verify that the server is functional.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Installing a federation server</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91901"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Configure the federation trust with an account partner organization.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Checklist: Configuring the resource partner organization</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91910"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>AD LDS - General</maml:title><maml:introduction>
<maml:para><maml:ui>Enable this account store</maml:ui>—Specifies whether the Active Directory Lightweight Directory Services (AD LDS) account store is enabled or disabled. Select the check box to enable the AD LDS account store. Clear the check box to disable the AD LDS account store.</maml:para>

<maml:para>Account stores are used to log on a user with credentials and to extract security claims for the user. </maml:para>

<maml:para><maml:ui>Display name</maml:ui>—Provides a space for you to type the friendly name of the AD LDS account store.</maml:para>

<maml:para><maml:ui>URI</maml:ui>—Provides a space for you to type the Uniform Resource Identifier (URI) for the AD LDS account store. A URI is a compact string of characters that is used to identify an abstract resource or physical resource. A URI consists of a scheme name, followed by a colon, followed by some scheme-specific data. URLs such as http, ldap, gopher, and ftp are valid URIs, and Uniform Resource Names (URNs) such as urn:fed:companyname are also valid. You can also use your own custom URI format, for example, fed://identity-sts.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Account Stores</maml:linkText><maml:uri href="mshelp://windows/?id=bd1c92bf-f72a-4444-8c67-ad00a3ab4dde"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Add a Resource Partner</maml:title><maml:introduction>
<maml:para>You can use the Add Resource Partner Wizard to add a new resource partner manually or by importing a policy file. To learn more about the improved import functionality in this version of Active Directory Federation Services (AD FS), see What's New for AD FS in Windows Server 2008 (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=85684</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=85684"></maml:uri></maml:navigationLink>).</maml:para>

<maml:para>Use this wizard to add a resource partner that will provide a Web application to users who have accounts in your account store: Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).</maml:para>

<maml:para>Membership in the <maml:phrase>Administrators</maml:phrase> local group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=83477</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=83477"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Adding a resource partner manually</maml:title><maml:introduction>
<maml:para>You can use the following procedure to add a resource partner manually.</maml:para>

<maml:procedure><maml:title>To add a resource partner manually</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Active Directory Federation Services</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Federation Service</maml:ui>, <maml:ui>Trust Policy</maml:ui>, and <maml:ui>Partner Organizations</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, right-click <maml:ui>Resource Partners</maml:ui>, point to <maml:ui>New</maml:ui>, and then click <maml:ui>Resource Partner</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Welcome to the Add Resource Partner Wizard</maml:ui> page, click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Import Policy File</maml:ui> page, ensure that <maml:ui>No</maml:ui> is selected, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Resource Partner Details</maml:ui> page, do the following, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>In <maml:ui>Display name</maml:ui>, type the name of the resource partner.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Federation Service URI</maml:ui>, type the Uniform Resource Identifier (URI) for the resource partner.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Federation Service endpoint URL</maml:ui>, type the Uniform Resource Locator (URL) of the Federation Service.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Federation Scenario</maml:ui> page, do one of the following, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If you are establishing a federated trust with another organization or you do not want to use an existing forest trust, click <maml:ui>Federated Web SSO</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you are establishing a federated trust within the same organization when both sides already share a forest trust, click <maml:ui>Federated Web SSO with Forest Trust</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Resource Partner Identity Claims</maml:ui> page, select one or more identity claims to share with the resource partner, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If the resource partner requires user principal name (UPN) claims to make authorization decisions, select the <maml:ui>UPN Claim</maml:ui> check box.</maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If you selected the <maml:ui>Federated Web SSO with Forest Trust</maml:ui> scenario, the <maml:ui>UPN Claim</maml:ui> option is selected and not configurable. This is because UPN claims are required for this scenario.</maml:para>
</maml:alertSet>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If the resource partner requires e-mail claims to make authorization decisions, select the <maml:ui>E-mail Claim</maml:ui> check box.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the resource partner requires common name claims to make authorization decisions, select the <maml:ui>Common Name Claim</maml:ui> check box.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you selected <maml:ui>UPN Claim</maml:ui> as an identity claim, on the <maml:ui>Select UPN Suffix</maml:ui> page, do one of the following, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>To pass all UPN suffixes through without replacing them, click <maml:ui>Pass all UPN suffixes through unchanged</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To replace all UPN suffixes with a different suffix, click <maml:ui>Replace all UPN suffixes with the following</maml:ui>, and then type the suffix that you want to use to replace all UPN suffixes. </maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you selected <maml:ui>E-mail Claim</maml:ui> as an identity claim, on the <maml:ui>Select E-mail Suffix</maml:ui> page, do one of the following, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>To pass all e-mail suffixes through without replacing them, click <maml:ui>Pass all E-mail suffixes through unchanged</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To replace all e-mail suffixes with a different suffix, click <maml:ui>Replace all E-mail suffixes with</maml:ui>, and then type the suffix that you want to use to replace all e-mail suffixes.</maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Common name claims require no additional information.</maml:para>
</maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Enable this Resource Partner</maml:ui> page, if you do not want to enable the resource partner now, clear the <maml:ui>Enable this resource partner</maml:ui> check box, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To add the new resource partner and close the wizard, click <maml:ui>Finish</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section><maml:section>
<maml:title>Adding a resource partner by importing a policy file</maml:title><maml:introduction>
<maml:para>You can use the following procedure to add a resource partner by importing a policy file.</maml:para>

<maml:procedure><maml:title>To add a resource partner by importing a policy file</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Active Directory Federation Services</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Federation Service</maml:ui>, <maml:ui>Trust Policy</maml:ui>, and <maml:ui>Partner Organizations</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click <maml:ui>Resource Partners</maml:ui>, point to <maml:ui>New</maml:ui>, and then click <maml:ui>Resource Partner</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Welcome to the Add Resource Partner Wizard</maml:ui> page, click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Import Policy File</maml:ui> page, do the following, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Click <maml:ui>Yes</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In <maml:ui>Partner interoperability policy file</maml:ui>, browse to or type the location of the resource partner policy file.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Resource Partner Details</maml:ui> page, under <maml:ui>Display name</maml:ui>, type the display name of the resource partner, verify that the additional imported partner settings are correct, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Federation Scenario</maml:ui> page, do one of the following, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If you are establishing a federated trust with another organization or you do not want to use an existing forest trust, click <maml:ui>Federated Web SSO</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you are establishing a federated trust within the same organization when both sides already share a forest trust, click <maml:ui>Federated Web SSO with Forest Trust</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Resource Partner Identity Claims</maml:ui> page, select one or more identity claims that the account partner will provide to the resource partner, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If the resource partner requires UPN claims to make authorization decisions, select the <maml:ui>UPN Claim</maml:ui> check box.</maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If you selected the <maml:ui>Federated Web SSO with Forest Trust</maml:ui> scenario, the <maml:ui>UPN Claim</maml:ui> option is selected and not configurable. This is because UPN claims are required for this scenario.</maml:para>
</maml:alertSet>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If the resource partner requires e-mail claims to make authorization decisions, select the <maml:ui>E-mail Claim</maml:ui> check box.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the resource partner requires common name claims to make authorization decisions, select the <maml:ui>Common Name Claim</maml:ui> check box.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you selected <maml:ui>UPN Claim</maml:ui> as an identity claim, on the <maml:ui>Select UPN Suffix</maml:ui> page, select one of the following, and then click <maml:ui>Next</maml:ui>.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>To pass all UPN suffixes through without replacing them, click <maml:ui>Pass all UPN suffixes through unchanged</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To replace all UPN suffixes with a different suffix, click <maml:ui>Replace all UPN domain suffixes with the following</maml:ui>, type the suffix that you want to use to replace all UPN suffixes, and then click <maml:ui>Add</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you selected <maml:ui>E-mail Claim</maml:ui> as an identity claim, on the <maml:ui>Select E-mail Suffix</maml:ui> page, do one of the following, and then click <maml:ui>Next</maml:ui>:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>To pass all e-mail suffixes through without replacing them, click <maml:ui>Pass all e-mail suffixes through unchanged</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To replace all e-mail suffixes with a different suffix, click <maml:ui>Replace all E-mail suffixes with</maml:ui>, and then type the suffix that you want to use to replace all e-mail suffixes.</maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Common name claims require no additional information.</maml:para>
</maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Enable this Resource Partner</maml:ui> page, if you do not want to enable the resource partner now, clear the <maml:ui>Enable this resource partner</maml:ui> check box, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To add the new resource partner and close the wizard, click <maml:ui>Finish</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Partner Organizations</maml:linkText><maml:uri href="mshelp://windows/?id=916957ce-daa8-4791-af8c-cdaa2c99735d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Federation Trusts</maml:linkText><maml:uri href="mshelp://windows/?id=31b140ce-1c7a-4b1b-b6fd-c87c8233d07e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Federation Services URL</maml:title><maml:introduction>
<maml:para><maml:ui>Federation Service URL</maml:ui>—Provides a space for you to type the Federation Service Uniform Resource Locator (URL). All Web sites and Web applications on this computer using Active Directory Federation Services (AD FS) use this URL. The URL of the Federation Service is necessary so that you can query trust information. You can use the IIS Manager snap-in to manage settings and edit the Federation Service URL.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>AD LDS - Settings</maml:title><maml:introduction>
<maml:para><maml:ui>Server name or IP address</maml:ui>—Provides a space for you to type the name or IP address of the Active Directory Lightweight Directory Services (AD LDS) server.</maml:para>

<maml:para><maml:ui>Port number</maml:ui>—Provides a space for you to type the TCP/IP port number for the account service. You can also click the up or down arrows to select a new setting. The default port number is 389.</maml:para>

<maml:para><maml:ui>Search base distinguished name</maml:ui>—Provides a space for you to type the base distinguished name for the search. If you specify the base distinguished name, searches are performed on the specified subtree. Otherwise, the entire directory tree is searched.</maml:para>

<maml:para><maml:ui>Search timeout (in seconds)</maml:ui>—Indicates the maximum time that the Federation Service waits for a response from the AD LDS server before timing out the connection. The default search time-out period is five seconds.</maml:para>

<maml:para><maml:ui>User name attribute</maml:ui>—Provides a space for you to type the attribute that is used to log on the user to the AD LDS store. Clients log on to the client logon Web page by providing a user name and password. Active Directory Federation Services (AD FS) attempts to search and bind to the object whose <maml:phrase>username</maml:phrase> attribute value matches the value that is provided by the user.</maml:para>

<maml:para><maml:ui>Enable TLS/SSL protocols</maml:ui>—Specifies whether Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols are enabled or disabled. Select the check box to enable these protocols. Clear the check box to disable these protocols.</maml:para>

<maml:para>If TLS/SSL is enabled for the AD LDS account store properties in the trust policy, the user credentials are protected while they travel between the federation server and the AD LDS server.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>We strongly recommend that the traffic between the AD LDS server and the federation server be protected by TLS/SSL or by other means, such as Internet Protocol security (IPsec).</maml:para>
</maml:alertSet>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Account Stores</maml:linkText><maml:uri href="mshelp://windows/?id=bd1c92bf-f72a-4444-8c67-ad00a3ab4dde"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Trust Policy - Verification Certificates</maml:title><maml:introduction>
<maml:para><maml:ui>Add</maml:ui>—Click to add a certificate file to the list of certificates that are used to verify security tokens that are issued by the account partner. Select a DER-encoded, binary, X.509 certificate file (.cer); a PKCS #7 certificate file (.p7b); or a certificate store file (.sst) whose contents are of one of the following types:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>A self-signed certificate (A self-signed certificate is a root certification authority (CA) certificate.)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>All the certificates in the certification path up to the root (In this case, the end certificate is detected automatically.)</maml:para>
</maml:listItem>
</maml:list>

<maml:para><maml:ui>Remove</maml:ui>—Click to delete the highlighted certificate from the list of verification certificates. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The last certificate cannot be deleted because at least one certificate must be present for this Federation Service to validate tokens that are issued by the Federation Service itself.</maml:para>
</maml:alertSet>

<maml:para><maml:ui>View</maml:ui>—Click to view the details of the highlighted certificate in the list of verification certificates.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Revocation settings</maml:title><maml:introduction>
<maml:para><maml:ui>Check the end certificate</maml:ui>—This option checks to see if the end certificate in the certificate chain has been revoked. Selecting this option can increase performance because only the certificate revocation list (CRL) that is associated with the CA that issued the end certificate is checked for revocation status, not any CRLs that are higher in the certificate chain than that end certificate's CA.</maml:para>

<maml:alertSet class="caution"><maml:title>Caution </maml:title>
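<maml:para>Select this option only if you trust the CA that issued the end certificate, because with this option the revocation status of the certificates higher in the certificate chain is not checked.</maml:para>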
</maml:alertSet>

<maml:para><maml:ui>Check the end Certificate in the Cache only</maml:ui>—This option performs the same actions as <maml:ui>Check the end certificate</maml:ui>, but instead of checking revocation status from the CA that issued the end certificate directly, revocation checking is performed on a CRL that has been imported into the Local Machine store. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If this option is selected and the time stamp for the CRL in the Local Machine store is not current, AD FS communications fail.</maml:para>
</maml:alertSet>

<maml:para><maml:ui>Check the entire Certificate Chain</maml:ui>—This option checks revocation status on every certificate in the chain, including the root certificate. Although most revocation checks exclude checking the root certificate, this option will run a check to verify that the root certificate has not been revoked.</maml:para>

<maml:para><maml:ui>Check the entire Certificate Chain in the Cache only</maml:ui>—This option performs the same actions as <maml:ui>Check the entire Certificate Chain</maml:ui>, but instead of checking revocation status from the CA that issued the root certificate directly, revocation checking is performed on a CRL that has been imported into the Local Machine store. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If this option is selected and the time stamp for the CRL in the Local Machine store is not current, AD FS communications fail.</maml:para>
</maml:alertSet>

<maml:para><maml:ui>Check the entire Chain excluding the Root</maml:ui>—This option checks revocation status on every certificate in the chain except for the root certificate. This option is the default setting for revocation checking in AD FS.</maml:para>

<maml:para><maml:ui>Check the entire Chain excluding the Root in the Cache only</maml:ui>—This option performs the same actions as <maml:ui>Check the entire Chain excluding the Root</maml:ui>, but instead of checking revocation status from the CAs that issued the certificates directly, revocation checking is performed on a CRL that has been imported into the Local Machine store. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If this option is selected and the time stamp for the CRL in the Local Machine store is not current, AD FS communications fail.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Trust Policy</maml:linkText><maml:uri href="mshelp://windows/?id=9c002b26-3d2f-45ff-ac9d-5081e82b30ee"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Certificates Used by AD FS</maml:linkText><maml:uri href="mshelp://windows/?id=505507c2-db4a-45da-ad1b-082d5484b0c9"></maml:uri></maml:navigationLink> </maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Understanding Application Types for AD FS Federation</maml:title><maml:introduction>
<maml:para>As part of the process of designing your Active Directory Federation Services (AD FS) deployment, identify the type of federated application that you want to be secured by AD FS. For an application to be federated, the application must be at least one of the application types that are described in the following sections.</maml:para>

<maml:para>To learn more about improved application support in this version of AD FS, see What's New in AD FS in Windows Server 2008 (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=85684</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=85684"></maml:uri></maml:navigationLink>).</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Claims-aware application</maml:title><maml:introduction>
<maml:para>Claims are statements (for example, name, identity, key, group, privilege, or capability) made about users—and understood by both partners in an AD FS federation—that are used for authorization purposes in an application. </maml:para>

<maml:para>A claims-aware application is a Microsoft ASP.NET application that has been written using the AD FS class library. This type of application is fully capable of using AD FS claims to make authorization decisions directly. A claims-aware application accepts claims that the Federation Service sends in AD FS security tokens. For more information about how the Federation Service uses security tokens and claims, see <maml:navigationLink><maml:linkText>Understanding the Federation Service Role Service</maml:linkText><maml:uri href="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>Claim mapping is the act of mapping, removing or filtering, or passing incoming claims into outgoing claims. Claim mapping does not occur when claims are sent to an application. Instead, only the organization claims that are specified by the Federation Service administrator in the resource partner are sent to the application. (Organization claims are claims in intermediate or normalized form within an organization's namespace.) For more information about claims and claim mapping, see <maml:navigationLink><maml:linkText>Understanding Claims</maml:linkText><maml:uri href="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>The following list describes the organization claims that claims-aware applications can use:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Identity claims (UPN, e-mail, common name) </maml:para>

<maml:para>When you configure the application, you specify which of these identity claims will be sent to the application. No mapping or filtering is performed. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Group claims</maml:para>

<maml:para>When you configure the application, you specify the organization group claims that will be sent to the application. Organization group claims that are not designated to be sent to the application will be discarded.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Custom claims</maml:para>

<maml:para>When you configure the application, you specify the organization custom claims that will be sent to the application. Organization custom claims that are not designated to be sent to the application will be discarded.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Claims-aware authorization</maml:title><maml:introduction>
<maml:para>Claims-aware authorization consists of a Hypertext Transfer Protocol (HTTP) module and objects for querying the claims that are carried in the AD FS security token. Claims-aware authorization is supported only for Microsoft ASP.NET applications.</maml:para>

<maml:para>The HTTP module processes AD FS protocol messages based on configuration settings in the Web application's Web.config file. The Web pages perform authentication and authorization tasks. The HTTP module also authenticates cookies and obtains claims from the cookies.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section>
<maml:title>Windows NT token–based application</maml:title><maml:introduction>
<maml:para>A Windows NT token–based application is an Internet Information Services (IIS) application that has been written to use traditional Windows native authorization mechanisms. This type of application is not prepared to consume AD FS claims.</maml:para>

<maml:para>Windows NT token–based applications may be used by Windows users from the local realm or from any realm that is trusted by the local realm—that is, only by users who can log on to the computer with Windows NT token–based authentication mechanisms.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>In federation designs, this means that resource accounts or resource groups may be required for Windows NT token–based authentication. </maml:para>
</maml:alertSet>

<maml:para>The AD FS security token that is sent to the Windows NT token–based agent can contain any of the following types of claims:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>A user principal name (UPN) claim for the user</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>An e-mail claim for the user</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>A group claim</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>A custom claim for the user</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>A UPN, e-mail, group, or custom claim containing the security identifiers (SIDs) of the user account. (This applies only when the <maml:ui>Windows Trust</maml:ui> option is enabled.) </maml:para>
</maml:listItem>
</maml:list>

<maml:para>The AD FS-enabled Web server generates a Windows impersonation-level access token. An impersonation-level access token captures the security information for a client process, which makes it possible for a service to "impersonate" the client process in security operations.</maml:para>

<maml:para>For Windows NT token–based Web applications, the following process order determines how a Windows NT token is created:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>If the Security Assertion Markup Language (SAML) token contains SIDs in the SAML advice element, the SIDs are used to generate the Windows NT token.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the SAML token does not contain SIDs and instead contains a UPN identity claim, the UPN claim is used to generate the Windows NT token.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the SAML token contains neither SIDs nor a UPN identity claim, and an e-mail identity claim is present, the e-mail identity claim is interpreted as a UPN and is used to generate the Windows NT token.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>This order applies regardless of whether the UPN or the e-mail identity claim is specified as the identity claim that is used to generate the Windows NT token when you create the trust policy entry for the Web application in the Federation Service.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Traditional Windows-based authorization</maml:title><maml:introduction>
<maml:para>Support for converting an AD FS security token into an impersonation-level Windows NT access token requires a number of components:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Internet Server Application Programming Interface (ISAPI) extension: This component checks for AD FS cookies, checks for AD FS security tokens from the Federation Service, performs the appropriate protocol redirects, and writes the necessary cookies to make AD FS work. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>AD FS authentication package: The AD FS authentication package generates an impersonation-level access token, given a UPN for a domain account. The package requires that the caller have the Trusted Computing Base (TCB) privilege.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>AD FS Web Agent</maml:ui> and <maml:ui>Federation Services URL</maml:ui> property pages in the IIS Manager snap-in: You can use these property pages to administer policy and certificates for verifying the AD FS security token and cookies. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>AD FS Web Agent Authentication Service: The AD FS Web Agent Authentication Service runs as Local System to generate a token by using either Service-for-User (S4U) or the AD FS authentication package. However, the Internet Information Services (IIS) application pool is not required to run as Local System. The AD FS Web Agent Authentication Service has interfaces that may be called only with local remote procedure call (LRPC), not remote procedure call (RPC). The service returns an impersonation-level Windows NT access token if it is given an AD FS security token or AD FS cookie.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>AD FS Web Agent ISAPI Filter: Certain traditional IIS Web applications use an ISAPI filter that may modify incoming data, such as Uniform Resource Locators (URLs). If this is the case, the AD FS Web Agent ISAPI Filter must be enabled and configured as the highest priority filter. This filter is not enabled by default.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Application - Advanced</maml:title><maml:introduction>
<maml:para><maml:ui>Token lifetime (minutes)</maml:ui>—Provides a space for you to type a new token lifetime setting. You can also click the up or down arrows to select a new setting. The Federation Service builds tokens that are valid only for a certain period, the token lifetime. The token lifetime defines how long a security token is valid after it is created.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Understanding Application Types for AD FS Federation</maml:linkText><maml:uri href="mshelp://windows/?id=fc406ace-9397-4271-baa1-888383a12c63"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><?xml version="1.0" encoding="utf-8"?>
<HelpCollection Id="adfs_LH" DTDVersion="1.0" FileVersion="" LangId="1033" Copyright="© 2005 Microsoft Corporation. All rights reserved." Title="Active Directory Federation Services" xmlns="http://schemas.microsoft.com/help/collection/2004/11">
	<CompilerOptions CompileResult="H1S" CreateFullTextIndex="Yes" BreakerId="Microsoft.NLG.en.WordBreaker">
		<IncludeFile File="adfs_LH.H1F" />
	</CompilerOptions>
	<TOCDef File="adfs_LH.H1T" Id="adfs_LH_TOC" />
	<VTopicDef File="adfs_LH.H1V" />
	<KeywordIndexDef File="adfs_LH_AssetId.H1K" />
	<KeywordIndexDef File="adfs_LH_BestBet.H1K" />
	<KeywordIndexDef File="adfs_LH_LinkTerm.H1K" />
	<KeywordIndexDef File="adfs_LH_SubjectTerm.H1K" />
	<ItemMoniker Name="!DefaultTOC" ProgId="HxDs.HxHierarchy" InitData="AnyString" />
	<ItemMoniker Name="!DefaultFullTextSearch" ProgId="HxDs.HxFullTextSearch" InitData="AnyString" />
	<ItemMoniker Name="!DefaultAssetIdIndex" ProgId="HxDs.HxIndex" InitData="AssetId" />
	<ItemMoniker Name="!DefaultBestBetIndex" ProgId="HxDs.HxIndex" InitData="BestBet" />
	<ItemMoniker Name="!DefaultAssociativeIndex" ProgId="HxDs.HxIndex" InitData="LinkTerm" />
	<ItemMoniker Name="!DefaultKeywordIndex" ProgId="HxDs.HxIndex" InitData="SubjectTerm" />
</HelpCollection><?xml version="1.0" encoding="utf-8"?>
<HelpFileList xmlns="http://schemas.microsoft.com/help/filelist/2004/11">
	<File Url="assets\0101ede2-77bd-41f4-b8e7-d2b0e4ec9a43.xml" />
	<File Url="assets\030f3abf-b6c9-406a-9149-e7ae9a5f620c.xml" />
	<File Url="relatedAssets\1d3561e2-232b-4d2e-b451-98f575029870.gif" />
	<File Url="assets\0357bdbc-219d-4ec1-a6d0-1a3376bc1eb5.xml" />
	<File Url="assets\04072293-0c5f-4548-b4bd-5c3be9bfa44e.xml" />
	<File Url="assets\05232cd5-b2eb-4a13-9e75-0992677383c7.xml" />
	<File Url="assets\068aee1f-882f-45f1-a70a-452b6352c15d.xml" />
	<File Url="relatedAssets\3dd4f848-9c62-4403-bfe7-52364867ea8c.gif" />
	<File Url="assets\07149786-09f3-4159-87f1-308feea5d774.xml" />
	<File Url="assets\0ad590fe-6f85-4af8-b88a-4c2cebfb036e.xml" />
	<File Url="assets\13f8e318-dbe0-4967-aaad-ad5ccdee426b.xml" />
	<File Url="assets\1856eba5-b7e8-48b4-9027-5fd14d45a29d.xml" />
	<File Url="relatedAssets\f02e9737-1985-4abc-84a0-c55184b0660b.gif" />
	<File Url="relatedAssets\8c328949-1021-498f-944d-e61113778c7b.gif" />
	<File Url="relatedAssets\9a246800-9d1a-446a-be01-5c650d9b0f3b.gif" />
	<File Url="assets\1a17d8ac-4ac6-418c-845c-a4251376e1e9.xml" />
	<File Url="assets\23be4d60-fe62-4aab-871e-649f147be7d7.xml" />
	<File Url="assets\277dfde3-8d89-41d1-98df-50fc35048ae7.xml" />
	<File Url="assets\2d63d1e2-c787-474a-9768-29d8cab6f713.xml" />
	<File Url="relatedAssets\c72d956f-d07c-46ce-9cce-c65657259edc.gif" />
	<File Url="assets\31b140ce-1c7a-4b1b-b6fd-c87c8233d07e.xml" />
	<File Url="assets\31c2332d-7739-430a-aed4-25fc1ac9e640.xml" />
	<File Url="assets\34f010d7-0c78-4412-a7ef-6a52653a4443.xml" />
	<File Url="assets\3922aeaa-b2b7-4b29-b406-f6f5ddee0f10.xml" />
	<File Url="assets\3ce10c79-86e8-4afd-97ee-0425d605c0cb.xml" />
	<File Url="assets\3ce9c5bb-bf01-4a9d-b924-bbf1e1b530cd.xml" />
	<File Url="assets\3da0b27b-3d5c-4117-9ba1-60ccee5c5965.xml" />
	<File Url="assets\3fb68347-837b-4e40-9a7f-5fd7e90f1d77.xml" />
	<File Url="assets\42063d6a-ed4a-4c14-8381-bb239fbc606c.xml" />
	<File Url="assets\4619d451-71da-4063-95c7-02fb9790bd58.xml" />
	<File Url="assets\4737022f-1c54-472a-82ee-99d0306ddccf.xml" />
	<File Url="assets\4a88f9fc-8379-417e-88f6-ee7db530e9b6.xml" />
	<File Url="assets\4afa2480-1414-4579-8448-1913ababd20d.xml" />
	<File Url="assets\4bc380ae-866d-43fa-9571-9cf2a45830ed.xml" />
	<File Url="assets\4de889ca-7eda-4dd9-984b-da0eb8350158.xml" />
	<File Url="relatedAssets\916d5d6b-dfac-4cc1-bffb-1870e5280ef4.gif" />
	<File Url="assets\4fd78221-3d2e-4236-a971-18cdb8513d6b.xml" />
	<File Url="assets\5036aaaa-56cd-4da4-b210-5c789091da37.xml" />
	<File Url="assets\505507c2-db4a-45da-ad1b-082d5484b0c9.xml" />
	<File Url="assets\54ffb525-5197-4a9e-a58b-654493cf983a.xml" />
	<File Url="assets\567f02b7-100c-4cac-bb39-2afea3a8d776.xml" />
	<File Url="assets\5d18bc6e-68ed-47ae-b7a7-5f8d6c83f18f.xml" />
	<File Url="assets\5fbf02b0-8e55-4635-8bd3-525fe8adfe18.xml" />
	<File Url="assets\64180160-5e21-4e7b-a61d-a3e27c5ca5a2.xml" />
	<File Url="assets\6fc4b2a8-6bbe-4996-85cb-e27a873a6c66.xml" />
	<File Url="assets\7458dc18-13f7-495c-b571-33f6b37448cb.xml" />
	<File Url="assets\798e37db-46a0-443b-b7a8-f96cbd8cf12c.xml" />
	<File Url="assets\7b17fda1-f53e-4800-b629-cccd26344141.xml" />
	<File Url="assets\7bb63cfd-b17e-4a03-9619-f948e295dfbb.xml" />
	<File Url="assets\7cbc0c4c-1037-4fc7-80d4-d093ff64e644.xml" />
	<File Url="assets\8088c79c-eafe-4306-ac20-f43c4b23ccee.xml" />
	<File Url="assets\80cfa5bd-44ad-4dbe-bae5-0633d2de1de7.xml" />
	<File Url="assets\823f77eb-a4aa-4a46-9513-ecd582b038f8.xml" />
	<File Url="assets\8f8b89c2-f2a1-4ef8-8a81-9a98fa5e2407.xml" />
	<File Url="assets\8fb3b4c1-e3ea-49ac-85f4-c1f6b7c7168e.xml" />
	<File Url="assets\8fbc984b-e639-49e2-b038-ee4aec3bc357.xml" />
	<File Url="assets\90002538-e292-403c-b4d4-01a3810c7fed.xml" />
	<File Url="assets\913b46b6-7d47-42c7-84b3-06d53d191af4.xml" />
	<File Url="assets\916957ce-daa8-4791-af8c-cdaa2c99735d.xml" />
	<File Url="assets\91a4e9e4-ecf1-471d-8734-7474c8899c8a.xml" />
	<File Url="assets\92c69ace-8d1e-41e3-9db8-85bdb28d28f0.xml" />
	<File Url="assets\93795b81-918e-41ba-aa1f-aa68150b86b3.xml" />
	<File Url="assets\94b3daed-71af-48ca-a2f7-29dc47074c7f.xml" />
	<File Url="assets\96b523c7-5eb0-4a08-b699-1f7856066c59.xml" />
	<File Url="assets\9c002b26-3d2f-45ff-ac9d-5081e82b30ee.xml" />
	<File Url="assets\9d06f526-fdd0-477c-85f9-29674c2e4d68.xml" />
	<File Url="assets\9fc7f8d8-1345-4400-b8b5-a6f637099d03.xml" />
	<File Url="assets\a2280f6f-45ef-47cd-b158-9bacfe1a2600.xml" />
	<File Url="assets\a23af311-766a-4b90-ac60-d2f0680ca339.xml" />
	<File Url="assets\a6ef154c-075e-4427-95f2-aed04595958e.xml" />
	<File Url="assets\ac922f38-12db-4f2f-bfd8-edc05f2a9978.xml" />
	<File Url="assets\ae860c09-45c5-4a1a-9d83-ff4f4d2046cc.xml" />
	<File Url="assets\b0d35b8e-ad2c-40ac-aba0-784ae37ea9e9.xml" />
	<File Url="assets\b2163266-aea9-4251-8dfb-7c844233bced.xml" />
	<File Url="assets\bb89ffed-4b51-4ce0-99dd-92375eeb600f.xml" />
	<File Url="assets\bd1c92bf-f72a-4444-8c67-ad00a3ab4dde.xml" />
	<File Url="assets\bdb04181-d340-4929-9a63-a852b1765542.xml" />
	<File Url="assets\c754a0fe-faed-4c83-b650-27ddcfe119cb.xml" />
	<File Url="assets\c7cc7c1d-aff4-44a5-85f6-e18404591f9c.xml" />
	<File Url="assets\ccdd7180-42a3-43b0-a8af-27972f5be619.xml" />
	<File Url="assets\d87ee269-ff2e-486d-8401-db4325ffaa54.xml" />
	<File Url="assets\debbb166-5143-49b9-8937-7d41c9f5b48b.xml" />
	<File Url="assets\e3c91285-4edf-4bd4-b762-60694f6bbcbc.xml" />
	<File Url="assets\e49d6f9d-b576-4a15-81d8-93b646bfea05.xml" />
	<File Url="assets\e4e26582-bde4-45f3-bc6f-b537e8d0f54c.xml" />
	<File Url="assets\e61ad0bd-8dd7-416f-ae03-c7aa4569d147.xml" />
	<File Url="assets\e9d785ca-5159-4df0-8573-ac73b9a94f5f.xml" />
	<File Url="assets\eae03733-b48d-43fe-a172-6e497efdf6df.xml" />
	<File Url="assets\ecf794aa-82fc-4f59-b951-c36870753892.xml" />
	<File Url="assets\eefe0c5d-c756-4410-814e-b2dfb913cd32.xml" />
	<File Url="assets\f01bd12f-85c0-445c-b6bf-645ab66ac0e8.xml" />
	<File Url="assets\f270ef7c-350f-44fe-87cc-3088c9d87971.xml" />
	<File Url="assets\f2e0dfa2-6b20-4c95-b0c3-4830c042bbe2.xml" />
	<File Url="assets\f3badc17-abb5-49be-a1a2-2119140dafb1.xml" />
	<File Url="assets\f60ca0a1-aace-4877-8b4d-40f06090d5c3.xml" />
	<File Url="assets\f60cc74f-d34b-45cc-9460-2d9127948238.xml" />
	<File Url="assets\f61b6a1d-c704-484b-8787-f27de22c700b.xml" />
	<File Url="assets\f702106d-2002-4123-b4a2-01676fcbcdcd.xml" />
	<File Url="assets\fc406ace-9397-4271-baa1-888383a12c63.xml" />
	<File Url="assets\feb4e99e-eb67-4562-8baa-aec24e7f4902.xml" />
</HelpFileList><?xml version="1.0" encoding="utf-8"?>
<VTopicSet DTDVersion="1.0" xmlns="http://schemas.microsoft.com/help/vtopic/2004/11">
	<Vtopic Url="assets\0101ede2-77bd-41f4-b8e7-d2b0e4ec9a43.xml" RLTitle="Resource Partner - Advanced">
		<Attr Name="assetid" Value="0101ede2-77bd-41f4-b8e7-d2b0e4ec9a43" />
		<Keyword Index="AssetId" Term="0101ede2-77bd-41f4-b8e7-d2b0e4ec9a43" />
		<Keyword Index="AssetId" Term="0101ede2-77bd-41f4-b8e7-d2b0e4ec9a431033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="0101ede2-77bd-41f4-b8e7-d2b0e4ec9a43" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\030f3abf-b6c9-406a-9149-e7ae9a5f620c.xml" RLTitle="Incoming Group Claim Mapping - General">
		<Attr Name="assetid" Value="030f3abf-b6c9-406a-9149-e7ae9a5f620c" />
		<Keyword Index="AssetId" Term="030f3abf-b6c9-406a-9149-e7ae9a5f620c" />
		<Keyword Index="AssetId" Term="030f3abf-b6c9-406a-9149-e7ae9a5f620c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="030f3abf-b6c9-406a-9149-e7ae9a5f620c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="relatedAssets\1d3561e2-232b-4d2e-b451-98f575029870.gif">
		<Keyword Index="AssetId" Term="1d3561e2-232b-4d2e-b451-98f575029870" />
	</Vtopic>
	<Vtopic Url="assets\0357bdbc-219d-4ec1-a6d0-1a3376bc1eb5.xml" RLTitle="Understanding Cookies Used by AD FS">
		<Attr Name="assetid" Value="0357bdbc-219d-4ec1-a6d0-1a3376bc1eb5" />
		<Keyword Index="AssetId" Term="0357bdbc-219d-4ec1-a6d0-1a3376bc1eb5" />
		<Keyword Index="AssetId" Term="0357bdbc-219d-4ec1-a6d0-1a3376bc1eb51033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Describes the types of cookies that are used by AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="0357bdbc-219d-4ec1-a6d0-1a3376bc1eb5" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\04072293-0c5f-4548-b4bd-5c3be9bfa44e.xml" RLTitle="Understanding the Federation Service Proxy Role Service">
		<Attr Name="assetid" Value="04072293-0c5f-4548-b4bd-5c3be9bfa44e" />
		<Keyword Index="AssetId" Term="04072293-0c5f-4548-b4bd-5c3be9bfa44e" />
		<Keyword Index="AssetId" Term="04072293-0c5f-4548-b4bd-5c3be9bfa44e1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Describes the Federation Service Proxy role service in AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="04072293-0c5f-4548-b4bd-5c3be9bfa44e" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\05232cd5-b2eb-4a13-9e75-0992677383c7.xml" RLTitle="Account Partner - Verification Certificates">
		<Attr Name="assetid" Value="05232cd5-b2eb-4a13-9e75-0992677383c7" />
		<Keyword Index="AssetId" Term="05232cd5-b2eb-4a13-9e75-0992677383c7" />
		<Keyword Index="AssetId" Term="05232cd5-b2eb-4a13-9e75-0992677383c71033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="05232cd5-b2eb-4a13-9e75-0992677383c7" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\068aee1f-882f-45f1-a70a-452b6352c15d.xml" RLTitle="Federation Service - Advanced">
		<Attr Name="assetid" Value="068aee1f-882f-45f1-a70a-452b6352c15d" />
		<Keyword Index="AssetId" Term="068aee1f-882f-45f1-a70a-452b6352c15d" />
		<Keyword Index="AssetId" Term="068aee1f-882f-45f1-a70a-452b6352c15d1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="068aee1f-882f-45f1-a70a-452b6352c15d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="relatedAssets\3dd4f848-9c62-4403-bfe7-52364867ea8c.gif">
		<Keyword Index="AssetId" Term="3dd4f848-9c62-4403-bfe7-52364867ea8c" />
	</Vtopic>
	<Vtopic Url="assets\07149786-09f3-4159-87f1-308feea5d774.xml" RLTitle="Provide Federated Users with Access to Your Web Applications by Configuring an AD FS-Enabled Web Server">
		<Attr Name="assetid" Value="07149786-09f3-4159-87f1-308feea5d774" />
		<Keyword Index="AssetId" Term="07149786-09f3-4159-87f1-308feea5d774" />
		<Keyword Index="AssetId" Term="07149786-09f3-4159-87f1-308feea5d7741033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the Add Roles Wizard for AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="07149786-09f3-4159-87f1-308feea5d774" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\0ad590fe-6f85-4af8-b88a-4c2cebfb036e.xml" RLTitle="Provide Your Users with Access to Federated Applications by Configuring the Federation Service">
		<Attr Name="assetid" Value="0ad590fe-6f85-4af8-b88a-4c2cebfb036e" />
		<Keyword Index="AssetId" Term="0ad590fe-6f85-4af8-b88a-4c2cebfb036e" />
		<Keyword Index="AssetId" Term="0ad590fe-6f85-4af8-b88a-4c2cebfb036e1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the Add Roles Wizard for AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="0ad590fe-6f85-4af8-b88a-4c2cebfb036e" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\13f8e318-dbe0-4967-aaad-ad5ccdee426b.xml" RLTitle="Custom Claim - General">
		<Attr Name="assetid" Value="13f8e318-dbe0-4967-aaad-ad5ccdee426b" />
		<Keyword Index="AssetId" Term="13f8e318-dbe0-4967-aaad-ad5ccdee426b" />
		<Keyword Index="AssetId" Term="13f8e318-dbe0-4967-aaad-ad5ccdee426b1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="13f8e318-dbe0-4967-aaad-ad5ccdee426b" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\1856eba5-b7e8-48b4-9027-5fd14d45a29d.xml" RLTitle="AD FS Windows Token-Based Agent">
		<Attr Name="assetid" Value="1856eba5-b7e8-48b4-9027-5fd14d45a29d" />
		<Keyword Index="AssetId" Term="1856eba5-b7e8-48b4-9027-5fd14d45a29d" />
		<Keyword Index="AssetId" Term="1856eba5-b7e8-48b4-9027-5fd14d45a29d1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings related to AD FS that are available from within the IIS snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="1856eba5-b7e8-48b4-9027-5fd14d45a29d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="relatedAssets\f02e9737-1985-4abc-84a0-c55184b0660b.gif">
		<Keyword Index="AssetId" Term="f02e9737-1985-4abc-84a0-c55184b0660b" />
	</Vtopic>
	<Vtopic Url="relatedAssets\8c328949-1021-498f-944d-e61113778c7b.gif">
		<Keyword Index="AssetId" Term="8c328949-1021-498f-944d-e61113778c7b" />
	</Vtopic>
	<Vtopic Url="relatedAssets\9a246800-9d1a-446a-be01-5c650d9b0f3b.gif">
		<Keyword Index="AssetId" Term="9a246800-9d1a-446a-be01-5c650d9b0f3b" />
	</Vtopic>
	<Vtopic Url="assets\1a17d8ac-4ac6-418c-845c-a4251376e1e9.xml" RLTitle="Understanding Federation Designs">
		<Attr Name="assetid" Value="1a17d8ac-4ac6-418c-845c-a4251376e1e9" />
		<Keyword Index="AssetId" Term="1a17d8ac-4ac6-418c-845c-a4251376e1e9" />
		<Keyword Index="AssetId" Term="1a17d8ac-4ac6-418c-845c-a4251376e1e91033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Describes the most common designs supported with AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="1a17d8ac-4ac6-418c-845c-a4251376e1e9" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\23be4d60-fe62-4aab-871e-649f147be7d7.xml" RLTitle="Resource Partner - General">
		<Attr Name="assetid" Value="23be4d60-fe62-4aab-871e-649f147be7d7" />
		<Keyword Index="AssetId" Term="23be4d60-fe62-4aab-871e-649f147be7d7" />
		<Keyword Index="AssetId" Term="23be4d60-fe62-4aab-871e-649f147be7d71033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="23be4d60-fe62-4aab-871e-649f147be7d7" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\277dfde3-8d89-41d1-98df-50fc35048ae7.xml" RLTitle="Adding Partners to the Federation Service">
		<Attr Name="assetid" Value="277dfde3-8d89-41d1-98df-50fc35048ae7" />
		<Keyword Index="AssetId" Term="277dfde3-8d89-41d1-98df-50fc35048ae7" />
		<Keyword Index="AssetId" Term="277dfde3-8d89-41d1-98df-50fc35048ae71033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic provides links to related topics within the AD FS Help content." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="277dfde3-8d89-41d1-98df-50fc35048ae7" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\2d63d1e2-c787-474a-9768-29d8cab6f713.xml" RLTitle="Add a Windows NT Token-Based Application">
		<Attr Name="assetid" Value="2d63d1e2-c787-474a-9768-29d8cab6f713" />
		<Keyword Index="AssetId" Term="2d63d1e2-c787-474a-9768-29d8cab6f713" />
		<Keyword Index="AssetId" Term="2d63d1e2-c787-474a-9768-29d8cab6f7131033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Provides prescriptive guidance for how to add an application to the Federation Service." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="2d63d1e2-c787-474a-9768-29d8cab6f713" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="relatedAssets\c72d956f-d07c-46ce-9cce-c65657259edc.gif">
		<Keyword Index="AssetId" Term="c72d956f-d07c-46ce-9cce-c65657259edc" />
	</Vtopic>
	<Vtopic Url="assets\31b140ce-1c7a-4b1b-b6fd-c87c8233d07e.xml" RLTitle="Understanding Federation Trusts">
		<Attr Name="assetid" Value="31b140ce-1c7a-4b1b-b6fd-c87c8233d07e" />
		<Keyword Index="AssetId" Term="31b140ce-1c7a-4b1b-b6fd-c87c8233d07e" />
		<Keyword Index="AssetId" Term="31b140ce-1c7a-4b1b-b6fd-c87c8233d07e1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Describes what federation trusts are and how they are created." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="31b140ce-1c7a-4b1b-b6fd-c87c8233d07e" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\31c2332d-7739-430a-aed4-25fc1ac9e640.xml" RLTitle="Group Claim - Resource Group">
		<Attr Name="assetid" Value="31c2332d-7739-430a-aed4-25fc1ac9e640" />
		<Keyword Index="AssetId" Term="31c2332d-7739-430a-aed4-25fc1ac9e640" />
		<Keyword Index="AssetId" Term="31c2332d-7739-430a-aed4-25fc1ac9e6401033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="31c2332d-7739-430a-aed4-25fc1ac9e640" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\34f010d7-0c78-4412-a7ef-6a52653a4443.xml" RLTitle="Requirements for AD FS">
		<Attr Name="assetid" Value="34f010d7-0c78-4412-a7ef-6a52653a4443" />
		<Keyword Index="AssetId" Term="34f010d7-0c78-4412-a7ef-6a52653a4443" />
		<Keyword Index="AssetId" Term="34f010d7-0c78-4412-a7ef-6a52653a44431033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Describes the hardware and software requirements for AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="34f010d7-0c78-4412-a7ef-6a52653a4443" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\3922aeaa-b2b7-4b29-b406-f6f5ddee0f10.xml" RLTitle="Federation Service Proxy - Web Pages">
		<Attr Name="assetid" Value="3922aeaa-b2b7-4b29-b406-f6f5ddee0f10" />
		<Keyword Index="AssetId" Term="3922aeaa-b2b7-4b29-b406-f6f5ddee0f10" />
		<Keyword Index="AssetId" Term="3922aeaa-b2b7-4b29-b406-f6f5ddee0f101033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="3922aeaa-b2b7-4b29-b406-f6f5ddee0f10" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\3ce10c79-86e8-4afd-97ee-0425d605c0cb.xml" RLTitle="Using the Active Directory Federation Services Snap-In">
		<Attr Name="assetid" Value="3ce10c79-86e8-4afd-97ee-0425d605c0cb" />
		<Keyword Index="AssetId" Term="3ce10c79-86e8-4afd-97ee-0425d605c0cb" />
		<Keyword Index="AssetId" Term="3ce10c79-86e8-4afd-97ee-0425d605c0cb1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Describes the purpose of the AD FS snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="3ce10c79-86e8-4afd-97ee-0425d605c0cb" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\3ce9c5bb-bf01-4a9d-b924-bbf1e1b530cd.xml" RLTitle="Outgoing Custom Claim Mapping - General">
		<Attr Name="assetid" Value="3ce9c5bb-bf01-4a9d-b924-bbf1e1b530cd" />
		<Keyword Index="AssetId" Term="3ce9c5bb-bf01-4a9d-b924-bbf1e1b530cd" />
		<Keyword Index="AssetId" Term="3ce9c5bb-bf01-4a9d-b924-bbf1e1b530cd1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="3ce9c5bb-bf01-4a9d-b924-bbf1e1b530cd" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\3da0b27b-3d5c-4117-9ba1-60ccee5c5965.xml" RLTitle="Incoming UPN Claim Mapping - General">
		<Attr Name="assetid" Value="3da0b27b-3d5c-4117-9ba1-60ccee5c5965" />
		<Keyword Index="AssetId" Term="3da0b27b-3d5c-4117-9ba1-60ccee5c5965" />
		<Keyword Index="AssetId" Term="3da0b27b-3d5c-4117-9ba1-60ccee5c59651033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="3da0b27b-3d5c-4117-9ba1-60ccee5c5965" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\3fb68347-837b-4e40-9a7f-5fd7e90f1d77.xml" RLTitle="Outgoing UPN Claim Mapping - General">
		<Attr Name="assetid" Value="3fb68347-837b-4e40-9a7f-5fd7e90f1d77" />
		<Keyword Index="AssetId" Term="3fb68347-837b-4e40-9a7f-5fd7e90f1d77" />
		<Keyword Index="AssetId" Term="3fb68347-837b-4e40-9a7f-5fd7e90f1d771033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="3fb68347-837b-4e40-9a7f-5fd7e90f1d77" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\42063d6a-ed4a-4c14-8381-bb239fbc606c.xml" RLTitle="Add a Claims-Aware Application">
		<Attr Name="assetid" Value="42063d6a-ed4a-4c14-8381-bb239fbc606c" />
		<Keyword Index="AssetId" Term="42063d6a-ed4a-4c14-8381-bb239fbc606c" />
		<Keyword Index="AssetId" Term="42063d6a-ed4a-4c14-8381-bb239fbc606c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Provides prescriptive guidance for how to add an application to the Federation Service." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="42063d6a-ed4a-4c14-8381-bb239fbc606c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\4619d451-71da-4063-95c7-02fb9790bd58.xml" RLTitle="Choosing a Token-Signing Certificate">
		<Attr Name="assetid" Value="4619d451-71da-4063-95c7-02fb9790bd58" />
		<Keyword Index="AssetId" Term="4619d451-71da-4063-95c7-02fb9790bd58" />
		<Keyword Index="AssetId" Term="4619d451-71da-4063-95c7-02fb9790bd581033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the Add Roles Wizard for AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="4619d451-71da-4063-95c7-02fb9790bd58" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\4737022f-1c54-472a-82ee-99d0306ddccf.xml" RLTitle="Provide Your Users with SSO Access to Your Web Applications by Configuring the Federation Service">
		<Attr Name="assetid" Value="4737022f-1c54-472a-82ee-99d0306ddccf" />
		<Keyword Index="AssetId" Term="4737022f-1c54-472a-82ee-99d0306ddccf" />
		<Keyword Index="AssetId" Term="4737022f-1c54-472a-82ee-99d0306ddccf1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the Add Roles Wizard for AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="4737022f-1c54-472a-82ee-99d0306ddccf" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\4a88f9fc-8379-417e-88f6-ee7db530e9b6.xml" RLTitle="Incoming Custom Claim Mapping - General">
		<Attr Name="assetid" Value="4a88f9fc-8379-417e-88f6-ee7db530e9b6" />
		<Keyword Index="AssetId" Term="4a88f9fc-8379-417e-88f6-ee7db530e9b6" />
		<Keyword Index="AssetId" Term="4a88f9fc-8379-417e-88f6-ee7db530e9b61033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="4a88f9fc-8379-417e-88f6-ee7db530e9b6" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\4afa2480-1414-4579-8448-1913ababd20d.xml" RLTitle="Federation Service - Web Pages">
		<Attr Name="assetid" Value="4afa2480-1414-4579-8448-1913ababd20d" />
		<Keyword Index="AssetId" Term="4afa2480-1414-4579-8448-1913ababd20d" />
		<Keyword Index="AssetId" Term="4afa2480-1414-4579-8448-1913ababd20d1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="4afa2480-1414-4579-8448-1913ababd20d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\4bc380ae-866d-43fa-9571-9cf2a45830ed.xml" RLTitle="Active Directory - General">
		<Attr Name="assetid" Value="4bc380ae-866d-43fa-9571-9cf2a45830ed" />
		<Keyword Index="AssetId" Term="4bc380ae-866d-43fa-9571-9cf2a45830ed" />
		<Keyword Index="AssetId" Term="4bc380ae-866d-43fa-9571-9cf2a45830ed1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="4bc380ae-866d-43fa-9571-9cf2a45830ed" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\4de889ca-7eda-4dd9-984b-da0eb8350158.xml" RLTitle="Understanding the Federation Service Role Service">
		<Attr Name="assetid" Value="4de889ca-7eda-4dd9-984b-da0eb8350158" />
		<Keyword Index="AssetId" Term="4de889ca-7eda-4dd9-984b-da0eb8350158" />
		<Keyword Index="AssetId" Term="4de889ca-7eda-4dd9-984b-da0eb83501581033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Describes the Federation Service role service in AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="4de889ca-7eda-4dd9-984b-da0eb8350158" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="relatedAssets\916d5d6b-dfac-4cc1-bffb-1870e5280ef4.gif">
		<Keyword Index="AssetId" Term="916d5d6b-dfac-4cc1-bffb-1870e5280ef4" />
	</Vtopic>
	<Vtopic Url="assets\4fd78221-3d2e-4236-a971-18cdb8513d6b.xml" RLTitle="Understanding Claims">
		<Attr Name="assetid" Value="4fd78221-3d2e-4236-a971-18cdb8513d6b" />
		<Keyword Index="AssetId" Term="4fd78221-3d2e-4236-a971-18cdb8513d6b" />
		<Keyword Index="AssetId" Term="4fd78221-3d2e-4236-a971-18cdb8513d6b1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Describes what claims are and how they are used." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="4fd78221-3d2e-4236-a971-18cdb8513d6b" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\5036aaaa-56cd-4da4-b210-5c789091da37.xml" RLTitle="Add an AD LDS Account Store">
		<Attr Name="assetid" Value="5036aaaa-56cd-4da4-b210-5c789091da37" />
		<Keyword Index="AssetId" Term="5036aaaa-56cd-4da4-b210-5c789091da37" />
		<Keyword Index="AssetId" Term="5036aaaa-56cd-4da4-b210-5c789091da371033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Provides prescriptive guidance for how to add an account store to the Federation Service." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="5036aaaa-56cd-4da4-b210-5c789091da37" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\505507c2-db4a-45da-ad1b-082d5484b0c9.xml" RLTitle="Understanding Certificates Used by AD FS">
		<Attr Name="assetid" Value="505507c2-db4a-45da-ad1b-082d5484b0c9" />
		<Keyword Index="AssetId" Term="505507c2-db4a-45da-ad1b-082d5484b0c9" />
		<Keyword Index="AssetId" Term="505507c2-db4a-45da-ad1b-082d5484b0c91033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Describes the types of certificates that are used by federation servers, federation server proxies and AD FS-enabled Web servers." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="505507c2-db4a-45da-ad1b-082d5484b0c9" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\54ffb525-5197-4a9e-a58b-654493cf983a.xml" RLTitle="UPN Claim Filtering - General">
		<Attr Name="assetid" Value="54ffb525-5197-4a9e-a58b-654493cf983a" />
		<Keyword Index="AssetId" Term="54ffb525-5197-4a9e-a58b-654493cf983a" />
		<Keyword Index="AssetId" Term="54ffb525-5197-4a9e-a58b-654493cf983a1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="54ffb525-5197-4a9e-a58b-654493cf983a" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\567f02b7-100c-4cac-bb39-2afea3a8d776.xml" RLTitle="Federation Service - General">
		<Attr Name="assetid" Value="567f02b7-100c-4cac-bb39-2afea3a8d776" />
		<Keyword Index="AssetId" Term="567f02b7-100c-4cac-bb39-2afea3a8d776" />
		<Keyword Index="AssetId" Term="567f02b7-100c-4cac-bb39-2afea3a8d7761033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="567f02b7-100c-4cac-bb39-2afea3a8d776" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\5d18bc6e-68ed-47ae-b7a7-5f8d6c83f18f.xml" RLTitle="Outgoing Common Name Claim Mapping - General">
		<Attr Name="assetid" Value="5d18bc6e-68ed-47ae-b7a7-5f8d6c83f18f" />
		<Keyword Index="AssetId" Term="5d18bc6e-68ed-47ae-b7a7-5f8d6c83f18f" />
		<Keyword Index="AssetId" Term="5d18bc6e-68ed-47ae-b7a7-5f8d6c83f18f1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="5d18bc6e-68ed-47ae-b7a7-5f8d6c83f18f" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\5fbf02b0-8e55-4635-8bd3-525fe8adfe18.xml" RLTitle="Understanding AD FS Terminology">
		<Attr Name="assetid" Value="5fbf02b0-8e55-4635-8bd3-525fe8adfe18" />
		<Keyword Index="AssetId" Term="5fbf02b0-8e55-4635-8bd3-525fe8adfe18" />
		<Keyword Index="AssetId" Term="5fbf02b0-8e55-4635-8bd3-525fe8adfe181033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Describes common terminology associated with AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="5fbf02b0-8e55-4635-8bd3-525fe8adfe18" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\64180160-5e21-4e7b-a61d-a3e27c5ca5a2.xml" RLTitle="Federation Service - Troubleshooting">
		<Attr Name="assetid" Value="64180160-5e21-4e7b-a61d-a3e27c5ca5a2" />
		<Keyword Index="AssetId" Term="64180160-5e21-4e7b-a61d-a3e27c5ca5a2" />
		<Keyword Index="AssetId" Term="64180160-5e21-4e7b-a61d-a3e27c5ca5a21033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="64180160-5e21-4e7b-a61d-a3e27c5ca5a2" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\6fc4b2a8-6bbe-4996-85cb-e27a873a6c66.xml" RLTitle="Incoming Common Name Claim Mapping - General">
		<Attr Name="assetid" Value="6fc4b2a8-6bbe-4996-85cb-e27a873a6c66" />
		<Keyword Index="AssetId" Term="6fc4b2a8-6bbe-4996-85cb-e27a873a6c66" />
		<Keyword Index="AssetId" Term="6fc4b2a8-6bbe-4996-85cb-e27a873a6c661033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="6fc4b2a8-6bbe-4996-85cb-e27a873a6c66" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\7458dc18-13f7-495c-b571-33f6b37448cb.xml" RLTitle="Resources for AD FS">
		<Attr Name="assetid" Value="7458dc18-13f7-495c-b571-33f6b37448cb" />
		<Keyword Index="AssetId" Term="7458dc18-13f7-495c-b571-33f6b37448cb" />
		<Keyword Index="AssetId" Term="7458dc18-13f7-495c-b571-33f6b37448cb1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Provides links to AD FS resources on the Internet." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="7458dc18-13f7-495c-b571-33f6b37448cb" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\798e37db-46a0-443b-b7a8-f96cbd8cf12c.xml" RLTitle="Choosing a Client Authentication Certificate">
		<Attr Name="assetid" Value="798e37db-46a0-443b-b7a8-f96cbd8cf12c" />
		<Keyword Index="AssetId" Term="798e37db-46a0-443b-b7a8-f96cbd8cf12c" />
		<Keyword Index="AssetId" Term="798e37db-46a0-443b-b7a8-f96cbd8cf12c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the Add Roles Wizard for AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="798e37db-46a0-443b-b7a8-f96cbd8cf12c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\7b17fda1-f53e-4800-b629-cccd26344141.xml" RLTitle="Outgoing E-Mail Claim Mapping - General">
		<Attr Name="assetid" Value="7b17fda1-f53e-4800-b629-cccd26344141" />
		<Keyword Index="AssetId" Term="7b17fda1-f53e-4800-b629-cccd26344141" />
		<Keyword Index="AssetId" Term="7b17fda1-f53e-4800-b629-cccd263441411033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="7b17fda1-f53e-4800-b629-cccd26344141" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\7bb63cfd-b17e-4a03-9619-f948e295dfbb.xml" RLTitle="Understanding AD FS Role Services">
		<Attr Name="assetid" Value="7bb63cfd-b17e-4a03-9619-f948e295dfbb" />
		<Keyword Index="AssetId" Term="7bb63cfd-b17e-4a03-9619-f948e295dfbb" />
		<Keyword Index="AssetId" Term="7bb63cfd-b17e-4a03-9619-f948e295dfbb1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Describes the various AD FS role services that can be installed." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="7bb63cfd-b17e-4a03-9619-f948e295dfbb" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\7cbc0c4c-1037-4fc7-80d4-d093ff64e644.xml" RLTitle="Application - Authentication Methods">
		<Attr Name="assetid" Value="7cbc0c4c-1037-4fc7-80d4-d093ff64e644" />
		<Keyword Index="AssetId" Term="7cbc0c4c-1037-4fc7-80d4-d093ff64e644" />
		<Keyword Index="AssetId" Term="7cbc0c4c-1037-4fc7-80d4-d093ff64e6441033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="7cbc0c4c-1037-4fc7-80d4-d093ff64e644" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\8088c79c-eafe-4306-ac20-f43c4b23ccee.xml" RLTitle="Incoming UPN Claim Mapping - Groups">
		<Attr Name="assetid" Value="8088c79c-eafe-4306-ac20-f43c4b23ccee" />
		<Keyword Index="AssetId" Term="8088c79c-eafe-4306-ac20-f43c4b23ccee" />
		<Keyword Index="AssetId" Term="8088c79c-eafe-4306-ac20-f43c4b23ccee1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="8088c79c-eafe-4306-ac20-f43c4b23ccee" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\80cfa5bd-44ad-4dbe-bae5-0633d2de1de7.xml" RLTitle="Custom Claim Filtering - General">
		<Attr Name="assetid" Value="80cfa5bd-44ad-4dbe-bae5-0633d2de1de7" />
		<Keyword Index="AssetId" Term="80cfa5bd-44ad-4dbe-bae5-0633d2de1de7" />
		<Keyword Index="AssetId" Term="80cfa5bd-44ad-4dbe-bae5-0633d2de1de71033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="80cfa5bd-44ad-4dbe-bae5-0633d2de1de7" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\823f77eb-a4aa-4a46-9513-ecd582b038f8.xml" RLTitle="Selecting a Trust Policy">
		<Attr Name="assetid" Value="823f77eb-a4aa-4a46-9513-ecd582b038f8" />
		<Keyword Index="AssetId" Term="823f77eb-a4aa-4a46-9513-ecd582b038f8" />
		<Keyword Index="AssetId" Term="823f77eb-a4aa-4a46-9513-ecd582b038f81033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the Add Roles Wizard for AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="823f77eb-a4aa-4a46-9513-ecd582b038f8" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\8f8b89c2-f2a1-4ef8-8a81-9a98fa5e2407.xml" RLTitle="Using the Active Directory Federation Services Proxy Snap-In">
		<Attr Name="assetid" Value="8f8b89c2-f2a1-4ef8-8a81-9a98fa5e2407" />
		<Keyword Index="AssetId" Term="8f8b89c2-f2a1-4ef8-8a81-9a98fa5e2407" />
		<Keyword Index="AssetId" Term="8f8b89c2-f2a1-4ef8-8a81-9a98fa5e24071033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Describes the purpose of the AD FS Proxy snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="8f8b89c2-f2a1-4ef8-8a81-9a98fa5e2407" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\8fb3b4c1-e3ea-49ac-85f4-c1f6b7c7168e.xml" RLTitle="Add an Account Partner">
		<Attr Name="assetid" Value="8fb3b4c1-e3ea-49ac-85f4-c1f6b7c7168e" />
		<Keyword Index="AssetId" Term="8fb3b4c1-e3ea-49ac-85f4-c1f6b7c7168e" />
		<Keyword Index="AssetId" Term="8fb3b4c1-e3ea-49ac-85f4-c1f6b7c7168e1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Provides prescriptive guidance for how to add an account partner to the Federation Service." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="8fb3b4c1-e3ea-49ac-85f4-c1f6b7c7168e" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\8fbc984b-e639-49e2-b038-ee4aec3bc357.xml" RLTitle="Validating the Federation Server">
		<Attr Name="assetid" Value="8fbc984b-e639-49e2-b038-ee4aec3bc357" />
		<Keyword Index="AssetId" Term="8fbc984b-e639-49e2-b038-ee4aec3bc357" />
		<Keyword Index="AssetId" Term="8fbc984b-e639-49e2-b038-ee4aec3bc3571033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the Add Roles Wizard for AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="8fbc984b-e639-49e2-b038-ee4aec3bc357" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\90002538-e292-403c-b4d4-01a3810c7fed.xml" RLTitle="Deploy AD FS">
		<Attr Name="assetid" Value="90002538-e292-403c-b4d4-01a3810c7fed" />
		<Keyword Index="AssetId" Term="90002538-e292-403c-b4d4-01a3810c7fed" />
		<Keyword Index="AssetId" Term="90002538-e292-403c-b4d4-01a3810c7fed1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the Add Roles Wizard for AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="90002538-e292-403c-b4d4-01a3810c7fed" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\913b46b6-7d47-42c7-84b3-06d53d191af4.xml" RLTitle="Adding Web Applications to the Federation Service">
		<Attr Name="assetid" Value="913b46b6-7d47-42c7-84b3-06d53d191af4" />
		<Keyword Index="AssetId" Term="913b46b6-7d47-42c7-84b3-06d53d191af4" />
		<Keyword Index="AssetId" Term="913b46b6-7d47-42c7-84b3-06d53d191af41033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic provides links to related topics within the AD FS Help content." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="913b46b6-7d47-42c7-84b3-06d53d191af4" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\916957ce-daa8-4791-af8c-cdaa2c99735d.xml" RLTitle="Understanding Partner Organizations">
		<Attr Name="assetid" Value="916957ce-daa8-4791-af8c-cdaa2c99735d" />
		<Keyword Index="AssetId" Term="916957ce-daa8-4791-af8c-cdaa2c99735d" />
		<Keyword Index="AssetId" Term="916957ce-daa8-4791-af8c-cdaa2c99735d1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Describes what partner organizations are and how they relate to AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="916957ce-daa8-4791-af8c-cdaa2c99735d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\91a4e9e4-ecf1-471d-8734-7474c8899c8a.xml" RLTitle="Group Claim - General">
		<Attr Name="assetid" Value="91a4e9e4-ecf1-471d-8734-7474c8899c8a" />
		<Keyword Index="AssetId" Term="91a4e9e4-ecf1-471d-8734-7474c8899c8a" />
		<Keyword Index="AssetId" Term="91a4e9e4-ecf1-471d-8734-7474c8899c8a1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="91a4e9e4-ecf1-471d-8734-7474c8899c8a" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\92c69ace-8d1e-41e3-9db8-85bdb28d28f0.xml" RLTitle="Application - General">
		<Attr Name="assetid" Value="92c69ace-8d1e-41e3-9db8-85bdb28d28f0" />
		<Keyword Index="AssetId" Term="92c69ace-8d1e-41e3-9db8-85bdb28d28f0" />
		<Keyword Index="AssetId" Term="92c69ace-8d1e-41e3-9db8-85bdb28d28f01033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="92c69ace-8d1e-41e3-9db8-85bdb28d28f0" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\93795b81-918e-41ba-aa1f-aa68150b86b3.xml" RLTitle="Trust Policy - Advanced">
		<Attr Name="assetid" Value="93795b81-918e-41ba-aa1f-aa68150b86b3" />
		<Keyword Index="AssetId" Term="93795b81-918e-41ba-aa1f-aa68150b86b3" />
		<Keyword Index="AssetId" Term="93795b81-918e-41ba-aa1f-aa68150b86b31033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="93795b81-918e-41ba-aa1f-aa68150b86b3" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\94b3daed-71af-48ca-a2f7-29dc47074c7f.xml" RLTitle="Trust Policy - FSP Certificates">
		<Attr Name="assetid" Value="94b3daed-71af-48ca-a2f7-29dc47074c7f" />
		<Keyword Index="AssetId" Term="94b3daed-71af-48ca-a2f7-29dc47074c7f" />
		<Keyword Index="AssetId" Term="94b3daed-71af-48ca-a2f7-29dc47074c7f1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="94b3daed-71af-48ca-a2f7-29dc47074c7f" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\96b523c7-5eb0-4a08-b699-1f7856066c59.xml" RLTitle="Account Partner - General">
		<Attr Name="assetid" Value="96b523c7-5eb0-4a08-b699-1f7856066c59" />
		<Keyword Index="AssetId" Term="96b523c7-5eb0-4a08-b699-1f7856066c59" />
		<Keyword Index="AssetId" Term="96b523c7-5eb0-4a08-b699-1f7856066c591033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="96b523c7-5eb0-4a08-b699-1f7856066c59" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\9c002b26-3d2f-45ff-ac9d-5081e82b30ee.xml" RLTitle="Trust Policy">
		<Attr Name="assetid" Value="9c002b26-3d2f-45ff-ac9d-5081e82b30ee" />
		<Keyword Index="AssetId" Term="9c002b26-3d2f-45ff-ac9d-5081e82b30ee" />
		<Keyword Index="AssetId" Term="9c002b26-3d2f-45ff-ac9d-5081e82b30ee1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="9c002b26-3d2f-45ff-ac9d-5081e82b30ee" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\9d06f526-fdd0-477c-85f9-29674c2e4d68.xml" RLTitle="Configure the Account Store Priority">
		<Attr Name="assetid" Value="9d06f526-fdd0-477c-85f9-29674c2e4d68" />
		<Keyword Index="AssetId" Term="9d06f526-fdd0-477c-85f9-29674c2e4d68" />
		<Keyword Index="AssetId" Term="9d06f526-fdd0-477c-85f9-29674c2e4d681033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Provides prescriptive guidance for how to prioritize an account store in the Federation Service." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="9d06f526-fdd0-477c-85f9-29674c2e4d68" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\9fc7f8d8-1345-4400-b8b5-a6f637099d03.xml" RLTitle="Group Claim Filtering - General">
		<Attr Name="assetid" Value="9fc7f8d8-1345-4400-b8b5-a6f637099d03" />
		<Keyword Index="AssetId" Term="9fc7f8d8-1345-4400-b8b5-a6f637099d03" />
		<Keyword Index="AssetId" Term="9fc7f8d8-1345-4400-b8b5-a6f637099d031033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="9fc7f8d8-1345-4400-b8b5-a6f637099d03" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\a2280f6f-45ef-47cd-b158-9bacfe1a2600.xml" RLTitle="Incoming E-Mail Claim Mapping - General">
		<Attr Name="assetid" Value="a2280f6f-45ef-47cd-b158-9bacfe1a2600" />
		<Keyword Index="AssetId" Term="a2280f6f-45ef-47cd-b158-9bacfe1a2600" />
		<Keyword Index="AssetId" Term="a2280f6f-45ef-47cd-b158-9bacfe1a26001033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="a2280f6f-45ef-47cd-b158-9bacfe1a2600" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\a23af311-766a-4b90-ac60-d2f0680ca339.xml" RLTitle="User Interface: AD FS">
		<Attr Name="assetid" Value="a23af311-766a-4b90-ac60-d2f0680ca339" />
		<Keyword Index="AssetId" Term="a23af311-766a-4b90-ac60-d2f0680ca339" />
		<Keyword Index="AssetId" Term="a23af311-766a-4b90-ac60-d2f0680ca3391033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic provides links to related topics within the AD FS Help content." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="a23af311-766a-4b90-ac60-d2f0680ca339" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\a6ef154c-075e-4427-95f2-aed04595958e.xml" RLTitle="Trust Policy - Display Name">
		<Attr Name="assetid" Value="a6ef154c-075e-4427-95f2-aed04595958e" />
		<Keyword Index="AssetId" Term="a6ef154c-075e-4427-95f2-aed04595958e" />
		<Keyword Index="AssetId" Term="a6ef154c-075e-4427-95f2-aed04595958e1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="a6ef154c-075e-4427-95f2-aed04595958e" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\ac922f38-12db-4f2f-bfd8-edc05f2a9978.xml" RLTitle="Specifying the Federation Server">
		<Attr Name="assetid" Value="ac922f38-12db-4f2f-bfd8-edc05f2a9978" />
		<Keyword Index="AssetId" Term="ac922f38-12db-4f2f-bfd8-edc05f2a9978" />
		<Keyword Index="AssetId" Term="ac922f38-12db-4f2f-bfd8-edc05f2a99781033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the Add Roles Wizard for AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="ac922f38-12db-4f2f-bfd8-edc05f2a9978" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\ae860c09-45c5-4a1a-9d83-ff4f4d2046cc.xml" RLTitle="Common Name Claim Filtering - General">
		<Attr Name="assetid" Value="ae860c09-45c5-4a1a-9d83-ff4f4d2046cc" />
		<Keyword Index="AssetId" Term="ae860c09-45c5-4a1a-9d83-ff4f4d2046cc" />
		<Keyword Index="AssetId" Term="ae860c09-45c5-4a1a-9d83-ff4f4d2046cc1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="ae860c09-45c5-4a1a-9d83-ff4f4d2046cc" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\b0d35b8e-ad2c-40ac-aba0-784ae37ea9e9.xml" RLTitle="Claim Extraction - General">
		<Attr Name="assetid" Value="b0d35b8e-ad2c-40ac-aba0-784ae37ea9e9" />
		<Keyword Index="AssetId" Term="b0d35b8e-ad2c-40ac-aba0-784ae37ea9e9" />
		<Keyword Index="AssetId" Term="b0d35b8e-ad2c-40ac-aba0-784ae37ea9e91033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="b0d35b8e-ad2c-40ac-aba0-784ae37ea9e9" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\b2163266-aea9-4251-8dfb-7c844233bced.xml" RLTitle="Federation Service Proxy - General">
		<Attr Name="assetid" Value="b2163266-aea9-4251-8dfb-7c844233bced" />
		<Keyword Index="AssetId" Term="b2163266-aea9-4251-8dfb-7c844233bced" />
		<Keyword Index="AssetId" Term="b2163266-aea9-4251-8dfb-7c844233bced1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="b2163266-aea9-4251-8dfb-7c844233bced" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\bb89ffed-4b51-4ce0-99dd-92375eeb600f.xml" RLTitle="Understanding the AD FS Web Agent Role Service">
		<Attr Name="assetid" Value="bb89ffed-4b51-4ce0-99dd-92375eeb600f" />
		<Keyword Index="AssetId" Term="bb89ffed-4b51-4ce0-99dd-92375eeb600f" />
		<Keyword Index="AssetId" Term="bb89ffed-4b51-4ce0-99dd-92375eeb600f1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Describes the AD FS Web Agent role service in AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="bb89ffed-4b51-4ce0-99dd-92375eeb600f" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\bd1c92bf-f72a-4444-8c67-ad00a3ab4dde.xml" RLTitle="Understanding Account Stores">
		<Attr Name="assetid" Value="bd1c92bf-f72a-4444-8c67-ad00a3ab4dde" />
		<Keyword Index="AssetId" Term="bd1c92bf-f72a-4444-8c67-ad00a3ab4dde" />
		<Keyword Index="AssetId" Term="bd1c92bf-f72a-4444-8c67-ad00a3ab4dde1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Describes what account stores are and how they are used." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="bd1c92bf-f72a-4444-8c67-ad00a3ab4dde" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\bdb04181-d340-4929-9a63-a852b1765542.xml" RLTitle="Account Partner - Windows Trust">
		<Attr Name="assetid" Value="bdb04181-d340-4929-9a63-a852b1765542" />
		<Keyword Index="AssetId" Term="bdb04181-d340-4929-9a63-a852b1765542" />
		<Keyword Index="AssetId" Term="bdb04181-d340-4929-9a63-a852b17655421033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="bdb04181-d340-4929-9a63-a852b1765542" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\c754a0fe-faed-4c83-b650-27ddcfe119cb.xml" RLTitle="Troubleshooting AD FS">
		<Attr Name="assetid" Value="c754a0fe-faed-4c83-b650-27ddcfe119cb" />
		<Keyword Index="AssetId" Term="c754a0fe-faed-4c83-b650-27ddcfe119cb" />
		<Keyword Index="AssetId" Term="c754a0fe-faed-4c83-b650-27ddcfe119cb1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Provides troubleshooting guidance for AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="c754a0fe-faed-4c83-b650-27ddcfe119cb" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\c7cc7c1d-aff4-44a5-85f6-e18404591f9c.xml" RLTitle="Trust Policy - Transform Module">
		<Attr Name="assetid" Value="c7cc7c1d-aff4-44a5-85f6-e18404591f9c" />
		<Keyword Index="AssetId" Term="c7cc7c1d-aff4-44a5-85f6-e18404591f9c" />
		<Keyword Index="AssetId" Term="c7cc7c1d-aff4-44a5-85f6-e18404591f9c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="c7cc7c1d-aff4-44a5-85f6-e18404591f9c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\ccdd7180-42a3-43b0-a8af-27972f5be619.xml" RLTitle="Account Partner - Resource Accounts">
		<Attr Name="assetid" Value="ccdd7180-42a3-43b0-a8af-27972f5be619" />
		<Keyword Index="AssetId" Term="ccdd7180-42a3-43b0-a8af-27972f5be619" />
		<Keyword Index="AssetId" Term="ccdd7180-42a3-43b0-a8af-27972f5be6191033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="ccdd7180-42a3-43b0-a8af-27972f5be619" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\d87ee269-ff2e-486d-8401-db4325ffaa54.xml" RLTitle="Trust Policy - Event Log">
		<Attr Name="assetid" Value="d87ee269-ff2e-486d-8401-db4325ffaa54" />
		<Keyword Index="AssetId" Term="d87ee269-ff2e-486d-8401-db4325ffaa54" />
		<Keyword Index="AssetId" Term="d87ee269-ff2e-486d-8401-db4325ffaa541033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="d87ee269-ff2e-486d-8401-db4325ffaa54" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\debbb166-5143-49b9-8937-7d41c9f5b48b.xml" RLTitle="Active Directory Federation Services">
		<Attr Name="assetid" Value="debbb166-5143-49b9-8937-7d41c9f5b48b" />
		<Keyword Index="AssetId" Term="debbb166-5143-49b9-8937-7d41c9f5b48b" />
		<Keyword Index="AssetId" Term="debbb166-5143-49b9-8937-7d41c9f5b48b1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Top-level topic for the AD FS Help content." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="debbb166-5143-49b9-8937-7d41c9f5b48b" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e3c91285-4edf-4bd4-b762-60694f6bbcbc.xml" RLTitle="Add an AD DS Account Store">
		<Attr Name="assetid" Value="e3c91285-4edf-4bd4-b762-60694f6bbcbc" />
		<Keyword Index="AssetId" Term="e3c91285-4edf-4bd4-b762-60694f6bbcbc" />
		<Keyword Index="AssetId" Term="e3c91285-4edf-4bd4-b762-60694f6bbcbc1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Provides prescriptive guidance for how to add an account store to the Federation Service." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e3c91285-4edf-4bd4-b762-60694f6bbcbc" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e49d6f9d-b576-4a15-81d8-93b646bfea05.xml" RLTitle="Create a New Organization Claim">
		<Attr Name="assetid" Value="e49d6f9d-b576-4a15-81d8-93b646bfea05" />
		<Keyword Index="AssetId" Term="e49d6f9d-b576-4a15-81d8-93b646bfea05" />
		<Keyword Index="AssetId" Term="e49d6f9d-b576-4a15-81d8-93b646bfea051033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e49d6f9d-b576-4a15-81d8-93b646bfea05" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e4e26582-bde4-45f3-bc6f-b537e8d0f54c.xml" RLTitle="Adding and Configuring Account Stores in the Federation Service">
		<Attr Name="assetid" Value="e4e26582-bde4-45f3-bc6f-b537e8d0f54c" />
		<Keyword Index="AssetId" Term="e4e26582-bde4-45f3-bc6f-b537e8d0f54c" />
		<Keyword Index="AssetId" Term="e4e26582-bde4-45f3-bc6f-b537e8d0f54c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic provides links to related topics within the AD FS Help content." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e4e26582-bde4-45f3-bc6f-b537e8d0f54c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e61ad0bd-8dd7-416f-ae03-c7aa4569d147.xml" RLTitle="E-Mail Claim Filtering - General">
		<Attr Name="assetid" Value="e61ad0bd-8dd7-416f-ae03-c7aa4569d147" />
		<Keyword Index="AssetId" Term="e61ad0bd-8dd7-416f-ae03-c7aa4569d147" />
		<Keyword Index="AssetId" Term="e61ad0bd-8dd7-416f-ae03-c7aa4569d1471033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e61ad0bd-8dd7-416f-ae03-c7aa4569d147" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e9d785ca-5159-4df0-8573-ac73b9a94f5f.xml" RLTitle="My Organization">
		<Attr Name="assetid" Value="e9d785ca-5159-4df0-8573-ac73b9a94f5f" />
		<Keyword Index="AssetId" Term="e9d785ca-5159-4df0-8573-ac73b9a94f5f" />
		<Keyword Index="AssetId" Term="e9d785ca-5159-4df0-8573-ac73b9a94f5f1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e9d785ca-5159-4df0-8573-ac73b9a94f5f" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\eae03733-b48d-43fe-a172-6e497efdf6df.xml" RLTitle="Outgoing Group Claim Mapping - General">
		<Attr Name="assetid" Value="eae03733-b48d-43fe-a172-6e497efdf6df" />
		<Keyword Index="AssetId" Term="eae03733-b48d-43fe-a172-6e497efdf6df" />
		<Keyword Index="AssetId" Term="eae03733-b48d-43fe-a172-6e497efdf6df1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="eae03733-b48d-43fe-a172-6e497efdf6df" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\ecf794aa-82fc-4f59-b951-c36870753892.xml" RLTitle="Choosing a Certificate for SSL Encryption">
		<Attr Name="assetid" Value="ecf794aa-82fc-4f59-b951-c36870753892" />
		<Keyword Index="AssetId" Term="ecf794aa-82fc-4f59-b951-c36870753892" />
		<Keyword Index="AssetId" Term="ecf794aa-82fc-4f59-b951-c368707538921033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the Add Roles Wizard for AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="ecf794aa-82fc-4f59-b951-c36870753892" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\eefe0c5d-c756-4410-814e-b2dfb913cd32.xml" RLTitle="Evaluate AD FS">
		<Attr Name="assetid" Value="eefe0c5d-c756-4410-814e-b2dfb913cd32" />
		<Keyword Index="AssetId" Term="eefe0c5d-c756-4410-814e-b2dfb913cd32" />
		<Keyword Index="AssetId" Term="eefe0c5d-c756-4410-814e-b2dfb913cd321033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the Add Roles Wizard for AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="eefe0c5d-c756-4410-814e-b2dfb913cd32" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f01bd12f-85c0-445c-b6bf-645ab66ac0e8.xml" RLTitle="Trust Policy - General">
		<Attr Name="assetid" Value="f01bd12f-85c0-445c-b6bf-645ab66ac0e8" />
		<Keyword Index="AssetId" Term="f01bd12f-85c0-445c-b6bf-645ab66ac0e8" />
		<Keyword Index="AssetId" Term="f01bd12f-85c0-445c-b6bf-645ab66ac0e81033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f01bd12f-85c0-445c-b6bf-645ab66ac0e8" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f270ef7c-350f-44fe-87cc-3088c9d87971.xml" RLTitle="Overview of AD FS">
		<Attr Name="assetid" Value="f270ef7c-350f-44fe-87cc-3088c9d87971" />
		<Keyword Index="AssetId" Term="f270ef7c-350f-44fe-87cc-3088c9d87971" />
		<Keyword Index="AssetId" Term="f270ef7c-350f-44fe-87cc-3088c9d879711033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Overview topic for AD FS Help content." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f270ef7c-350f-44fe-87cc-3088c9d87971" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f2e0dfa2-6b20-4c95-b0c3-4830c042bbe2.xml" RLTitle="Provide Federated Users with Access to Your Web Applications by Configuring the Federation Service">
		<Attr Name="assetid" Value="f2e0dfa2-6b20-4c95-b0c3-4830c042bbe2" />
		<Keyword Index="AssetId" Term="f2e0dfa2-6b20-4c95-b0c3-4830c042bbe2" />
		<Keyword Index="AssetId" Term="f2e0dfa2-6b20-4c95-b0c3-4830c042bbe21033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the Add Roles Wizard for AD FS." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f2e0dfa2-6b20-4c95-b0c3-4830c042bbe2" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f3badc17-abb5-49be-a1a2-2119140dafb1.xml" RLTitle="AD LDS - General">
		<Attr Name="assetid" Value="f3badc17-abb5-49be-a1a2-2119140dafb1" />
		<Keyword Index="AssetId" Term="f3badc17-abb5-49be-a1a2-2119140dafb1" />
		<Keyword Index="AssetId" Term="f3badc17-abb5-49be-a1a2-2119140dafb11033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f3badc17-abb5-49be-a1a2-2119140dafb1" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f60ca0a1-aace-4877-8b4d-40f06090d5c3.xml" RLTitle="Add a Resource Partner">
		<Attr Name="assetid" Value="f60ca0a1-aace-4877-8b4d-40f06090d5c3" />
		<Keyword Index="AssetId" Term="f60ca0a1-aace-4877-8b4d-40f06090d5c3" />
		<Keyword Index="AssetId" Term="f60ca0a1-aace-4877-8b4d-40f06090d5c31033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Provides prescriptive guidance for how to add a resource partner to the Federation Service." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f60ca0a1-aace-4877-8b4d-40f06090d5c3" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f60cc74f-d34b-45cc-9460-2d9127948238.xml" RLTitle="Federation Services URL">
		<Attr Name="assetid" Value="f60cc74f-d34b-45cc-9460-2d9127948238" />
		<Keyword Index="AssetId" Term="f60cc74f-d34b-45cc-9460-2d9127948238" />
		<Keyword Index="AssetId" Term="f60cc74f-d34b-45cc-9460-2d91279482381033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings related to AD FS that are available from within the IIS snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f60cc74f-d34b-45cc-9460-2d9127948238" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f61b6a1d-c704-484b-8787-f27de22c700b.xml" RLTitle="AD LDS - Settings">
		<Attr Name="assetid" Value="f61b6a1d-c704-484b-8787-f27de22c700b" />
		<Keyword Index="AssetId" Term="f61b6a1d-c704-484b-8787-f27de22c700b" />
		<Keyword Index="AssetId" Term="f61b6a1d-c704-484b-8787-f27de22c700b1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f61b6a1d-c704-484b-8787-f27de22c700b" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f702106d-2002-4123-b4a2-01676fcbcdcd.xml" RLTitle="Trust Policy - Verification Certificates">
		<Attr Name="assetid" Value="f702106d-2002-4123-b4a2-01676fcbcdcd" />
		<Keyword Index="AssetId" Term="f702106d-2002-4123-b4a2-01676fcbcdcd" />
		<Keyword Index="AssetId" Term="f702106d-2002-4123-b4a2-01676fcbcdcd1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f702106d-2002-4123-b4a2-01676fcbcdcd" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\fc406ace-9397-4271-baa1-888383a12c63.xml" RLTitle="Understanding Application Types for AD FS Federation">
		<Attr Name="assetid" Value="fc406ace-9397-4271-baa1-888383a12c63" />
		<Keyword Index="AssetId" Term="fc406ace-9397-4271-baa1-888383a12c63" />
		<Keyword Index="AssetId" Term="fc406ace-9397-4271-baa1-888383a12c631033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="Describes what federated applications are and how they are used." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="fc406ace-9397-4271-baa1-888383a12c63" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\feb4e99e-eb67-4562-8baa-aec24e7f4902.xml" RLTitle="Application - Advanced">
		<Attr Name="assetid" Value="feb4e99e-eb67-4562-8baa-aec24e7f4902" />
		<Keyword Index="AssetId" Term="feb4e99e-eb67-4562-8baa-aec24e7f4902" />
		<Keyword Index="AssetId" Term="feb4e99e-eb67-4562-8baa-aec24e7f49021033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="GettingStarted" />
		<Attr Name="Description" Value="This topic contains information that describes user interface (UI) settings that are available from within the AD FS Help snap-in." />
		<Attr Name="subject_productTechnology" Value="IdentityAndDirectoryServices_ADFS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1706" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="feb4e99e-eb67-4562-8baa-aec24e7f4902" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
</VTopicSet><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpTOC>
<HelpTOC xmlns="http://schemas.microsoft.com/help/toc/2004/11" DTDVersion="1.0" Id="adfs_LH_TOC" FileVersion="" LangId="1033" ParentNodeIcon="Book" PluginStyle="Hierarchical">
	<HelpTOCNode Url="mshelp://windows/?tocid=51a09fcb-e0e6-430a-9df6-8c31dbb7d275" Title="">
		<HelpTOCNode Url="mshelp://windows/?id=debbb166-5143-49b9-8937-7d41c9f5b48b" Title="Active Directory Federation Services">
			<HelpTOCNode Url="mshelp://windows/?id=f270ef7c-350f-44fe-87cc-3088c9d87971" Title="Overview of AD FS">
				<HelpTOCNode Url="mshelp://windows/?id=7bb63cfd-b17e-4a03-9619-f948e295dfbb" Title="Understanding AD FS Role Services">
					<HelpTOCNode Url="mshelp://windows/?id=4de889ca-7eda-4dd9-984b-da0eb8350158" Title="Understanding the Federation Service Role Service">
						<HelpTOCNode Url="mshelp://windows/?id=3ce10c79-86e8-4afd-97ee-0425d605c0cb" Title="Using the Active Directory Federation Services Snap-In" />
					</HelpTOCNode>
					<HelpTOCNode Url="mshelp://windows/?id=04072293-0c5f-4548-b4bd-5c3be9bfa44e" Title="Understanding the Federation Service Proxy Role Service">
						<HelpTOCNode Url="mshelp://windows/?id=8f8b89c2-f2a1-4ef8-8a81-9a98fa5e2407" Title="Using the Active Directory Federation Services Proxy Snap-In" />
					</HelpTOCNode>
					<HelpTOCNode Url="mshelp://windows/?id=bb89ffed-4b51-4ce0-99dd-92375eeb600f" Title="Understanding the AD FS Web Agent Role Service" />
				</HelpTOCNode>
				<HelpTOCNode Url="mshelp://windows/?id=5fbf02b0-8e55-4635-8bd3-525fe8adfe18" Title="Understanding AD FS Terminology" />
				<HelpTOCNode Url="mshelp://windows/?id=31b140ce-1c7a-4b1b-b6fd-c87c8233d07e" Title="Understanding Federation Trusts" />
				<HelpTOCNode Url="mshelp://windows/?id=1a17d8ac-4ac6-418c-845c-a4251376e1e9" Title="Understanding Federation Designs" />
				<HelpTOCNode Url="mshelp://windows/?id=4fd78221-3d2e-4236-a971-18cdb8513d6b" Title="Understanding Claims" />
				<HelpTOCNode Url="mshelp://windows/?id=0357bdbc-219d-4ec1-a6d0-1a3376bc1eb5" Title="Understanding Cookies Used by AD FS" />
				<HelpTOCNode Url="mshelp://windows/?id=505507c2-db4a-45da-ad1b-082d5484b0c9" Title="Understanding Certificates Used by AD FS" />
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=34f010d7-0c78-4412-a7ef-6a52653a4443" Title="Requirements for AD FS" />
			<HelpTOCNode Url="mshelp://windows/?id=277dfde3-8d89-41d1-98df-50fc35048ae7" Title="Adding Partners to the Federation Service">
				<HelpTOCNode Url="mshelp://windows/?id=916957ce-daa8-4791-af8c-cdaa2c99735d" Title="Understanding Partner Organizations" />
				<HelpTOCNode Url="mshelp://windows/?id=f60ca0a1-aace-4877-8b4d-40f06090d5c3" Title="Add a Resource Partner" />
				<HelpTOCNode Url="mshelp://windows/?id=8fb3b4c1-e3ea-49ac-85f4-c1f6b7c7168e" Title="Add an Account Partner" />
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=e4e26582-bde4-45f3-bc6f-b537e8d0f54c" Title="Adding and Configuring Account Stores in the Federation Service">
				<HelpTOCNode Url="mshelp://windows/?id=bd1c92bf-f72a-4444-8c67-ad00a3ab4dde" Title="Understanding Account Stores" />
				<HelpTOCNode Url="mshelp://windows/?id=e3c91285-4edf-4bd4-b762-60694f6bbcbc" Title="Add an AD DS Account Store" />
				<HelpTOCNode Url="mshelp://windows/?id=5036aaaa-56cd-4da4-b210-5c789091da37" Title="Add an AD LDS Account Store" />
				<HelpTOCNode Url="mshelp://windows/?id=9d06f526-fdd0-477c-85f9-29674c2e4d68" Title="Configure the Account Store Priority" />
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=913b46b6-7d47-42c7-84b3-06d53d191af4" Title="Adding Web Applications to the Federation Service">
				<HelpTOCNode Url="mshelp://windows/?id=fc406ace-9397-4271-baa1-888383a12c63" Title="Understanding Application Types for AD FS Federation" />
				<HelpTOCNode Url="mshelp://windows/?id=2d63d1e2-c787-474a-9768-29d8cab6f713" Title="Add a Windows NT Token-Based Application" />
				<HelpTOCNode Url="mshelp://windows/?id=42063d6a-ed4a-4c14-8381-bb239fbc606c" Title="Add a Claims-Aware Application" />
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=c754a0fe-faed-4c83-b650-27ddcfe119cb" Title="Troubleshooting AD FS" />
			<HelpTOCNode Url="mshelp://windows/?id=7458dc18-13f7-495c-b571-33f6b37448cb" Title="Resources for AD FS" />
			<HelpTOCNode Url="mshelp://windows/?id=a23af311-766a-4b90-ac60-d2f0680ca339" Title="User Interface: AD FS">
				<HelpTOCNode Url="mshelp://windows/?id=96b523c7-5eb0-4a08-b699-1f7856066c59" Title="Account Partner - General" />
				<HelpTOCNode Url="mshelp://windows/?id=ccdd7180-42a3-43b0-a8af-27972f5be619" Title="Account Partner - Resource Accounts" />
				<HelpTOCNode Url="mshelp://windows/?id=05232cd5-b2eb-4a13-9e75-0992677383c7" Title="Account Partner - Verification Certificates" />
				<HelpTOCNode Url="mshelp://windows/?id=bdb04181-d340-4929-9a63-a852b1765542" Title="Account Partner - Windows Trust" />
				<HelpTOCNode Url="mshelp://windows/?id=4bc380ae-866d-43fa-9571-9cf2a45830ed" Title="Active Directory - General" />
				<HelpTOCNode Url="mshelp://windows/?id=f3badc17-abb5-49be-a1a2-2119140dafb1" Title="AD LDS - General" />
				<HelpTOCNode Url="mshelp://windows/?id=f61b6a1d-c704-484b-8787-f27de22c700b" Title="AD LDS - Settings" />
				<HelpTOCNode Url="mshelp://windows/?id=1856eba5-b7e8-48b4-9027-5fd14d45a29d" Title="AD FS Windows Token-Based Agent" />
				<HelpTOCNode Url="mshelp://windows/?id=feb4e99e-eb67-4562-8baa-aec24e7f4902" Title="Application - Advanced" />
				<HelpTOCNode Url="mshelp://windows/?id=7cbc0c4c-1037-4fc7-80d4-d093ff64e644" Title="Application - Authentication Methods" />
				<HelpTOCNode Url="mshelp://windows/?id=92c69ace-8d1e-41e3-9db8-85bdb28d28f0" Title="Application - General" />
				<HelpTOCNode Url="mshelp://windows/?id=4619d451-71da-4063-95c7-02fb9790bd58" Title="Choosing a Token-Signing Certificate" />
				<HelpTOCNode Url="mshelp://windows/?id=798e37db-46a0-443b-b7a8-f96cbd8cf12c" Title="Choosing a Client Authentication Certificate" />
				<HelpTOCNode Url="mshelp://windows/?id=ecf794aa-82fc-4f59-b951-c36870753892" Title="Choosing a Certificate for SSL Encryption" />
				<HelpTOCNode Url="mshelp://windows/?id=b0d35b8e-ad2c-40ac-aba0-784ae37ea9e9" Title="Claim Extraction - General" />
				<HelpTOCNode Url="mshelp://windows/?id=ae860c09-45c5-4a1a-9d83-ff4f4d2046cc" Title="Common Name Claim Filtering - General" />
				<HelpTOCNode Url="mshelp://windows/?id=e49d6f9d-b576-4a15-81d8-93b646bfea05" Title="Create a New Organization Claim" />
				<HelpTOCNode Url="mshelp://windows/?id=13f8e318-dbe0-4967-aaad-ad5ccdee426b" Title="Custom Claim - General" />
				<HelpTOCNode Url="mshelp://windows/?id=80cfa5bd-44ad-4dbe-bae5-0633d2de1de7" Title="Custom Claim Filtering - General" />
				<HelpTOCNode Url="mshelp://windows/?id=90002538-e292-403c-b4d4-01a3810c7fed" Title="Deploy AD FS" />
				<HelpTOCNode Url="mshelp://windows/?id=e61ad0bd-8dd7-416f-ae03-c7aa4569d147" Title="E-Mail Claim Filtering - General" />
				<HelpTOCNode Url="mshelp://windows/?id=eefe0c5d-c756-4410-814e-b2dfb913cd32" Title="Evaluate AD FS" />
				<HelpTOCNode Url="mshelp://windows/?id=068aee1f-882f-45f1-a70a-452b6352c15d" Title="Federation Service - Advanced" />
				<HelpTOCNode Url="mshelp://windows/?id=567f02b7-100c-4cac-bb39-2afea3a8d776" Title="Federation Service - General" />
				<HelpTOCNode Url="mshelp://windows/?id=64180160-5e21-4e7b-a61d-a3e27c5ca5a2" Title="Federation Service - Troubleshooting" />
				<HelpTOCNode Url="mshelp://windows/?id=4afa2480-1414-4579-8448-1913ababd20d" Title="Federation Service - Web Pages" />
				<HelpTOCNode Url="mshelp://windows/?id=b2163266-aea9-4251-8dfb-7c844233bced" Title="Federation Service Proxy - General" />
				<HelpTOCNode Url="mshelp://windows/?id=3922aeaa-b2b7-4b29-b406-f6f5ddee0f10" Title="Federation Service Proxy - Web Pages" />
				<HelpTOCNode Url="mshelp://windows/?id=f60cc74f-d34b-45cc-9460-2d9127948238" Title="Federation Services URL" />
				<HelpTOCNode Url="mshelp://windows/?id=91a4e9e4-ecf1-471d-8734-7474c8899c8a" Title="Group Claim - General" />
				<HelpTOCNode Url="mshelp://windows/?id=31c2332d-7739-430a-aed4-25fc1ac9e640" Title="Group Claim - Resource Group" />
				<HelpTOCNode Url="mshelp://windows/?id=9fc7f8d8-1345-4400-b8b5-a6f637099d03" Title="Group Claim Filtering - General" />
				<HelpTOCNode Url="mshelp://windows/?id=6fc4b2a8-6bbe-4996-85cb-e27a873a6c66" Title="Incoming Common Name Claim Mapping - General" />
				<HelpTOCNode Url="mshelp://windows/?id=4a88f9fc-8379-417e-88f6-ee7db530e9b6" Title="Incoming Custom Claim Mapping - General" />
				<HelpTOCNode Url="mshelp://windows/?id=a2280f6f-45ef-47cd-b158-9bacfe1a2600" Title="Incoming E-Mail Claim Mapping - General" />
				<HelpTOCNode Url="mshelp://windows/?id=030f3abf-b6c9-406a-9149-e7ae9a5f620c" Title="Incoming Group Claim Mapping - General" />
				<HelpTOCNode Url="mshelp://windows/?id=3da0b27b-3d5c-4117-9ba1-60ccee5c5965" Title="Incoming UPN Claim Mapping - General" />
				<HelpTOCNode Url="mshelp://windows/?id=8088c79c-eafe-4306-ac20-f43c4b23ccee" Title="Incoming UPN Claim Mapping - Groups" />
				<HelpTOCNode Url="mshelp://windows/?id=e9d785ca-5159-4df0-8573-ac73b9a94f5f" Title="My Organization" />
				<HelpTOCNode Url="mshelp://windows/?id=5d18bc6e-68ed-47ae-b7a7-5f8d6c83f18f" Title="Outgoing Common Name Claim Mapping - General" />
				<HelpTOCNode Url="mshelp://windows/?id=3ce9c5bb-bf01-4a9d-b924-bbf1e1b530cd" Title="Outgoing Custom Claim Mapping - General" />
				<HelpTOCNode Url="mshelp://windows/?id=7b17fda1-f53e-4800-b629-cccd26344141" Title="Outgoing E-Mail Claim Mapping - General" />
				<HelpTOCNode Url="mshelp://windows/?id=eae03733-b48d-43fe-a172-6e497efdf6df" Title="Outgoing Group Claim Mapping - General" />
				<HelpTOCNode Url="mshelp://windows/?id=3fb68347-837b-4e40-9a7f-5fd7e90f1d77" Title="Outgoing UPN Claim Mapping - General" />
				<HelpTOCNode Url="mshelp://windows/?id=0ad590fe-6f85-4af8-b88a-4c2cebfb036e" Title="Provide Your Users with Access to Federated Applications by Configuring the Federation Service" />
				<HelpTOCNode Url="mshelp://windows/?id=f2e0dfa2-6b20-4c95-b0c3-4830c042bbe2" Title="Provide Federated Users with Access to Your Web Applications by Configuring the Federation Service" />
				<HelpTOCNode Url="mshelp://windows/?id=4737022f-1c54-472a-82ee-99d0306ddccf" Title="Provide Your Users with SSO Access to Your Web Applications by Configuring the Federation Service" />
				<HelpTOCNode Url="mshelp://windows/?id=07149786-09f3-4159-87f1-308feea5d774" Title="Provide Federated Users with Access to Your Web Applications by Configuring an AD FS-Enabled Web Server" />
				<HelpTOCNode Url="mshelp://windows/?id=0101ede2-77bd-41f4-b8e7-d2b0e4ec9a43" Title="Resource Partner - Advanced" />
				<HelpTOCNode Url="mshelp://windows/?id=23be4d60-fe62-4aab-871e-649f147be7d7" Title="Resource Partner - General" />
				<HelpTOCNode Url="mshelp://windows/?id=ac922f38-12db-4f2f-bfd8-edc05f2a9978" Title="Specifying the Federation Server" />
				<HelpTOCNode Url="mshelp://windows/?id=823f77eb-a4aa-4a46-9513-ecd582b038f8" Title="Selecting a Trust Policy" />
				<HelpTOCNode Url="mshelp://windows/?id=9c002b26-3d2f-45ff-ac9d-5081e82b30ee" Title="Trust Policy" />
				<HelpTOCNode Url="mshelp://windows/?id=93795b81-918e-41ba-aa1f-aa68150b86b3" Title="Trust Policy - Advanced" />
				<HelpTOCNode Url="mshelp://windows/?id=a6ef154c-075e-4427-95f2-aed04595958e" Title="Trust Policy - Display Name" />
				<HelpTOCNode Url="mshelp://windows/?id=d87ee269-ff2e-486d-8401-db4325ffaa54" Title="Trust Policy - Event Log" />
				<HelpTOCNode Url="mshelp://windows/?id=94b3daed-71af-48ca-a2f7-29dc47074c7f" Title="Trust Policy - FSP Certificates" />
				<HelpTOCNode Url="mshelp://windows/?id=f01bd12f-85c0-445c-b6bf-645ab66ac0e8" Title="Trust Policy - General" />
				<HelpTOCNode Url="mshelp://windows/?id=c7cc7c1d-aff4-44a5-85f6-e18404591f9c" Title="Trust Policy - Transform Module" />
				<HelpTOCNode Url="mshelp://windows/?id=f702106d-2002-4123-b4a2-01676fcbcdcd" Title="Trust Policy - Verification Certificates" />
				<HelpTOCNode Url="mshelp://windows/?id=54ffb525-5197-4a9e-a58b-654493cf983a" Title="UPN Claim Filtering - General" />
				<HelpTOCNode Url="mshelp://windows/?id=8fbc984b-e639-49e2-b038-ee4aec3bc357" Title="Validating the Federation Server" />
			</HelpTOCNode>
		</HelpTOCNode>
	</HelpTOCNode>
</HelpTOC><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="AssetId" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="BestBet" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="LinkTerm" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="SubjectTerm" /> 52y`!7VM1T$!,fҗALHT*IRQSQR)K4$ZE7\#gWvg`}yw^B x6wL0"Z1(6)7j
McA\b8[+Jw|~WaWA7A?UYplVkqu.5zvvjG_+=!7z5Q߷^/ubkwzMp0fxڛl48o,ӗ_8fyvmO=lqlcOz(x4׍w>r[UӀ_1nņKGohi֝KiGϢ37b=.ѳ_N8+o1\Ѹ0olRv[8e6x<G62gz賲˜F^L~q3葟˞i.{V2zM?Mr34e4mr]m>ڻeiF]L24Q.EiS.m2:*gt6ogz+74etnf9ӌn.2\MCnfݐ/9Ӆ~t.Y
su3Mp}=FÃ\ic-LZ2g:gzot93z=FO[{3mh˛išt7s9ӌ~-˽FO[|\FL4ettsu94e4{.{ϙeq7e4.^[w/l.Hl=oA'ܺa~-ۿܝJd:NMkd.zsp~veoT<wzu//uُ|~9n3mZc.m/wWV~k:1w9߳o[sos[϶ію2[C9ze剉eϿ~ٿ~>{匶wq؛2][6NaP_cNI4	>{<C.rW&	rY}</i#2XW8^t)lNnXKtw-\~Yο;>Q~֩S9NlczϜ^{W~zmNeqX..Ƿez>qrZ[OC=sLϔsцwUy~6uܖ9w9~jn\\z~csg3mN;|ߟ
~wܟ,{vwu6Upn\$g֟g]Nz7<?=T?"79=.ݚWt|0/]ϟz\tFWnŮ|HWtWJtLWtV܊x{+wo]CqK]]SZ7珫icY|un{^۫
nܫWku^ﭽ[j^jn-5Wuk_͍Xu>\ǃku+_𭾚[[u|÷jݚWk>||3FL:g|3<V1wvǂ~?=KuV9c؏d.<|3<~1yc8\c͒t~Oy=1z\c.sǗwc~=1W}1zc֘c1\qϏcd~?-NcYk3ǣ渳==&1cݞ;0wP&{}6wWx[:}w@
ޫtP}wOÚsw8Cv}0oV'G	
`}oxCAć<,x`Ñ$L<]yN-|AB0qSl6c
׳gB?,C_W^oF5GӝX_9Jz?޾}3)MSxޔo}:P7JSߩuJKzOZSJ{_{JXN})jS/:JuO龂ҷ)}>So>S߯|J=ħJ_vN})7)}wS/;|Jud})#)}>JSR>So>ZSJ߽|_|JͧJ_|_vJ鋝ON})A)}7S];vJˤOSJwN});wJKN)}>SJ=}x7՛_wJN)}/>SJU}~N)}/>SJ+xO龭OwSJ߅}})7S<=;O})]<ҷ:SyJ#O)}<ZSJߗoJJwRJ_yw?apZ
++

++

++

++

++

++

++

++

++

++

++

++

++

++ĥ|z44#U0C!ׂC0\PeÆClmYÈpq`H\0Z/.áp4{\0r;.aׂáڂr`.CCpL{^0յ!`ȶ.K&!0mr`ض`0\\/nr`趹`0||[\0-/pá`\0k.Cá܂s`ν-s.C`Xܹ\0{.Ct`]0
.Dá݂a{0"].Jå!nt @@  @@  @@  @@  @@  @@  @@  @@  @@ 1>⬋HX``XX``XX``XX``XX``XX``XX``XX``XX``XX``XX``XX``XX``XX``XX``XX``}!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"!B"DB!D"o}ٚ3o_h'3}?ꌳkaS6lj6NaSᯭd6[{Ma}l9,wWN],afSY8|_'AB-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-B-ԅA $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH$	A $H	 AH${	@-	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0aL&	a˜0&L	„0acy\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pp\\pîџj>޹|Rߪ?
U2ATPPATATP@

**

*w*

**

**

**
xlc޼ATP<6TATPPATATPAA5Yq
**

*cTTPdW*

**

**

**

*];wA*uuL>;w{R>;C><x =Onүacm/ >H<xa<@y a*5y` <P*

QEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQE~yٞ-EQEYQ*QEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQVJٞՠvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv}vg~5"(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((_#ka4l*N
TATPP553C=;[(((((((((((((((((((((((/؁dK(((((((((((((((((((((((((((((((((((((((H(((((((((((((((((((((((((((()EQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEIR2TEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQQEEQl̻(I*;?{^ݎ7I|3$s/%}kt܏^-~y{ok?Ωsۼ?o_%D^Pw3?\nWsݯߤwm_з~/gKlwyᇿt3!w1zksդtHk\lv]7p5Zw;wVd<h;6߽Ä=I?s|>R
v$l6%D8CA$Z 1F tmjqu4m!QqypjksҚ:T&aT<7d=A$(	[pW?b4zE{!Dc}־z#bA"fTG5'#=^_Ojzn/p!bzH$xkʂ>P=o1M_GcCJFG^P)BsMa#G_xoS=U_nQVh>(oOtjQRjsALFuQ*-ٷAY[T-L6{˽86vOMqy"sW7}Т:O}^~HXC\E!6j=(-Q} <v<D-z,:m)7SF?G莲H=ӋޥoTw=k#~~U{TXB۩8:|ѝO;ߡ![JnH3VCÔoe4v"}AT4.}za@{DΕAp7Ђ(if-\
(/2FJrS46D,aJtQxR2"+K9/‹mcz
߇1?\?BFTd-CX2_YQeGJl :StL_6)#^QmBۣ̊j[O0Ǵ4}Rʲ'[X^^8w>eqגmt_DӴP7dU˜rFĸܬ{B
b	0
:+MM$:cyWXn M`05jlydh1X;X ?ouFO}.#,8iwC㧍Tw{a!vE7DH}Ģ]8h2eVQkPx:ꆅm@&#?RDU)>8!z'/pk4'yLCoO/]bfdvYa|
֎uh:S~$ф%dk8&n477-HPJ@
60QI+{e-Ha~.)a,;M.v0h x _9"xQ=w-G?ɯ~6r	cP1#IJLjMiinir8qm[6|SMgNJD/
h8vh]N7A.!8TPh;뵔KF4%.c=C<Kўndw)n&XѢĚc)jT9`=&r-pm?$)#Ů@3mb1l|v1!
k֑0,h]bpB핬:深5Td]qoԐ
`ET(LLgxp?|h8ޏS*axf~Xs6D_JS2#syCfWMco_xRRӜ%(jBH%?+HرHly-)}V9f9mm
^';b~Rтjס^]H-V;LnԁLm.zZ0'E[	|!4҃Wu~ESv4<АL
GZs6V	r>'on0
)0M>
[%
mFfama64IN|Ȳ'N+{Y#S&)5YF!>Nf#XN))O.b̴%A-njD=V`C&Pd:ElXw`qfZPg՛wӭ\'&W)u5
6XJ%)+sfȱW+è@3ډBj@iLMˆ_p+R1
}]J츙8/NmZ&UTYB3A6hVW# =*QmWzs}er8't]	P;umsߓc6A@mKjLs?Ħ̝&$#Z24Y毜eWX.3Q0hYLK5Ѭm!,c9JJu{_aK3JXHȦY&ڒ'	TSK;F.6PMnl'E9.ݓ=B!GOr? s:ܒ\9/}-0X/F OKNۈ<TP<x#'fGLYM^yU6akh*ͭSfz<{& vqXzHi:Xe_xuTꅆ8Rcv$`0jOIqμhwL;m̓}xz
%C]15.#}Z/o_zhiJ;+j1װlwx.'&!HK:\ҟ4ELv(qR d6F) Wlx.]%{A[Tjx2ÈN_8qqΏٰԷ34	6|q:+{ް%2Nkf|fm&
5rw_HAi>%qT
z
,ǟo1ZΊ_D	U9Vn9`uF%/<7XbäDo=u E#yK͢&iĠE,T9֜bub{`?=HmniR:@Y<W+J}/c͕W#5E
Ky)ɅNOInZ/2Sn5"2{Nǒm6'k[4[Dd&/|g8eKNJ%_l3u*l* (=_O$NfDlOqc6/n]p0>#G[-6

[(L$;A]aR4
Pɾ%
&h%$ogM o|8WC2Σ?hBg$T"*b	<ߐfa6,ȫfY}BWE޹OV+HS$ח̞HI#@j{Sy0̅YOJwxա:
loL aX_zwU4̭sЄkcUփo+6GžE-rhj6ERO&g٤=	QzM }ϲ}eV@H+

ԾEj4nXsNM@u:'X3"e?gEyh\٪oacZbmN+lTh{g`!	6]c{Ԃb9OXcN_Ʉ\_՟+a y9A\##hat	EQq<ml:U9w6T}8_N6ŕt۹2j&@%X8&ײx]"O\!X2b~Faz)ϘǭHe֕&ڗb2_"7>ɯq53jt^RԊ-Z=$#T.BOv״DX<B@Q?ψeZ=`_y| 병 2)L5 %P<N>Y5@Jvj^q2+ܥ--]4Nbe{#MNru;,;gko8D|Ѕ
2`ٻ	g'sn˙	<%ɰU`1J <s!]Wx>6GJg)sƒamE*C|Kdv\-Jge z/.c*Y$GF51zIIpa|{rR(C(V^)1a
#j)ؕ̚3V=,{#HhwעGDS֘zs96nx*gVuLz;d`PۥfM8v\^63`=*E[a]HK2ʡ67A^k]Za!_o(j>3Ia"q'<YR's휺{yBj㠞^4@=oO9r<~$#|Y&Y8+9XЋw0AF\h{
Tp[u	9hCj7l/?oCIJ
ȒFm褁vSQ6]OnGUy.}JKխ&we/~j>SaRuņZOJ`*׻njY#ÁK{>_`jtiڋaZ	5%kJ;MVIRl,/R.9ւ_Z	bacOLNlHn%6[{j)V0d~5d['D?we*W~;ZxF@ouyxz3=t8*XQ6T)>AJQԋ ?.q5ڍ!T1b:	c+*6fmoԏ߲Bj$P^_X^L|>(F֗RyBW(ۚ%ӲGޙN]lCg\f 9@
*}<4{} y]x!b_ƛG6.yUuف;_:\sw}y3+t.s{)$mQR\t
m^2DٯVɳ1(:C۳^τRT?I:iqgx飶*Ȋ]PWU,kXMiVY.aFl6Hlj&Spg\sQO1gt/)[ۻ[Iј*U?CYfz-y17 $L'f
vPX1e[5"E uEA2Tq?0*(O@:1O%CVZ
a)1cdP^943=
.@)"CZ3,gKG0WlfA+رivv-ںc3]av7p
df<@	>Ƭ>Kah[ҋ$n HZ/jXE#ҷX&_{>zZp2}-[%w1wws@'gf{B}.TĦLvr~ː/,,#_i&Rd}}φr'ΥV
sQ%]Zfаv}{V)n7v^Dg$@{6#Rl|쾇eLe@vGɈz;\Z"XYꩌެڹjۓhN1=֠8efy{14Tz:dJғUQA2uzNBťUw"HjQKn
ʼpOFlt$bfddY0=͇bUU)Q^''/&+’nY]BGFDEBBCl@A2	@>k?>W4B	?/DmukA{R>6.Hlo\V]WjUծv]jWUvյ]WjUծv]jWU@_mW
D@c$nWfr5ms9'cN_,&u<vb2=SdQf;ɍ{Z]I<Ěrk&mIqpØbӗq;2E
!e2gIoM/+Ka-=!>n2JhlX%;)Xc㡶WRv1Wnҗ>[Q8vM眨3$ƚE-WZ̨ՙEP)6	GnZLSsJAMՈj
h&ѷS^%%r	5θTO$%DdClgLұF@skv&9H݌n/tk*;yxҍu>4G}^3<o8Ql(E_z;NK#cNHZ54H~J:u>b~GvZ%0r5jAi{ߍ節
T&JH=A%nePIdn"ot9E		}̮:#=I9O6a	Md;֕}k`uh7jpw+{	'7@$~9k&9$Ѝ s'Uy+ ASjUFu\ӺFÐˉiC
>s"*
!Fgo%X,,(vC|4}C
q
غv\g`Yru⴦TMxXzuCXqTb0gXm}Ʀ>\ByZ|n<@[~;0c|M3Nð85`
](;v]e1l"^J &qʨc*R4c,8>>;@ZbD'"Hc=~r
jɱ_}OWWh`mJ?:e[]Ǭ]&ݵG2dQ,d)&	?qywIAؙ&x@V*>v(>RMaT{KυaO_7,sR r]YnL~S9s7yd<Nw,%9FT/#ϡ[&L%s1mU2BǡUBd!%Q9:YHiv]f;]EZ_'f`B@
1+NuWEGC/t{˸7kh@Ŭ$d:X8u_زkZv]3HOnQIq]z$y͖@)	Am#';q;.hxJ@̃oG|i(A
zh75k'NǹH4|D=.ׇmfATpؤnGt,3*4CӋ-ӢV_D7,[G1xqbX6b4)B[%G)ɚm<U+c_5-y:=Xi6y)13eV3YGsXVrePs5BnE6;
GAo&d~\f,5a4)cbqtb*/߃1HV!F׶VIj2sH݅o.;n0sW$pn*F"utyt$SYlpA,.W&18逶ŭ+cWⶴHՁ][A0IĽ+g{m,ڭqeiF_SD9#4:
$RQb)qYB _3˓3K;w$\!`$1.5gl2l$eMF	4ڴw=s/PA&"]mh=y~-Km98Ĕ+飠=@gt)&pj%YVuu,}rźmN
:թURjǷܢHv=®ipW#T:U%%-S`C0a Qs@S/EAnLIiEeKtzD}KC9Eq+:Ba:$$Jt$Ii:*uP4$$y]-PQrQOD0?9v:fk2
==QǼi\#DO3zCůZJ*M;Ah:pS 'W^C7C1 ǽۦ\PM9+Kr/!~9$00O\C}adEE	xW.`TH%lݪi,lJb-3yͱix)3iD0_[al,pc3ťLO^a4EJ(klvL[NrgV6Q[ޖ_́i?[c.E
ͨ:'%QIdB=D&QGU1
%fvFz	^!
Qc#bSY 7XE	Sr\Xj
Vdx<νI9뀦'*Gqn%+߅Ɋ	܅*CH&kp	tOVUbj{B#S30<z	lbUH1ukaiM)q9Nm-
ֹ۶ISr,N/=}cj6i#a+6+ a;^X<YM:_`
3p°Nji}G\j<}şބ}bװ{;r$ZVsI;iHKjAa|=hCҲsjgs0sGeY
;Bb,;.6^o_ĵs2oڀ-!|BۗT\=V#Vt:;a:|xjJ,|]j+BiX}6o1=nvnR͸Vt˓]I(Jk\0l#ʬ̶_ymmg42Nؓov+2y*xE$,>}ߌ1ݮ*foB!)JP{m?8H^*:
D5!RXO_@z
s߳C@	TJVW
Rh{JtCKD.ikN/H퇾Aib"xe4(D(md?,VZ GX{$;
ASУnb/GfR?^a6@q7UU xnS~6V_YQI>GSM6t!c`'@@:?O~_kbpHkYD*a&2Kt	:yBTRSi4XA&wМɺqhD^-A,b3h~uFS=Iω#_
?SO睎yQ`ƆԮ5_ZT%	|Mv#F0;խػL:l1Z
'LMWЛQWlEa'*\1J[ݟ.M$$ckDX1X;k}N;L4RZ^j޹>4O8m>
P5[Q>g=Sg&Io?UI8DCMe{0sT)?ݪ7#F^'7΅T ?VIk)*q-_bpqu+-$W6%ڨBы<I#CiAsU/w{Z@שG!=Ji䔍ۋ<
t|N@N0u#kn4۹/"HMfi7d!a119;
L?wE]S0x]߉@՗l}A֌}LYDY@hΨCImFB6VT#p&'zN/Q^?ܧv}!9/'l9 FK?5pVXd;HڱŃT(J{[?FHB9V~Fqϓһf롫ckL&"nϑlL6|E@d*QtqCI.ieVY=Eysj.xIaKD{,
p1vbo!d1bzoaY~̺=0p8zV/M-[ǵ N3V#qĪ~+BdO8>6ݑN}cZh5nOK/${^jڢb͠p	N
CzϋPBVJ0ێj{cz-T;VilRxHӏ;tCg3UeD1Izԓ-f_bJ7`S~\#Hz!CZ<S j}ʂ>m
\ZE uWG%Ϗk|JTUk_#t9ljlJ@auG5M;0jYVԜUw>@Y%L,'}"hfw_+f&Qf}OV*MOJLťE4e?~'_/I
**}YI+N\z{30ޡqcPMY,HDvgkfw-ih$Ӄqxxm/!P
A5d
 |svBrtYYuߢ|5=l+Eu쓤:4/mZ/Vѣ+ua^!O5s&"\OK/ݣ_`v=%iFǩB!rb@? Y١޸bz-akG[I /ˍ"ϴsN{v}z)aF(*Dă](M6k?ɒq*xgMr>dw^)SŽN*L]~jNQIw0hy.&tP;zI7\Ѻ?:؄ifΠe"11VChk"f9UP Q'&%%Q$O
<
|J
p`tb̄i|[
"
4厞e#īڵr.:7L$Kx9;sc֪$izg
Zp=^B/Fge^OٛWgZ`oG._Ge]:1
'jsss!T7T{E=!ΖSk(L~^Z Q⏗dh/:]Z$VB*1IjQl>"\
+M8"&6ߴ/`	<_1V>Ka}^z1`#bkxՔ=Ég&Jwg;4/~uCuZ#-k[se1h0*V),x6SUx

Mڰ/V.E!Z`NTj^:1W=ַ:!ˆc2~9Vo
fB:ɧC煜)+I_k(0|{K6qK L/лkB!LL"s&*$ [I`&<|<WO>;bakEoʄ[;>PCO[>}hJi:
	VIx]?d˅r\^
ǻ$L.Bw{y4JwkSh9 B]"67s](v7Iok~XԳdC#2:3-}XKB<]Vaܨ"YU)XN+
gG>X?xz*6jԮSie^<|1gփͨ-}cYĂZM$x{Q:!P"O0zuXM7;wMwN_>2@4	,{so~m8TA8^q	/I:8ػQ|<]BҵZZ4ǽ`x/Yu&xpʥS"dĢW[XzݷXya@9pv-hٱZ+I`g=	՘>\z9W{w;FU5{ꡈw!
r3p}cR	
Lѿ+rI(qr\#`$]7kqu<T,m~ŋ[b L7fɎqk_ï{g(A|aFnh*km_Ai
51fx8dLT`dBp7(Wה}iYצij ###	==%Xf- P~%}AZ4CWd;~SݱQU"`v浛򓔫a|Lmb(	h ^k;<6E&sy8$:.ŏIѽʿ=6wg	GZR߁1Ï5A%H.rs#2(Ap`\<k$B՞_xX!T[Qel">}R˗܏RImg$Il=+֍]b)`TWQY,sO|~:g40lPmɟ
#w@CY#kLi&r(ck$ߏc;p%Q,xg}A-mlЊN'k;P 꽹6~ڂ;[t}"FPއ춛guw(

g@*M[OSnRxuNn(ߌWہ `\yI(=ӆx:>,mɵ &X|!kO	ZGvCxHVF^rE{
s-up;#ݲ)HuF0Cͦ(sv2<E+ٖAwdɻN;,}xk>dTc)d-Gz}SyN
|}hxY0fbYw/eic[1Ǡob$#!:)WRً'Rxp_ʣ>H
-fpbΪ|GtG'{`mH][ᚬ;UbB
)dzB	K-qLy<(&1:RefR{XHu{vO$8	M#l
>?l&ۥHOJZ2'x']c/tlEױMܯDdAM%ӭYöog묌̬bc}"2gNb5J91bIq8'̘II>[B;vŇpC^|!
CNaҔ*aƚ>.Džg$NV
B/æucef+
/hF0DžwNa~k+fM5
[S%9փ_Nv8jcv](7EoF[[?تpd}'qt+	b量DYI&t ,Ɲ'Oĩ0hEY_VvcZo/#RTl Js>ʏYyXPZ2hZ 	M%N|rC?]EUz0$<z]"K[
2d*Xdz',I2YJB!tnMZ?{w[~U^V/ԡqY؊;σ+~C;i:O+L,E"1hHS5ECò!kWVd4Ü v-e+ǚBu7d+n0)uĈ,Ř,8&k$F?-u]-Oe'W'_-6B!$8N$bȯGHLBSuT*&-j5\7zyk-08֌YaԬt$-C}1sA;	sFT4P[5ƏZOQp'y Q%|Д"b=K	T'vbFJHOC	唃S-eC㞤i:jPg.aQ%"&lv~VUE>Oo:_c=y_qt3f'ZX2!|-]\#g{}cTK3z>~QveHL`|变lP"?E0C0ԣ+gɬ u;F
vE6"k,HDy"P~SW6ۻ`v#hΊ2,Fz5ׇ2t
Q_2YeJtMwԖBFcK tL.z}EsFzՓ!ղ3ƒc3Jp͉V@!30jܸeP2sĺyMi#yUYch35XEĉP)ʐ1#촚x(27[Dsf)O{2^*X2l$. r
U~Z{e]02ֿcjO^~oomLGI['? #ӦƜ/~3]OP?WIK-nXE^҃kF@Cي-w[J{r1tjNpS	9y=cY\

:30S*E1ܠ[[쩚QGYg`G$]kSҭN	4=]	߹N_S1r߄ߩ)5<_t	E^,lŕc/ F`%IQb!eQD$S,g}5qOA21ow]e}pAhd[R7Qa3p<0EȻ%PWT^`޲䌖RrtW]8 돃rn򾅞P/0ay_3qe`@?<2wxVw	<) !>5JD!3jl>%u&%D
tjN;>'
FƋ=0~v##WEVq*6TUR=N8
.sݣûnVz2qfdpA&;\(讘fuhe]SY<'OS^a1R=4})<'f,WZ"HiZc.w4{rn{,G(B
IB"u^4U3%smnZQ5x{lzk*z$
)'XA[D֍HIh*F8I6&j׏LJ/uȻ{j!Wr_CM5I:mM;;i\Rӡ|.O[<tXHA:B9A?"rx8¶S8~G:P3Q	E`f"upCowl) tT]
\V|q ڸ?qn`p3&5JW`lz^^0&FGR{S"QH2sJ]`oSdNmX rKx{ו_w3A)c`L&vaM8GU
;к+oFZ0V>0Avh0 #"31j=E(=jDK&4lz*#ǐYY(#KCk	ln(S<5&IVx,pBuFHFVD0AoxY5o(Ό//Wj~a>`x.%V1)O< H,㸳	t(mΥ{R~̎V/Dͥ[e`O5{*pƓ;|^'G?6*0Y\䤿$Sh$rg|6,YYKu|;="iїζA΁Zc׳CN_O
^3W#J(Q[t	#[JҀ5V5qa?y#M~/PtA	B_WqO0z0q*S:Sq?</<<Ed~y>H`k4 bW]:Ζy$h*{uTmY$ϨcPpAX(ˋO_ZeMkHIKRK,܂nk1)Ї#U=epu+YZmMysҎbcCqlu,?
J7lwC	,%|~Eۺ;=SWTp\[6$짏*
t{&ј^73W9CR	fyuLaFdNd/	z=[*.F&IRRS0/hoF34rLΦ]ύqQ̘uKD5#jU^v}X/q<3^kl	3ՎCrOLʴaE4&nrv1$`|3uW
.;ϻy.
OSSb*9+9~jUȰ̗"MlbZBQ0D+YDMl	L;Ɛ_T5 m~?jgf&ģ]OAxDAVk(	]8asZju3ۇ/G:C_I_({Gf%Q2w,j5>4!e]]9*3~KoQQO_5+&I1wAR! _W*
(҇39@!^&Nsۚfx#
8=ICٲ'Ck㰊pjXeC.H:
y,|_u`pB'TWASLeJ	.
5	.ZK([ڼ~ڶζܨ)g=5O$f	f+Ξc
e;$ qZ{j;'ڞWh1Z5R-$vu17FxGhkB</˂;h&?O+&-оǚg{B*&L&<udϠ̀ޯ_WzM*fxJoL8s=l> ֶqW_c)+e{=  wwITQc<'<|XwL2 r(u+/p8~.A6{M:Ie+(tVym7'epg[hl{3}Z`•콞#g)z8xzpVVnIӢv/j6CcL[v\e0&u[%j/k\'lZ!e5wGa;F֐bXjSɉ+'sӕ!.EiP0^mnABilC>L3H!iqv"
nM'LADŽf%({`.bDkKcEg)X0_j&=^p#DԔOs͞4!:xBfIb-/,Z;#5	A,&RݖH,6&]:؀
Q0arWINڜn+.I<4}c~2~QetS`EA}6حb\d5!=:|:FQ/$۷b]0I@Q/_
k;(IM"B-KbNSz8DuB8YGNxf[.3DuҸiP69f,Xٲq":7~['tȗ
9FYrbhA<xՔQaRXM?ÐԐ"Vy̽zr8QclSIҩ1.}^~؟@aWUYBKb//1V7shL%B0=žZF,[Ϻs$\Koм!=o%zw{7?oʗ綩//<`8)ݔ$)aVFXӦLUaAG [‚^ůFڡ^Q
6a _Q$X
Z0Mk5öbLeٸCKu]?W'.+EP̔\JlNao$2%i쉅pojg*ʵfYaYS[G(/VNދF/t[	?1$-7_ֆv
_u$	E9#ݍ.$w~Xhub=DVp[[*&={z0s+G#4".Q0N1x=C^b0X}RI{i̹̎VuTլѼ5en\%XA^zIc}Zav`Mg4;\ae05\WAţ[&P<,^,M<~Jd44GF#9޸'C/O^wu,,tt8kD`;i=|ywa℉hT\
ر`lԫvw}ekWw{f8qIV<gy_OsE++Uj}_bݯ{|Ls/9
u7Q-J>&+.幵=h_u\326Tq,+q1˒q`iIKϳ
CgV<5^eojp?a
}sZ96Eݞ,jȊa_ZcOcwᣇpPB{;d&1BxPg{V%i$,>f)10i8
L͸N-)w-VZ~ ~"_
Q
XO3
3Uq!M󀷪$ɂ(P:}~	y+JPqu˾*O0uLaZwF[++x"pj:릗}	vz?TjX@US=6"~Տ|m]Z^mEl?X31β:w[[Zfp
G>B՗~]j3	Ye?sz8Vw!U|}-Ak辸
KIH`/}_jhvvG4Mҫ>{g9bcA`L{ѿOt'W3n%Bf6x@&Q LK5z2V@RB:eg<'1\>$sAl(GJAK$l~ClǜC~J⚧w_RJdqS_2LK̂N1*]mgB"l4NN1,<9f?.ԾЙ}rD,2O)VFpC-1$֍~Wmm&={f]p'Ԕ%Ux.6'z1N1ug࢘A(Z(vK2F҂7$bMjhe"̨iPjCmL0.u@A4 "јNg*lѕmG0LX.
:^nK)b}R7Gؾl%Y&&jփYnM
D{ltn*X̂fa	FKnN؛y϶fH:Y6h(:X$i(|cի}zE\d:'p
7sCD)=Ay=,+*kIZ*'<p%\=! Y#"J!!8}#Ug8i=h}"~cz~ 9}f^,-xX]Jh̍[>7߳@F{.]#1ПRè*ڰ}8M~_r'?
sG?%TO&&?Lx=fpd磶矄x_#`ſ'oWlWpA
HIH$Nj5{S+G1	=
J.)&sHI55A".u yԑH"G&Ι$WXxsHTnG:QЇBMN1EZLPεXj~~yFlNܝnkE.+͖͜g"rT:'}nج	˩
̀Qp)2QiK^7ۿbN%0ɄHs
953i!?Qΰ%(Jn/2X,̫rMg}aF.p~WĿmnzD%/%|%i^E9"tU:y揄IkEE}nr5
/yc!2DsrΤX.eZ:ln(KhlS9Q޸ a]#eĆ%1Ԝ',oqoxw%s@P5!fP}KYL/֘!:z{619j3ny12$"MMcuÁᖮUgswNvqz=Qi[7aKk޽tǚW*	Z,Vԕ=~oDoxۍ綠5.*=)</6O
w"aDZgB@|ɜ7g-}_PcmD=s87'nspGyKfkg^N_YL/9%ϟiɷ棰ݟy%
]3srJ"@r%xMn)19b=M#zd"Eaqc8s܌AW˹h(;<_
7xhJ_g'/ko#pOyuwnx"(';`Ӵ@R&Uܮ4ï9f&3WIνGG~[0(T>GR Z2xjsrk	,`XwTx
C]<XnKF=J˝ﰻ@wդ|7S|2u3{5i`R~yS;/֑*}9LjMq(
oey8Vlv4)׳4uI}2S2lKrxExRdҕG09К`4Y^|rviGSVք+De|ҹ
jM`@PpPޅ	5Mƚf]a)J5D)zoC6ea[hoW*4ًU4K|$[#V麿_LˠA\TL,5@BIWa9T!&Rw1z`AEl1-Z\蟈cOS} ^bwm'Pn6Nˢ.aRL+1/3AZ-w`c.=W_/;Mv"^0q0Q]1Rslٛ%uҾae왯qw!?u08Eg1$[-0Nja֒rQy{ջGk-\vZ;
sV<aSnhy
d8{ƽ:M-XvQwh|tvxƢh2&#7y?r02VN
埜~T:_t7W'I=v__{Վ.>t_fz7+Ӿ:373Z@Kςvz#%}VX
h޸] ;D4byGU^#YA'X)ps+k GUc-y87nw|烔6U=pUQ6ߛޙ`l<Y9hjSoA#ɽM1eW#	=5N"
&RWD0ƫU8m8㫞+X}|X$|m	6U#\#VC]wݹ7^,\
늆ռ{:R8Y."3fԅF'q|r_jTveM0ӌ_
Mu?6I/xhQ1ʁjcJE"ϟ ę^)Ϣ$O`*2s [[-;'_@+F¾58ڣv/Bѫbik$FƲ^D
)#\0*)buۂqΡ 5-RAnl|w9&}{g"K7	Ƿ#ׂྗ"F{Ip_*5
klA4hF/`T_U-v8Zf£\{|A"-x~/ke碔OD͟|S۹EBfGpb@=I%K7Бɜ$0(2Pkݶ^m RʪS!VxUy57aK D
2N-ms#1E{?y!<n`堜!j~]Уm]6*Hɻ6`eњe@^Δ$pyˏ:I>(
Rǎˀw!
>ĠiʟJl05YLJܙd`	\]atq7mŗ
Y^׉T;F
n;Nrmcl(-ٴ;jSbL=sɏ_D0CJ"kW.
lfdяopoJAyͤ.ӧ`cAaK-&RG!fFkK.heɳ7:(ў09eHPx=p?-n38ʥ޷CB:<f)7zq8a6\ys^[^:4eh}c2.BjCXه袪3g1fKYq:l]:KRX.O8JQR>̟}bXp,~E.
 W
er#o62WK3LP:dYtw:%C	K ["])ER5`f24-4	fP/	+ZC\"$Gfg$=t*1#jj&ݮ6~lP
R'	bizAvN93+8޿Dϸ|[oH@*g"FZ\#1@.=8KIlJ6+O P<co{w@"n`ܤhTmF`c}y,t"
ǻ"v_O͆5[W'
En`Tq8,Do:K.4JL.ӊp3Qw#WF\,JO*q,6Y
cW!ӏӭe.OJVH_#Li>toKf7K[>l:=rީV`y[SwO|w,-C>w$=Ϥf*k6(Rrd`2TOETlq5t$& ZNJ.C",5-j\Gve
-E&Մ8(ڂ#Yk| Q[E8Y^fXRi+x޼E98[ֈSFvbkH+L=Xs[HNVg9րFPH	ĆvtZ9#Qq/
7٧
#fjX𠨮^r5	)EQT݀akIm#)ts@jK:xؼjvxC&p͘+ҷ~fLz@-]h({Qbe`2za¬eU}X;^]24}T8;hm5ҳRS9>
V}:r9YSAǗ;dA.8<,wROc֠9l$^@B@[fμjHla9
$|M0O@O-fa`8~U:U
\`5藨5Zs C(0ZI^w=Q_d3,{'qhȈHS3GT4]$3O|j͵Jszt6vInR=y}=j
c3w4X_#
rܐǯr U2G-if:	D@]#e@א0Ұ
SZE)Z}{_^F3?ܧ"68:ݹ4C(DL35s(MdҲaK//Y]X-,XWTUh)(9B&
 A
G"h@2%.p	SdW˗fdC^)D8olTs-~Y|ֆ9@}|5PucxOalL /@P7pn|gڇ=Ə=&fUg10Pme/ЧI[;fT.O_
sb>g<Uǚ5^bz1Wf'މ._ڦР o˺⒖4D3&-_'a(O#Ɏ`	Q,V+,ԷȉR4>9´Ï(*z/GWwdv*u/OE~6tX+:^޾K؎8
F/wFq~x,NMT5Af|_e}—OmXrR3!|x;mϝC¢kfcX!4,M/os8މd6/ltRiC%Q>`Dg+ZTě4Vu"ψ~ͧ!`D"/߷tl3``'em06Š
-B]E7D5[rI[kVb‰n?2'3u}üifUie1~an5.s\YrIFD;oP!^v|Zviǵ56"!H~J+yfj%v3A8f;a.IJcm`=EF;z*biM,!>RV`MƽuVOYM$!,{M&rR]\14"?MʤMW􀾣>OM^]|t^H|~b_y>.?8gbLtAo )YڻVQoVy+q֔QNθc*Wrd!F>#ԫU;	23*J'QRۿ
ti
$
'g]RA
.5_)iv-uY$Rj}\YPL&.V.U+{P[8c g뗓ՙ止\Di7bK5])#=YnjEU51zљ',tL׈wYk9T3ƙ?H3lCu6yߩ3IڣiLbfZS7"ziALajZm,/-`ݣ|OGzK*OߠG#婽"x(x)#Ye;QV9	<bȲ͢4mc3Vrg&)J֍97ؽnrr.Ts_6dX}hYK#?P^t?=Rꞿ2+ד=28zZE?e8ͅņE~NSEkHn[:=;`
C^w'Go(/C	y7G?<r授CO0qyޟ`5F&@YП?V|Oq>Q5ză\TwꘌSz9@^
;eIg5$Gd/fѳ%g\v<3ޥi#c	_`6	1yN)q{ZȯEt[%YOE6t+wN&5*Tu#:w0@šyaDYGN?Μ-<\͈nf0{4Xkl{k+Ry{%u"$ل;vgu,(F]-;\+ŵ	2J3VTW{'į,
~v:m٫wmtS;ұ߼!FY9GW~m'015.r~>-qx6)"ebQI"cTj tɄCWPq^?
2"\YKjp%]\M'k@q|iTё;ʼn٨wD A9qJQPٿiPpuja!N<r濵\zLBN,ڠzxȔ,ʁ*gH2k[㗑0
֕ړ
ʳPWL"l1rZ(e.~/C\?]XfGI
`n‚ zyzL6<9K-c|D[}4!+aj$@="+ҹ=Ҹ~kˬȁ%l>4TTЇXvB~}WJl7qbQ+2]!Xٳa+R
-<|'xPH8;6M[%8'GQĮ0z9★%hxWLt2{:^P8nM݄"VM;d0biaD?ٹ݌%(7X#
1֯nc;TteîӎHX׊*6"l5ύ6aMgDS阤"F(M8
|	dCW
,O]n.L/	UPA6j2y|Y>龿AIt-D2@_@Ȅ]3W
]jS6[w룔6.H>\sWۈݪRa_tmHZ<@{w鹵F)-+\rs|b4,Ðnqp>pmLأk	p q
0iT+ fW&
'3mJ^oK,J7VG:=.z>yY4w{[ZEX/}zBݿ9pKO<77O1'K1ԝCQFo.G(,C볟W1Ĺ!#ma50OP!U9r}cx@M/%7,J>E_gp|ow-ldVMm@/(?7Jlw,1
U0|	B"kDaK@h	-FzZ!lL8f¿?;(cv0n߼O02nZpVz>U3)1騙MKq8,nv0r̉[2QV	vc
Ҹl1FMD?X Alj
1[g&|1cwK|v$oKUWfȽب XE&o/D0ޟ*XTS4
nDGZvc=N%~ma"i{>̢QeSmB+No14f<]xlwSvZbyb.(HZ1'lJ@5t{[;7
=;=`@Kq#	
Oo07nrT*$"aF:ޢ	5k
d,kXfI~=/yMy6](in&/Ev/T[6=d^c	/bs\pcہ!)1[V{ΩG̻ۺ^O	Й]klfژ!>0xPGZj~,$<:K#c2j	aXg@e\%<qMUW>{/jv8q?ƏH *euaN.%Rw:0QhaPоDEpr&$wGr<@\NKo;PQ~[pۖyOj|$-\YPc;l3<K,㉝	h=a'D!5ZXoNx8<;b7A`u!E@<`8\OVsP={CfAn'.&3ͺ5N?9=o^a3jEރXS3LlIÐ6H>
~d9~(C}{R~qka0G8INw7<MmhxaTKUgI>B*tTcZ[X|0Z¤wW܇0>ґsQxR_$cY邌*.$\!U腕)9iOʊrlRzߘ8:f"RdjR.N%m
F(5D% hi1EDf1.*8B&4F
ؔyk8FձM56}b3/ڶ(__'mDK_VxDR蕮4wmĥK4|	1fdNɔ _|0vH=zwz;j
="7E;{__[2sY."U4QY SH0)1/+QBEJ>He"Ji&B_Ƽ"}9qĕsf!:$BiD
FB4%Zᾪo1Zj2GK3eQ9OS(73$Oy*[?cbo=O<	(̆E r.! XCu6FQWIPW!/_|
V=~yEHXYo≕&X7Sޯ]\e|B2hw`>:RŎ1 Ðb&GEw-uߌ-ߺ~؂h÷=qށOm!O/+*YX>X%V|ig>#eXQLM!Yab?}?R3ѫxYuF&z)Jt0^u;6zΫ*Yx%`~vG١Nl6I%<f,ZIh.flkUlM0O,UrZA}O:s?"@Z"/'@EV},@-r.ܱ.zKTMyo1K5vH1J@BxMiS
&,TѭHͫ0<gLY㎶$ISzuceh5T4|ɖ@3Cf2]AIsDm}Ag/`퓙c2o'5dT%U4
4V3@Kih()	zh{Rzba-2O*)+'&ߒI=C*p0,q;1<t@@O;~5^UuۅQ"x$sz;Jʣ;(⣽$>[-;U.+OL?{Obb]0l6k(˝;
$4(!ݪ-ΏPL2N*2ի۹ʺxܣM	q2;PpC/u7/><W~%gp?:C3Zz'<cmp=?GOSn
IDH˾+ũQr}I G+}?494j\wڡjACa>eEy,L[/7v:?0w5]ގJ['ʦ({3m#B{12wuTMŹZ0v`N
0hܐ"^G@ai~b(
^]yJ(!7Ef'7fId]}
F'g/<VrL_FH Ȕɨ"gc%aG)~ca?|P3ux=v|<TU'$Y/IQg_jH䍏vN4ߡ
$~dMGꢸoN?60F{qƄN	"׭;sQkZxu_NڞpSu쐪DVM|OE {ϐfi(}_U|C\*Ӎ˟o[s;@,\2c=?zHZ=O=_V҄HDpYgw Jq̀mE݀0nY	8[tmR­n+
}qЄ&&A
+O?{b0Rgfb_ѡ7s
O/o3C`C"p#X|A'x|κHYj
P-ZXTt"[;1:[ti^uA2A;N8(
E+}@~roT2@"~SmCk
Lc|I!){7[df%jb)+uHGFg9'o!υ|#Ќ?Ϭo8|KX
֧]b*K҈bŊ^j㗳<"2㜶VFv9_C.ځd5}wY.ƏlKU'Cakf~zcZ-v>ea.^p [	ڶ'6vۀ1ftc[X E=H2?Xi.ڝAjr504ym܃2״`zӌ;p#\h%g*1;O^rq}&
FfĉiQ/:&v}o)"lC)b^+P/o|ȫ *s P+
wZ:jzE+
e<)LUAsUog_;ikJ<'۰ 4;QMjh#?7($kHd8WP3сϏ5N}9ɯiaj}a~376єw릩'tTS@Mϭܫ1fﻬX.5jyxƳa8)=Wu~c$i#WZf"+gPmt\X>A@A2:pz2A`6x\Rd{DrrVVmLY-gzx6I¯Uh}U
	}`h[ŏBKʍpe4msJn❱:@&R/R;II ?XtI/t$,Ej$ :N^flCpޥrvKetu?
#b(i7F|iQeGջhDzZ/7JD5LÐ{Էf?f*>
R47o1?[]7}-wj9Nre#+IJI',Ǎ|bďjp7 `	پNkhB%k_叽lg8WKQP)h85&};Q`e#(Be<ջwB
G>
l.a0Ó?./
ٙ˽L0bqV&j,|Jmc#X`/];m>5\e§&3<&ңn:AXb&#Sg4mx·@^KwA"-+egN1ۏnQd$}Bh ʳU?UNh5ww	fA(ߒˡw.{A$nGyC}YAR4%_FȦ\I~r 	Xk7;e{Y-QH0Œ"N&̮
Vg
\!?ȫ`<ᒭRC#iYՀnh@X=b?ۘ(mAx<am^A<B/C3#fO2}Z
>z|N"yɖΡJq?~Oh2$\鸷ضTc[ţ4ϼlS<%e:UYqsE|=MڳbY$^+\THʁ`h3z?$@ҟ{~C5R_&gfLfr/$$T̚ZMh4JLZy^6G^0wpظc wLAP&VeW*4gJk||`OyWrWʐB*Q
%.=#\ZgB>Oi0+X[k-BY'wU|>޲c*ٻFEZn;!|jhQ$	u|2;n]yHS\*.u
<OWRZ
ؓ,,#vL$l(;{
j`4MX~w)"}4S=Ts
h@cJ6=ȉG4Fw{T/#
ls~{Ji~#Y	.#L蛊U%08r:̵^g,G4:NJ`O
~	uĘ^b<rm7;*dIrzv^'G5G7zoe_}NE/Rv5`f_av—XPP4z9$%}"aEiz5/݆aLFW^,+#zE}LDme\ALjhĕ7bN[)^atoZtfbEn'/:,b{[$t^rbhgOkqQb`c/6/|TxDUÂ/N-~عh_Gbs)rWV48@;dU7Q7u2| WO&@3w~7"	daCHzL}5c{k7dLc)\Aa8uw|1+n&~s#n@kƅL">LokRb1e`ğolS&\X>]ޥ_	-xx؏3|tsdT?<ᗡ0g?n|($5q`˨=Ww:x(g_&|*mv.]>ۊ<7s	FĀCf`yHf
D0}KdEV15XxhHy޷U4Dz|TyhJv^ILM/ȰY{V9UlZzވz8^ߡl\eŃ_9ӥ
^
Bޥ+4\PEo
]H	|BΕNE'*1/Ө`Xxlw%}]'
OvEj3dGSm^3V-t'YޖXm )Oݣ:SA<*&u؁
Px+	
mIPeFG|ՓmEb9::]5GK,3Q&<`5ԐN9xQnĎD:wVf)uWY**'HmcW8txR}&8f(f=d|m5Ync;wvmhf7ˡ.68em(-򝢘cUIE	W$["SZ|Jh{nsjhf1-fBL0Q9ñ;Bd*9BV<>qc'sF4#Z4<QȕrvǬlЋꡓ˂źhXWU6*o)('b&g	Ns5݁KÈı;"oK|Y5z$d3poe.&ih+\ݸXDm()Xr\Mq>
$Z鲚e;5Zp$^b=U)L<km;1}>>PR܅QMZREHy{7~hHy4!l\@MA3Ǯ0|umi6JQake-2VvĞv$8vy&JҢ6KW 
8F\@_S=2sm=f6.8KKr~&DoBϾQWʵJJ&~_rɨsyx
%.,Q1=5r,:McV迡f;Rf]fGUr(1*SGTTFEFOk_
)q8,d+FG%pp*(G@o}y)(R:$"ȊejNd& ]nbN(8;:"m'}Wb<~u/6d[k
s߾eggPkY/UranYmcrsŽYĴkhxpH|тȅ6?^3X,$%+h?_.aVbz$qiteNfZ2:ҭ3•Z\1}+WK}֖'T#̿cw+wO!g"IO[Ev:QCV]Y&($
r>kѥcÝ/0~]< M/@
鼈ܘ~
twh7%pӺI"4Ӏ*NO!C̢"Mh7'7(u6=2JQ<W1q={2Z4ѷW3
ķK<QaDDE2֣C⌮tL5[-+P`g>G_9\Q@P:#
zEE=Od@O7E+ygqYc_u̓b)~E"c^GiEYOsew7=Rنgq-Ig/<*Κ3Ae6P;2[R:^*@>Kh0k*Мcҙ_ٰkdvt|]ݙjX;8;敚EgLt>_{z-|m?MƦ|tA.1:IpeF*27:R6ي<`&c-X!!0)gNm&&%FeCgŵ:K"6uE3~]jDm<\7ƐvH`WK=!Hl#;pK
@~^G )aC/AHqF1V	Oƚc)빠i] `||"kqP[voZ֭6LnPe#SVk9x;)YXY֍*Rs{3΋TE/!&_YU=<k3Q|#~f'7[T={2x2vvZ_oN˔ʀ)li/VH勖iێa\Ȯ٪CZ$
5N6`uTҒJ
ψҽDejò
I`Dax/Su}dyDը<xRR+dAJ6	\3FkoN
g0Raf~mRpT;S(Et`l'*BS܏l)?D>[l583zdc9Dy#$\l|`#`<U2wA.]1dHp(`y5y\+[	+hkg. !Cp7-\xS4KkraNŒG\VdUt2z	μ7'7gd$LCkC	jh#^J7EB&o>Bf|X֊8"toMs.cȺk8==R֢$Z*IJTXyT`\dưHCfo%,̒lpr=/WQS@xDŽC]',²ukI,"\ͳ1D&%;ﮋ24210؅ 18\Ptڇ%Գ\:pYMwYkPP`A}N(1}"Rbw/+NY_JFǾ+59S+Q9N0VzKmRC
:p=l:,T^&n\Gv7yuMH`7BmBo
	:
5}9D h@+/icz^vܑ1\nx.=:!P/6Y&!>zٝQ,6XVIv+P}֎UE𬼴:rlӒUkGuߧ;HɊrkَ=2]/=WɹA~Tx"0xey_6"$>8&^^@Ƙ` C+)4^	@˰_[Ct Q{Jh7N'F7vC
>}@mh:gPkQ3hK?fK'Eaֺ}@w$Z<0		wjwv/}'C@m5}ml憱U6[%Sm.EFp3dx8f.d%>\UqM|~N%r$lɤ:sSvi5/p&LQO5	|Ƭ?*Hv|÷CD:-~
ď\Bjufb5#_oxꕭd;KQm=z~ٿ+iVuO++M/)~!IG/c:X_mKyr6D0lF"'=2(| y{n|}ɴ9aa!]!
ᷨ|~Ϗgz.\~wþ|db~Pd>3gt$#bK{ov_r}`Ư`	_lO鷉a'#w`bbJu"ǎ>]B9cC)~wai7g\9msĞǃ)F0Gv8]>~~hPFŸ11+Io?Y?w}vL;d򫬅{9P9û_g^WO|JK`/{
^jh}XHwd*:8w1sc;Z{
g?@L̋X}~B$uutp2pyVv͜8T~Ù
s*biӳ&79|gÆ	Ma2F4RIIJ,~]85d^Hˆ )wg(UMm:/޲ʤHlKDs	Q;f rN
xo£Mjf /jB}/pN+by_֖lE
l(>:;*GnI97ʒ"ϹOv JdO6cyKW x#h1QKVB__k?:,(_a~5|r^ȦcO]GJUpَ|lvJQh܈aC&G˱Mva|_X-IȍνqX2 :}C⣽ôٺ'Xj9>ڼ_;1#CA0'0/A*v?!^Pd$4ӕׅp/a;#OX5'R)]6"o~9&@!W|˲_?selʬt/>:K[dXĆIoPP}׻,=Ǐ97q޲8~E`~Ƈ>`@)sw|2bo_q ^ZR3	cs>oPᶏNϕgecVݨ|d_wfC}طÊ	H=N$ٗm}IytyB2[Kύar˱q42>2kKAVɲo"Dad"(ĩbhۦ\_`90H9\hwl:-`iٖ~TIǼܕNFHqM"
߲{z㰜fq$RzAηLk$54a䷲C(rvxz[.L	FK Z đ6l'JNSyw`.D|6/8Kjws*ɉm-}lbr">M MX󽂆@=ͼ771
9b[xxbL]*B?jQqpuqִ"iǹB!hx'rM"Sk1<86|߼zy{L=?}31!]EqoD)ʂw_gՔY;%dЄytJ?|/yƄjj?c*DVK%}[pH	_=de|&6u*)+!bW޳9\^gK
><F[;f!<ϭ<?&ݚ&>	8qz=bI=i,	wyHޚ
o=xWm@^'ۦ䋂bfk
;YY{lj_G)hf@)
edh[,gtc]=,]h@.30QL8#[eq)CKt.xF8!FV-acczjVR3I\ۂG4#ާW7!
wBp&MW8g((AaabM7r߭i.p!oǥ^z<iRNZ!.L ,ǫ'VVX' Q`"Yhf&Ωj|\KWc01KqoMQIeYRƘ]+sxw=cήm
y=nL.z)G⻱FDrMv8<q/_.̏m2rq`)5T+8.sGV'|^C
PO)*!2	- & G"<%.X@8 @>lLni0@˸ȹ̾PXYت(,AEQEG(Nb})
[O,;o9))?Q]ĕ[vS/㠸b)l#s'`}>NNJ!:ZNl/YMѠJ0ZP)"e2S=Ǽ$x1dćS<G.!u=/|ƾm?ުj=I7IS^/^4`\th_8U8&0tukЋ[Sit~f>S';d>4KRhZoQ{7πg+'<WhPky)CuҴ?8
U{j&Mʚ^CcSJ`Œ,\jJ'UK	;K<
hC S罀ݳ:X-29^q.L.377VxW{enc	if$Tb$$>DMJ"wIAq7bZ&_bb*Bw°`~a7` Kp۰O)+UTd`-W%T$bs2o[l]8RfC\rg|H`|CwGC k (F"Ђt- :k,\K
F9jhكL࿜/gXo
}O3!̒"6_H"d76.ۂs(foi%r"k~Fz5ө=tM>gtm k#<^`EƂyܔJwvx`RSu\#00wЬ̢,c.@cQY!Ϊ/r|Ii(ZwpVě)2su02AG9ej_
10C&2wlO?QNO,H{JXHBZ\d/0XfhGyJMgV>4;؏nnvy5\.tĎiyי	W<l؛?>EDpL1)eeΌr~yyL.1G}GO~BbЪZ+>I	Z$f
fy
=B/`E9w4}|H%GaWR~-.spvTqzɻQ7#}r0+
cDpZm9|٪fZLPlG.I/*9BpikS}f˓LH\8L';w2{KhHpX&^WdY
qABUwk4DHRAzbNJQ98fBGYO	\g3~Si۾iAYw8Yad3JLjJ%
bӳ6
0UЯj\j0Bfa;DHHf"%D4y圔]7Y%Qe@=G1(Z,םvy=y \PVrW{@[0DorP>ƙN"b'`*|qqK^68J巬olxlGBIDi&_WDwg(l>DXYI<Ebaa`[{/EFwǿk䇷=pK^X#=Zs/2XU|ѾWw?Innhűlt3أR ;*6qA)$-LwC~YSt<?NUƗ+!a
|yc!A2-mL4j3,#\Ԏ94`rYbl>z(?735d9yJv)V)0!6-ɿ$kc.0$(<mDSPlImZͮ׈1/nͫx^%mW(Jӛ&R=ƢSTtx̌0E|+\s	zQx	M-12HK,D3Ib1Z|W*s_<mBՀmNᢛ
)Ϟ)PuP?=++nqz^޽%Ý)Qv+ۄl5iQ0"ePAf6Y?OknG茖T~úe'
A#a
i8Y\KfS^0aX:XtS,=ROW@a5KqS+2x
ǒW,bOIԔtF-f3HVA؛:dWC>Ґb֩Iyq$jwQ S7jX`ʜ.`&G/5x̅#v>X?C"Nqz@{W዇[gq1ef`)u{8Zv|4PFBW>&2iQ.>:0PMˋlLHshuה/21W[g^9ʥh%	4\(бX-붼MT!L8H@qUGCbSe(
7&>pj9ZfPT`7IGe$;wU EZhovh웿5IA(6_n)[(Vd̟qCF^nE#C}}Sҏ]Y\z[<
_a*4/TG=<VZ.,3yrMS~Y#ꉲ(/Rרu \W!7Yg{	Y;<SkۻHDV|Ϙ
gsL(X
<dFhsBU_]JG5r|WhcJ&$\^1|QBj;.țT4HAa"mѹޠyhEo1[~‘|v>S8PUz1ks4g>Y{Dz<l%܎eAoc'gݹ#w2l;pAsϞ7ްP<x:"h[t]ǻr"9?cU
f~_[(>ɵɑ&DׂQV@Ӫ8 +ZjdNWAaq{Yc0exb_̲a?
Õy9́B0_
5p\&{1֘;rvl=L?	T3rmۺ]{X?=V?{#Ƨ?.+3@-5}<ކB!A0z#=`U͏C555|{F+k{x&Y0%]sw~<sJ
w	8lB/{A+pɼ''x*_5ݿ<0U%oط/+?
clQ

^}ҿјd\:a[,cki8SoGً<ߗ3>ZOʒ<Æud`jޯ1O_޼}s%:pCtH|Fe99!79!=y"
2lj9G-R_o+"( L+ra8˕X^1:ٹ=&}K/;`/tJ	U;O.Sb a&IuX	qR>}7TV/MՆEA]Dbߦa[
-P)+M/<n?rF{Όp@j:95ԭ{Y!Z-		=T<*XڸWrY8.޹U3{9t_ꤰZL^ØCN$0C/8AIv"(7ÜM~ޭEU"'^)OQ.%ސ,`Niҧ5g.YQkT6c^ޭ@}w俨PzY99ޢ̌VT(,b(:1HWKwnN{]inH&5luϝ(US&`KbCάRƼ̗4Ku?SvGzʫ=Oo±{>6K^Ini
m6Oǝ$1MD$ˍ4asog_6!pʭm28
;j⫋wsޕjDXEÇ餤z"D0?}>-L!U<V'3`c~G~#yp#DlYhG_
)Qd!d_%t^K;actAYVUdOQq	%Ʒ&$v:~4~նo]ǒskD;Tvj5:xLK͑l⹋,8$V௓#Uʒ !`&qΐ\5%
EF0i 	[BG츫5:J SvK&RJKzY&KBuLBx#zr޿ν'Cj9<+uart֖>EZ\גӥw:ʟ?t%͙o.k<d^ nQ 
Zt8%Krt$Pt0tL:
"u
M6t!w6LF"tC$-DffqM„PV᷶2l#\678G	=5uN׮L;_&ewA1/Ps#6~1-3<\NCd{}éNٹ滢Ju,dNiFxuqIcL<NKAʦʻ~arkG|=Ee	in\$NW5nm6.Npc~)&t/uձ14Q'8,C&~|N-$vm_EW+kݽqDPn?@moC#&E]7+x2{6VA;Ӄs2|,iQ1O^^nz|[Ó6{`nKN=~a;@V=(;Br(ӖzQKC/{R?%$_jW'ަS=E;vo%"ueh9Jx+U,`x!G1|F^iUgҝOcw;˗+R1lP'M\䒴*
O~`731{ӷhH߶JԎpZ6EY:I>.59"#QA07. @T?=.#f872~2F0b/|[BHQ.ApA-9K!Kx_)3O]]zgO'|z	ŏ`F0A4B=(j~pU!?a	"hgDϸW]=!,Ӭ
QUAѠ7U9GKЊW`=TJԦ;	_psҋyՕ/ѧ85Hh/(Wry0OJUrp-$j90<,Ңhoeķ_x#dp"f?'LV4Ћ#9#ThWiyr
;#Mx  4z>֏<cJnEl+R"N%VḳˀP+w#(uP!ue5(\Ρ[v:E7íB!p#|d[uMaPcyqS6
cbvI섁!KZ,^3gdqYI͟=X(*	$uܣ$a.PS9,`mI^]C=EK32Itc7ȼ'
rtiDFCCkQW"2@ha84BbVX(D
Bƥ Ϙ
mII&x*N'ą|6h<Y!QsQ%RS5k%z* "hbs]^*jh{?}I蓑eK-5\ҦDUoQq3Uwl8WgթjL`QuOXlQ’̵Cfb'hS<R
"
*4 adw˙}ݱ.~ia]a,W}mT
(n,1iuUXK6
b{(櫗>M-˓pώqs`b">%AsŗGZ?jtIEX7p7,%CEE0JShc\mͽM]G<Ql	C4a)yUqdڕ0d8
>5
ºjfj6܀":Hb^uz>F
ij ~rN|˜
%PAxekʺfa՞e	t@T
@
vt8xг#R3ӷpaprmuNxgZQblӲq+!NiF&P7|`h{Gx$C1-Џa0E(NdfUID\
--,qE8';5KhU{)уgk\-D0IP1#GԬ5'Q[⹢wݴ@7rmdc`)(.J`j>qz)9rqEqFYn=AuďgĀb+7nb0n90cTXx%Ev@biWllWX+CV7kYb9bۭ`{9nJwzzXiXrE8uU72Ûrc2(o
\?4k7Xc;;cXk+ucU-o%a/j
KC13eĩdp\f2d'ujc.n.,e4\7RAI5A-;q.<Į'0c
dIOb$aϤ[+GK?JNX]DfKGG_mx.;0ۍ
J$ؒc{Ǵ,+#jnC|u
$D̀N=`%

LμTk& $c|k`ݧItEVzeǜ,J
@3|nL̔-1O)B%0[SWZS1L`U4WwƧjF@GF>1qGpb[c0gfmw,*Z7SUIܘ(IB?
{%!ӏf+qL=Fo.,{.#7s֝iSbYY"L'(/N;ÀޗVtM,$ks<\rȻɁ1T[\{C_Gc]9Ҝ{QsV*ܠm&#U-"*H1=[
w7Uh|}8lX>LhR:
jԨTqLJz<ngĄ+ZYfv%)ljn{rͥfĭ4s2.oߔx;<ې70v	g8*KňfKJ|4ks%{݂fɹG귐wEM@ƱM
uK!jJ1aJf҈sL.(mESh@sE^9+2Xm7űW\25bZmӌZ
j8]x1;&;3[(dc6νG5tèD=z/~jJW:")yip</"DIj%N0:'.H)JߴB\q
#	ϥ%sk\JҠmBR}j$q@	]Zo	@h=md:=y)DTf[iZ8l&mTZ[Q춽qGݶ"4Cyg:+N?cXJe'MH\ԡDr3܃:bw0Q@P ]RY3H
%]{9w[dz-tڟV>m=,v?c0~#<ИS
ڕD>y?=)'3"|(XCD9@s&8~櫷9bӓK>,4=)LHO8Ql{e`s(M@C̰+߮zu
d5B܊@PE_!U3&Ͼ֦H@۟xndtP_C#YSݖIXu`:h>1&aaFiNsi%9(=pwt3{X]e+
jr[p&OtI[.;YDAWrG4aU
<Cj
Nizvr"^z@Uϼ1ʱFed!=iKыQ]pfx<y+AJS:ìNa,j
e85y%%bQeUJP7IlGX*Xmn^Ƞ5Sۨ&$DԴZRّ,C{1!%DwЪ첼RIYN/-d"Ǫ8^7#OqTK	nŪG5рS2jI$n'*|֬QNc=n\Nd+Ks#JXIS1Mc.{C	\
#bb	_P!7IJ~'pl+:r43	ҁC`{T&K̗I\0;#{TOVnw7ء;^eNƅ<:ro`%y{Dgӧ˼[ýyya)%z,uQWG!/:n^2wŦټh
n'Hހ_K[8DOɗis.y$$L}^ .m=^ySgBCê{	O/1hkNT
yLj®5$4(kl*=&5Pf	jHbfq7bٙIݻSʌWD0oUq7̹N'I`!>`zq԰4A>j=ԥ EU.Ht|LŇ*CyIk=/2}hWZ5M<n$ve+quKMMlXLH':wIآP*ښr2ZE]qѬ`D/wOTko*ޢ9:IalC
q)eK1^9nUDe,w	G#/"k)vXӹT}L;儲;iDnsHdٙ6ӿѫBOڸ)S@mզcW(U J=0Qjxh8;Y_8]_o,m7A\^¿2oMM 2qmIKqmJ!]!GL*A0mS'$t[rOTi(W
4oJft	:a%1Emj*E36nw&f*ys"i[tR>ÃLۼktV2G6w0(W‹I$GȰN;+A|ڄ?`ߛNOWeF73YHi
4yuϴ!;DŽ50(.k`H{\-)kjM1L;am
5#S;@.SAp7>	-o'9-YH*Ct\7_NOHV\X!XI+QpzT;0V4߫wJ	&jخ^
G^lP֛"a@Ǣ<tuG	qbRoxV
<6^:Ymc8]J(+W)Tٓec9rrT4(r35R#r;(nL*_0b6m5ʅ5ߓ8)/hQ1\e!QF,a/0Şf*JFkY"V
+~#ZeutV%4:C*hz&]T'/m}+Q ;XI)i6XnK5	8KblթWzjUhh[5r:4AN|^ 'B	3ق Gھ\6ib7ɶSTUJÑJ9=3+[zKB}j0n*.7iC2*+xVs:"(53|E!iuEb`9<wTXfQ`v:qzQ;4
w_?&+72(J@{^aqԨ3gQpJʋSld-"ŗ@#̱ٺ´%XOfӟvɆ|$~I@I"en<&K"U8?͐9̬`.	ePXo}ivKH_&
*|k_glS=>> }k\XA2㭔nқ/Q:Xz#]#pU\I;y*\ko;˭&c}%v%V1I)8څbR	|MBMcO:-0,j]a*!,
P6ׅkTl߫j5L3pxୌZ[K7n`DltkzNN.а)oQX^hσ];Em7]fRnBA&.hUdM&579U]&LŁFKs%O0a]YTv՘0Og]8<1^icN}mдAiz( Kn7m\,]nWn~"ÇNBE\#AwSFK<VQĩըT6}'pK0z#;*'C+SN&fq8'+x1r@7<
~.%\0MaMƐqb9ZYt$}Wߺ=f\p-ugpWSknTf+T2I3RS,dP{έL,kZFZLӸ\B[knȩ6uW=:Kt&ZɕNIY~smǓ!l+xRd,&MoKf*H=OYf2p;TͫX&sQts^<{bCtp-J.d5?tGP47_ȶ늳l_ϤP0)+noĚoKjn
cqz qLj#6;C=qNna7 =T٤m8
}E)z[E ew=B+@{$"[#čzAMY
!s%GbXT]v
њCF-Ouf|GQ(H~×eJX֒rq׶:Ҳ&6bZ,C.k8KTNWASGE]3g60ZkH*KDrY8[*y֠—#h67VS$3qbrܲ_2KPxTez=c j1xUTgҸyP+yĸ3sgK$S'fN$V8F3%TԕP7?/IkuLYvPcbn;crNLݦ-,a6;r۳2@`Ք
G#``zz"Lq~`lg1=pt̶5>LA>(TIԔ1,L<a=%	oAOI13hAT=!,H=6.FAq;5ylF $.n/\Dv(qd\MLQ϶f"XJ	F9Q2m(4|rBfx<!Nr:Һ]TS2MeϿW=h#=&i躛 t]2ê63
`IY#(&A%mjw:"+W;яڌ
n-_g3N+r
JT
$氩A%NJ_A?Lj<!_M1dk=
J4
d3t^)wi)*4Rmژ|f8رftmŴ섩4
׭kFj*n$4ϺjcdkI\.s!̇qV
(vplRjRA!fQQ;|cD9Y##|zfG_S2̯%w䈍bOB9Hwh>MɔZ!#^˄]VP2?}bD_M
DOuOtUԚUM@a7oXw:'*In8NTBJ1KB@)%*L)(׸m~W;B}iUOe[wΡlW?\M(Gɖ]w:%LiNhd~Jvx!7T9t{0(;BBДI7G#mɉv$.SkȸHORw{$hBB@+pNHY0MB\ASHRəLKRc	demS|vzJEMoyVuycnL0_IRdn\:bL;t4@wMy\Ke" eڂ ſ&M1A7jn 55-Whsgq#.ЏN_[fYy:4pND\=Vǀ%L vR蜷)w&ꪋr|v\6Iy.tCw
}E:XXU\fcIhG`}MG[P TB=r:q
aNZwwƏGWk{:F1ZtPvh(lHű7ښ쭅$i
y$ tc%nQ|<kH

-(g`m&Azbd(`ֻծ$A[,$l=M!rIϯdy=*[@,؁4ts$8|8n:vKϕL-5B#@Y%keSߍ"v.Y,M\;+94W1x8"Tk:(ఊ_EoFh
	(qPܙR"N{>U\[ZTp8	S(6W^2}un)m9.WpeZr5zjE鏐CjOM
QὯh[._:Mg/	
zBXu]TdÀ
.bJ*N@Fy{~tt `=, u-xZ5XqoFWG4DJk"t9)dlַ%D "*}z+2c*:.Ҫ؂>\M~bNON"z*^Y:{
ZX23 (ea  $30iڐSB$'Y9%ARbϋeFb>K=(hif^?:<wfl#|hl]zpאx&Ap+< !a,n5Rd
6ŜRuB^a!75"dƀтTǏ,/Ut/*Rwà-G"+!1V研Z.ݝ1'zcb6Ѓr4e
]lpqV#4+pQi95\x>IXTG@ڼ^"-XRHFSRSx.zRDЭL>Y[cE">\JG$*.%U
ˏQUCF?=Bo."HVQI2;]VK6O[>MO("
2LsTZbUf<BGg@h2U&6t)3S|(WGL>VB/?IGt
x_kVA]L5$z#Z;+"yTP,A8dx``F8p_"	x)[J91@o!	Hm#̜׺FgI23td%sݥ4(YG7	F{U87ǥ+R׸}ALp6S5uGeZ^\z'wF,,2JsS2n3ҭVQfUb("d,0ti>T7fa"#J0QEX04E17A KH	`AB]a;z8X3
|(!x\S5[~-*2, yèJH_aK$ &{Y7Øa"~[=|UNrKm	.Lb$fU"xN_ HA;Ђ-emdA9|hM	З@Ն~-"6!UX?%N
[#&7rHNd&
űKzE*[UasYn	>7	cGm"T6jS:rH.9ꢼVς<n#\dw+t$tYwzO.HHc	bэt"+Sc%S2*=z	d$HM]!hȞK1A\*0[l"?p OmNJF
A#:~*OmeRݍJ"{Y	UnsqBTz3z	igRJd˫Jp-vsI-][r( :wZW:&1=nM.oV]
CV:zN5ŵR,O?Hgoɾ؆aokH2I+.Dy乩
ԁWأTZDCGDK*+p2BH
w:I,"UY-g0~*.	E/n{ŠZAJi\%'/:`:IMX}i2Rz+$,z1=B
RȺs<~x<
WUan&4Μa
aj5#۶'[Hq0L!'!	=b &^I]Ʒ>QpH]fjN(Yj@m1M7m,ke[$…}n*jl~@rL`#ƅ~F\$Fu+v'31,]/Y?_wi*˧CφqWpV">uSZ
vJK@	(11M@d)(WhHp(ʬL%!	[]
:zLk=aw6TUB G\N/bJr`IOK%W! JgHc	rN^pOIh62ZG`Vo̯,iٷpLD sʛ*<I:-i:ay*t휑e&VJJ;ZgҒݛEnƁ<f94,9_z?t4Ū
YKWlpXvvkB;x#_ 8c:	"I1#' q]dg]7`nTjWG
%ba_Mjsa|W-8ifQSy?3b^@G?fAîpa $U2{@LJu
6,u4:cH	&UvʖXkbjlʾ&ƸLkKAFXΛM%c'#$JD!G'8@v믭˛%"@L $ܑ"Omjf_ev|RTf
rA!mG򑿎5Lh?YaŐuEZW#jc
nNCn+L97	K}.wߦmW\^
[<(qB-,#SpΊOINc~R&H_Wc{j2k"2;XcFঞK%
/Is03ء
fи3+lTTLmZMaI\Ŋ5~,ӫѭ!>GTc"
A@d3hkMzY}^/iauV9h+@j&N(vq9ُwº-LQNuq3(rMoז$U!7DW((e1=D3a"YQ^[~݂zHt~AF+VcΈ%{aoA}QȜkYuP+T[m0db)Mz~_.23JjԒ=2b.Fbpt)$U>n53N
x~!+rT\(F=nDk6GArUnӏԄRUB
4wu#ԕt8J6y}1"k
=B"n?x><N5ox?S@C)dOr_֤
8j}x?g>=dEQDXeܚ귽<Pڼo#zxUv}gtBɿB-^*wǀ쳧/3E}E5AݫG\!U(>l:0Az̟Iʮ7C?}	I5շM,")':0clQٕ
z_]xg=6	޼qtJG]gb߅ߢtg.mm4տI0۵W%R؏~4=[{,Ioy,\WO!;nE]EJõJ&6>F'a2<yw+^8s
\N mMfnu-N5eq|Z7Tl]W=h[ۜM.}t
>Ͱ ws/,7)2rFÔ=u[z=O3ҏNj);~g*QXK-
]w>$DzꑏN}a	}cbё(hs@_2v{i[5[Tl}w>
ƑOsez
	;k/]Cȹ*_GWsWxݡw<wtZzЛ%k7%nuy^WުzooSGz<+j߽G>iXáؾ5Ԩ,H_~/IZٟgڷ_~kpۘOJB50=i*f{;?3zj_Un?oԾs=^XFϗ)f/:
CISvH^-‡7՞l&$_%1SRXp3"`G`gj=Y$c c	ZPH
P@pr(a.))K]Ov:UYU\!WU?D<;FN.e\z>$TvD
@jӴ_bsGD
ݸ6i죶NhJQ$c{E8o4f_cd?cYC";*33Λw{O>?}ts1WyI2>a2fgR{º-ihl,P@J;}1}E(PA$pH[W~<}.3'٧\WU88i\
]
M䋍rg{*xIJ!=R<	{`mDϹPx>\mI=#
uʲ룇EzDb?UKa8)!T~2U<S$	GNRP
bڋ>w<U#lx`!\Jz ڊ=w,7`__~Q;px;x"/~'c(|#6}`pe'gd_-c>-kG¯ fR(UgRL65|ǽI=IY4V;!3@
dDFxRa$|_9b7#(7n2BƏlѴȲ.jR/H;ao;tY2	ZNT#b_.y[rԾRӷ=.2/=&bl+}(8SkdxBI6rpt9gWJCe
ήk<2Vi
fÐWo^e'ғ
U_Cd,b.Jy/ؽk/bh͢%蘲zȐw}Ic.ٯA=lGg{b᱂lPzQ&-PʤeOCh\e9mLu)xQ߱R8])bG.JJʕb?d24"IkeRR	GNҸ5c-_G	ٲ,wpV	sRذ%<K=zsmCVly.,;<z<fiC%BJ;7yeLHo`cdd<$\|6hGX9Vh%d{}-k<+?.2}hZ'P5iN9V8٣E<J!|cֈy
M呯	P/#BQ12sko
%&LV$wFfe4YL:T
Wސ]t.Sܷ{B8M?xz?\J9lݲYI
<~/uzyӦ5W9E=҆lhmvpee1"gM!ʾǵF965^95N;B_a<GWSPWQ35uk,&:*guicɂkaAr2Xw*W3݈|2cb[d0ETe4oh1Gk<Cx-UDQ1XjDVf.EU<3pFt{H̑^!9-FLs
ќfXڌ#~NDv,i\ZG\̤FlOqKȳY:nPxV"ʭ	{kt<g9ޒ$w|iPVcW](P;=x'>NH0|Rkٟ^u0pK	8~Æ*y?3PtN+JDMi<G<\lxʋj%3f:ɼHhOLʕާd	׷}pǻ+RO_}M
=JGi?Sٿe:Rܫ}$a;*l6-glf7

RM
\YƻE
/F)ʠPqN6FqjV0 @@  @bTZR7}VM]҉vøAMqqs]P;d{D=a-R,{<WLiPYq{Bq<q)tT QK]8Z^MK9hT
-rz`bH%{-cpЅXK\N.l|JϬ8yCd]S
$ggQz.Ob|(k4(M}1@&p	?\u?v{S=їhC(<
n˺=q_Q8l+gVƑw><^B #4KY((Shyb9OsLT8Z>ŽK9}y'cQ{`,՗'t^#ŕD/׽Ԕ(>l|KRϜm[Nܾ@Is*0/BMуh=J*l'Ԧe>a]M|2V,,k%F$EGPX^f@44R5tP+d~Nxʓ'k-M5LO?I츫\mq'lY8-LjQ04vtrkĹqI1]a$)w$UzљduUHʝ=JfT`|\P#4ņ֏ԥ).xA{GYCM+xD,G9L"(uK/"{xg.!|
KϹKȠ#wr}ԠR}rg(q;`o./SٕcɅ/z\-g\xʿbD_?P/k[&5[HŔ]|+_M}!Rޣ0k6A\Ԓec
|#ehWd{?mY͎DڬۉȉaGyS1uX\by=|tb={iǦĀq+^3F`Fxfx,PN0x'Вr5'<ThX|&a\Q~PiRքlyͱ:D]n)sҟ9I(5(:So1)-ԛ4Ir5fr]SMWmFyΤ)pesc*e>DevAރy_Rޮ{1ɟo!|u<]fu
aq3%j{4/_KA59wIrD5fzǣUXp<ݳmgB觰WbM}f2l$ٸ:AC)-vnz|ON=狸KzͶ+u+*T+'eI)ו(oN}]?c^hcO^>9[M_rwP4ۭܫk;ڻ$7|ܾ
Tw!jTT=ꉄ*}vi|G+R-_ˉUv4y"׹a	U/L^%[G@]K-[/weyೞl*dٯ{&0?C-Tu%5eCl=nznK6e5t]5dM!U,*m4X"2%ƥ?C>eY&IB=Pj=NSY`~fPweػZ5d'GsW)nrM5Vu7.&yL+	n/>.<?P~=Ty&l76*xj_5eXm?;+{F[2Z=nǯG?mWJd9XkeğlͬֽZZ富
ӽP7OiizM4/&?ci
0Q[a'>L6AT]Mc'/G19xFO%]QmÃdgAI+9,^ejȿK˺7H:>=9c!K+go3eSo/ݲhTH$d-e̞'VGW۬>U?s?=dm<`o6fziԻimʓfM 7qR$i-	mXSlXgd$&;<^'>5w?ڸ{J:{sGL]{nw]+exͰ[cƛ{eکM^v5رߕOz'V9Ζ(9)g&{+6flToۣ[<gg/][:NDàcMp$ZҀYUa=iWtexܧ_$o{* |yEa%E7;`x|g.lbtQ-2ȫ] >خμcb+aboIɾ_"xPתk>9:82}
\UDׅێLy,mp8Cc*zwQ?Ӣy[VA;cYo`?~*3@0y3Fvn3^K+!^įon=dr>\3;_u῟kլorK`rO;m[^ã<;*|9{@fz,!"@gt<f]/=
V |֋@fz,!5:-h3&oXwPڅ4g!
oa%E7;`xۙz!Lp@ }<]j^K `
JE:6?aNh
Yjk|Z&#LJ<702]\(9
]O
~gS"@^vSZ,i
9/N.B!,'5 !G^iIR*P*$(,5DXEEѥ+z}li4nOI+b[d|XQ=GFmodX{/
#mcq@>*8M44 ȍr421NWr78(vm\w
ƒm#"m+,Fù(ZFTi	񔗅BX7>uF/,
z$	-˃3'!Q@VVQ-Eoŗ{p\2
p8K>ҧ{o>ȕ"8(Ǹ
>-B{s#KRFTW8@O]H@]rK4

ޖVk[ESm,z-- @V—Q9*X$9WH~K9267H9`"brE>OzY`N`@ȿ[nS,
KhSZ'[0T^l@>j
OY:nٛT(ܪrނ0ee#go)X^+hBڗa<p
EiÃ}e-v5>p# -:"
eyX.:!#jqwN5ɇi?~kz
RߋKK4#@"78jO&G>rXPٛ BE=cl8]͇˷ت1[m	̢瑩oR,6eoJhtR-G0VěMYRJv|5t)>`T"\IJl7*<-(,5BV:T}ވe0)!7/Y
kіoCPT詼E)2wntt,O/
_d*f5H#hj~
-c*(҄u4~-OΕZ<f4~kG%P1A2xF/ɎEzE^D-g=T(zc+jR~S4B:P kFՠ[zvr$w
4ރ<Y&D@-&R
}V@6AV?2l<
\@^:Z9Ts2TQUoX~pI륷@~-UVs{A
~뤮l]c^e
4-,/[\x?nzԵEj~ [ƃMob޶bx`
⫁meLHqk.U ^(-,23k1OzZeDmG6TFe4qDY`QZgiE_qmYƮ]$*H$}hj(	FTCFa(tHBu:,HM:P$md(zE"dҚ9JK,.RqCŵiA,K! 
q;G(K!Dsq8
pE ⧾^ZW=}%衞G_7jW[KC6O2<z>
X,IF4a'!X ŞyˉI<TL,?y
BX,IN笐'4bI¢EPeY}C^W4:Sxf1O2L=dȋbiϓQW@b	 <C	KI <$eVb,Y<$g[C!KB6=O(h0	Z<JCK iO(iڬ9Y;yx>7}+Y]lӡ@jjp-T[pC1Kl6ZJXiy-'9$ڢ1
'A-4bIXe'Y=JXy-by-衬Y'V%bIבKC='gۢ1
'apJXy-y/PffIHCI`n,g~q(n0$~ri(bI編2CIB,n~(u0ĤnmLl@H(wbiKj>	fdgkD/ͣuG%J(G@1O´7E4xc$L|[!Fy$X}V[,<IQ`<P•~)$Sؙ[N;aYF;9p|14`	</!O>8E1
o
X,I<Q`yI#8F*,CźGL#"Ó\!oa
X,<Y(0R{8O(obiΓ-pΓ!2%p,
X<IeQ`<Γ>b{C$!\KC8KB3os{ire2Lk^=U'Rp,ܸ9Mñ4c$WC4م9B^I`NXGw<chy+^KC.$e!F܃4bKcX(0qs(biǫKAJb8Z]S,Y.*%st
Xq4VP..Eu%4bCH(Iτ.δF"cvy!wiu8C8VRҐ./Q`uɃi/,
X y)=n3%
Xr%DVi(bK$Hɹf3A@ Vտc5Puh]M'^Pv8yRH E:shץPCю|*bD[)`^1'YVlq@'`ޞ8
"0C.č󧈋]ygU~-Rw{T\^>p7$KӬb:j˥">Zh}Wc,&v=5.d7zqHJ?d}ȎDd1!T\XtLe#oDt\I.>k4w{l"kQ[Em(Ӥ
$=<WO2ifIM'Jhf,Q;-MQ5dH@+fi+AdyUkIMhKen$.sKLz."?˖#4ܞo)Z9e@LJrE4"Ŭ!`(s1:9UR 8@=7~P*eq:c+KhMU g]@AFZu<?
f@5ƊY*^nR)h;ŵUY?nbq90"ŬJxU[$-uau<]+s:tIdΤ/I\ZHr,TtaQA+7Z|IMȫJ4a)jT{}2B+c80}˥\Lx0jd5a-p5㼋TZ鋠@]LT1Rtw謸pj&(۝p;m%
ی`dfL>#2rԿ~QXo3ęZ*D.?"BAm8V!F$x-7&.g@(^PYˍ]3R˹>;GAGi2빷d<PnkwV0v՝ݙ< &#8bN+^Ԥg“)qnNyomqo
"w	W	~kS߲~o
x&&ݶ: yOf.M	7GAw
w
@!:;lBkxgpSy`eo}5Sgw;	v>@)ȎM(64a	A6!c7ۄwvvtyә&")](aSˆg:N(&}3#lCPmi+6	G1bӥ{"	̑M@G$ps69B#Gw(aÎCu#PMӬh^Zm9;u#mT~zP65Iݤ|9}|Opp>#QPowz.4So|qc87><66y4uoC8J&X~jogT	,77BMYt|߇`mⓜ8V'2!	|]v+{9qn8Hs܁s`n<Y\:z+s>@h?Ҏ^7gAا>m
`3ǽSc|w\ۇcK:ku~il~HQYPikTNcx9g_6f;ʽ
uU+;Gg!1kڱ~Z]quW‡s
ȃC_ddĬ<;LهC=vWxyv JmXdȢ>cWK:b>Wfa!^mrCl}seM|;9(yN_9C.GȰ?l9pܖ'r>2g͉F9QnQT?#NEiH9͈9t'l"Εocrُ6ulEHdSs_vdAb\
NTwcշWZ\Q*ӟSuTUzUlT nb	WXpt뎹~`*hקBT<t#ju]a@6"\T5P%l$kI߁Ty6#,HK*Hw8.b
%t:4"KcTjbĬ,bRjSE
hApI)l	 mJSZ
I)Ge;vEWUe-E%mЌ'h6W*q4#u*B:]kg-&Ʌ$†.|"E&)*lK[I$IʴCHE
E!Isʠ
IIiH]\=(6
>(Q/&MoSkIj֦Wپ#/].<Rtt$13Tbc69&W5Nm6%~}J,|_=8MUҼbgXn@{8"je1.e٣H@2Q^&]Ғ-ƴHG`mT;oOΚ\Q(=ܣ,/H}TEkR|1-2ޠ	ڷh4GJ?='K&4Pg${4%5G}kҼ
>5KhXޣ
AC\?V?Zy?%sr*AzGY}xX(>
U}H UR5"po~3QR1,-=ߕfjZffwzfY	*K=xDD!QGT\X	Iu.+8Jٻ*+ֲ#QIe<ѥU&,gg/fk3٬v=0\{]mmkoep$
Fof%%MJY(Ew(uX ,#P)pkPd5e3j$ģV,VKZ:Gתo`o?N?_na;.9CSow$\
1Fcɘ0x㷑BH0?e°Aϸ~,+Uw"և=R#K^Cc caxs9G11lo;ҵݱ!0귺GDV;I9(/$~RfQ%#d3(!J!	bep5`{"q׬d>bޘc#,O1L1mYXorKЊbMcox|qF	
r:qo+@qLL>K(DYicDz^[ƶlqQ(T#,+{bH8<ȟ@f|S]y"KpQ]U0$|s*Cl#$TVB;Y=ԘiҬϔLDB1al~S7O5mx:q}͒eYTHHFXdyY?V{2(qbQ}+IQYqO19)rxeH-TOӬ1qBYeg=5VrmL\5E0o?Ah&sCz\9es#ld8+@y=sƲP׍ue%t64Zh`CPF[CZPߐ1	}j-3߰g
cR?\ƊB6+9@V:?+ϑ27GʢDݓ#517Vլhak6gI7Ͼ-'U
Nf<ucQ
cKFƂI+x5aXҳGrдHbւOIcV}]eE"	ĥ-IACA7jFYV7|BU%8ܝPVx`qIPc7jhtuw:aEpY0[|=S	qT
4D~:Z<o̕
RDx;N#-&?꣄Qư`+2@
RҡÊIlEHhxaΉ:i6m:`OibE{D*%ɓْ)<Q>
cbRucYUFFQ볕~pY]l_ /ɋE;}"*ϤVOwkUm4QBұ$'KJ0Y#DxiN\
DWlͽFC[DBrDc{D~d}EK
!6]lQot
.rgZK
#Ɣ}Tc3@A"tQt-+;Dz(^z$kwB%gW[
4L QggFZh'_U)
 	5b,?n(ub?"ÞXZD,zfAĭFJIoYHPoXk\n}>3xmm=lj0bY.*y7oc$;6-gb_1+5Uɼ9TcaNa&G -Y-,ӌ@f>ϨkQ!>K&
o.UKeţK
"#scϕ*ꆮ0Yvc.aZ4mkT4TiTcn\3cA;. ZXƲ_f^^Fi܇j4wI/
KeGC`50wXe4A$rBl^D>YVʍbTnr;V_cMS
+'=}pz#O@Az}	)tr3b7[N|_s~WlFT>O-kEWRUG=5t1ibE<1FD4c +,+j@4ř}4xygTxoY%5oei6G|Cwm8]XʦlkyoXcA!,cٲ`MY)ʺt%GXӬ/^MvDzPyv,Z!H7X=isŴ{opPyji?-ڕevv+Yf)-IJVKUx{Z4 qhu9nʡ#^	58Vo[iCSDEUǠ/
+"&LeRpnE,~rEfjWVǀiq<mַy2\	LdYٵбxES!"IoX15ss&	_ҍN4[@JxH_A^X߳fJN4l:9c>o(YOX}#lj\$` tݳXMu!誤r5P,M|:Ydc
5~撗ž4Mwe2
ijr(d3GHet[pnz|RQkit*19ch+&5~(d2{0!b^Eb%=.	;ٕQ3Tˤ6|~`Zu,V

 5cYZ0d)A\Z@8[V'24NqLQSvuCryI߲Æ#^ ap];W)g+d6"GI3=6HcNt?PsuFmTz,i#VTY{``QYRcةDN壴xqrJf}qaz&!̴<}}S1I:iϤ<k6FZ!HMu1P
U1YqX1[_-+kXbOB-݇7# 
DE-:ś,7s:.֛
0Ý"psa.?-J/˝A$^湖0obRUIeXU}Md_4vB	Bߒg\&|T׫hBJf>ROpmXDAW㚬Nb
:Ofj95maQD[͠_:bBH;y)Ru>hK[aef݂	KWdnwFpd"᝞7Ll%YCIhPQ,$N_ݝQ1P5i;*'L_sqQERCE =ʯ!VɹUSyO	ڏkl=1f0t,:ڭ!>H!'/T1hoj?pδ#x
!ز
rSfլH,/MzXǕ(0O32HiābF.	7p2IIQ0MϬb)tQ(?CԘ0)軋CH{笾
d,i@Z[C |$#(X!uq1ݻ _j0>׵`]ρRfYŢ7TMl5|~]inĎS-]'fi$G0
16HEB" o=u,-!½
tA\#"a䟒!@C/,B||zhl!TC1tX;C؊[x=c*RI8Htm_mMq(z1/]\M:&؆Ñfse|ZvZtV
gwL)=sȦ;tT	'CcEs_f>к̮?qZ)&oyXeL
)ФGyE4>洺TlVs@
E"({&Z~ߤ[25.||1 P,$<U$^۴3Pu$ C6L":?@35m7XEߑk{z|yEtgwzLUDYA~3δaW'Eq.;kA:$T"uI/&씘=C<X$I0D
#'cИ;CU؉T$1$Psk=;< HUhF`K?,pDv|2(1CXjH@~aB
gX`,[ʴ+t]ؙ-K
W/3~i]RD}2bp@mIuդdx!pd›3py?O[Df4EVIsLrye2!e"P-]a$ppU$2ҿvwsuXx5!]=MkCJA*m`ŏa!
:}@
bK_PmfPe5|I%8CHp	}c:OmesC.@, 8k2
{'q'#tGeb$GA;cOs??b:k_c'D|cUJ>4;1@NP1Zg{T;fN<vbV릘'F8,xSn$?uLH@ޗ5b PR,$APl\waoɱn).Ikr!ћ25Nej(HC(~#H,a6MYF;C^]^z,S^tZ@s|ݹ` dq`
3~:IVלHb[XYjxpz,!]4"84P=,sٷ(Q>ʚvf993l((N"'C4ҊahĶU@*+xv:ڑ74!z+Pw$z8]`S"1SZ
$WG'5K5&	i-+B¥}lv<S6͆nHɀ`SkF>!z¶
1[V@.lXO2fO J!*Cu<5!`Q1]̘ dz%C#$뚇[O5V!jD+ЖI5"ӮVY &mu#bxǀm}2D1f-8ɔI#޷aL Eŀ#1ͦf$"=2Sˈb3xAhݦ!gj6-<q7|VζPSαig/fs8EλD
:{N>.ۻIwx:
ȱǺg>/RWƞ_ыkw\O_󃞔}xgּF5TuuUpK
M!l713Ok-5Znt#O;J
P](+-iamjO?椙6Ѕ
ǍX2W=[W6 
][6?pԲ&+=Wl(t1ԾKqy#WL5{(/rr>4ET AE}=^hyϷ\8e{yTmR\uSiNIyZǿڵlmo8{]c*ӧՋz̪Zk>p[-W+ܭB){r+hc#nlt~ok|QZbsGנ){6.{A숝^Ӕa:4X.Nb{&LϬC|boY#cGK4&e3^=;M=rG,=h$x';)=㽑9ڼsa:XZ9{}wPǰO;E4l=>hm.wXQmpܖ=&2In~(

p.='iņD^{(~^p_6=d#4jX\!q4
~.y#.
scWZ$'jY
L}5M}TzIǸifi.6;mPn r]Gge|+nFzO۶=*_33G_lS-]Ѓo?pZo>)7c?NX6_GWiXTlGi>m({{O»mhO޿2/yyި[ecmaU<lں`ܶ.鐻~պ^ukyµ'R"+6~zt׍x;WտqzsZ
`]6Gpmq#}y烵lj߽m%WtiQ8Ѯ{kOyxEZ,G^Xn|q…k{smMPv;<vtͱcEjTޡnQ6:MG}MkEyo߸n=XR4*Q(MI|u0%M"h̥I
ht'M"EG;hҙ4hAڎ`
V4M*E?O^4WM&DEv>ҞѨe4RVQ@-ZA$IhRT8YT*L.-IJý``Ou0ΦU
D
l&zfEѤIVU4MNؗ]Vi+3Gt}MB҆UPdĵX4|]% ۘb[9CScET!j۠gUf&lbƝJaBX-a^fE4mn%^4XGR<[:v,}A%:y-g3/	eup	GffԜ.-X!>/mj%Vns߫W]sQ:Mb%9+]a҉7ga^KXeMg+4-1`55-uV쵗k_:,G7x]|fCZ2XK<\ 7mp{o&\s}K\4=TK	qɳd+\X"=YGr!Jz=oJ/O	w.p{Vzyed@ioybo[\uIi&=|H"\hmuW5,#w=Nj+.y	uJ_zg_m:oiNҺ/qW%D*:_;OݻuKn!\[Bq]vmu5
'lc/h.uShWnKq-]桓%@+-B.)^]ӕ`^{'d(L5*]"Z~1,)Yr@t&gd	H	FKĵ$!,\yu#HýuKEYUm#n%̛[ⷾIn)Ѿ֖힙O-3p:Kk`%=YZb7a7QK
$qG5jEZ֌YѨe`}m=՝Ymzf+mTDW;\-Nj}Oc|l/
LC~a*!®~H5Az?)JuaCWDغI=W*K`&hRA]3{1ax[t-nk6N
őu%m"J.gUZAĚqʧj9a^(5_km\7|-~c)-#dlCP6LRڀ$۠އh$GƦN4DRuz.0*?xFm]3{+jʏ<>cmLgnjFO8$hu?d5g{HUK;mTSVĺ[[d
8
(%Mp%Tb^\$,?

Anon7 - 2022
AnonSec Team