Using AD FS Windows Token-based Web Agents and MOSS

Installing ADFS Windows Token Based Web Agents with Microsoft Office SharePoint Server 2007


When the Windows Token-based web agent for AD FS is used, the server hosting SharePoint must be able to delegate the user's identity to any line-of-business (LOB) database that BDC web parts connect to. Without the steps below, users can still authenticate to SharePoint, but any BDC web part that talks to another server will fail. The failure shows up in the ULS logs under the Business Data category as a logon to the LOB system with an anonymous account: the agent establishes the user's identity from an AD FS token rather than a Kerberos ticket, so there is nothing to forward to SQL Server unless the agent's service account is allowed to obtain a ticket on the user's behalf (constrained delegation with protocol transition, configured below).
Note: These steps assume that SharePoint has already been installed and configured.

Prerequisites

- A SharePoint web application that is set up to use Windows Authentication with Kerberos
- An Active Directory domain account for the ADFS Web Agent Authentication Service that will be installed on the SharePoint web front-end servers
- An Active Directory domain account used as the application pool account for the Kerberos-enabled SharePoint web application (skip if it already exists)
- Two SPNs registered on the Active Directory account that runs Microsoft SQL Server:
  - MSSQLSvc/fqdn.of.sqlserver:1433
  - MSSQLSvc/shortnameofsqlserver:1433

Set up the accounts needed

1. Log onto a domain controller in the environment.
2. If the account running Microsoft SQL Server already has MSSQLSvc SPNs registered (check with setspn -L domain\sqlaccount), skip to step 4.
3. Open an elevated command prompt and run:
   a. Setspn -a MSSQLSvc/fqdn.of.sqlserver:1433 domain\sqlaccount
   b. Setspn -a MSSQLSvc/shortnameofsqlserver:1433 domain\sqlaccount
   (On Windows Server 2008 and later, setspn -S does the same but refuses to register an SPN that already exists on another account. A duplicate SPN breaks Kerberos for both accounts, so check before adding.)

4. Create an Active Directory domain user to run the ADFS Web Agent Authentication Service. This account needs no group membership beyond Domain Users.
5. Open an elevated command prompt, run the setspn command below, and then configure delegation in Active Directory Users and Computers:
   a. Setspn -a HTTP/test domain\accountforadfsservice (the Delegation tab is only shown for accounts that have at least one SPN; this placeholder exists solely to expose the tab, so use a name that no real service registers)
   b. Make sure Advanced Features is checked under the View menu in Active Directory Users and Computers.
   c. Right-click the ADFS service user account and select Properties.
   d. Locate and click the Delegation tab.
   e. Select Trust this user for delegation to specified services only.
   f. Select Use any authentication protocol. This enables protocol transition: the account can then obtain Kerberos service tickets for the listed services on behalf of any domain user without holding that user's password or ticket. It is required here because the agent identifies the user from an AD FS token rather than a Kerberos ticket, but it also means this account's credentials must be protected like those of a privileged account, and the service list in the following steps should contain nothing beyond the SQL SPN(s) SharePoint actually needs.
   g. Click Add.
   h. Click Users or Computers.
   i. Enter the account running the SQL Server service that SharePoint uses and click OK.
   j. Select MSSQLSvc/fqdn.of.sqlserver:1433 (select the short-name SPN as well if SharePoint's connection string uses the short name).
   k. Click OK.
   l. Click OK to close the user account properties.
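The same account setup, scripted. This is an added example and not part of the original post: it uses setspn.exe and the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later with RSAT-AD-PowerShell), so it assumes a newer toolset than the GUI walkthrough above. The account names, host names and the svc-adfsagent/svc-sql identifiers are placeholders, and the check at the end reads the raw userAccountControl bit (0x1000000, TRUSTED_TO_AUTH_FOR_DELEGATION) and msDS-AllowedToDelegateTo rather than the GUI labels.

```powershell
# Added example (not from the original post). Run on a domain controller or a box with
# RSAT-AD-PowerShell, as an account allowed to create users and edit their attributes.
Import-Module ActiveDirectory

# --- placeholders: substitute your own names -------------------------------------
$SqlAccount  = 'CONTOSO\svc-sql'      # account running the SQL Server service
$SqlFqdn     = 'sql01.contoso.local'
$SqlShort    = 'sql01'
$SqlPort     = 1433
$AdfsAccount = 'svc-adfsagent'        # sAMAccountName for the ADFS Web Agent Authentication Service
$SqlSpns     = @("MSSQLSvc/${SqlFqdn}:${SqlPort}", "MSSQLSvc/${SqlShort}:${SqlPort}")

# Step 3: register the SQL Server SPNs if they are missing.
# setspn -S (not -A) refuses to create a duplicate SPN; a duplicate breaks Kerberos for both accounts.
$existing = (setspn -L $SqlAccount) -join "`n"
foreach ($spn in $SqlSpns) {
    if ($existing -notmatch [regex]::Escape($spn)) {
        setspn -S $spn $SqlAccount
    }
}

# Step 4: create the agent service account as an ordinary Domain User (no extra groups).
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$AdfsAccount'")) {
    New-ADUser -Name $AdfsAccount -SamAccountName $AdfsAccount `
        -AccountPassword (Read-Host -AsSecureString "Password for $AdfsAccount") `
        -Enabled $true -PasswordNeverExpires $true
}

# Step 5: constrained delegation to the SQL SPNs only ("Trust this user for delegation to
# specified services only") plus protocol transition ("Use any authentication protocol").
# Writing the attributes directly means no placeholder HTTP/test SPN is needed; the GUI
# needs one only to display the Delegation tab.
Set-ADUser -Identity $AdfsAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $SqlSpns }
Set-ADAccountControl -Identity $AdfsAccount -TrustedToAuthForDelegation $true

# Verify: the delegation list should contain exactly the SQL SPNs and nothing else, and the
# TRUSTED_TO_AUTH_FOR_DELEGATION bit (0x1000000) should be set.
Get-ADUser -Identity $AdfsAccount -Properties userAccountControl, 'msDS-AllowedToDelegateTo' |
    Select-Object SamAccountName,
        @{ n = 'ProtocolTransition'; e = { [bool]($_.userAccountControl -band 0x1000000) } },
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
```

After the ADFS Web Agent Authentication Service is running under this account and a user opens a BDC web part, the connection on the SQL Server side should show auth_scheme = KERBEROS in sys.dm_exec_connections for that session; an NTLM or anonymous logon there means delegation is still not taking effect. Because the account is now trusted for protocol transition, treat its password as privileged material and keep msDS-AllowedToDelegateTo limited to the SQL SPNs.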

More here (courtesy of the original post): http://blogs.msdn.com/b/timquin/archive/2010/10/09/using-ad-fs-windows-token-based-web-agents-and-moss.aspx