ADFS 2.0 High Availability and High Resiliency Walkthrough

ADFS 2.0 can be designed with high availability and resiliency to provide the authentication service for applications. This walkthrough is inspired by the MSIT technical case study Enhancing Federation Services for Internal and External Partners (http://technet.microsoft.com/en-us/library/ff803566.aspx). It tries to give a simple walkthrough of how to achieve this; AD FS design planning is out of scope (for more information on that topic, refer to the AD FS 2.0 Design Guide, http://technet.microsoft.com/en-us/library/dd807036(WS.10).aspx).

The walkthrough scenario is based on the following diagram, which is simplified (no SQL Server cluster and no AD FS proxy):

[Diagram: Datacenter site with adfs1 and sql1 (principal); DR site with adfs2 and sql2 (mirror)]
There are two sites, called the Datacenter and the Disaster Recovery (DR) site. At the Datacenter site, an AD FS 2.0 server called adfs1 is installed and connected to the configuration database on sql1, a SQL Server 2008 server. At the DR site, another AD FS 2.0 server called adfs2 is installed as an additional farm server and connects to the same configuration database on sql1. Another SQL Server 2008 server called sql2 is installed and configured as the mirror database for sql1.

Of course, this scenario can be enhanced further by using clustered SQL Server at both sites and more AD FS 2.0 servers.

To build the configuration above, the following steps are required:

1. Set up SQL Server (sql1)

2. Create the AD FS 2.0 service account as a domain account and create a login in SQL Server for this account (integrated security)

3. Installing the first AD FS 2.0 server

  • Preparing the service communications certificate
  • Create the AD FS farm database:

Fsconfig.exe CreateSQLFarm /ServiceAccount <Domain\ServiceAccount> /SQLConnectionString "Database=AdfsConfiguration;server=<SQL Cluster Servername>;integrated security=SSPI" /FederationServiceName <NLB server name>

For Example:

 NOTE: The database name must be AdfsConfiguration; it cannot be changed to another name. AD FS 2.0 creates the database with this name.

  • Configuring the AD FS 2.0 signing and decrypting certificates
  • Export the 3 certificates (service communications, token-signing, token-decrypting) with their private keys

4. Installing an additional AD FS 2.0 server

  • Importing the 3 certificates; they must be the same certificates as on the first server, otherwise AD FS cannot be configured
  • Installing the AD FS 2.0 software

FSConfig.exe JoinSQLFarm /ServiceAccount <Domain\ServiceAccount> /SQLConnectionString "database=<databasename>;server=<SQLservername>\<SQLInstancename>;integrated security=SSPI" /CertThumbprint "<thumbprint, 40 hex characters without spaces>"

For example:

NOTE: The certificate thumbprint is that of the AD FS 2.0 service communications certificate.
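The certificate export in step 3 and the import in step 4 can be scripted rather than done through the MMC snap-in. The following PowerShell is an added example, not code from the original article or from Microsoft. It assumes CA-issued certificates held in the computer's personal store with exportable private keys and AutoCertificateRollover disabled (with rollover enabled, the self-signed token-signing and token-decrypting certificates are kept in the configuration database and the joining server receives them without an export); the share path \\fileserver\adfs-certs is a placeholder and the function names are the example's own.

```powershell
# Added example (not from the original article): move the three AD FS 2.0
# certificates from the first farm member (adfs1) to an additional member (adfs2).
# Assumptions: certificates are CA-issued, in LocalMachine\My, private keys
# exportable, AutoCertificateRollover disabled; \\fileserver\adfs-certs is a placeholder.

Add-PSSnapin Microsoft.ADFS.PowerShell -ErrorAction SilentlyContinue

function Export-AdfsFarmCertificates {
    param(
        [Parameter(Mandatory=$true)][string]$OutputFolder,
        [Parameter(Mandatory=$true)][string]$PfxPassword
    )
    $exported = @()
    # A joining server needs the primary certificate of each type
    # (Service-Communications, Token-Signing, Token-Decrypting)
    foreach ($adfsCert in (Get-AdfsCertificate | Where-Object { $_.IsPrimary })) {
        $thumb = $adfsCert.Thumbprint
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
        if ($cert -eq $null) {
            throw "Certificate $thumb ($($adfsCert.CertificateType)) not found in LocalMachine\My"
        }
        if (-not $cert.HasPrivateKey) {
            throw "Certificate $thumb has no private key on this machine; the farm cannot share it"
        }
        $pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
        $bytes = $cert.Export($pfxType, $PfxPassword)
        $file = Join-Path $OutputFolder ("{0}-{1}.pfx" -f $adfsCert.CertificateType, $thumb)
        [System.IO.File]::WriteAllBytes($file, $bytes)
        $exported += $file
    }
    return $exported
}

function Import-AdfsFarmCertificates {
    param(
        [Parameter(Mandatory=$true)][string]$InputFolder,
        [Parameter(Mandatory=$true)][string]$PfxPassword
    )
    # MachineKeySet + PersistKeySet: the key is stored for the machine (not the
    # importing user) and survives the session, which the AD FS service needs
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor `
             [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $imported = @()
    foreach ($pfx in Get-ChildItem (Join-Path $InputFolder "*.pfx")) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfx.FullName, $PfxPassword, $flags)
        $store.Add($cert)
        $imported += $cert.Thumbprint
    }
    $store.Close()
    return $imported
}

function Test-AdfsFarmCertificates {
    # Run after FSConfig.exe JoinSQLFarm: every certificate the farm expects must
    # exist locally with a private key, otherwise token issuance on this node fails
    $missing = @()
    foreach ($adfsCert in Get-AdfsCertificate) {
        $local = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $adfsCert.Thumbprint }
        if ($local -eq $null -or -not $local.HasPrivateKey) {
            $missing += "$($adfsCert.CertificateType) $($adfsCert.Thumbprint)"
        }
    }
    return $missing   # empty array means all certificates are present
}

# Usage (passphrase value is a placeholder):
# on adfs1:  Export-AdfsFarmCertificates -OutputFolder '\\fileserver\adfs-certs' -PfxPassword '<passphrase>'
# on adfs2, before FSConfig.exe JoinSQLFarm:
#            Import-AdfsFarmCertificates -InputFolder '\\fileserver\adfs-certs' -PfxPassword '<passphrase>'
# on adfs2, after the join:  Test-AdfsFarmCertificates
```

The PFX files carry the farm's private keys, so the share should be restricted to the administrators doing the join and the files deleted once adfs2 is configured; the thumbprints returned by Import-AdfsFarmCertificates are what you pass to /CertThumbprint in the FSConfig.exe JoinSQLFarm command above (the service communications one).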

5. Configuring Mirroring

  • Set up the mirror SQL Server (sql2)
  • Configure database mirroring for the AdfsConfiguration and AdfsArtifactStore databases

6. Update the connection strings for both databases (I referred to this article: http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-migrate-your-ad-fs-configuration-database-to-sql-server.aspx ) so that AD FS 2.0 is aware of the mirrored database

  • For the AD FS 2.0 configuration database, perform this on adfs1 and on every other federation server (adfs1 and adfs2 in the diagram above):
    • Stop the AD FS service from a command prompt: net stop adfssrv
    • Open Windows PowerShell and run the following commands:
      • $temp = Get-WMIObject -namespace root/ADFS -class SecurityTokenService
      • $temp.ConfigurationDatabaseConnectionString = "Data Source=<Principal SQLServer>;Failover Partner=<Mirror SQLServer>;Initial Catalog=AdfsConfiguration;Integrated Security=true"
      • $temp.Put()
    • Go back to the command prompt and start the AD FS service: net start adfssrv
  • For the AD FS 2.0 artifact store database, open Windows PowerShell and run the following commands:
    • Add-PSSnapin Microsoft.ADFS.PowerShell
    • Set-AdfsProperties -ArtifactDbConnection "Data Source=<Principal SQLServer>;Failover Partner=<Mirror SQLServer>;Initial Catalog=AdfsArtifactStore;Integrated Security=true"
    • Confirm the change with the command: Get-AdfsProperties
    • Check the ArtifactDbConnection property

 NOTE: For SQL Server failover it is recommended to use the TCP/IP protocol for communication (rather than Named Pipes). To configure TCP/IP communication, perform these steps on each AD FS server:

  • Launch the client configuration utility (Start -> Run -> cliconfg.exe). The SQL Server Client Network Utility dialog appears.
  • Make sure that only TCP/IP is on the list of Enabled protocols.
  • Click OK.
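The step 6 commands and the TCP/IP note above can be applied and then verified from one script on each farm member, which is easier to audit than retyping the strings by hand. The following PowerShell is an added example, not part of the original article or of the AD FS product: it uses the diagram's sql1/sql2 names, assumes the Microsoft.ADFS.PowerShell snap-in is available, and the registry location it inspects for the cliconfg protocol order (HKLM\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib, value ProtocolOrder) is an assumption about where that utility stores its setting. Function names are the example's own.

```powershell
# Added example (not from the original article): repoint an AD FS 2.0 farm member
# at a mirrored configuration database and artifact store, then read both strings
# back to confirm the failover partner is really set. sql1/sql2 are the diagram's names.

Add-PSSnapin Microsoft.ADFS.PowerShell -ErrorAction SilentlyContinue

function New-MirroredConnectionString {
    param([string]$Principal, [string]$Mirror, [string]$Database)
    # "Failover Partner" is what lets SqlClient reconnect to the mirror when the
    # principal is unreachable; without it AD FS stays bound to sql1 only
    return "Data Source=$Principal;Failover Partner=$Mirror;Initial Catalog=$Database;Integrated Security=true"
}

function Set-AdfsConfigDbConnection {
    param([Parameter(Mandatory=$true)][string]$ConnectionString)
    # The configuration database string is held by the WMI SecurityTokenService
    # instance and is only read at service start, hence the stop/start (step 6)
    Stop-Service adfssrv
    $sts = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
    $sts.ConfigurationDatabaseConnectionString = $ConnectionString
    $sts.Put() | Out-Null
    Start-Service adfssrv
}

function Set-AdfsArtifactDbConnection {
    param([Parameter(Mandatory=$true)][string]$ConnectionString)
    # Stored through the AD FS cmdlets, i.e. in the configuration database itself
    Set-AdfsProperties -ArtifactDbConnection $ConnectionString
}

function Test-AdfsDbConnections {
    param([string]$Principal, [string]$Mirror)
    # Reads both strings back and checks each names the principal AND the mirror;
    # a missing "Failover Partner" on either means no failover for that database
    $sts = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
    $config = $sts.ConfigurationDatabaseConnectionString
    $artifact = (Get-AdfsProperties).ArtifactDbConnection
    $principalPattern = "Data Source=\s*" + [regex]::Escape($Principal)
    $mirrorPattern = "Failover Partner=\s*" + [regex]::Escape($Mirror)
    $ok = $true
    foreach ($cs in @($config, $artifact)) {
        if ($cs -notmatch $principalPattern -or $cs -notmatch $mirrorPattern) { $ok = $false }
    }
    return New-Object PSObject -Property @{
        ConfigDb            = $config
        ArtifactDb          = $artifact
        MirroringConfigured = $ok
    }
}

function Test-SqlClientProtocolOrder {
    # Assumption: cliconfg.exe writes its enabled-protocol order to this REG_MULTI_SZ
    # value (entries such as "tcp", "np"). The note above wants TCP/IP only, so any
    # other entry is reported as a deviation.
    $key = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib'
    $order = (Get-ItemProperty -Path $key -Name ProtocolOrder -ErrorAction SilentlyContinue).ProtocolOrder
    if ($order -eq $null) { return $false }
    return (@($order | Where-Object { $_ -ne 'tcp' }).Count -eq 0)
}

# Usage on each federation server (adfs1, adfs2):
$cfg = New-MirroredConnectionString -Principal 'sql1' -Mirror 'sql2' -Database 'AdfsConfiguration'
$art = New-MirroredConnectionString -Principal 'sql1' -Mirror 'sql2' -Database 'AdfsArtifactStore'
Set-AdfsConfigDbConnection -ConnectionString $cfg      # per server: lives in local WMI
Set-AdfsArtifactDbConnection -ConnectionString $art    # farm-wide: lives in the configuration database
Test-AdfsDbConnections -Principal 'sql1' -Mirror 'sql2'
if (-not (Test-SqlClientProtocolOrder)) { Write-Warning "SQL client protocol order is not TCP/IP only on $env:COMPUTERNAME" }
```

Test-AdfsDbConnections is worth rerunning after a planned mirror failover test: if AD FS keeps working while sql1 is stopped, both strings are correct; if only the artifact store fails, the configuration string was applied but the artifact one was not (or vice versa), which the returned object makes visible per database.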

Comments
  • In Step 3, the "/FederatedServiceName" parameter for the "fsconfig.exe CreateSQLFarm" example is incorrect. It should read "/FederationServiceName". The parameter shown in the screen shot is correct, obviously.

  • hsuyanto edited Revision 2. Comment: Fixed the command line - thanks Fabio and Bryan

  • Fixed the command line, thanks Fabio.

  • Based on the title of this article, I believe it should talk about how to configure NLB/IIS and ADFS.  For example - a piece I was missing, as a newb to all of this, was that you have to export the certificate from ADFS1 and import it to ADFS2.

  • The ADFS 2.0 design guide has a ")" in the link at the end. Here is the link without this: technet.microsoft.com/.../adfs2-design-guide(WS.10).aspx

  • hsuyanto edited Revision 4. Comment: Thanks to Mat, Sr. SE, MS UK.

  • Thanks guys, I've updated the article.

  • In Step 6, "temp= Get-WMIObject -namespace root/ADFS -class SecurityTokenService"

    Should read "$temp= Get-WMIObject -namespace root/ADFS -class SecurityTokenService" (missing $ in front of powershell variable)

  • Do I have to export the certificates from ADFS1 and import them into ADFS2, SQL1 and SQL2?

  • Miltek: Thanks for the feedback, that's the beauty of community. Updated the doc,

    Joe: Yes, you need to import certificates from ADFS1 to ADFS2 (and future additional ADFS server). You don't need certificate for SQL Servers.

  • Are Token Replay Detection and Artifact Resolution supported in this configuration? The reason I ask is that the "Active Directory Federation Services (AD FS) 2.0 Capacity Planning Guide" details that "in a geo-redundant deployments, token replay detection and artifact resolution are not supported".

  • Jewel Lambert edited Revision 7. Comment: Corrected spelling typo

  • First; this is an awesome walkthrough. I noticed on step 4, the b in /CertThumbPrint is missing.

    Also, when I ran this command I was getting an error "The following error occurred: The argument "24" was not recognized." It had to do with the thumbprint switch, so I put an additional " at the end and it ran. I think it had to do with the spaces between the thumbprint numbers. I also have a problem/question that I'm having in a few minutes.

  • Ok. Now my problem;

    At the end of step 4, I wanted to make sure ADFS was working at my DR site. I opened the AD FS console and everything looked good, but when I click on the relying party trust container, I'm getting an error… Initially, a dialog pops up saying retrieved 0 of 2 relying party trusts and it hangs there for a few seconds. Then I get the error message "an error occurred during an attempt to access the ADFS configuration database: error message: ADMIN0017: an exception occurred while connecting to the configuration service. The configuration service URL 'net.tcp://localhost:1500/policy' may be incorrect or the AD FS 2.0 windows service is not running." this didn’t happen when I clicked on claims provider trusts or attribute stores and they populated correctly. I scoured the internet and haven’t found a solution to this problem. I verified the other additional ADFS servers at the data center and as far as I can tell, they are configured the same. The DR site has a 5mb Ethernet connection, so I’m wondering if the latency is too high (round trip is 72ms and TTL is 127 to the SQL Db).

    I wanted to put this out there to see if anyone else is having or maybe resolved this issue. I don’t see any events in the ADFS event log.
