ADFS 2.0 can be designed with high availability and resiliency to provide authentication service for the applications. Inspired by the MSIT technical case study: Enhancing Federation Services for Internal and External Partners
(http://technet.microsoft.com/en-us/library/ff803566.aspx). This article is try to give
simple walkthrough on how to achieve this (ADFS design planning is not in-scope, for more information on this topic, refer to AD FS 2.0 Design Guide (http://technet.microsoft.com/en-us/library/dd807036(WS.10).aspx).
The walkthrough scenario based on the following diagram, and it is simplified (without SQL Server cluster and AD FS proxy):
There will be 2 sites, called Datacenter and Disaster Recovery (DR) Site. At the Datacenter site, an AD FS 2.0 server called adfs1 will be installed here and connected to sql1 SQL Server 2008 server configuration database. At the DR Site, another AD FS 2.0
server called adfs2 will be installed as additional server and connect to the same configuration database, sql1. Another SQL Server 2008 server called sql2 will be installed and configured as mirrored database for sql1.
Off course, this scenario can be enhanced further by using the clustered SQL Server on both sites with more AD FS 2.0 server.
To configure the configuration above, the following steps are required:
1. Setup SQL Server (sql1)
2. Create AD FS 2.0 service account using the domain account and create login in SQL Server using this account (integrated security)
3. Installing first AD FS 2.0
Fsconfig.exe CreateSQLFarm /ServiceAccount <Domain\ServiceAccount> /SQLConnectionString “Database=AdfsConfiguration;server=<SQL Cluster Servername>;integrated security=SSPI”
/FederationServiceName <NLB server name>
NOTE: Database name should be AdfsConfiguration, cannot be changed to othername. AD FS 2.0 will create database with this name.
4. Installing additional AD FS 2.0 server
FSConfig.exe joinSQLFarm /ServiceAccount <Domain\ServiceAccount> /SQLConnectionString "database=<databasename>;server=<SQLservername>\<SQLInstancename>;integrated security=SSPI " /CertThumPrint “xx xx xx xx xx xx
xx xx xx xx xx xx xx xx xx xx xx xx xx xx”
NOTE: The certificate thumbprint is the AD FS 2.0 Service Communication certificate
5. Configuring Mirroring
6. Update the connection string for both databases (I referred to this article
) so ADFS 2.0 aware of the mirrored database
NOTE: For the SQL Server failover, it is suggested to use the TCP/IP protocol for the communication (rather than Named Pipes), to configure the TCP/IP communication, you need to perform these steps on
each ADFS server:
In Step 3, the "/FederatedServiceName" parameter for the "fsconfig.exe CreateSQLFarm" example is incorrect. It should read "/FederationServiceName". The parameter shown in the screen shot is correct, obviously.
Fixed the command line, thanks Fabio.
Based on the title of this article, I believe it should talk about how to configure NLB/IIS and ADFS. For example - a piece I was missing, as a newb to all of this, was that you have to export the certificate from ADFS1 and import it to ADFS2.
The ADFS 2.0 design guide has a ")" in the link at the end. Here is the link without this: technet.microsoft.com/.../adfs2-design-guide(WS.10).aspx
Thanks guys, I've updated the article.
In Step 6, "temp= Get-WMIObject -namespace root/ADFS -class SecurityTokenService"
Should read "$temp= Get-WMIObject -namespace root/ADFS -class SecurityTokenService" (missing $ in front of powershell variable)
Do I've to export the certificates from ADFS1 and import them into ADFS2, SQL1 and SQL2.
Miltek: Thanks for the feedback, that's the beauty of community. Updated the doc,
Joe: Yes, you need to import certificates from ADFS1 to ADFS2 (and future additional ADFS server). You don't need certificate for SQL Servers.
Are Token Replay Detection and Artifact Resolution supported in this configuration? The reason I ask is “Active Directory Federation Services (AD FS) 2.0 Capacity Planning Guide” detailes "in a geo-redundant deployments, token replay detection and artifact resolution are not supported".
First; this is an awesome walkthrough. I noticed on step 4, the b in /CertThumbPrint is missing.
Also, when I ran this command I was getting an error "The following error occurred: The argument "24" was not recognized." it had to do with the thumbprint switch, so I put an additional " at the end and it ran. I think it had to do with the spaces between the thumbprint numbers. I also have a problem/question, that i'm having in a few minutes.