AD FS 2.0 can be designed for high availability and resiliency so that it keeps providing authentication services to applications. This walkthrough is inspired by the MSIT technical case study: Enhancing Federation Services for Internal and External Partners (http://technet.microsoft.com/en-us/library/ff803566.aspx). This article tries to give a simple walkthrough on how to achieve this (AD FS design planning is out of scope; for more information on that topic, refer to the AD FS 2.0 Design Guide (http://technet.microsoft.com/en-us/library/dd807036(WS.10).aspx)).
The walkthrough scenario is based on the following diagram, and it is simplified (no SQL Server cluster and no AD FS proxy):
There are two sites, called Datacenter and Disaster Recovery (DR) Site. At the Datacenter site, an AD FS 2.0 server called adfs1 is installed and connected to the configuration database on the SQL Server 2008 server sql1. At the DR site, another AD FS 2.0 server called adfs2 is installed as an additional server and connects to the same configuration database on sql1. Another SQL Server 2008 server called sql2 is installed and configured as the mirror database for sql1.
Of course, this scenario can be enhanced further by using clustered SQL Server at both sites with more AD FS 2.0 servers.
To build the configuration above, the following steps are required:
1. Set up SQL Server (sql1)
2. Create the AD FS 2.0 service account as a domain account and create a login in SQL Server for this account (integrated security)
3. Install the first AD FS 2.0 server
Fsconfig.exe CreateSQLFarm /ServiceAccount <Domain\ServiceAccount> /SQLConnectionString "Database=AdfsConfiguration;server=<SQL Cluster Servername>;integrated security=SSPI" /FederationServiceName <NLB server name>
NOTE: The database name must be AdfsConfiguration; it cannot be changed to another name. AD FS 2.0 will create the database with this name.
4. Install an additional AD FS 2.0 server
FSConfig.exe JoinSQLFarm /ServiceAccount <Domain\ServiceAccount> /SQLConnectionString "database=<databasename>;server=<SQLservername>\<SQLInstancename>;integrated security=SSPI" /CertThumbprint "xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx"
NOTE: The certificate thumbprint is that of the AD FS 2.0 Service Communication certificate
5. Configure mirroring
6. Update the connection string for both databases (I referred to this article) so that AD FS 2.0 is aware of the mirrored database
NOTE: For SQL Server failover, it is suggested to use the TCP/IP protocol for the communication (rather than Named Pipes). To configure TCP/IP communication, you need to perform these steps on each AD FS server:
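As an added example for step 6 (this is not code from the article or from the article it refers to), the following PowerShell script rewrites the connection strings of the two databases an AD FS 2.0 SQL farm uses, so that sql2 is named as the mirroring failover partner, and then checks which partner actually answers and what mirroring state SQL Server reports. It assumes the server names sql1 and sql2 from the scenario, default SQL instances, the default database names AdfsConfiguration and AdfsArtifactStore, and that mirroring (step 5) is already in place. The configuration database string lives in the AD FS WMI class and must be set on each farm member; the artifact string is farm-wide and only needs to be set once. Forcing TCP/IP through the Network Library connection-string keyword is one option chosen here, not the page's own procedure.

```powershell
# Added example (not from the original article): point AD FS 2.0 at the
# mirrored SQL Server pair and verify failover-aware connectivity.
# Run in an elevated PowerShell on each AD FS 2.0 farm member (adfs1, adfs2).
# Assumptions: principal sql1, mirror sql2, default instances, databases
# AdfsConfiguration and AdfsArtifactStore, mirroring already configured.

$principal = 'sql1'
$mirror    = 'sql2'

function New-MirroredConnectionString {
    param(
        [Parameter(Mandatory)][string]$Database,
        [string]$Principal = $principal,
        [string]$FailoverPartner = $mirror
    )
    # "Failover Partner" lets SqlClient reconnect to the mirror automatically when
    # the principal is down. "Network Library=DBMSSOCN" forces TCP/IP instead of
    # Named Pipes (assumed alternative to configuring the client protocol itself).
    "Data Source=$Principal;Failover Partner=$FailoverPartner;Initial Catalog=$Database;Integrated Security=True;Network Library=DBMSSOCN"
}

function Set-AdfsMirroredConnectionStrings {
    # Configuration database: stored per server in the AD FS WMI class and read
    # at service start, so the AD FS 2.0 Windows Service is restarted afterwards.
    $sts = Get-WmiObject -Namespace 'root\ADFS' -Class 'SecurityTokenService'
    $sts.ConfigurationDatabaseConnectionString = New-MirroredConnectionString -Database 'AdfsConfiguration'
    $null = $sts.Put()

    # Artifact resolution database: stored in the farm configuration (run once per farm).
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    Set-ADFSProperties -ArtifactDbConnection (New-MirroredConnectionString -Database 'AdfsArtifactStore')

    Restart-Service adfssrv
}

function Test-AdfsDatabaseFailover {
    param([string]$ConnectionString = (New-MirroredConnectionString -Database 'AdfsConfiguration'))
    # Opens exactly the string AD FS will use and reports which partner answered
    # and the mirroring role/state SQL Server sees for the configuration database.
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @"
SELECT @@SERVERNAME AS answered_by, mirroring_role_desc, mirroring_state_desc
FROM sys.database_mirroring
WHERE database_id = DB_ID('AdfsConfiguration')
"@
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            [pscustomobject]@{
                AnsweredBy     = $reader['answered_by']
                MirroringRole  = $reader['mirroring_role_desc']
                MirroringState = $reader['mirroring_state_desc']
            }
        }
    }
    finally { $conn.Dispose() }
}

Set-AdfsMirroredConnectionStrings
Test-AdfsDatabaseFailover
```

Run Test-AdfsDatabaseFailover before and after a manual failover of the mirroring session: the AnsweredBy value should switch from sql1 to sql2 while MirroringState stays SYNCHRONIZED, and the AD FS 2.0 Windows Service should keep issuing tokens without a restart. A PRINCIPAL row with state DISCONNECTED or SUSPENDED means the mirror is not protecting the farm even though the connection string names it.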
In Step 3, the "/FederatedServiceName" parameter for the "fsconfig.exe CreateSQLFarm" example is incorrect. It should read "/FederationServiceName". The parameter shown in the screen shot is correct, obviously.
Fixed the command line, thanks Fabio.