Resources For IT Professionals
Post an article
Wikis - Page Details
  • First published by
  • When: 25 Nov 2010 1:12 AM
  • Last revision by (Microsoft Partner)
  • When: 15 May 2013 8:29 AM
  • Revisions: 17
  • Comments: 23
Options
RSSSubscribe to Article (RSS)
Can You Improve This Article?
Positively! Click Sign In to add the tip, solution, correction or comment that will help other users.

Report inappropriate content using these instructions.
Wiki  >  TechNet Articles  >  ADFS 2.0 High Availability and High Resiliency Walkthrough

ADFS 2.0 High Availability and High Resiliency Walkthrough

ADFS 2.0 High Availability and High Resiliency Walkthrough

ADFS 2.0 can be designed with high availability and resiliency to provide authentication service for the applications. Inspired by the MSIT technical case study: Enhancing Federation Services for Internal and External Partners (http://technet.microsoft.com/en-us/library/ff803566.aspx). This article is try to give simple walkthrough on how to achieve this (ADFS design planning is not in-scope, for more information on this topic, refer to AD FS 2.0 Design Guide (http://technet.microsoft.com/en-us/library/dd807036(WS.10).aspx).

The walkthrough scenario based on the following diagram, and it is simplified (without SQL Server cluster and AD FS proxy):



 


There will be 2 sites, called Datacenter and Disaster Recovery (DR) Site. At the Datacenter site, an AD FS 2.0 server called adfs1 will be installed here and connected to sql1 SQL Server 2008 server configuration database. At the DR Site, another AD FS 2.0 server called adfs2 will be installed as additional server and connect to the same configuration database, sql1. Another SQL Server 2008 server called sql2 will be installed and configured as mirrored database for sql1.

Off course, this scenario can be enhanced further by using the clustered SQL Server on both sites with more AD FS 2.0 server.

To configure the configuration above, the following steps are required:

1. Setup SQL Server (sql1)

2. Create AD FS 2.0 service account using the domain account and create login in SQL Server using this account (integrated security)

3. Installing first AD FS 2.0

  • Preparing service communications certificate
  • Create ADFS Farm Database

Fsconfig.exe CreateSQLFarm /ServiceAccount <Domain\ServiceAccount> /SQLConnectionString “Database=AdfsConfiguration;server=<SQL Cluster Servername>;integrated security=SSPI” /FederationServiceName <NLB server name>

For Example:

 NOTE: Database name should be AdfsConfiguration, cannot be changed to othername. AD FS 2.0 will create database with this name.

  • Configuring AD FS 2.0 Signing and Decrypting certificates
  • Export 3 certificates with private key

4. Installing additional AD FS 2.0 server

  • Importing 3 certificates, the certificates must be the same, otherwise AD FS cannot be configured
  • Installing AD FS 2.0 software

FSConfig.exe joinSQLFarm /ServiceAccount <Domain\ServiceAccount>  /SQLConnectionString "database=<databasename>;server=<SQLservername>\<SQLInstancename>;integrated security=SSPI " /CertThumPrint “xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx”

For example:

NOTE: The certificate thumbprint is the AD FS 2.0 Service Communication certificate

5. Configuring Mirroring

  • Setup mirrored SQL Server (sql2)
  • Configuring database mirroring for AdfsConfiguration and AdfsArtifactStore databases

6. Update the connection string for both databases (I referred to this article http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-migrate-your-ad-fs-configuration-database-to-sql-server.aspx ) so ADFS 2.0 aware of the mirrored database

  • Perform this on adfs1, for the AD FS 2.0 configuration database:
    • Stop the ADFS service from Command prompt: net stop adfssrv
    • Open the Windows PowerShell and run the following command on all ADFS Federation Servers (adfs1 and adfs2 in the diagram above):
      • $temp= Get-WMIObject -namespace root/ADFS -class SecurityTokenService
      • $temp.ConfigurationdatabaseConnectionstring=”Data Source=<Principal SQLServer>; Failover Partner=<Mirror SQLServer>;Initial Catalog=AdfsConfiguration;Integrated Security=true”
      • $temp.put()
      • Go back to Command Prompt and start the ADFS service: net start adfssrv
    •  For the AD FS, for the AD FS 2.0 artifact store database. Open the Windows PowerShell and run the following command:
      • Add-PSSnapin Microsoft.ADFS.PowerShell
      • Set-adfsproperties –artifactdbconnection ”Data Source=<Principal SQLServer>; Failover Partner=<Mirror SQLServer>;Initial Catalog=AdfsArtifactStore;Integrated Security=true”
      • Confirm the change using command: Get-adfsproperties
      • Check for ArtifactDbConnection Properties

 NOTE:  For the SQL Server failover, it is suggested to use the TCP/IP protocol for the communication (rather than Named Pipes), to configure the TCP/IP communication, you need to perform these steps on each ADFS server:

  • Launch the client configuration utility. (Start -> Run cliconfg.exe.  It should bring up the dialog shown.
  • Make sure that only TCP/IP is on the list of Enabled protocols.

 

  • Click on OK.

 

, , , , , ,
Sort by: Published Date | Most Recent | Most Useful
Comments
  • 28 Mar 2011 12:46 PM

    In Step 3, the "/FederatedServiceName" parameter for the "fsconfig.exe CreateSQLFarm" example is incorrect. It should read "/FederationServiceName". The parameter shown in the screen shot is correct, obviously.

  • 13 Apr 2011 1:20 AM

    Fixed the command line, thanks Fabio.

  • 27 Jul 2011 6:08 AM

    Based on the title of this article, I believe it should talk about how to configure NLB/IIS and ADFS.  For example - a piece I was missing, as a newb to all of this, was that you have to export the certificate from ADFS1 and import it to ADFS2.

  • 8 Aug 2011 10:37 AM

    The ADFS 2.0 design guide has a ")" in the link at the end. Here is the link without this: technet.microsoft.com/.../adfs2-design-guide(WS.10).aspx

  • 1 Sep 2011 7:07 PM

    Thanks guys, I've updated the article.

  • 4 Nov 2011 9:21 AM

    In Step 6, "temp= Get-WMIObject -namespace root/ADFS -class SecurityTokenService"

    Should read "$temp= Get-WMIObject -namespace root/ADFS -class SecurityTokenService" (missing $ in front of powershell variable)

  • 18 Nov 2011 1:44 AM

    Do I've to export the certificates from ADFS1 and import them into ADFS2, SQL1 and SQL2.

  • 24 Nov 2011 9:43 PM

    Miltek: Thanks for the feedback, that's the beauty of community. Updated the doc,

    Joe: Yes, you need to import certificates from ADFS1 to ADFS2 (and future additional ADFS server). You don't need certificate for SQL Servers.

  • 25 Nov 2011 4:53 AM

    Are Token Replay Detection and Artifact Resolution supported in this configuration? The reason I ask is “Active Directory Federation Services (AD FS) 2.0 Capacity Planning Guide” detailes "in a geo-redundant deployments, token replay detection and artifact resolution are not supported".

  • 30 Apr 2012 11:08 AM

    First; this is an awesome walkthrough. I noticed on step 4, the b in /CertThumbPrint is missing.

    Also, when I ran this command I was getting an error "The following error occurred: The argument "24" was not recognized." it had to do with the thumbprint switch, so I put an additional " at the end and it ran. I think it had to do with the spaces between the thumbprint numbers. I also have a problem/question, that i'm having in a few minutes.

Page 1 of 2 (19 items) 12