AD FS Rapid Restore Tool backup fails with SQL database

  • Question

  • When taking a backup of AD FS configuration the AD FS Rapid Restore Tool fails. This only happens with a federation farm using an SQL database, no problems with WID.

    PS C:\> Backup-ADFS -StorageType "FileSystem" -StoragePath "D:\ADFSBackup" -EncryptionPassword "Passw0rd"
    Backup-ADFS : Failed to connect to the database associated with ADFS
    At line:1 char:1
    + Backup-ADFS -StorageType "FileSystem" -StoragePath "D:\ADFSBackup" -Encry ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Backup-ADFS], Exception
        + FullyQualifiedErrorId : System.Exception,Microsoft.ADFSRapidRecreationTool.BackupADFS
    
    PS C:\>

    Trying to capture the traffic to see what port and/or protocol is used for the connection used by the backup tool yields no results. Any ideas how to troubleshoot and what? The federation service itself is working perfectly with its SQL connection.

    AD FS Rapid Restore Tool documentation makes no mention of database connection parameters or such when using Backup-ADFS cmdlet, only with Restore-ADFS cmdlet.

    • Edited by AnttiS-FI Friday, January 13, 2017 2:26 PM
    Friday, January 13, 2017 1:53 PM

All replies

  • You can use the parameter:

    -DBConnectionString "DataSource=np:\\.\pipe\microsoft##wid\tsql\query;InitialCatalog=AdfsConfiguration;Integrated Security=True"

    Followed with the actual connection string. Here it is a WID.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, January 16, 2017 12:08 AM
  • Thanks, but as mentioned there is no parameter "-DBConnectionString" with the Backup-ADFS cmdlet, only with Restore-ADFS. However, there is an undocumented "-db" parameter in Backup-ADFS, but it doesn't accept the connection string as its input, and since it's undocumented I don't know what it would accept.

    PS C:\> Backup-ADFS -StorageType "FileSystem" -StoragePath D:\ADFSBackup -EncryptionPassword "Passw0rd" -db "Data source=SQLSERVER.CONTOSO.COM,1234;Initial Catalog=AdfsArtifactStore;Integrated Security=True"
    Backup-ADFS : A positional parameter cannot be found that accepts argument 'Data source=SQLSERVER.CONTOSO.COM,1234;Initial Catalog=AdfsArtifactStore;Integrated Security=True'.
    At line:1 char:1
    + Backup-ADFS -StorageType "FileSystem" -StoragePath D:\ADFSBackup -Encrypt ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (:) [Backup-ADFS], ParameterBindingException
        + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.ADFSRapidRecreationTool.BackupADFS
    
    PS C:\>


    • Edited by AnttiS-FI Monday, January 16, 2017 7:32 AM
    Monday, January 16, 2017 7:21 AM
  • Okay, I got this somewhat sorted: the user account I'm running the Backup-ADFS cmdlet as does not have permission to access the ADFS database instance. Once the permissions were granted, the backup was taken successfully.

    However, this made me think why - and how - this does not happen with WID, so I installed an ADFS farm (using WID) in my lab environment and SQL Server 2012 Express alongside it as per this MSDN blog post. I had to log in to Windows using the specified ADFS service account to use the SQL Management Studio "Windows Authentication" successfully, and the "\\.\pipe\microsoft##wid\tsql\query" instance also shows that only the ADFS service account has permission to access the database.

    So this leads me to my next question: How is the AD FS Restore Tool itself able to access the database when it's WID but not when it's SQL? With the farm using SQL we're using a gMSA as a service account if that makes any difference.




    • Edited by AnttiS-FI Wednesday, January 18, 2017 1:58 PM
    Wednesday, January 18, 2017 1:57 PM
  • Hi AnttiS-FI,

    The local administrators group has access to the Windows Internal Database as well. Though I wasn't able to find it documented anywhere, it can be inferred because you cannot run any ADFS commands unless you "Run as Administrator" on PowerShell.

    The UAC features of Windows essentially render usage of the Administrators group permissions useless unless a process is running as an Administrator. So it is the local Administrators group privilege that gives the access.

    Good Luck!

    Shane


    • Edited by Shane Wright Monday, January 23, 2017 3:06 AM Grammar
    Monday, January 23, 2017 3:06 AM
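    The two findings above (the backup runs under the caller's own account, and local Administrators membership only counts once the session is elevated) can be checked before Backup-ADFS is run. The following pre-flight script is an added example written for this thread; it is not part of the AD FS Rapid Restore Tool and not code from any poster. It assumes it runs on an AD FS server where the ADFSRapidRecreationTool and ADFS modules are importable, that the farm's databases use Windows authentication (Integrated Security), as in the thread, and that the backup path D:\ADFSBackup from the question is wanted; the encryption password is a placeholder. Reading the configuration database connection string from the root/ADFS WMI class SecurityTokenService and the artifact store string from Get-AdfsProperties avoids guessing data source or catalog names.

```powershell
# Added pre-flight check for Backup-ADFS (example code, not the tool's or the thread's).
# Assumes: AD FS server, ADFSRapidRecreationTool and ADFS modules available,
# Windows authentication on the SQL-backed farm, as described in the thread.

# 1. Backup-ADFS runs as the caller. Local Administrators membership only takes
#    effect in an elevated process (UAC), so verify elevation up front.
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 2. Read the connection strings the running farm actually uses, instead of
#    guessing the server, port or catalog (the "-db" experiment in the thread).
function Get-AdfsDbConnectionStrings {
    $sts = Get-WmiObject -Namespace 'root/ADFS' -Class 'SecurityTokenService'
    return @{
        Configuration = $sts.ConfigurationDatabaseConnectionString
        ArtifactStore = (Get-AdfsProperties).ArtifactDbConnection
    }
}

# 3. Open each database as the CURRENT account (not the AD FS service account or
#    gMSA). A "Login failed for user" error here is the permission problem the
#    original poster hit; a network or named-pipe error would point elsewhere.
function Test-AdfsDbAccess {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ConnectionString
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection($ConnectionString)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT SUSER_SNAME(), DB_NAME()'
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        Write-Host ("{0}: connected as {1} to database {2}" -f $Name, $reader.GetString(0), $reader.GetString(1))
        $reader.Close()
        return $true
    } catch {
        Write-Warning ("{0}: access failed for {1}\{2}: {3}" -f $Name, $env:USERDOMAIN, $env:USERNAME, $_.Exception.Message)
        return $false
    } finally {
        $conn.Dispose()
    }
}

if (-not (Test-IsElevated)) {
    throw 'Start PowerShell with "Run as Administrator"; Backup-ADFS needs an elevated session.'
}

$dbs = Get-AdfsDbConnectionStrings
$allOk = $true
foreach ($entry in $dbs.GetEnumerator()) {
    Write-Host ("{0} connection string: {1}" -f $entry.Key, $entry.Value)
    if (-not (Test-AdfsDbAccess -Name $entry.Key -ConnectionString $entry.Value)) {
        $allOk = $false
    }
}
if (-not $allOk) {
    throw 'The current account cannot open one or more AD FS databases; grant it access (or use an account that has it) before backing up.'
}

# Placeholder: replace with your own secret handling before use.
$backupPassword = 'REPLACE-WITH-YOUR-BACKUP-PASSWORD'
Backup-ADFS -StorageType 'FileSystem' -StoragePath 'D:\ADFSBackup' -EncryptionPassword $backupPassword
```

    For a WID farm the configuration string will contain the np:\\.\pipe\microsoft##wid\tsql\query data source shown earlier in the thread, and the test succeeds from an elevated session because the local Administrators group has access to WID. For a SQL farm the same test, run as the account that will perform the backup, shows exactly which login SQL Server sees and whether it has been granted access, which is the check that Backup-ADFS's bare "Failed to connect to the database associated with ADFS" message does not give you.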
  • Hi AnttiS-FI,

    The local administrators group has access to the Windows Internal Database as well. Though I wasn't able to find it documented anywhere, it can be inferred because you cannot run any ADFS commands unless you "Run as Administrator" on PowerShell.

    The UAC features of Windows essentially render usage of the Administrators group permissions useless unless a process is running as an Administrator. So it is the local Administrators group privilege that gives the access.

    Good Luck!

    Shane


    Thanks Shane for clarification.

    And AnttiS-FI, if you really want to investigate this further, I can suggest running Process Explorer and looking at which mode/level WID is running in and comparing it to your PowerShell session. I cannot say you will find anything, but it might give some kind of information.

    Monday, January 23, 2017 4:55 PM