What is the impact if the ADFS database is not available, and why?

  • Question

  • We do not have multiple environments, but we need to do maintenance activities on the database.

    We want to know what the role of the ADFS database is. Will it keep serving the SSO features for all the RPTs if the database is down or not?

    Monday, July 8, 2019 3:33 PM

All replies

  • No database = no service.

    No new authentication, no new token issuance. It's like you turned off the ADFS farm.

    Now, why are you using SQL? In many cases, a WID database is enough, and since each ADFS server will have its own WID database, there is no availability issue as long as you don't turn off all ADFS servers at the same time.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, July 8, 2019 5:23 PM
  • Thanks for the answer. We are using MS SQL Server for HA, so that the 2nd ADFS server also has the same information (the RPTs) when the primary ADFS server is down.

    Do you have any URL for the official documentation where it says that the ADFS service will not work if the database is not available?


    Monday, July 8, 2019 6:20 PM
  • You can achieve this scenario even without SQL. That's the point of my remark. The only limitations with WID are the following:

    • A WID farm has a limit of 30 federation servers if you have 100 or fewer relying party trusts.
    • A WID farm does not support token replay detection or artifact resolution (part of the Security Assertion Markup Language (SAML) protocol).

    More info here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/federation-server-farm-using-wid

    You can move from SQL to WID using ADFS Rapid Restore (which basically does a backup of your SQL-based ADFS farm and restores it on a server, specifying the local WID database option): https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-rapid-restore-tool

    If you want to do HA with SQL, you can refer to this documentation: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/federation-server-farm-using-sql-server

    Regarding a document that states that the database must be available for the service to work, there is nothing I am aware of. It is self-explanatory though, as the database is a requirement. You can infer it from reading the SQL troubleshooting guide: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-sql


    • Marked as answer by Salman Rafiq Tuesday, July 9, 2019 1:59 PM
    Monday, July 8, 2019 8:58 PM
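The WID-versus-SQL distinction in the reply above decides what an outage of the configuration database means for a node. The following is an added example (not code from this thread or from Microsoft) that reads the configuration database connection string an AD FS server actually uses, tells WID from SQL Server, and checks whether the dependency is currently met; it assumes it is run elevated on an AD FS 2012 R2 or later server.

```powershell
# Added example, not from the thread: report which configuration database this
# AD FS node depends on and whether that dependency is currently satisfied.
# Assumes an elevated session on an AD FS 2012 R2 (or later) server.

# The SecurityTokenService WMI class exposes the configuration DB connection string.
$sts  = Get-WmiObject -Namespace 'root\ADFS' -Class SecurityTokenService
$conn = $sts.ConfigurationDatabaseConnectionString
Write-Host "Configuration DB connection string: $conn"

if ($conn -match 'MICROSOFT##WID') {
    # WID farm: each node holds its own copy inside the Windows Internal Database
    # service, so this node keeps issuing tokens as long as that local service is up.
    $wid = Get-Service -Name 'MSSQL$MICROSOFT##WID' -ErrorAction SilentlyContinue
    Write-Host "Database type: WID (local), service state: $($wid.Status)"
    # Only the primary node has the writable copy; secondaries replicate from it.
    $sync = Get-AdfsSyncProperties
    Write-Host "Farm role: $($sync.Role), primary node: $($sync.PrimaryComputerName)"
}
else {
    # SQL farm: every node talks to the same remote database, so if that server
    # is unreachable no node can authenticate users or issue tokens.
    if ($conn -match 'Data Source=([^;]+)') {
        $source = $Matches[1]          # host, host\instance, host,port or host\instance,port
        $port   = 1433
        if ($source -match ',(\d+)$') {
            $port   = [int]$Matches[1]
            $source = $source -replace ',\d+$', ''
        }
        $sqlHost = ($source -split '\\')[0]
        # A named instance without an explicit port is located via SQL Browser
        # (UDP 1434); the TCP probe below only covers the default or explicit port.
        $ok = Test-NetConnection -ComputerName $sqlHost -Port $port -InformationLevel Quiet
        Write-Host "Database type: SQL Server ($source), TCP $port reachable: $ok"
    }
}

# Independently of the database, confirm the AD FS service itself is running.
$adfs = Get-Service -Name adfssrv
Write-Host "adfssrv state: $($adfs.Status)"
```

On a SQL farm, run this from each node before database maintenance: a reachable server on every node is the precondition the thread describes, and a single unreachable result means that node will stop issuing tokens for the duration of the outage.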
  • Thanks for the answer. I will take this as the answer and confirm that if the database has outages, then all SSO will be impacted.
    Tuesday, July 9, 2019 1:59 PM