How easy is it to trash and rebuild an ADFS server?

  • Question

  • I have a single ADFS server which has 2 WAP servers authenticating against it.

    The Group Managed Service Account used by the ADFS server was accidentally deleted in AD. After restoring the account, the ADFS server refused to work correctly any more and the WAP servers couldn't connect to it, even though they are still working with a cached(?) configuration.

    I have no ADFS Claims or Relying Trusts defined, in fact it's pretty much a vanilla configuration, so nothing complex.

    Can I simply blow it away, rebuild it, and still be able to re-establish the WAP servers' trust with the new server?


    • Edited by AndyChips Tuesday, July 16, 2019 2:23 PM
    Tuesday, July 16, 2019 11:25 AM

All replies

  • Hiya,

    To answer your question directly, it really depends on the amount of customizations in your solution. Claims definitions etc.

    Secondly, how about just changing the ADFS service account?

    https://gallery.technet.microsoft.com/scriptcenter/Active-Directory-ddb67df0

    Has the account been restored using the same SID? If not, that is your root cause. Anyway, just change the service account and you should be rolling.

    Wednesday, July 17, 2019 8:28 AM
  • Thanks Jesper,

    As I mention in my original post, I don't have any custom claims or definitions. It's basically a vanilla build.

    I did try that script but it came up with all kinds of errors - sorry, but I didn't take note. I did persist with it for a long time but concluded my ADFS server was just too far gone.

    I can't confirm whether the SID is the same as I have nothing to compare it with. All I could do was restore the account, and that's the SID I ended up with.

    I'm more than happy to build a new ADFS server, as it really doesn't take long. I just need to know that my WAP servers will stay up and doing their web publishing until it comes to re-establish their trust with the new server - I have only assumed that this is how it should work. Can you confirm this?


    Wednesday, July 17, 2019 8:58 AM
  • Hi Andy,

    Your ADFS server will continue to operate until the service is restarted, one way or the other, and will thereby fail reauthentication. The trust is "not based on the account" but on a running service. So as long as your ADFS service does not restart, you should be fine.

    If you don't have any custom claims or definitions, you can spin up an ADFS farm, same name and everything, run it in parallel, test using a hosts file name change, and whenever it needs to switch, update the DNS.

    Wednesday, July 17, 2019 11:09 AM
  • Thanks Jesper,

    I just want to clarify something. You say "Your ADFS server will continue to operate until the service is restarted". I hope you mean the WAP servers?

    Wednesday, July 17, 2019 11:15 AM
  • Different, but same :) - Your WAP won't be able to authenticate any "PreAuthentication" type applications, using ADFS, when the ADFS service is not running.

    So if your ADFS service is not running currently, your WAP is not working either. (Unless it's not even using the ADFS)

    ADFS is only a dependency for WAP if you're using Preauthentication, not for pass-through. <-- This is not true. Corrected, see below post by asker.


    • Edited by Jesper Arnecke Wednesday, July 17, 2019 6:48 PM Faulty post edited
    Wednesday, July 17, 2019 11:25 AM
  • OK, all the published web apps on the WAP servers are using Pass-through, so I guess I can go ahead and completely rebuild my ADFS server - as long as I don't restart the WAP servers until I've re-established trust.
    Wednesday, July 17, 2019 11:40 AM
  • Actually you don't even need an ADFS for your WAP, as you are using pass-through. So applications are just using whatever authentication they have configured :)

    • Marked as answer by AndyChips Wednesday, July 17, 2019 12:03 PM
    Wednesday, July 17, 2019 11:54 AM
  • Oh, I never realised that - thanks.
    Wednesday, July 17, 2019 12:03 PM
  • Welcome :) - Money in the bank! :)
    Wednesday, July 17, 2019 12:11 PM
  • OK, just finished the rebuild. A few observations:

    1. As soon as the ADFS server was rebuilt the WAP servers could no longer be administered. The Remote Access Console reported:

    • Web Application Proxy could not connect to the AD FS configuration storage and could not load the configuration. Make sure the Web Application Proxy can connect to the AD FS server, and if not, run the Install-WebApplicationProxy command (0x8007520C)

    2. All the published web apps disappeared from the console, meaning they could no longer be administered. I wasn't expecting that.

    3. Running the command Get-WebApplicationProxyApplication produced the following error (again, I didn't expect this):

    • Web Application Proxy could not connect to the AD FS configuration storage and could not load the configuration. Make sure that the WebApplication Proxy server can connect to the AD FS server, and if not, run the Install-WebApplicationProxy command.
      (0x8007520c)
      At line:1 char:1
      + Get-WebApplicationProxyApplication
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidData: (WmiPSProvider:root/Microsoft/...roxyApplication) [Get-WebApplicationProxyApplication], CimException
          + FullyQualifiedErrorId : WIN32 13,Get-WebApplicationProxyApplication

    4. I had to remove the ADFS role and the server from the domain and re-add it after manually removing the existing computer account from AD.

    5. I had to manually remove the Windows Internal Database from C:\Windows\WID\Data

    6. I had to remove the existing Managed Service Account from AD.

    7. I was then able to re-add the ADFS server back into the domain and add the ADFS role - which configured successfully.

    8. I then ran the WAP wizard again after first setting the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADFS\ProxyConfigurationStatus to 1

    9. The WAP server then re-established trust with the ADFS server but all published web apps had disappeared. This was a bit of a surprise, as I thought their configuration was stored on the WAP server. Either way it wasn't a major pain as I only had a few to recreate.
    Moral of the story: back up the WAP server's published apps before you start the process.

    So, it didn't go quite as expected but at least I'm up and running again. I hope this helps someone else.

    • Edited by AndyChips Wednesday, July 17, 2019 3:46 PM
    • Proposed as answer by Jesper Arnecke Wednesday, July 17, 2019 6:43 PM
    • Marked as answer by AndyChips Thursday, July 18, 2019 7:38 AM
    Wednesday, July 17, 2019 3:10 PM
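The "back up the WAP server's published apps before you start" lesson from the post above, as an added PowerShell example that is not part of this thread: it exports the published applications to JSON while the WAP server can still read its AD FS configuration (before step 4), and recreates them with Add-WebApplicationProxyApplication after trust is re-established (after step 9). The backup path and the choice of exported properties are assumptions.

```powershell
# Added example, not from the thread. Requires the WebApplicationProxy module on the WAP server.
# Run Export-WapApplications BEFORE the ADFS rebuild; Import-WapApplications after
# Install-WebApplicationProxy / the WAP wizard has re-established trust.
$BackupPath = 'C:\WAPBackup\wap-apps.json'   # assumed location, choose your own

function Export-WapApplications {
    param([string]$Path = $BackupPath)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # Keep only the properties needed to recreate each app with Add-WebApplicationProxyApplication.
    $apps = @(Get-WebApplicationProxyApplication | Select-Object `
        Name, ExternalUrl, BackendServerUrl, ExternalCertificateThumbprint,
        ExternalPreauthentication, ADFSRelyingPartyName, BackendServerAuthenticationSPN)
    # -InputObject keeps a single app as a JSON array instead of unwrapping it.
    ConvertTo-Json -InputObject $apps -Depth 3 | Set-Content -Path $Path -Encoding UTF8
    Write-Host "Exported $($apps.Count) application(s) to $Path"
}

function Import-WapApplications {
    param([string]$Path = $BackupPath)
    $apps = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
    foreach ($app in $apps) {
        # Idempotent: skip apps that already exist, so a partial restore can be re-run safely.
        if (Get-WebApplicationProxyApplication -Name $app.Name -ErrorAction SilentlyContinue) {
            Write-Host "Skipping existing app $($app.Name)"
            continue
        }
        $params = @{
            Name                          = $app.Name
            ExternalUrl                   = $app.ExternalUrl
            BackendServerUrl              = $app.BackendServerUrl
            ExternalCertificateThumbprint = $app.ExternalCertificateThumbprint
            ExternalPreauthentication     = $app.ExternalPreauthentication   # 'PassThrough' or 'ADFS'
        }
        # Only ADFS pre-authenticated apps carry a relying party name; pass-through apps do not.
        if ($app.ExternalPreauthentication -eq 'ADFS' -and $app.ADFSRelyingPartyName) {
            $params.ADFSRelyingPartyName = $app.ADFSRelyingPartyName
        }
        # Kerberos constrained delegation backends need their SPN restored too.
        if ($app.BackendServerAuthenticationSPN) {
            $params.BackendServerAuthenticationSPN = $app.BackendServerAuthenticationSPN
        }
        Add-WebApplicationProxyApplication @params
        Write-Host "Recreated app $($app.Name)"
    }
}
```

Check the export file by eye before the rebuild: if it is empty because the WAP server already lost its AD FS configuration (the 0x8007520C error above), the apps must be recreated from your own records instead.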