

ADFS 2.0 High Availability and High Resiliency Walkthrough


ADFS 2.0 can be designed with high availability and resiliency to provide authentication services for applications. This article is inspired by the MSIT technical case study Enhancing Federation Services for Internal and External Partners (http://technet.microsoft.com/en-us/library/ff803566.aspx) and gives a simple walkthrough of how to achieve this. ADFS design planning is out of scope; for more information on that topic, refer to the AD FS 2.0 Design Guide (http://technet.microsoft.com/en-us/library/dd807036(WS.10).aspx).

The walkthrough scenario is based on the following diagram, which is simplified (no SQL Server cluster and no AD FS proxy):

 

There will be two sites, called the Datacenter site and the Disaster Recovery (DR) site. At the Datacenter site, an AD FS 2.0 server called adfs1 is installed and connected to the configuration database on sql1, a SQL Server 2008 server. At the DR site, another AD FS 2.0 server called adfs2 is installed as an additional server and connects to the same configuration database on sql1. Another SQL Server 2008 server called sql2 is installed and configured as the mirror database server for sql1.

Of course, this scenario can be enhanced further by using clustered SQL Server on both sites with more AD FS 2.0 servers.

To build the configuration above, the following steps are required:

1. Set up SQL Server (sql1)

2. Create the AD FS 2.0 service account as a domain account and create a login in SQL Server for this account (integrated security)

3. Install the first AD FS 2.0 server

  • Prepare the service communications certificate
  • Create the AD FS farm database:

Fsconfig.exe CreateSQLFarm /ServiceAccount <Domain\ServiceAccount> /SQLConnectionString "Database=AdfsConfiguration;server=<SQL Cluster Servername>;integrated security=SSPI" /FederationServiceName <NLB server name>

For Example:

 NOTE: The database name must be AdfsConfiguration; it cannot be changed to another name. AD FS 2.0 will create the database with this name.

  • Configure the AD FS 2.0 signing and decrypting certificates
  • Export the 3 certificates (service communications, signing and decrypting) with their private keys

4. Install an additional AD FS 2.0 server

  • Import the 3 certificates; they must be the same certificates as on the first server, otherwise AD FS cannot be configured
  • Install the AD FS 2.0 software and join the farm:

FSConfig.exe JoinSQLFarm /ServiceAccount <Domain\ServiceAccount> /SQLConnectionString "database=<databasename>;server=<SQLservername>\<SQLInstancename>;integrated security=SSPI" /CertThumbprint "xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx"

For example:

NOTE: The certificate thumbprint is that of the AD FS 2.0 service communications certificate.

5. Configure mirroring

  • Set up the mirror SQL Server (sql2)
  • Configure database mirroring for the AdfsConfiguration and AdfsArtifactStore databases

6. Update the connection string for both databases so that ADFS 2.0 is aware of the mirrored database (I referred to this article: http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-migrate-your-ad-fs-configuration-database-to-sql-server.aspx)

  • For the AD FS 2.0 configuration database, perform this on every AD FS federation server (adfs1 and adfs2 in the diagram above):
    • Stop the ADFS service from a Command Prompt: net stop adfssrv
    • Open Windows PowerShell and run the following commands:
      • $temp = Get-WMIObject -Namespace root/ADFS -Class SecurityTokenService
      • $temp.ConfigurationDatabaseConnectionString = "Data Source=<Principal SQLServer>;Failover Partner=<Mirror SQLServer>;Initial Catalog=AdfsConfiguration;Integrated Security=true"
      • $temp.Put()
      • Go back to the Command Prompt and start the ADFS service: net start adfssrv
    • For the AD FS 2.0 artifact store database, open Windows PowerShell and run the following commands:
      • Add-PSSnapin Microsoft.ADFS.PowerShell
      • Set-AdfsProperties -ArtifactDbConnection "Data Source=<Principal SQLServer>;Failover Partner=<Mirror SQLServer>;Initial Catalog=AdfsArtifactStore;Integrated Security=true"
      • Confirm the change with: Get-AdfsProperties
      • Check the ArtifactDbConnection property
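The whole of step 6 as one script, with a verification pass at the end, as an added example (not code from the original article). It assumes it is run elevated on each federation server; the sql1/sql2 host names are placeholders, and the catalog names are the fixed ones AD FS 2.0 uses.

```powershell
# Added example, not from the original article. Applies step 6 on this AD FS 2.0
# server, then re-reads both connection strings and checks they name the mirror.
$Principal = 'sql1.corp.example'   # placeholder: principal SQL Server
$Mirror    = 'sql2.corp.example'   # placeholder: mirror SQL Server

function New-MirroredConnectionString([string]$Catalog) {
    # Build the string with the .NET builder so keys and quoting are always well-formed.
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b.DataSource         = $Principal
    $b.FailoverPartner    = $Mirror
    $b.InitialCatalog     = $Catalog
    $b.IntegratedSecurity = $true      # Windows auth: no SQL password in the string
    return $b.ConnectionString
}

function Test-MirroredConnectionString([string]$ConnectionString, [string]$Catalog) {
    # $true only if both partners, the expected catalog and integrated security are present.
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder($ConnectionString)
    return ($b.DataSource -eq $Principal) -and ($b.FailoverPartner -eq $Mirror) -and
           ($b.InitialCatalog -eq $Catalog) -and $b.IntegratedSecurity
}

# --- Configuration database: stored in WMI, service must be stopped while changing it ---
Stop-Service adfssrv
$sts = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
$sts.ConfigurationDatabaseConnectionString = New-MirroredConnectionString 'AdfsConfiguration'
$sts.Put() | Out-Null
Start-Service adfssrv

# --- Artifact store database: changed through the AD FS snap-in ---
Add-PSSnapin Microsoft.ADFS.PowerShell -ErrorAction SilentlyContinue
Set-AdfsProperties -ArtifactDbConnection (New-MirroredConnectionString 'AdfsArtifactStore')

# --- Verify by reading the stored values back rather than trusting the assignments ---
$cfg = (Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService).ConfigurationDatabaseConnectionString
$art = (Get-AdfsProperties).ArtifactDbConnection
if (-not (Test-MirroredConnectionString $cfg 'AdfsConfiguration')) {
    throw "Configuration DB connection string is not mirror-aware: $cfg"
}
if (-not (Test-MirroredConnectionString $art 'AdfsArtifactStore')) {
    throw "Artifact store connection string is not mirror-aware: $art"
}
"Both AD FS databases will fail over from $Principal to $Mirror."
```

Run it once per federation server; the artifact store setting is farm-wide, so re-applying it on the second server is harmless.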

 NOTE: For SQL Server failover, it is suggested to use the TCP/IP protocol for communication (rather than Named Pipes). To configure TCP/IP communication, perform these steps on each ADFS server:

  • Launch the client configuration utility (Start -> Run, cliconfg.exe). It should bring up the dialog shown.
  • Make sure that only TCP/IP is in the list of enabled protocols.

 

  • Click on OK.