Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2016-10-05) Exporting And Importing ADFS Configuration For Cloning Or Recovery Purposes

Posted by Jorge on 2016-10-05


Microsoft has released a tool to export and import the complete ADFS configuration to/from a file on either the local file system or in Azure.

With this tool the assumption is made that your complete ADFS farm is dead and the only thing you have is a backup or the exported configuration, OR that you want to rebuild the ADFS farm in another environment. As it is mandatory to encrypt the backup/export, make sure to store the password in a safe location with controlled access. You don't want to end up with a backup/export and no longer know the password to decrypt it! When you want to rebuild the ADFS farm in another environment (e.g. production environment to test environment), please be very careful where that backup/export ends up. Remember it contains all the certificates used by the ADFS farm, and especially the Token Signing certificate and the Token Encryption certificate are very important.

With the backup, it exports everything in the ADFS configuration database. The ADFS configuration is stored in the files “config.xml”, “db.xml”, “installParams.xml” and “metadata.xml”. Except for that last file, the other files are encrypted with the password specified during the backup/export.

It also exports all ADFS related certificates and corresponding private keys from the local machine certificate store if those private keys are exportable. To find out which certificates to export to a PFX file, the tool looks in ADFS to find all the primary and secondary configured certificates for the service communication certificate, the token signing certificate and the token encryption certificate. It also checks which certificate is configured as the SSL certificate for the binding "<FQDN Federation Service>:443" (viewable with NETSH HTTP SHOW SSLCERT). The SSL certificate is stored in the file "SSLCert-<Thumbprint>.pfx". The primary and secondary certificates for the service communication certificate, the token signing certificate and the token encryption certificate are exported to a file "OtherCert-<Thumbprint>.pfx". All PFX files are protected with the password specified during the backup/export.
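Because the tool only exports private keys that are marked exportable, it is worth knowing before you run a backup which of the certificates it will look for actually have an exportable key in the local machine store. The following script is an added example (it is not part of the original post or of the tool); it assumes the ADFS PowerShell module is available (Get-AdfsCertificate and Get-AdfsSslCertificate) and that it runs elevated on an ADFS server. The Test-PrivateKeyExportable helper is my own name.

```powershell
# Added example: inventory the certificates the ADFS Rapid Recreation Tool will look for
# and report whether each private key can be exported to a PFX file.
Import-Module ADFS

function Test-PrivateKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if (-not $Certificate.HasPrivateKey) { return $false }
    try {
        # Exporting to PFX bytes in memory throws when the key is marked non-exportable.
        # The password here is only used for the in-memory probe and is never written to disk.
        $null = $Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'probe')
        return $true
    } catch {
        return $false
    }
}

# Primary and secondary service communication, token signing and token decrypting certificates
$report = foreach ($c in Get-AdfsCertificate) {
    # Look the certificate up in the machine store so we get a handle to the private key
    $local = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $c.Thumbprint }
    [pscustomobject]@{
        Type       = $c.CertificateType
        IsPrimary  = $c.IsPrimary
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.Certificate.NotAfter
        InStore    = [bool]$local
        Exportable = if ($local) { Test-PrivateKeyExportable $local } else { $false }
    }
}
$report | Format-Table -AutoSize

# The SSL binding the tool reads for "<FQDN Federation Service>:443"
# (same information as "netsh http show sslcert")
Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize

$notExportable = $report | Where-Object { -not $_.Exportable }
if ($notExportable) {
    Write-Warning 'The private key of these certificates cannot be exported from the machine store:'
    $notExportable | Format-Table Type, IsPrimary, Thumbprint -AutoSize
}
```

Token signing and token decrypting certificates that ADFS generated itself (automatic certificate rollover) do not live in the machine store with an exportable key; their key material is kept in the ADFS configuration database, so for those the warning is expected and the export of the database covers them. A warning for a CA-issued service communication or SSL certificate, on the other hand, means that after a restore you will have to re-obtain that certificate from your PKI.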


Figure 1: Backup/Export Created By The ADFS Rapid Recreation Tool

As mentioned earlier, the main use of the tool is to either recreate a dead ADFS farm or clone an ADFS farm in another environment. During a backup, the tool backs up everything in ADFS; during a restore, it restores everything from the export. It is not possible to select individual components from the backup and only restore those. Maybe in a next version. In theory it would be possible to also restore one or more ADFS configuration components after an admin mistake (e.g. deletion of one or more RP trusts). However, if the backup/export used to restore a missing component still contains that missing component but is outdated, you will restore that missing component, but it will also bring your whole ADFS farm back in time.

In a WID based ADFS farm I restored the backup/export that was created on the primary ADFS server on that primary ADFS server. The other secondary WID based ADFS servers were still running happily with no issues. After the backup you may still need to install software/DLLs to support any configured MFA provider or attribute store. This is especially important when cloning the ADFS farm. After that you need to start the ADFS service on the primary ADFS server. After restarting the ADFS service on the other already existing secondary ADFS servers, those secondary ADFS servers started to replicate again from the primary ADFS server. Although I did not test it, I assume it would behave similarly with a SQL based ADFS farm. Please be aware I did not check everything, and I do not know if this is a supported scenario or not. My advice is to not use this to restore individual components. To restore individual components (e.g. CP and/or RP trusts) use PowerShell scripting (see future blog post).

Now, let's install this tool. After executing the MSI, the following screen is displayed.


Figure 2: Welcome Screen


Figure 3: License Agreement Screen

The default installation folder is "C:\Program Files (x86)\ADFS Rapid Recreation Tool\".


Figure 4: Installation Folder And Who Will Be Using The Tool Screen


Figure 5: Install Confirmation Screen


Figure 6: Install Completed Screen

Afterwards, to load the module, execute the following command:

Import-Module "C:\Program Files (x86)\ADFS Rapid Recreation Tool\ADFSRapidRecreationTool.dll"

To find out all the available CMDlets, execute the following command:

Get-Command -Module ADFSRapidRecreationTool


Figure 7: Importing PowerShell Module And Listing All Available CMDlets

For example, to create a backup/export to some folder on the file system, execute the following command, and make sure to replace the values with your own values:

Backup-ADFS -StorageType FileSystem -BackupComment "2016-10-02 16:30:00" -StoragePath "C:\ADFS-Support\Config-Export\2016-10-02_16.30.00_FedSvcConfig_MSFT-Tool" -EncryptionPassword 'Pa$$w0rd'


Figure 8: Creating A Backup/Export To The File System
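The export contains every certificate and private key of the farm, so the folder it lands in deserves the same care as the password. The script below is an added example (not the post's or the tool's own code) that wraps the Backup-ADFS call shown above: it locks the target folder down to Administrators and SYSTEM before the backup is written, prompts for the password instead of keeping it in the script, and afterwards verifies that the files described in the post are present and that every exported PFX file actually opens with that password and carries the thumbprint in its file name. The base path is a placeholder to replace with your own; the recursive search is an assumption so the check does not depend on how the tool lays out subfolders.

```powershell
# Added example: backup into a timestamped folder with a restricted ACL, then verify the export.
# Assumes ADFSRapidRecreationTool.dll has been imported as shown earlier in the post.
$base     = 'C:\ADFS-Support\Config-Export'                       # placeholder, use your own path
$stamp    = Get-Date -Format 'yyyy-MM-dd_HH.mm.ss'
$target   = Join-Path $base "${stamp}_FedSvcConfig_MSFT-Tool"
$password = Read-Host -Prompt 'Backup encryption password'        # keeps the password out of the script and transcript

# 1. Create the folder and restrict it to Administrators and SYSTEM before anything is written
$null = New-Item -ItemType Directory -Path $target -Force
$acl  = Get-Acl -Path $target
$acl.SetAccessRuleProtection($true, $false)                       # stop inheriting, drop inherited ACEs
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $target -AclObject $acl

# 2. Run the backup (same cmdlet and parameters as in the post)
Backup-ADFS -StorageType FileSystem -StoragePath $target -BackupComment $stamp -EncryptionPassword $password

# 3. The four configuration files the tool writes must be present
$expected = 'config.xml', 'db.xml', 'installParams.xml', 'metadata.xml'
$found    = Get-ChildItem -Path $target -Recurse -Filter *.xml | Select-Object -ExpandProperty Name
$missing  = $expected | Where-Object { $_ -notin $found }
if ($missing) { Write-Warning "Missing configuration files: $($missing -join ', ')" }

# 4. Every PFX must open with the password, contain a private key, and match the thumbprint in its name
$pfxReport = foreach ($pfx in Get-ChildItem -Path $target -Recurse -Filter *.pfx) {
    $expectedThumb = ($pfx.BaseName -split '-')[-1]               # SSLCert-<Thumbprint>.pfx / OtherCert-<Thumbprint>.pfx
    $ok = $false
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfx.FullName, $password)
        $ok   = $cert.HasPrivateKey -and ($cert.Thumbprint -eq $expectedThumb)
        $cert.Reset()                                             # release the temporarily imported key
    } catch { $ok = $false }
    [pscustomobject]@{ File = $pfx.Name; Verified = $ok }
}
$pfxReport | Format-Table -AutoSize
if ($pfxReport | Where-Object { -not $_.Verified }) {
    Write-Warning 'At least one PFX file could not be verified; do not rely on this export for recovery.'
}
```

Run the verification on the server that created the backup, not on the machine where the export will eventually be stored: the point is to find out immediately whether the password and the exported keys are usable, while you can still take another backup.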

For example, to restore a backup/export from some folder on the file system, execute the following command, and make sure to replace the values with your own values:

Restore-ADFS -StorageType FileSystem -StoragePath "C:\ADFS-Support\Config-Export\2016-10-02_16.30.00_FedSvcConfig_MSFT-Tool" -DecryptionPassword 'Pa$$w0rd'


Figure 9: Restoring A Backup/Export From The File System – Entering The Credentials Of The ADFS Service Account


Figure 10: Restoring A Backup/Export From The File System

After the restore the ADFS service is not running! Also pay attention to the text file mentioned.


Figure 11: Text File With Additional Steps To Execute Before Starting The ADFS Service

After installing the additional software or placing the DLLs in the ADFS folder to support additional MFA providers or attribute stores, restart the ADFS service.

Also have a look at the following links for additional information and the download location of the tool:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge's Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————
