Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘DB On WID’ Category

(2016-08-04) Forcing Sync On A Non-Primary ADFS Server When Using WID

Posted by Jorge on 2016-08-04


By default, when using WID, every secondary ADFS server pulls data from the primary ADFS server every 5 minutes. To change the pull interval, run the following command on every secondary ADFS server:

Set-AdfsSyncProperties -PollDuration <Number In Seconds>

However, there is no PowerShell cmdlet to force a secondary ADFS server to pull from the primary ADFS server right away. The only option is to restart the ADFS service on the secondary ADFS server, for example:

Restart-Service ADFSSRV

Remember that when you restart the ADFS service, your ADFS server temporarily becomes unavailable!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), DB On WID

(2016-07-24) Fixing Web Content Data In ADFS 2012 R2 (v3.0) When Leveraging WID As A Database Store

Posted by Jorge on 2016-07-24


This blog post only applies if you are using ADFS v3.0 (ADFS 2012 R2) AND you are using WID as the database store! It does not apply when using SQL, and it does not apply when using ADFS v4.0 (ADFS 2016) with WID!

In ADFS v3.0 (and higher) it is possible to configure custom web content for:

  1. Relying Party Trust Web Content (*)
  2. Global Web Content
  3. Authentication Provider Web Content (*)
  4. Web Config
  5. Web Theme

When using WID, you must execute the configuration on the primary ADFS server. At most 5 minutes later (the default poll interval), the secondary ADFS servers get the changes from the primary ADFS server. Well, with regards to web content, that is almost right.

For the web content items marked with a (*), there is a bug where the content defined on the primary ADFS server DOES NOT replicate to the secondary ADFS servers. Because of that, users may experience inconsistent results.

Example configurations for [1]:

Set-AdfsRelyingPartyWebContent -Name 'SALESFORCE dot COM' -ErrorPageAuthorizationErrorMessage "<B><Font size='4' color='red'>Authorization Has Been Denied For 'SALESFORCE.COM'.</Font></B><BR><BR>You Either Do Not Have The Correct Authorization Or You Have Been Assigned More Than One Profile ID.<BR><BR>Please Contact <A HREF='mailto:ADM.ROOT@IAMTEC.NL?subject=Access Request For Application 'SALESFORCE.COM''>ADM.ROOT</A> To Resolve This If You Require Access."

Example configurations for [3]:

Set-AdfsAuthenticationProviderWebContent -Name AzureMfaServerAuthentication -DisplayName 'Azure AD MFA AuthN' -Description 'Azure AD MFA Based Upon SMS, Phone Call Or Authenticator App'

The user experience is as follows.

When a user hits the primary ADFS server, the following is displayed, which is the custom web content for a relying party trust:

Figure 1: Custom Web Content For A Relying Party Trust On The Primary ADFS Server

When a user hits any of the secondary ADFS servers, the following is displayed, which is the default web content for a relying party trust:

Figure 2: Default Web Content For A Relying Party Trust On A Secondary ADFS Server

When a user hits the primary ADFS server, the following is displayed, which is the custom web content for an authentication provider:

Figure 3: Custom Web Content For An Authentication Provider Relying Party Trust On The Primary ADFS Server

When a user hits any of the secondary ADFS servers, the following is displayed, which is the default web content for an authentication provider:

Figure 4: Default Web Content For An Authentication Provider Relying Party Trust On A Secondary ADFS Server

So, as you can see, the user experience is quite different depending on whether the user hits the primary ADFS server or any secondary ADFS server.

You might think of also executing the PowerShell commands on any secondary ADFS server. However, that is not possible, because secondary ADFS servers are not writable and therefore the PowerShell commands fail. It does work, however, if you temporarily configure a secondary to be a primary, execute the commands, and then reconfigure it back to a secondary. If you have multiple WID-based ADFS servers, that is quite some work, and it is also error-prone and can end in inconsistencies.

So, how to solve this?

I wrote a script, which is available here that helps in configuring the web content on secondary ADFS servers.

WARNING: I do not know if this is supported or not by Microsoft. However, it does solve the problem as currently unfortunately there is no hotfix that fixes this issue in ADFS v3.0. Make sure to test this FIRST in a test lab before using it in production!

Please provide feedback through the comments section or through the contact page.

DISCLAIMER (READ THIS!):

  • I wrote this script, therefore I own it. Anyone asking money for it, should NOT be doing that and is basically ripping you off!
  • The script is freeware, you are free to use it and distribute it, but always refer to this website (https://jorgequestforknowledge.wordpress.com/) as the location where you got it.
  • This script is furnished "AS IS". No warranty is expressed or implied!
  • I have NOT tested it in every scenario nor have I tested it against every Windows and/or AD version!
  • Always test first in lab environment to see if it meets your needs!
  • Use this script at your own risk!
  • I do not warrant this script to be fit for any purpose, use or environment!
  • I have tried to check everything that needed to be checked, but I do not guarantee the script does not have bugs!
  • I do not guarantee the script will not damage or destroy your system(s), environment or whatever!
  • I do not accept liability in any way if you screw up, use the script wrong or in any other way where damage is caused to your environment/systems!
  • If you do not accept these terms do not use the script in any way and delete it immediately!

SYNTAX:

  • <PoSH Script File> [-adfsServers <FQDN ADFS server 1>,<FQDN ADFS server 2>,etc ] [-scriptBlock <PowerShell Command>] [-scriptFile <Path To Text File Containing PowerShell Commands>] [-showScriptOutput]

This script is well documented (look inside the script) or execute:

Get-help .\Process-Web-Content-On-WID-Based-ADFS-Servers.ps1 -full

...but I’ll explain the parameters that can be used:

Parameter “adfsServers”

When this parameter is specified, the XML config file is NOT read and a comma-separated list of FQDNs must be specified through this parameter, listing the ADFS servers that must be targeted. This may for example be used when you have one or more new secondary ADFS servers to update after those have been installed in addition to the existing ones.

However, if you have a new configuration that must be applied to all ADFS servers, you may still use this parameter, but you can also create an XML file that contains all ADFS servers. This is handy when you must apply changes to all existing ADFS servers. When you want to use the XML config file, do not use this parameter; the script will then look for the XML config file, which must be in the same folder as the script itself. By default the script looks for the XML file, and it aborts if it does not find it!

EXAMPLE Contents of “ADFS-STS-SCRIPT-CONFIG.XML”

<?xml version="1.0" encoding="utf-8"?>
<adfsScriptConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <adfsServers>
        <adfsServer serverName="R1FSRWDC1.IAMTEC.NET" />
        <adfsServer serverName="R1FSRWDC2.IAMTEC.NET" />
        <adfsServer serverName="R1FSRWDC3.IAMTEC.NET" />
        <adfsServer serverName="R1FSRWDC4.IAMTEC.NET" />
    </adfsServers>
</adfsScriptConfig>

Parameter “scriptBlock”

With this parameter a single PowerShell command can be specified as the parameter value. Pay very special attention to the quotes used!

Example value: "Set-AdfsRelyingPartyWebContent -Name 'SALESFORCE dot COM' -ErrorPageAuthorizationErrorMessage `"<B><Font size='4' color='red'>Authorization Has Been Denied For 'SALESFORCE.COM'.</Font></B><BR><BR>You Either Do Not Have The Correct Authorization Or You Have Been Assigned More Than One Profile ID.<BR><BR>Please Contact <A HREF='mailto:ADM.ROOT@IAMTEC.NL?subject=Access Request For Application 'SALESFORCE.COM''>ADM.ROOT</A> To Resolve This If You Require Access.`""

Parameter “scriptFile”

With this parameter one or more PowerShell commands can be specified in a text file. The complete path of the text file is then used as the value for this parameter.

Example value: "C:\TEMP\ScriptBlock.txt"

Parameter “showScriptOutput”

This parameter tells the script to display the output of the commands on screen, if there is anything to display at all.

Another thing to be aware of is that the script logs everything into an event log called “Custom – Support”. If the event log does not exist, the script creates it and also registers the source. If you do not want this, scan through the script and remove or comment out those parts!
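As an added illustration of the promote, run, demote approach described above (my own example, not Jorge's script): a function that takes the same -adfsServers list or the XML layout shown earlier, runs the commands from a text file on every server and, on a secondary, temporarily sets the role to PrimaryComputer and always sets it back to SecondaryComputer pointing at the real primary. The function and parameter names are assumptions, as is WinRM access to each server.

```powershell
# Added example, not the script from the post. Assumes WinRM (Invoke-Command)
# works to every ADFS server and that the caller is an ADFS administrator.
function Invoke-AdfsWebContentOnSecondaries {
    [CmdletBinding()]
    param(
        [string[]] $AdfsServers,                                    # FQDNs; XML file is used when omitted
        [string]   $ConfigXmlPath = '.\ADFS-STS-SCRIPT-CONFIG.XML',  # same layout as the example above
        [Parameter(Mandatory = $true)]
        [string]   $ScriptFile,                                     # text file with Set-Adfs*WebContent commands
        [switch]   $ShowScriptOutput
    )

    if (-not $AdfsServers) {
        if (-not (Test-Path -Path $ConfigXmlPath)) { throw "XML config file not found: $ConfigXmlPath" }
        [xml] $cfg = Get-Content -Path $ConfigXmlPath -Raw
        $AdfsServers = @($cfg.adfsScriptConfig.adfsServers.adfsServer | ForEach-Object { $_.serverName })
    }
    if (-not $AdfsServers) { throw 'No ADFS servers to process.' }
    $commandText = Get-Content -Path $ScriptFile -Raw
    $show        = [bool] $ShowScriptOutput

    # This block runs on the target server itself, so the demotion in 'finally'
    # happens even when one of the web-content commands throws.
    $remote = {
        param([string] $CommandText, [bool] $Show)
        $sync        = Get-AdfsSyncProperties
        $isSecondary = ($sync.Role -eq 'SecondaryComputer')
        $primary     = $sync.PrimaryComputerName
        try {
            if ($isSecondary) {
                # Make the local WID copy writable, exactly as the manual workaround does.
                Set-AdfsSyncProperties -Role PrimaryComputer
            }
            $output = & ([scriptblock]::Create($CommandText))
            if ($Show) { $output }
            "$env:COMPUTERNAME : done (was secondary: $isSecondary)"
        }
        finally {
            if ($isSecondary) {
                # Point the server back at the real primary, no matter what happened above.
                Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $primary
            }
        }
    }

    foreach ($server in $AdfsServers) {
        Write-Host "Processing $server ..."
        try {
            Invoke-Command -ComputerName $server -ScriptBlock $remote -ArgumentList $commandText, $show
        }
        catch {
            Write-Warning "Failed on ${server}: $($_.Exception.Message)"
        }
    }
}

# Usage (constructed path): apply the commands in C:\TEMP\ScriptBlock.txt to the
# servers listed in .\ADFS-STS-SCRIPT-CONFIG.XML and show what they return.
# Invoke-AdfsWebContentOnSecondaries -ScriptFile 'C:\TEMP\ScriptBlock.txt' -ShowScriptOutput
```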

Figure 5: Example XML Config File

Figure 6: Example Script Block File Containing Multiple PowerShell Commands To Execute

Figure 7: Example Output – General Info

Figure 8: Example Output – Performing Checks

Figure 9: Example Output – Processing Commands Against An ADFS Server (R1FSRWDC1.IAMTEC.NET)

Figure 10: Example Output – Processing Commands Against An ADFS Server (R1FSRWDC2.IAMTEC.NET)

Figure 11: Example Output – Processing Commands Against An ADFS Server (R1FSRWDC3.IAMTEC.NET)

Figure 12: Example Output – Processing Commands Against An ADFS Server (R1FSRWDC4.IAMTEC.NET)

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), DB On WID, PowerShell, Tooling/Scripting

(2016-06-02) Required Port(s) For WID Replication In ADFS To Work Properly

Posted by Jorge on 2016-06-02


If you are running ADFS with WID and you see the following event IDs, the required ports between the secondary ADFS server(s) and the primary ADFS server are not open.

Figure 1: First Error Regarding The WID Replication Error

There was a communication error during AD FS configuration database synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur.

Additional Data

Master Name : R1FSRWDC1.IAMTEC.NET
Endpoint Uri : http://r1fsrwdc1.iamtec.net/adfs/services/policystoretransfer
Exception details:
System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at http://r1fsrwdc1.iamtec.net/adfs/services/policystoretransfer that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.1.1.1:80
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
   at System.Net.HttpWebRequest.GetRequestStream()
   at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream()
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStoreReadOnlyTransfer.GetHeaders()
   at Microsoft.IdentityServer.Service.Synchronization.SyncAdministrationManager.Sync(Boolean syncAll)
   at Microsoft.IdentityServer.Service.Synchronization.SyncAdministrationManager.Sync()

And you will also see:

Figure 2: Second Error Regarding The WID Replication Error

There was an error doing synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur.

Additional data

Exception details:
System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at http://r1fsrwdc1.iamtec.net/adfs/services/policystoretransfer that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.1.1.1:80
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStoreReadOnlyTransfer.GetHeaders()
   at Microsoft.IdentityServer.Service.Synchronization.SyncAdministrationManager.Sync(Boolean syncAll)
   at Microsoft.IdentityServer.Service.Synchronization.SyncAdministrationManager.Sync()
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.DoSyncDirect()
   at Microsoft.IdentityServer.Service.Synchronization.SyncBackgroundTask.Run(Object context)

User Action
Make sure the primary federation server is available or the service account identity of this machine matches the service account identity of the primary federation server.

As you may know, by default every secondary ADFS server pulls information from the primary ADFS server every 5 minutes. Any secondary ADFS server connects to the primary ADFS server over port 80 for WID replication; see the details in the error message above (the socket error against 10.1.1.1:80). When using WID, make sure that any ADFS server can contact any other ADFS server for WID replication to work. This is needed if you ever transfer the primary role to another ADFS server.
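An added check (not from the post) for the requirement just stated: from every farm member, probe every other member on the WID replication port, the way a secondary reaches /adfs/services/policystoretransfer on the primary, and flag blocked pairs as failing now or only after a role transfer. The function name is an assumption; it assumes WinRM to each server and Test-NetConnection (Windows Server 2012 and later).

```powershell
# Added example, not from the post. Assumes WinRM to each ADFS server and
# Test-NetConnection (Windows Server 2012 and later) on each of them.
function Test-AdfsWidReplicationPorts {
    param(
        [Parameter(Mandatory = $true)] [string[]] $AdfsServers,   # FQDNs of all farm members
        [int] $Port = 80                                           # port seen in the error above
    )

    $results = foreach ($source in $AdfsServers) {
        # Probe from the source server itself, so host firewalls and routing
        # between the two hosts are exercised exactly as ADFS sees them.
        Invoke-Command -ComputerName $source -ArgumentList $source, $AdfsServers, $Port -ScriptBlock {
            param([string] $Source, [string[]] $Targets, [int] $Port)
            $sync = Get-AdfsSyncProperties
            foreach ($target in $Targets) {
                if ($target -eq $Source) { continue }
                $tcp = Test-NetConnection -ComputerName $target -Port $Port -WarningAction SilentlyContinue
                [pscustomobject] @{
                    Source    = $Source
                    Target    = $target
                    Port      = $Port
                    Open      = $tcp.TcpTestSucceeded
                    # Only the secondary-to-primary pair matters today; every pair
                    # matters once the primary role moves to another server.
                    NeededNow = ($sync.Role -eq 'SecondaryComputer' -and $target -eq $sync.PrimaryComputerName)
                }
            }
        }
    }

    $blocked = @($results | Where-Object { -not $_.Open })
    foreach ($b in $blocked) {
        $why = if ($b.NeededNow) { 'WID replication is failing now' } else { 'WID replication will fail after a role transfer' }
        Write-Warning "$($b.Source) cannot reach $($b.Target):$($b.Port) - $why"
    }
    $results | Sort-Object Source, Target
}

# Usage with the farm from the event above (second name constructed):
# Test-AdfsWidReplicationPorts -AdfsServers 'R1FSRWDC1.IAMTEC.NET', 'R1FSRWDC2.IAMTEC.NET' | Format-Table
```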

Also see:

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), DB On WID, Ports

(2015-02-24) Migrating ADFS Databases From SQL To WID

Posted by Jorge on 2015-02-24


For whatever reason you may be interested in migrating your ADFS databases, currently hosted on WID, to SQL server. Information regarding that can be read through the following links:

Now some of you might think: "is it possible to migrate the ADFS databases, currently hosted on SQL server, to WID?"

Now why would you want to do that?

  • SQL features related to ADFS are not being used (Token Replay Prevention and Artifact Resolution)
  • Saving costs on SQL server licenses
  • Simplifying DR and high availability for ADFS

Now to answer the question: NO, it is not possible to migrate ADFS databases from SQL server to WID!

I tried this myself. I did a backup of the ADFS databases on SQL server and then tried to restore those same databases on WID.

Figure 1: SQL Management Studio Connected To WID (Local) and SQL Server (Remote)

As soon as you try to do the restore, you will see an error similar to the following.

Figure 2: Failing To Restore A Database Previously Hosted On SQL Server To WID

Now why is this? The simple answer is: WID basically uses an older version of SQL than SQL server itself. You can restore a database from a lower version of SQL to a higher version of SQL, but you CANNOT restore a database from a higher version of SQL to a lower version of SQL!

You can read more about this here.

The only way to go from SQL to WID is to export all the settings/configurations from ADFS on SQL and import that again into ADFS on WID. Also see: https://jorgequestforknowledge.wordpress.com/2014/03/12/additional-powershell-scripts-for-migrating-adfs-v2-x-to-adfs-v3-0/

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), DB On SQL, DB On WID, Uncategorized, Upgrading

(2014-03-19) Gathering Architectural Details From Your ADFS Infrastructure – WID Primary Computer Or Not

Posted by Jorge on 2014-03-19


If ADFS was installed in the past by someone else and there is little to no documentation, how do you know, when using WID, which ADFS STS instance is the primary federation server or any other federation server? Keep reading to find out how to determine that!

How To Find The Primary Federation Server When Using WID?

The concept of a primary federation server and secondary federation servers only exists when leveraging WID. When using SQL all federation servers are equal. In the case of WID, the primary federation server has a read/write copy of the ADFS configuration database.

The primary federation server is always created when you use the ADFS Federation Server Configuration Wizard and select the option to create a new Federation Service and make that computer the first federation server in the farm. All other federation servers in this farm, also known as secondary federation servers, must synchronize changes that are made on the primary federation server to a copy of the AD FS configuration database that is stored locally.

Figure 1: ADFS Leveraging WID – The ADFS MMC On The Primary Federation Server

Figure 2: The PowerShell CMDlet That Shows Whether Or Not The Federation Server Is The Primary Federation Server – In This Case It Is The Primary Federation Server

The secondary federation servers store a read-only copy of the ADFS configuration database from the primary federation server. Secondary federation servers connect to and synchronize the data with the primary federation server in the farm by polling it at regular intervals (5 minutes) to check whether data has changed. It is also possible to force synchronization. The secondary federation servers exist to provide fault tolerance for the primary federation server while acting to load-balance access requests that are made in different sites throughout your network environment. If a primary federation server crashes and is offline, all secondary federation servers continue to process requests as normal. However, no new changes can be made to the Federation Service until the primary federation server has been brought back online OR you have nominated an existing secondary federation server as the new primary federation server.

Figure 3: ADFS Leveraging WID – The ADFS MMC On Any Secondary Federation Server

Figure 4: The PowerShell CMDlet That Shows Whether Or Not The Federation Server Is The Primary Federation Server – In This Case It Is NOT The Primary Federation Server

How to transfer the primary computer role to another ADFS STS when using WID?

Unfortunately, it is not like the old NT4 PDC/BDC model: moving the primary computer role to another ADFS STS does not make the other ADFS STSes aware of that, so you must reconfigure each of them:

  • On the ADFS STS becoming the new primary computer execute: Set-AdfsSyncProperties -Role PrimaryComputer
  • On all other ADFS STS execute: Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <FQDN new ADFS STS With Primary Computer Role>
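An added example (my own, not from the post) that turns the two steps above into a repeatable procedure: one function inventories the sync role of every farm member with Get-AdfsSyncProperties and warns when there is not exactly one primary or a secondary points elsewhere; the other moves the primary computer role and then re-runs the inventory. Function names are assumptions, as is WinRM access to each FQDN.

```powershell
# Added example, not from the post. Assumes WinRM to each FQDN and that the
# caller holds ADFS administrator rights on every server.
function Get-AdfsWidFarmRoles {
    param([Parameter(Mandatory = $true)] [string[]] $AdfsServers)

    $rows = foreach ($server in $AdfsServers) {
        try {
            $p = Invoke-Command -ComputerName $server -ScriptBlock { Get-AdfsSyncProperties }
            [pscustomobject] @{
                Server              = $server
                Role                = $p.Role                  # PrimaryComputer / SecondaryComputer
                PrimaryComputerName = $p.PrimaryComputerName   # where a secondary pulls from
                PollDuration        = $p.PollDuration          # seconds; 300 is the 5-minute default
                LastSyncStatus      = $p.LastSyncStatus
            }
        }
        catch {
            [pscustomobject] @{
                Server = $server; Role = 'UNREACHABLE'; PrimaryComputerName = $null
                PollDuration = $null; LastSyncStatus = $_.Exception.Message
            }
        }
    }

    # A healthy WID farm has exactly one primary, and every secondary points at it.
    $primaries = @($rows | Where-Object { $_.Role -eq 'PrimaryComputer' })
    if ($primaries.Count -ne 1) {
        Write-Warning "Expected exactly one primary computer, found $($primaries.Count)."
    }
    foreach ($r in ($rows | Where-Object { $_.Role -eq 'SecondaryComputer' })) {
        if ($primaries.Count -eq 1 -and $r.PrimaryComputerName -ne $primaries[0].Server) {
            Write-Warning "$($r.Server) replicates from $($r.PrimaryComputerName), not from $($primaries[0].Server)."
        }
    }
    $rows
}

function Move-AdfsWidPrimaryRole {
    param(
        [Parameter(Mandatory = $true)] [string[]] $AdfsServers,   # every farm member, old primary included
        [Parameter(Mandatory = $true)] [string]   $NewPrimary     # FQDN of the server taking the role
    )
    if ($AdfsServers -notcontains $NewPrimary) { throw "$NewPrimary is not in the server list." }

    # Step 1: on the ADFS STS becoming the new primary computer.
    Invoke-Command -ComputerName $NewPrimary -ScriptBlock { Set-AdfsSyncProperties -Role PrimaryComputer }

    # Step 2: on all other ADFS STSes, the old primary included; nothing tells
    # them about the change automatically.
    foreach ($server in ($AdfsServers | Where-Object { $_ -ne $NewPrimary })) {
        Invoke-Command -ComputerName $server -ArgumentList $NewPrimary -ScriptBlock {
            param([string] $Primary)
            Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $Primary
        }
    }

    # Verify the outcome the same way the post does, via Get-AdfsSyncProperties.
    Get-AdfsWidFarmRoles -AdfsServers $AdfsServers
}

# Usage (server names constructed):
# Get-AdfsWidFarmRoles -AdfsServers 'R1FSRWDC1.IAMTEC.NET', 'R1FSRWDC2.IAMTEC.NET' | Format-Table
# Move-AdfsWidPrimaryRole -AdfsServers 'R1FSRWDC1.IAMTEC.NET', 'R1FSRWDC2.IAMTEC.NET' -NewPrimary 'R1FSRWDC2.IAMTEC.NET'
```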

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), DB On WID, Security Token Service (STS)

(2014-03-17) Gathering Architectural Details From Your ADFS Infrastructure – ADFS Config DB On WID Or SQL

Posted by Jorge on 2014-03-17


If ADFS was installed in the past by someone else and there is little to no documentation, how do you know if you are using WID or SQL for the ADFS config database? Keep reading to find out how to determine that!

ADFS Configuration Database On WID Or SQL?

This is quite easy to determine by running the following PowerShell commands:

$ADFSSTS = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
$ADFSSTS

When you see the following connection string, your ADFS installation is using WID. In this case the screen dump was taken from a W2K8R2 server with ADFS v2.0.

Figure 1: Leveraging WID For ADFS v2.0 On W2K8R2

When you see the following connection string, your ADFS installation is using SQL. In this case the screen dump was taken from a W2K8R2 server with ADFS v2.0. It is also using the default SQL instance. If a custom SQL instance was used, you would see something like <Server Name>\<Instance Name>.

Figure 2: Leveraging SQL For ADFS v2.0 On W2K8R2

When you see the following connection string, your ADFS installation is using WID. In this case the screen dump was taken from a W2K12R2 server with ADFS v3.0.

Figure 3: Leveraging WID For ADFS v3.0 On W2K12R2

When you see the following connection string, your ADFS installation is using SQL. In this case the screen dump was taken from a W2K12R2 server with ADFS v3.0. It is also using the default SQL instance. If a custom SQL instance was used, you would see something like <Server Name>\<Instance Name>.

Figure 4: Leveraging SQL For ADFS v3.0 On W2K12R2

For differences between ADFS on WID or ADFS on SQL see: The Role of the AD FS Configuration Database.

To migrate the database from WID to SQL see: AD FS 2.0: Migrate Your AD FS Configuration Database to SQL Server

Cheers,

Jorge


Posted in Active Directory Federation Services (ADFS), DB On SQL, DB On WID, Security Token Service (STS)

 