As per my previous post about DirSync for enterprise organisations, we also need to install ADFS farms into SQL clusters for high availability and scalability. Below are the steps to install ADFS 2.0 into a SQL cluster.
For the purposes of this demo, please take note of the following names used throughout the example.
ADFS Server : adfs.contoso.local
SQL Cluster: sqlclus
ADFS Service Account: contoso\adfs
ADFS Service Name: signin.contoso.com
- Download and install ADFS 2.0 RTW, which you can download HERE. The ADFS 2.0 installer installs the prerequisites required for the software.
- Do not open the ADFS configuration wizard after the install has completed. Download and install ADFS 2.0 Rollup 3, which you can download HERE.
- Now get your trusted SSL certificate for your ADFS service name 'signin.contoso.com' and bind it to the default website. I always remove any HTTP bindings for the default website on the ADFS LAN server.
- In Certificate Manager, right-click the trusted certificate 'signin.contoso.com', select All Tasks\Manage Private Keys, and grant the contoso\adfs service account 'Full Control & Read' permissions.
- From a command prompt with elevated privileges, change the current directory to C:\Program Files\Active Directory Federation Services 2.0\
- Now we are ready to create the ADFS farm, which we do with the following command:
FSConfig.exe CreateSQLFarm /ServiceAccount "contoso\adfs" /ServiceAccountPassword "password" /SQLConnectionString "database=AdfsConfigurationServer;server=sqlclus;integrated security=SSPI" /port 443 /FederationServiceName "signin.contoso.com" /CleanConfig /AutoCertRolloverEnabled
You will then see the output of the command in the command prompt window.
- Ideally the LAN ADFS servers will be load balanced. If you need to use a SQL cluster for your ADFS deployment, there is a good chance the customer will have load balancers such as F5, NetScaler or Kemp; my preference would be Kemp. So there will be a virtual IP (VIP) for the ADFS service name 'signin.contoso.com'.
- To enable Kerberos authentication to Outlook Web App and SharePoint, add https://signin.contoso.com to the Local intranet zone in Internet Explorer for clients via Group Policy.
- ADFS proxy servers will sit in a DMZ, or TMG servers can also act as ADFS proxy servers; either way they point at the load-balanced 'signin.contoso.com' VIP in the LAN.
- Cloudfloor DNS provides GEO DNS routing, so they can direct traffic from ISO country codes to a location of choice: US ADFS requests can hit US ADFS servers, Irish requests can hit Irish ADFS servers, and so on. A service like this can take care of the external load balancing.
- Now that we have all this done, it is time to federate the on-premise domain name 'contoso.com' with our Office 365 tenant.
- Before we do this we need to ensure we have done the following:
A: Verify ownership of contoso.com
B: Activate Active Directory Synchronisation
C: Download and install the Microsoft Online Services Sign-In Assistant HERE
D: Once the Sign-In Assistant has been installed, download and install the Windows Azure Active Directory Module for Windows PowerShell HERE
- Now we are ready to run the commands to federate 'contoso.com' with Office 365, which we do with the following commands:
$cred = Get-Credential # Office 365 global administrator credentials
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer adfs.contoso.local # then enter contoso\adfs credentials
Convert-MsolDomainToFederated -DomainName contoso.com -SupportMultipleDomain
- You might have only one domain, but I always recommend using the -SupportMultipleDomain switch as it future-proofs your ADFS service; for example, your customer could acquire a company.
- Finally we want to brand our ADFS proxy pages with company logos, and here is a great blog post by Laurent Bel on how to customise the ADFS 2.0 login page HERE.
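Once the farm and the federation are in place, the script below (an added example, not from the original post) verifies the steps above from a LAN ADFS server: that the 'signin.contoso.com' certificate is in the machine store and contoso\adfs can read its private key, that the VIP serves federation metadata with the expected entityID, and that contoso.com reports as Federated in Office 365. It assumes the demo names, a CSP-based (not CNG) private key as ADFS 2.0 uses, and the MSOnline module installed as above.

```powershell
# Post-deployment checks for the ADFS 2.0 SQL farm described above (added example).
$ServiceName    = 'signin.contoso.com'   # FederationServiceName passed to FSConfig
$ServiceAccount = 'contoso\adfs'         # ADFS service account
$Domain         = 'contoso.com'          # domain converted with Convert-MsolDomainToFederated

# 1. SSL certificate for the service name with a private key in the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$ServiceName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $ServiceName" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter)" }

# CSP keys are files under MachineKeys; their ACL is what 'Manage Private Keys' edits.
# (Assumption: CSP key, so $cert.PrivateKey exposes CspKeyContainerInfo.)
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
$read    = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = (Get-Acl $keyPath).Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $read) -eq $read)
}
if (-not $hasRead) { throw "$ServiceAccount cannot read the private key of $ServiceName" }

# 2. The load-balanced VIP must serve federation metadata over HTTPS, and the
#    entityID it publishes must be based on the service name given to FSConfig.
$metadataUrl = "https://$ServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$metadata = (New-Object System.Net.WebClient).DownloadString($metadataUrl)
$entityId = $metadata.EntityDescriptor.entityID
if ($entityId -notlike "http://$ServiceName/*") { throw "Unexpected entityID in metadata: $entityId" }

# 3. After Convert-MsolDomainToFederated the tenant should report the domain as Federated.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)   # Office 365 global administrator
$d = Get-MsolDomain -DomainName $Domain
if ($d.Authentication -ne 'Federated') { throw "$Domain is still $($d.Authentication) in Office 365" }
$fed = Get-MsolDomainFederationSettings -DomainName $Domain
"OK: $Domain is federated; IssuerUri=$($fed.IssuerUri) PassiveLogOnUri=$($fed.PassiveLogOnUri)"
```

Run it on each farm member after joining it, since the certificate and private-key permission are per server while the metadata and tenant checks cover the farm as a whole.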
- Now that we have created our first ADFS server connected to a SQL cluster, how do we add more ADFS servers? We do so with the following command, run from the same directory as for the original ADFS server setup:
FSConfig.exe JoinSQLFarm /ServiceAccount "contoso\adfs" /ServiceAccountPassword "password" /SQLConnectionString "database=AdfsConfigurationServer;server=sqlclus;integrated security=SSPI"
The term “primary federation server” does not apply when the AD FS configuration database is stored in a SQL database instance because all federation servers can equally read and write to the AD FS configuration database that is using the same clustered SQL Server instance, as shown in the following illustration
I have not installed ADFS 2.1 on Windows Server 2012 into a SQL cluster yet, but I think it would be the exact same process. I will be doing this on a project coming up shortly and will create a new blog post for it.
I hope people find this blog post useful, as it took me quite a bit of time to get ADFS right when I first started working with it.