Adding an additional ADFS Server to your ADFS Farm when using SQL for the Configuration Database

Hi All,

In this blog, I would like to discuss adding an additional ADFS server to your ADFS farm when using SQL as your configuration database. I will be building on my original lab which I discussed in Configuring ADFS Server as the First server in the ADFS Farm using SQL for the Conguration Database. This blog assumes that you have already installed the ADFS 2.0 software on your additional ADFS server. If you haven’t, you can refer to Installing Active Directory Federation Services (ADFS) 2.0. You do not need a load balancer to perform the steps in this blog, but if you are going to have more than one ADFS server you will need to use a load balancer resolving to federation service name to send traffic to the servers in your farm. Load balancing the traffic to your ADFS farm is out of the scope of this blog.

The first thing you will need to do is export the service communication cert (with its private key)used on the first ADFS server that was set up in your farm. This cert needs to be the same across all ADFS servers in the farm. For the Token signing and Decrypting certs, I am using the self signed certs which were generated  during the configuration of the first ADFS server in the farm using the /AutoCertRolloverEnabled switch. When I ran the configuration to add the new server to the farm using the self-signed Token Signing and Token Decrypting certs, the certificates where shared across the farm so there was no additional work needed for these.

Export the cert from the first ADFS Server in the Farm

1. Open the Certificate MMC console.

  • Log on to the original ADFS server which contains the service communications certificate with the private key.
  • Open the Start Menu and type “MMC” in the search box and press enter.
  • When the console opens click “File” and select “Add/Remove Snapin”.
  • Select “Certificates” from available snap ins and click the “Add” button to move to the “Selected Snapins” window and click “OK”.
  • When the “Certificate Snap-in” windows appears, select the “Computer Account” radio button and click “Next”.
  • On the “Select Computer” window, select the “Local Computer” radio button.
  • You will now see that it has been added to the selected snap-ins.  Click “OK”.

2. Now that you have the local certificate MMC open you can start to Export the cert.

  • Expand “Certificates (Local Computer)” then expand “Personal” and highlight “Certificates”.
  • Right click the certificate to be exported (in my case adfs.pipe2text.com), select “All Tasks” then “Export” from the menu.
  • Click “Next” on the “Welcome to the Certificate Export Wizard” screen.
  • On the “Export Private Key” screen Select “Yes, Export Private Key” and click “Next”.
  •  On the “Export File Format” screen Select the “Personal Information Exchange = PKCS #12 (.PFX)” radio button and Check off “Include all certificates in the certification path if possible” and “Export all extended properties”. Make sure “Delete the private key if export is successful” is deselected. Click “Next”.
  • On the “Password” screen, enter a password and make note of it (This is the password you will use when importing the cert to the new server).
  • On the “File to Export” enter a name and location for the file and click “Next”.
  • On the “Completing the Certificate Wizard” screen review your settings and Click “Finish”.
  • Retrieve the cert file and copy it to the new ADFS server you will be adding to your farm.

Import the cert from the first ADFS Server to the new ADFS Server

1. Open the Certificate MMC console.

  • Log on the new ADFS server that you will be adding to your farm.
  • Open the Start Menu and type “MMC” in the search box and press enter.
  • When the console opens click “File” and select “Add/Remove Snapin”.
  • Select “Certificates” from available snap ins and click the “Add” button to move to the “Selected Snapins” window and click “OK”.
  • When the “Certificate Snap-in” windows appears, select the “Computer Account” radio button and click “Next”.
  • On the “Select Computer” window, select the “Local Computer” radio button.
  • You will now see that it has been added to the selected snap-ins.  Click “OK”.

2. Now that you have the local certificate MMC open you can start to Import the cert.

  • Expand “Certificates (Local Computer)” then expand “Personal” and highlight “Certificates”.
  • Right click the “Certificates” container”, select “All Tasks” then “Import” from the menu.
  • Click “Next” on the “Welcome to Certificate the Import Wizard” screen.
  • On the “File to Import” screen, browse to the cert file you exported and copied over to this server and Click “Next”.
  • On the “Password” screen, enter the password you created when you exported the cert. You can check off “Include all extended properties”. Deselect “Mark Key as Exportable.This will allow you to backup your transport keys at a later time” and click “Next”.
  •  On the “Certificate Store” screen make sure that “Personal” is selected (If not then browse to it). Click “Next”.
  • On the “Completing the Certificate Wizard” screen review your settings and Click “Finish”.
  • Your certificate will now appear in your Personal certificate store.
Note:If you are using a self signed cert for your service communications cert as in a lab scenario like I am, you will also need to complete the steps for importing the cert again but to “Trusted Root Certificate Authorities” store since the cert is not trusted. If you purchased your cert from a 3rd party CA such as Verisign, the cert will already be trusted and this is not necessary.
 
Binding the Imported Cert to the Default Website

Now that you have imported the certificate, you will need to bind it the default website in IIS following these steps:

1. Open the IIS Manager and right click the “Default Website” and select “Edit Bindings”.

2. Under “Type” choose “https” and under “SSL Certificate” choose the cert that you imported and click “OK”.

3. You will now see “https” and “443″ in the list of site bindings. Click “Close”.

Joing your ADFS Server to an Existing Federation Farm

Now its time to configure and join your ADFS server to the farm. Since we are adding this server to a farm that is using SQL for the configuration database we will need to run the configuration from the command line. To do this you will need to use the fsconfig utility. To use the fsconfig utility, open a command prompt as administrator and switch to the “Active Directory Federation Services 2.0″ folder under the “Program Files” directory where fsconfig.exe is located.
Type the following command replacing the information with information that is specific to your environment:
 
FSConfig.exe JoinSQLFarm /ServiceAccount pipe2text\adfslabuser /ServiceAccountPassword Password /SQLConnectionString “database=AdfsConfiguration;server=sqlservername\instance;integrated security=SSPI”

 

You will see the following output if everything ran OK.

Having a look around

If you open the ADFS console you will see that everything is configured exactly the same as the orignal server since they are sharing the same database. You can can look around and make sure you see all of your relying parties if you have some already and verify any other configurations you may have made.

 

Verifying your ADFS Server is Operational

Depending on you load balancing situation, you may need to shutdown your other ADFS servers before performing the next steps to test and see if this server is the one serving up the pages at the URLs below. As mentioned earlier, load balancing is out of the scope of this blog. I also put an example below for how you can hit the server directly.

Verify the ADFS server is now operational you can hit the following URL using your Federation Service name:

https://federationservicename/adfs/fs/federationserverservice.asmx

For Example using my federation service name it would be as follows:

https://adfs.pipe2text.com/adfs/fs/federationserverservice.asmx

If the server is working properly you will see an XML document displayed with the service description document.

If you wanted to, you could replace the federation service name in the URL with the new ADFS server name to ensure you are hitting that server. You will get certificate name mismatch errors doing this but they can be safely ignored. For example:

https://ADFSSERVERNAME/adfs/fs/federationserverservice.asmx

Note: If you are using self signed certs for the service communications cert as in my lab scenario, you will get a certificate error when connecting to the site since the cert is not trusted. You can just click continue to site. To avoid getting this error, you can export the certificate from your ADFS Server and import it to the “Trusted Root Certificate Authorities” of your client machine or just deal with the error.

Another step in verifying your ADFS server is by looking in the Event Viewer on the ADFS Server under “Applications and Service Logs\AD FS 2.0\Admin”. In the Admin log you should see event ID 100.

Now that you have your additional ADFS server added to the farm you can perform any additional testing you feel necessary. As always, I suggest fully testing everything in a lab first. I hope this was helpful. If you have any questions, comments or feedback please feel free to post them. Thanks.

Related Links:

Installing Active Directory Federation Services (ADFS) 2.0

Configuring ADFS Server as the First server in the ADFS Farm using SQL for the Configuration Database

Installing and Configuring an ADFS 2.0 Proxy Server

4 Responses to Adding an additional ADFS Server to your ADFS Farm when using SQL for the Configuration Database

  1. Lots of helpful information. I have bookmarked your site.

  2. Vinh says:

    Hi

    I have two adfs server in a farm. How would I remove the last added or secondarg server to the farm and any AD cleanup required afterwards?

    Thx

    • BC says:

      Hi Vinh,

      You have 2 ADFS servers in a farm using a sql database and you are only removing one of the ADFS servers?

  3. Imran says:

    In our existing ADFS server and how can we add another ADFS server into that ADFS farm?

Leave a Reply

Your email address will not be published. Required fields are marked *