Sysadminsblog.com Anything for sysadmins!

28 Jun 2011

Migrating the ADFS 2.0 Configuration Database to MS SQL

By default, when you configure ADFS 2.0 it creates a Windows Internal Database for its configuration database. If you already have a MS SQL server running, a separate internal database is unnecessary. Thankfully it's possible to migrate the ADFS 2.0 databases to MS SQL.

Preparations

It's smart to start with a backup of the Federation Server.

If your federation server is running in a farm behind a load balancer, temporarily remove it from the load balancing configuration.

On the Primary federation service

  1. Download and install SQL Server 2008 Management Studio Express (you'll need sqlcmd)
  2. Stop the ADFS 2.0 service. Start an elevated command prompt and type:
    net stop adfssrv
  3. Connect to the Windows Internal Database and detach the databases by running the following commands:
    sqlcmd -S \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query
    use master
    go
    sp_detach_db 'adfsconfiguration'
    go
    sp_detach_db 'adfsartifactstore'
    go
  4. Connect to the MS SQL server and attach the databases by running the following commands (note that the paths are local paths on the SQL server, so copy the .mdf and .ldf files to the SQL server first and adjust the paths accordingly):
    sqlcmd -S <SQLServer\SQLInstance>
    use master
    go
    sp_attach_db 'adfsconfiguration', 'c:\windows\sysmsi\ssee\mssql.2005\mssql\data\adfsconfiguration.mdf', 'c:\windows\sysmsi\ssee\mssql.2005\mssql\data\adfsconfiguration_log.ldf'
    go
    sp_attach_db 'adfsartifactstore', 'c:\windows\sysmsi\ssee\mssql.2005\mssql\data\adfsartifactstore.mdf', 'c:\windows\sysmsi\ssee\mssql.2005\mssql\data\adfsartifactstore_log.ldf'
    go
    alter database AdfsConfiguration set enable_broker with rollback immediate
    go
  5. Change the configuration database connection string to point to the new MS SQL server by running the following PowerShell commands:
    $SecTokenServ = Get-WmiObject -NameSpace root/ADFS -Class SecurityTokenService
    $SecTokenServ.ConfigurationDatabaseConnectionString = "data source=<SQLServer\SQLInstance>; initial catalog=adfsconfiguration;integrated security=true"
    $SecTokenServ.Put()
  6. Start the ADFS 2.0 service. Start an elevated command prompt and type:
    net start adfssrv
  7. Change the artifact store connection string to point to the new MS SQL server by running the following PowerShell commands:
    Add-PSSnapin Microsoft.ADFS.PowerShell
    Set-ADFSProperties -ArtifactDBConnection "data source=<SQLServer\SQLInstance>; initial catalog=adfsartifactstore;integrated security=true"
  8. Stop and start the ADFS 2.0 service:
    net stop adfssrv
    net start adfssrv

Don't forget to add the primary federation server to the load balancing configuration.

To migrate the other ADFS 2.0 servers in the farm, remove each server from the load balancing configuration, stop the service on it (net stop adfssrv), and then continue from step 5 above.

Afterwards add the servers back into the load balancing configuration to have it accept requests.
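Steps 5 to 8 for one farm node as a single script, with the read-back checks you want before returning the node to the load balancer. This is an added example, not code from the original post; the instance name, database names and the assumption that it runs elevated on the node are placeholders.

```powershell
# Added example (not from the original post): re-point one ADFS 2.0 farm node at the
# MS SQL configuration and artifact databases (steps 5 to 8) and verify the result.
# Assumptions: run elevated on the node; SQL instance and database names are placeholders.
$SqlInstance = "SQLSERVER01\ADFS"            # placeholder: your SQL server\instance
$ConfigDb    = "adfsconfiguration"
$ArtifactDb  = "adfsartifactstore"

$ConfigConn   = "data source=$SqlInstance; initial catalog=$ConfigDb;integrated security=true"
$ArtifactConn = "data source=$SqlInstance; initial catalog=$ArtifactDb;integrated security=true"

# Step 5: the configuration connection string lives in WMI and is changed while
# the service is stopped.
Stop-Service adfssrv
$Sts = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
$Sts.ConfigurationDatabaseConnectionString = $ConfigConn
$null = $Sts.Put()

# Read the value back from WMI instead of trusting the assignment.
$Sts = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
if ($Sts.ConfigurationDatabaseConnectionString -ne $ConfigConn) {
    throw "Configuration connection string was not updated"
}

# Step 6: the service must be running before the ADFS cmdlets can reach the farm.
Start-Service adfssrv

# Step 7: the artifact store connection string is a farm property.
Add-PSSnapin Microsoft.ADFS.PowerShell -ErrorAction SilentlyContinue
Set-ADFSProperties -ArtifactDbConnection $ArtifactConn

# Step 8: restart so both settings are picked up, then verify.
Restart-Service adfssrv
$Props = Get-ADFSProperties
if ($Props.ArtifactDbConnection -ne $ArtifactConn) {
    throw "Artifact connection string was not updated"
}
if ((Get-Service adfssrv).Status -ne "Running") {
    throw "adfssrv did not start"
}
Write-Host "Node now uses $SqlInstance; safe to return it to the load balancer"
```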

Filed under: ADFS, Microsoft

28 Jun 2011

Token Signing Certificate: The Root Certificate is invalid

When you try to add a trust relationship in SharePoint 2010 using the Central Administration you might get an error.

The root certificate that was just selected is invalid. This may be because the selected certificate requires a password and we do not support certificates that require a password. Please select another certificate.

I was certain that the certificate was correct and should be accepted. I managed to import the certificate through PowerShell.

  1. Import the certificate into the Windows Certificate Store, specifically the Personal store of the current user
  2. Start a SharePoint 2010 Management Shell session
  3. Locate the certificate in the Personal folder of the Windows Certificate Store and copy the Thumbprint:
    dir cert:\CurrentUser\My
  4. Run the following commands:
    $Cert = Get-Item ("cert:\CurrentUser\My\" + "<thumbprint>".Replace(" ", "").ToUpper())
    New-SPTrustedRootAuthority -Name "Token Signing Certificate" -Certificate $Cert

The certificate should now be imported and the trust should be visible in the Central Administration.
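The same import as a script that loads the public certificate straight from a .cer file (a variant of the certificate-store approach above) and checks the things that trip up the GUI: a private key in the file and an expired certificate. Added example, not code from the original post; the file path and trust name are placeholders.

```powershell
# Added example (not from the original post): import a token-signing certificate from
# a .cer file into SharePoint 2010 as a trusted root authority, with checks.
# Assumptions: SharePoint 2010 Management Shell; path and name below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$CerPath   = "C:\certs\adfs-token-signing.cer"   # placeholder: exported public certificate
$TrustName = "Token Signing Certificate"

# A password-protected PFX fails right here; an unprotected PFX loads but carries a
# private key. SharePoint only needs the public part to validate token signatures.
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
if ($Cert.HasPrivateKey) {
    throw "$CerPath contains a private key; export the public certificate (.cer) instead"
}
if ((Get-Date) -gt $Cert.NotAfter) {
    throw "Certificate expired on $($Cert.NotAfter)"
}

# Thumbprints copied from the certificate MMC contain spaces and may start with a
# hidden left-to-right mark; taking it from the object avoids that problem.
$Thumb = $Cert.Thumbprint.ToUpper()
Write-Host "Subject: $($Cert.Subject)"
Write-Host "Thumbprint: $Thumb"

# Idempotent: skip the import if a trusted root with this thumbprint already exists.
$Existing = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $Thumb }
if ($Existing) {
    Write-Host "Already trusted as '$($Existing.Name)'"
} else {
    New-SPTrustedRootAuthority -Name $TrustName -Certificate $Cert | Out-Null
    Write-Host "Imported '$TrustName'"
}

# Confirm what Central Administration will show.
Get-SPTrustedRootAuthority -Identity $TrustName |
    Select-Object Name, @{ n = "Thumbprint"; e = { $_.Certificate.Thumbprint } }
```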

28 Jun 2011

Enable Claims based authentication on an existing web application

When you provision a web application in SharePoint 2010 you get the option to enable claims-based authentication. After provisioning, however, there is no option in the GUI to turn it on. PowerShell saves the day again: the lines below switch an existing web application from classic to claims-based authentication.

$WebApp = Get-SPWebApplication "http://site:80"
$WebApp.UseClaimsAuthentication = $true
$WebApp.Update()

The user running these commands should be a member of the SharePoint_Shell_Access role on the config DB and a member of the WSS_ADMIN_WPG local group.

In some cases the web.config is not updated automatically with the entries needed to enable claims-based authentication; this then has to be done manually. To do so, read step 5 of this blog post.

27 Jun 2011

ADFS Error: The AD FS auditing subsystem could not register itself with the system. The auditing privilege is not held.

This error occurs when the ADFS service account lacks the user right needed to write audit events to the Security log.

To fix this error, grant the ADFS service account the right in the local security policy of the server running ADFS or, when the server is a Domain Controller, in the Default Domain Controllers Policy.

Local Security Policy

  1. Start the Local Security Policy console
  2. Locate the User Rights Assignment container and select it (Security Settings\Local Policies\User Rights Assignment)
  3. Double-click the Generate security audits node
  4. Add the service account of ADFS to the list

Default Domain Controller Policy

  1. Start the Group Policy Management Console
  2. Edit the Default Domain Controllers Policy (<Forest>\Domains\<Domain>\Group Policy Objects\Default Domain Controllers Policy)
  3. Locate the User Rights Assignment container and select it (Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment)
  4. Double-click the Generate security audits node
  5. Add the service account of ADFS to the list

You might have to run gpupdate and restart the service to have the changes take effect.
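To confirm the change actually reached the server before restarting the service, this added script (not from the original post) reads the ADFS service account and checks whether it appears in the effective holders of the Generate security audits right (SeAuditPrivilege). It assumes it runs elevated on the ADFS server and that gpupdate has already applied any domain policy.

```powershell
# Added example (not from the original post): verify that the ADFS service account holds
# "Generate security audits" (SeAuditPrivilege) in the effective local security policy.
# Assumptions: run elevated on the ADFS server after gpupdate; service name adfssrv.
$Service = Get-WmiObject Win32_Service -Filter "Name='adfssrv'"
if (-not $Service) { throw "adfssrv is not installed on this host" }

# StartName is e.g. CONTOSO\svc_adfs or NT AUTHORITY\NetworkService.
$Account = $Service.StartName
$Sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
          [System.Security.Principal.SecurityIdentifier]).Value

# secedit exports the effective local security database, including rights set by GPO.
$Export = Join-Path $env:TEMP "secpol-export.inf"
secedit /export /cfg $Export /areas USER_RIGHTS | Out-Null
$Line = Get-Content $Export | Where-Object { $_ -match '^SeAuditPrivilege\s*=' }
Remove-Item $Export -ErrorAction SilentlyContinue

# The right's holders are comma-separated; SIDs are prefixed with '*', names are not.
$Holders = @()
if ($Line) {
    $Holders = ($Line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}

$Held = ($Holders -contains $Sid) -or ($Holders -contains $Account)
if ($Held) {
    Write-Host "OK: $Account ($Sid) holds SeAuditPrivilege"
} else {
    Write-Host "MISSING: $Account ($Sid) does not hold SeAuditPrivilege"
    Write-Host "Current holders: $($Holders -join ', ')"
    Write-Host "Apply the policy change above, run gpupdate /force, then restart adfssrv"
}
```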

Filed under: ADFS, Microsoft