Restoring cloud services during an outage of the ADFS (Federation Services)

Share this:

The Federation Server role is crucial when integrating on-premises with the Microsoft Cloud and in this article we are going to demonstrate how an outage can impact the end-users. In order to avoid the workaround that we are going to perform here, make sure that you High Availability for the Federation Server role and on top of that my suggestion is to use a Load Balancer to improve performance and resilience for this crucial service.

Solution


The first step before we start bringing down the ADFS Server is to understand the scenario for this Tutorial. We will have in our internal network one server for each role: Windows Azure Active Directory Sync Tool, Active Directory Federation Server and Web Application Proxy. We do not have Exchange Server on-premises and all mailboxes are located in the Office365.

image[5]

We do have the Password Synchronization feature enabled, as we can check on the figure below.

image11

Bringing Federation Server down…

Let’s simulate an outage in our ADFS server, using services.msc we will stop the Active Directory Federation Services service as we show in the figure below.

image14

An user located in the internal network will try to logon on Office365 and the first page is to fill out the e-mail address which he has just done as we can see in the figure below, and then click next.

image17

Trouble in paradise? Yeah.. the end-user experience will be an error message, and if we look at the address on the address bar we can identify that is our Federation Server that is the culprit of the issue.

Note: Users that were logged on before the issue will not experience the issue.

image20

Buying time to fix the ADFS by re-establishing the authentication…

The goal is to restore the ADFS server as fast as we can however in some situation that may not be possible. We can disable Single Sign-On (SSO) for the time being, and the first step is to open Windows Azure Active Directory Module for PowerShell, and use the cmdlet below to authenticate on the Microsoft Azure.

Connect-MSOLService

image23

The next step is to change the authentication of the desired domain to Managed which will use the Windows Azure Active Directory to authenticate users instead of Federation Services. The cmdlet to perform the change is listed and shown below.

Set-MSOLDomainAuthentication –Authentication managed –DomainName apatricio.info

image26

After that, the end-user can go back to Office365 and after typing in the e-mail and hitting next.

image33

The end-user will notice something different, now the authentication is being requested, the user just need to type in the same password that he uses on Active Directory on-premises.

image29

Voilà! The user can have access to its e-mail even though the ADFS is not active because the changes that we just performed around authentication.

image36

Restoring the Single Sign-On..

Now that you have the users off your back, you will have time to restore the ADFS, and as soon as you have the server operational and validated we can restore the Single Sign-On. The process is simple, we just need to run the cmdlet below to bring the SSO back on.

Convert-MSOLDomainToFederated –DomainName apatricio.info

image39

Conclusion


In this Tutorial we tested what happens to the end-users when the Federation Services are down and the end-user experience. We also demonstrated a workaround to avoid a major service outage for the end-users by changing the authentication.

Written by Anderson Patricio

Anderson Patricio

Anderson Patricio is a Canadian MVP in Cloud and Datacenter Management, and Office Server and Services, besides the Microsoft Award he also holds a Solutions Master (MCSM) in Exchange and several other certifications. Anderson has been contributing to the Microsoft Community with articles, tutorials, blog posts, twitter, forums and book reviews. He is a regular contributor here at ITPROCentral.com, MSExchange.org, Techgenix.com and Anderson Patricio.org (Portuguese).