ADFS 3.0/WAP (2012 R2) to ADFS 4.0/WAP (2016) Upgrade Gotchas

With the introduction of the new version of ADFS in Windows Server 2016, Microsoft introduced the possibility to run ADFS in compatibility mode and to upgrade your existing configuration to ADFS 4.0 (2016).

Although the upgrade path, as described in https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016, seems to be pretty simple, there are some issues that blocked my upgrade.

Permission Error Upgrading a SQL based ADFS Farm

If you upgrade a farm that’s using a SQL database for its configuration you might encounter the following error:

Invoke-AdfsFarmBehaviorLevelRaise : Database upgrade could not be performed on localhost. Error: Unable to connect to
the database. You may not have permission to create the AD FS configuration database in the specified SQL server. You
can do one of the following: (1) have the SQL administrator grant permissions to you to create the AD FS configuration
database in the specified SQL server or (2) have the SQL administrator create the AD FS configuration database by
running SQL scripts. Use the Export-ADFSDeploymentSQLScript to create the SQL scripts. After the SQL administrator
runs the scripts, try the command again specifying that the database is to be overwritten.
.
At line:1 char:1
+ Invoke-AdfsFarmBehaviorLevelRaise
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Invoke-AdfsFarmBehaviorLevelRaise], RemoteException
+ FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Deployment.Commands.InvokeUpgradeFarmBehaviorCommand

Although everything seems to be correct, the upgrade fails. The error shown relates to Install-AdfsFarm (which is probably started from within this command). In my situation the options it suggests were not a proper solution, because the next error was that the database already existed and that an overwrite parameter should be provided. Invoke-AdfsFarmBehaviorLevelRaise does not offer such a parameter.

In my situation the proper solution was to explicitly provide a domain admin / SQL admin account to Invoke-AdfsFarmBehaviorLevelRaise:

Invoke-AdfsFarmBehaviorLevelRaise -Credential (get-credential)

Afterwards the upgrade was successful.

WAP Published Application Issues

In my configuration I had some applications named “Application 1 (url:https://application.com/app)”. This worked perfectly on WAP 2012 R2, but in WAP 2016 it stopped working, resulting in an HTTP 500 error in the client and an event log entry with event ID 12019:

Web Application Proxy could not create a listener for the following URL: https://application.com/app/.
Cause: The filename, directory name, or volume label syntax is incorrect.
(0x8007007b).

Somehow WAP 2016 cannot work with slashes in the name of the published application.

The easiest way to solve this issue is to run the following command on the WAP node (as Administrator):

Get-WebApplicationProxyApplication -Name "Application 1 (url:https://application.com/app)" | Set-WebApplicationProxyApplication -Name "<NewName>"

Please note that you should run this on the existing 2012 R2 node when still running in compatibility mode.
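
To find every affected application in one pass, the following added example (not part of the original post) lists published applications whose names contain characters that are invalid in a Windows file name and optionally renames them. Treating all invalid file-name characters as problematic is an assumption generalised from the slash case above; Get-SafeWapName, Repair-WapApplicationName and the -Apply switch are hypothetical names.

```powershell
# Added example, not from the original post.
# Assumption: any character that is invalid in a Windows file name can trigger
# the listener error (0x8007007b); the post itself only confirms slashes.
function Get-SafeWapName {
    param([Parameter(Mandatory)][string]$Name)
    $invalid = [System.IO.Path]::GetInvalidFileNameChars()
    $chars = foreach ($c in $Name.ToCharArray()) {
        if ($invalid -contains $c) { '-' } else { $c }
    }
    # Collapse runs of the replacement character and trim the ends
    ((-join $chars) -replace '-{2,}', '-').Trim(' -')
}

function Repair-WapApplicationName {
    param([switch]$Apply)   # without -Apply the function only reports
    foreach ($app in Get-WebApplicationProxyApplication) {
        $safe = Get-SafeWapName -Name $app.Name
        if ($safe -eq $app.Name) { continue }   # name is already fine
        if ($Apply) {
            Set-WebApplicationProxyApplication -ID $app.ID -Name $safe
        }
        [pscustomobject]@{
            ID      = $app.ID
            OldName = $app.Name
            NewName = $safe
            Renamed = [bool]$Apply
        }
    }
}

# Constructed sample: the application name used in the post
Get-SafeWapName -Name 'Application 1 (url:https://application.com/app)'

# Report only; rerun with -Apply to rename the listed applications
Repair-WapApplicationName | Format-Table -AutoSize
```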

Upgrade WAP 2012 R2 to WAP 2016 configuration version

I couldn’t find any official procedures for upgrading the WAP 2012 R2 configuration level to WAP 2016, so let me briefly describe how to do it. It’s quite easy. To fully leverage the functionality of the Web Application Proxy role in Server 2016 you need to run the following command on a WAP 2016 node:

Set-WebApplicationProxyConfiguration -UpgradeConfigurationVersion

Afterwards you cannot use the old WAP 2012 R2 nodes in your farm anymore. So remove them from any HLB/NLB cluster you might have.

Documentation for the Set-WebApplicationProxyConfiguration command is found at https://technet.microsoft.com/en-us/library/dn283406.aspx.

Removing offline ADFS Farm Members

My lab ADFS farm is a farm where I did a lot of experimenting with ADFS 3.0. During the Technical Preview period of Server 2016 I also had an ADFS 2016 farm node running in this farm for a while. And, against all the rules, I did not remove that node correctly. This farm node still existed in the ADFS configuration database and blocked the upgrade to ADFS 2016.

The official way to remove an ADFS farm node from an ADFS farm is by entering the following command:

Uninstall-WindowsFeature ADFS-Federation -IncludeManagementTools

But how do you remove a farm member when it’s offline? You could use SQL to remove the specific farm node from the farm. A word of caution: this is not a supported way of doing it, but in my situation it helped.

  1. Open SQL Management Studio and select the ADFSConfigurationDatabase.
  2. Open a New Query.
  3. Enter the following command to remove the node by using the FQDN of this node (consider querying the table first, before actually removing the row):
    DELETE
    FROM [IdentityServerPolicy].[FarmNodes]
    WHERE FQDN = 'ADFSNodeFQDN'
    GO
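
The query-before-delete advice in step 3 can be scripted so that the delete only commits when exactly one row matches; this is an added example, not part of the original post, and it is just as unsupported as the manual query. The function name, its parameters and the -Apply switch are hypothetical, and the server and database names must be supplied for your own farm.

```powershell
# Added example, not from the original post. $SqlServer and $Database are
# placeholders for your own AD FS configuration database.
function Remove-OfflineAdfsFarmNode {
    param(
        [Parameter(Mandatory)][string]$SqlServer,
        [Parameter(Mandatory)][string]$Database,
        [Parameter(Mandatory)][string]$NodeFqdn,
        [switch]$Apply   # without -Apply the delete is always rolled back
    )
    $connString = "Server=$SqlServer;Database=$Database;Integrated Security=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    $conn.Open()
    try {
        $tx = $conn.BeginTransaction()
        $cmd = $conn.CreateCommand()
        $cmd.Transaction = $tx

        # Look before deleting: list every node registered in the farm
        $cmd.CommandText = 'SELECT FQDN FROM [IdentityServerPolicy].[FarmNodes]'
        $reader = $cmd.ExecuteReader()
        $nodes = while ($reader.Read()) { [string]$reader['FQDN'] }
        $reader.Close()
        Write-Output "Registered nodes: $($nodes -join ', ')"

        # Parameterised, so the FQDN is never spliced into the SQL text
        $cmd.CommandText =
            'DELETE FROM [IdentityServerPolicy].[FarmNodes] WHERE FQDN = @fqdn'
        [void]$cmd.Parameters.AddWithValue('@fqdn', $NodeFqdn)
        $deleted = $cmd.ExecuteNonQuery()

        if ($Apply -and $deleted -eq 1) {
            $tx.Commit()
            Write-Output "Removed $NodeFqdn"
        } else {
            # Dry run, or not exactly one row matched: leave the table untouched
            $tx.Rollback()
            Write-Output "Rolled back; $deleted row(s) matched $NodeFqdn"
        }
    } finally {
        # Disposing the connection also rolls back an unfinished transaction
        $conn.Dispose()
    }
}
```

Run it once without -Apply to see the registered nodes and the number of matching rows, then again with -Apply to commit the removal.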

With this final blocker removed, I was finally able to upgrade to ADFS 2016.
