Embed Size (px)
Citation preview
ADConnect SSO over Network Load Balance Cluster This article outlines the steps required to configure ADConnect SSO over Network Load Balance Cluster. Example settings and installation/configuration steps in this article use Network Load Balancing, a clustering technology included in the Microsoft Windows Server 2008 operating systems. If you are using a different network load balancing solution, please consult with your vendor’s documentation to replicate the steps covered in this document. Contents 1 Configuring NLB Cluster for ADConnect SSO high avaliability
1.1 Pre-‐requisites & example settings
1.2 Installation
1.3 Configuration
1.4 Using ADConnect SSO with cluster 2 Notes 3 Links 1. Configuring NLB Cluster for ADConnect SSO high availability 1.1 Pre-‐requisites & example settings Example is given for minimal possible NLB cluster configuration 1xAD + 2xIIS instances. 1. Active Directory running on dedicated windows box (Windows 2008R2)
1. static IP: 192.168.1.1
2. hostname: ad.acme.com
3. servicing domain: acme.com 2. First IIS server
1. joined to acme.com
2. 2 NIC interfaces (one for domain communication, another for NLB communication)
1. dhcp of static IP: 192.168.1.129 (for domain)
2. static IP: 172.16.194.6 (for NLB)
3. hostname: iis1.acme.com 3. Second IIS server
1. joined to acme.com
2. 2 NIC interfaces (one for domain communication, another for NLB communication)
1. dhcp of static IP: 192.168.1.130 (for domain)
2. static IP: 172.16.194.7 (for NLB)
3. hostname: iis2.acme.com
1.2 Installation 1. Install ADConnect on iis1.acme.com and ii2.acme.com 2. Disable ADConnect Provisioner Service on one of the instances:
1. Start -‐> Administrative Tools -‐> Services -‐> ADConnect Provisioner Service -‐> Stop, Startup Type -‐> Disabled
3. Export signing certificate with private key from master node (iis1.acme.com)
1. Open MMC application: Start -‐> Run... -‐> mmc -‐> OK
2. Add Certificates snap-‐in for Local Computer account: File -‐> Add/Remove Snap-‐in... -‐> Choose Certificates -‐> Add -‐> Choose Computer Account
-‐> Next -‐> Choose Local Computer -‐> Finish -‐> OK
3. Navigate to Certificates (Local Computer) -‐> Personal -‐> Certificates -‐> locate signing cert (it matches full domain name of computer) -‐> Right click -‐> All tasks -‐> Export...
è Next -‐> Choose Yes, export the private key -‐> Next -‐> Next -‐> type password for certificate file -‐> Next -‐> choose filename -‐> Next -‐> Finish
4. Import signing certificates to other nodes (iis2.acme.com)
1. Open MMC Application -‐> Add Certificates snap-‐in for Local Computer account -‐> Navigate to Personal/Certificates -‐> Right click -‐> All Tasks -‐> Import... -‐> Select certificate file -‐> Enter password -‐> Finalize wizard
2. Repeat same procedure for Trusted People/Certificates 5. Grant IIS process access to signing keys on child nodes (iis2.acme.com)
1. Open MMC Application -‐> Add Certificates snap-‐in for Local Computer account -‐> Navigate to Personal/Certificates -‐> Right click -‐> All Tasks -‐> Manage private private keys... -‐> Add -‐> type IIS_IUSRS -‐> OK -‐> OK
6. Update Web.config file to use new signing certificate 1. Open c:\Program Files (x86)\Ping Identity\ADConnect\SSO\Web.config 2. change value for saml.signing.cert to match new signing certificate
7. Install Network Load Balancing feature on both IIS nodes: iis1.acme.com and
iis2.acme.com 1. Server Manager -‐> Features -‐> Add Features -‐> Network Load Balancing
1.3 Configuration 1. Open Network Load Balancing Manager: Start -‐> Administrative Tools -‐>
Network Load Balancing Manager 2. Create new cluster:
1. Cluster -‐> New 2. Enter first IIS box NLB IP in the Host field: 172.16.194.6 , click Connect
3. Select NLB NIC from the list: 172.16.194.6, click Next
4. Assign unique host id (1), click Next
5. Press Add to create virtual Cluster IP (or IPs), it should be in the same subnet with NLB hosts, enter: 172.16.194.100, specify appropriate network mask, click Next when done
6. Select virtual Cluster IP: 172.16.194.100 , provide optional internet name
7. Set cluster operation mode to Multicast (also see Notes section below), click Next
8. Finalize wizard by setting port rules if needed (or skip)
9. Wait until first cluster node enter Converged state
10. Right click on Cluster node -‐> Add Host to Cluster 11. Enter second IIS box NLB IP in the Host field: 172.16.194.7, click Connect 12. Select NLB NIC from the list: 172.16.194.7, click Next
13. Assign unique host id (2), click Next 14. Finalize wizard by setting port rules if needed (or skip) 15. Wait until all cluster nodes enter Converged state
1.4 Using ADConnect SSO with cluster
1. Use virtual cluster IP to access ADConnect SSO application: https://172.16.194.100/adconnect/startsso.aspx (don't use individual IIS boxes ip addresses)
2. Now it's possible to turn off and on IIS boxes configured as part of cluster with automatic failover to alive nodes. Also additional IIS nodes can be transparently added to cluster if needed.
2. Notes
1. Microsoft recommends using Unicast cluster operation mode, which is compatible with all routers/switches/network devices. But VMWare recommends using Multicast if configuring NLB cluster on virtualized hardware.
2. NLB ips must be static, NLB does not support DHCP protocol
3. Links
1. MSDN: http://technet.microsoft.com/en-‐us/library/cc770558.aspx
2. VMWare: http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=1006778&sliceId=1&docTypeID=DT_KB_1_1&dialogID=256272877&stateId=1%200%20256278596
