Tips for Upgrading or Moving ADFS 2.0

I recently spent too much time trying to get an ADFS Server upgraded, in my case from Windows Server 2008 to 2008 R2.  Like many SharePoint folks that are just trying to get along in a claims happy world, seemingly simple things like this can cause a surprising amount of churn.  Here are some tips that may help you get through it:

  • There really isn't a straight upgrade path from ADFS 2.0 on Windows Server 2008 to Windows Server 2008 R2.  It just completely uninstalled ADFS for me.  So once you're done you'll need to start over from scratch, sort of.  I recommend you back up the database first.  More on that next.
  • ADFS really wants to use that dang Windows Internal Database.  If you're just trying to get things up and going for your SharePoint farm then that's often okay.  So how do you manage it though when you need to backup and restore the database?  Fortunately there is a free download for managing it.  The link I found said SQL Server 2005 but it still worked fine with Windows Internal Database.  I downloaded the tool from https://www.microsoft.com/download/en/details.aspx?DisplayLang=en&id=8961, where it calls the tool "SQL Server Management Studio Express".
  • The connection you need to use when you open the tool is about as unintuitive as you will find, so I will just paste it here; you should be able to copy from here and paste into the tool when the connect dialog opens:  "\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query" (without the quote marks)
  • When you install ADFS again, you may get a warning after you complete the ADFS wizard that says something like the ADFS web site is already installed so it didn't overwrite the contents of it.  It then gives you a link that it tells you to follow if you want to redeploy the web site.  NEWSFLASH:   the link is WORTHLESS!  Shocking, I know...please hold your gasps of disbelief in abeyance for now.  What's more irritating is that if you look in the IIS Manager snap-in you will not see any ADFS virtual directories.  Frustrating!  Turns out you need to use appcmd to delete the vdirs.  I did it with these two commands:
      C:\Windows\System32\inetsrv>appcmd delete app "Default Web Site/adfs/card"
      C:\Windows\System32\inetsrv>appcmd delete app "Default Web Site/adfs/ls"
  • Now, after you've done all that goo you can run the ADFS wizard again to get everything set up.  Once it's all up then you can restore the databases that you backed up from above.  Here's a tip to help with that though:
      1. Close the ADFS Management app if you have it open
      2. Stop the ADFS service
      3. Restore the AdfsConfiguration database first
      4. Start the ADFS service
      5. Restore the AdfsArtifactStore database
      6. Open up the ADFS Management app and everything should be working and restored
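The backup-before-upgrade step and the ordered restore above can both be scripted against the Windows Internal Database over the same named pipe used for Management Studio Express.  The script below is an added example, not something from the original post or from Microsoft; it assumes the backups live in C:\AdfsBackup, that the ADFS 2.0 Windows service is named adfssrv, and that it is run elevated by an account that is a sysadmin on WID (normally the account ADFS was installed with).

```powershell
# Added example (not from the original post): back up and restore the two ADFS 2.0 databases
# in the Windows Internal Database (WID) over the named pipe quoted in the post.
# Assumptions (adjust for your server): backup folder C:\AdfsBackup, ADFS 2.0 service name
# "adfssrv", and the caller is a WID sysadmin running an elevated PowerShell session.

$WidPipe   = '\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query'   # connection string from the post
$BackupDir = 'C:\AdfsBackup'                                # assumed backup location
$AdfsSvc   = 'adfssrv'                                      # assumed ADFS 2.0 service name

function Invoke-WidSql {
    # Runs one T-SQL batch against WID with Windows authentication and returns nothing.
    param([Parameter(Mandatory=$true)][string]$Sql)
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Data Source=$WidPipe;Initial Catalog=master;Integrated Security=True"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText    = $Sql
        $cmd.CommandTimeout = 600   # a large AdfsArtifactStore can take a while
        [void]$cmd.ExecuteNonQuery()
    } finally {
        $conn.Close()
    }
}

function Backup-AdfsWidDatabases {
    # Full backup of both ADFS databases; run this BEFORE the OS upgrade uninstalls ADFS.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($db in 'AdfsConfiguration', 'AdfsArtifactStore') {
        $file = Join-Path $BackupDir "$db.bak"
        Invoke-WidSql "BACKUP DATABASE [$db] TO DISK = N'$file' WITH INIT, CHECKSUM"
        # Prove the .bak is readable before you rely on it; a restore is the wrong time to find out.
        Invoke-WidSql "RESTORE VERIFYONLY FROM DISK = N'$file' WITH CHECKSUM"
        Write-Host "Backed up $db to $file"
    }
}

function Restore-AdfsWidDatabase {
    # Kicks other sessions off the database, overwrites it from the .bak, then reopens it.
    # Done as one batch so the same connection holds the database through the restore.
    param([Parameter(Mandatory=$true)][string]$Name)
    $file = Join-Path $BackupDir "$Name.bak"
    if (-not (Test-Path $file)) { throw "Backup file $file not found" }
    Invoke-WidSql @"
ALTER DATABASE [$Name] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
RESTORE DATABASE [$Name] FROM DISK = N'$file' WITH REPLACE, CHECKSUM;
ALTER DATABASE [$Name] SET MULTI_USER;
"@
    Write-Host "Restored $Name from $file"
}

function Restore-AdfsWidDatabases {
    # Same order as the post: configuration first with the service stopped,
    # then the artifact store after the service is back up.
    Stop-Service -Name $AdfsSvc
    Restore-AdfsWidDatabase -Name 'AdfsConfiguration'
    Start-Service -Name $AdfsSvc
    Restore-AdfsWidDatabase -Name 'AdfsArtifactStore'
}

# Usage:
#   Backup-AdfsWidDatabases    # on the server before the upgrade
#   Restore-AdfsWidDatabases   # after the fresh ADFS install, with the ADFS Management app closed
```

Close the ADFS Management snap-in before running the restore, as the post says; an open snap-in holds a connection to AdfsConfiguration and SINGLE_USER WITH ROLLBACK IMMEDIATE will just kill it anyway, but you would rather not have it reading half-restored data.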
  • Finally you want to see what it's using for the token signing certificate.  It will again try to use the self-signed certificate that it creates at install time.  However if you had previously been using a different certificate that will of course break when you try to go to any SharePoint sites that were working previously with it (the old not trusted root authority message that I described at https://blogs.technet.com/b/speschka/archive/2010/02/13/root-of-certificate-chain-not-trusted-error-with-claims-authentication.aspx).  However, before you can just add a new token signing certificate you must run these PowerShell commands on the ADFS server:
      Add-PSSnapin Microsoft.Adfs.PowerShell
      Set-AdfsProperties -AutoCertificateRollover $false
  • If you add a token signing certificate, remember to make it the Primary certificate if that's how you had it configured previously.
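Putting the last two bullets together, here is an added example (not from the original post) of the full token signing certificate fix-up in the ADFS 2.0 PowerShell snap-in: turn rollover off, register the certificate you were using before the rebuild, make it primary, and print what SharePoint will now be asked to trust.  It assumes the certificate and its private key have already been imported into the computer's Personal store, and the thumbprint value is a placeholder you replace with your own.

```powershell
# Added example (not from the original post): re-register the previous token signing
# certificate on a rebuilt ADFS 2.0 server and make it primary.
# Assumptions: the cert (with private key) is already in Cert:\LocalMachine\My and the
# thumbprint below is replaced with the real one; service name "adfssrv" is assumed.

$TokenSigningThumbprint = 'REPLACE_WITH_YOUR_CERT_THUMBPRINT'   # placeholder, not a real thumbprint
$AdfsSvc = 'adfssrv'

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# With rollover on, ADFS keeps managing (and eventually replacing) the signing certs itself,
# which is exactly what breaks a SharePoint trust that was pinned to a specific cert.
Set-AdfsProperties -AutoCertificateRollover $false

# Sanity check: the cert must be in the machine store with a private key or signing will fail.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $TokenSigningThumbprint }
if (-not $cert)               { throw "Certificate $TokenSigningThumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $TokenSigningThumbprint has no private key" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $TokenSigningThumbprint has expired" }

# Register it as a token signing cert if it is not already there, then promote it to primary.
$registered = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.Thumbprint -eq $TokenSigningThumbprint }
if (-not $registered) {
    Add-AdfsCertificate -CertificateType Token-Signing -Thumbprint $TokenSigningThumbprint
}
Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint $TokenSigningThumbprint -IsPrimary

# Restart so the STS starts signing with the new primary (assumed service name).
Restart-Service -Name $AdfsSvc

# The primary cert here is the one your SharePoint SPTrustedIdentityTokenIssuer must trust;
# compare this thumbprint with the one in the SharePoint trust before testing a sign-in.
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object CertificateType, IsPrimary, Thumbprint,
        @{ Name = 'NotAfter'; Expression = { $_.Certificate.NotAfter } }
```

Leaving the install-time self-signed certificate registered as a secondary is harmless for SharePoint, which only validates against the certificate in its trust; the failure mode the post describes only occurs when the self-signed one is primary.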

Hope this is helpful to you.