If you wish to use AuthAnvil Two Factor Auth in a redundant failover scenario in isolated or teamed web farms or clusters, you must transfer the encryption keys from the primary (first) SAS to every other web server that you configure in the farm. Failing to do so will prevent secondary IIS servers from properly deciphering the key data stored in the SQL database, preventing authentications from occurring.
NOTE: Configuring a redundant web server is currently only available for AuthAnvil v4.1 and v3.5. AuthAnvil Two Factor Auth v4.5 and v4.6 are currently under testing for a multiple-server redundant configuration. This article will be updated with further information to document the steps for our latest versions.
The following steps should help you to deploy multiple AuthAnvil Two Factor Auth SAS servers on IIS6 or IIS7. You will need to download and unzip ManageCipherKey.exe from our support website before you begin:
NOTE: When converting an existing AuthAnvil Two Factor Auth deployment for redundancy, always take a backup of your existing database first. Instructions for backing up an AuthAnvil Two Factor Auth Database can be found in the Backing up the AuthAnvil Two Factor Auth Database section of the AuthAnvil Two Factor Auth Installation Guide.
- Install AuthAnvil Two Factor Auth on SRV1 using the instructions in the AuthAnvil Two Factor Auth Installation Guide.
- Open a command prompt window on SRV1. If you are on Windows Server 2008 or newer, you must elevate this window (Run as Administrator).
- Navigate to the location where you unzipped ManageCipherKey and run the following command: ManageCipherKey.exe -b. This will create a filename.key file.
- Install AuthAnvil Two Factor Auth to SRV2. During the install, use a dummy database. You can either allow the installer to install a SQL Server instance for you, or you can install to an existing SQL server.
NOTE: This dummy SQL instance or database can be uninstalled after this procedure is complete.
NOTE: In AuthAnvil v3.5, the AuthAnvil Configuration Wizard opens after the installation is complete. Close this tool without completing the configuration, because it would store these values in the dummy database.
- Copy ManageCipherKey.exe and the filename.key file from SRV1 to SRV2.
- Open a command prompt window on SRV2. If you are on Windows Server 2008 or newer, you must elevate this window (Run as Administrator).
- Run the following command: ManageCipherKey.exe -r filename.key. This will import the cipher keys into the appropriate DPAPI store.
- Reset the password on the AADBuser account in Active Directory to a known value. If you are not in an Active Directory environment you will need to reset the passwords on both servers, as they refer to 2 separate user accounts. In that case, make sure that the passwords are identical.
- On both SRV1 and SRV2, run the AAWebConfigEditor.exe, located by default in C:\Program Files\Scorpion Software\AuthAnvil\AuthAnvilTools\AAWebConfigEditor.exe. Tab through the controls until Apply is highlighted, then press Ctrl + O. This will enable editing of the impersonation fields.
- On SRV1, enter the new AADBuser password and click Apply.
- On SRV2, set the database connection string to match the database connection string on SRV1 by changing the server name in the Server parameter, then enter the new AADBuser password and click Apply.
- Run an IISReset on both SRV1 and SRV2 to reload the configurations.
At this point, you can configure AuthAnvil Two Factor Auth agents to use either server. Of course, in an environment with a load balancer this will be taken care of for you. With the proper cipher keys on all front end servers, AuthAnvil Two Factor Auth should be able to authenticate to the database(s) on the backend from any point.
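The exported key file carries the cipher keys between servers, so it is worth locking down and checking for integrity around the copy from SRV1 to SRV2. The following script is an added example, not part of the vendor's tooling: it restricts the file's ACL, prints a SHA-256 value on SRV1, and on SRV2 refuses to run the import from the procedure unless the copied file matches that value. It assumes Windows PowerShell 3.0 or later in an elevated session; the script name Protect-CipherKeyTransfer.ps1 and its parameters are hypothetical.

```powershell
# Protect-CipherKeyTransfer.ps1 (added example, hypothetical name; not vendor code).
# Run elevated from the folder that holds ManageCipherKey.exe.
param(
    [Parameter(Mandatory=$true)] [string] $KeyFile,  # file created by "ManageCipherKey.exe -b"
    [string] $ExpectedSha256                         # value printed on SRV1; omit when on SRV1
)
$ErrorActionPreference = 'Stop'

# Limit the key file to Administrators and SYSTEM and stop ACL inheritance.
function Protect-KeyFile([string] $Path) {
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)      # protected, inherited rules dropped
    foreach ($sid in 'S-1-5-32-544', 'S-1-5-18') {   # BUILTIN\Administrators, SYSTEM
        $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# SHA-256 of a file as an upper-case hex string, using .NET directly.
function Get-Sha256Hex([string] $Path) {
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    try {
        $digest = $sha.ComputeHash([System.IO.File]::ReadAllBytes($full))
        return [System.BitConverter]::ToString($digest).Replace('-', '')
    } finally { $sha.Clear() }
}

Protect-KeyFile $KeyFile
$actual = Get-Sha256Hex $KeyFile

if (-not $ExpectedSha256) {
    # SRV1: note this value and supply it as -ExpectedSha256 on SRV2.
    Write-Output "SHA256 of ${KeyFile}: $actual"
    return
}

# SRV2: compare before importing (-ne on strings ignores case).
if ($actual -ne $ExpectedSha256.Trim()) {
    throw "Hash mismatch for $KeyFile; the import was not run."
}
& .\ManageCipherKey.exe -r $KeyFile                  # import command from the procedure
Write-Output "Import command run. Store or delete $KeyFile according to your backup policy."
```

Run it on SRV1 right after the export with only -KeyFile, then on SRV2 with both parameters in place of typing the import command by hand.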
If during this process you have any difficulties, please open a new case in the Customer Portal. You can find instructions on how to do that here.