No matter what service or solution you use, you need to consider the availability of the information. Do you have a fallback position to go to if the primary system is not available? There is always more cost involved as you try to reach uptime nirvana, so you need to balance cost against availability needs. The good news is that AuthAnvil Password Solutions were designed to support Microsoft’s Patterns and Practices for IT scaling and management, which means you have a whole host of options at your disposal.
On the backend, you can use SQL clustering. If you don’t wish to purchase the licensing and servers required to do SQL clustering, we also support the use of Microsoft’s SQL Azure, which is automatically configured in a high-availability clustering mode.
Tip: Realize that if you use SQL Azure for clustering you have to account for the latency of the round trip between the cloud-based database and any on-premises front-end servers. Our recommendation is that if you use SQL Azure, consider using Windows Azure Virtual Machines and select data centers in the same geographic affinity group. This way you are using the data center backbone speeds for access to the information, avoiding much of the network latency over the Internet and gaining considerable performance.
If you are planning to use SQL Express and have a secondary hot-swap backup server, take advantage of our data forklifting through the AuthAnvil backup tools. You can automate the movement of the entire database infrastructure, cipher keys and certificates using command line tools that create an entire XML backup set that can be restored to any new AuthAnvil instance immediately. Please review the installation guides for your version of AuthAnvil to get complete information on how to create and restore backups of your dataset.
Note: An AuthAnvil backup file contains everything required to restore and recreate all the encryption keys and certificates of the system as well as the data. As such, this file should be considered EXTREMELY sensitive and should be properly safeguarded. The backup should be run with the output stored in a strongly ACL’d folder and should be backed up to encrypted media. While the data itself stays encrypted in the file, the cipher keys exist in a recoverable manner to permit restoration in the same file. Always keep a documented chain of custody of this file and destroy it as soon as it is no longer needed.
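As an added example (this is not Scorpion Software's tooling, and the AuthAnvil backup command itself is not shown), the following PowerShell prepares the kind of restricted output folder the note calls for and writes a chain-of-custody record for a backup file. The folder path, the operator group and the backup file name are assumptions for the demo.

```powershell
# Added example, not part of AuthAnvil: create a tightly ACL'd folder for the
# backup set and log a chain-of-custody record for each backup file handled.
# Paths, the operator group and the backup file name are assumptions.

function New-RestrictedBackupFolder {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed group allowed to handle the backup; narrow it to your backup operators.
        [string] $OperatorGroup = 'BUILTIN\Administrators'
    )
    $dir = New-Item -ItemType Directory -Path $Path -Force
    $acl = Get-Acl -Path $dir.FullName
    # Break inheritance and discard the inherited entries (e.g. Users: Read & execute),
    # so only the explicit rules added below apply when the ACL is written back.
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($identity in @('NT AUTHORITY\SYSTEM', $OperatorGroup)) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, 'FullControl', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $dir.FullName -AclObject $acl
    return $dir.FullName
}

function Write-CustodyRecord {
    param(
        [Parameter(Mandatory)] [string] $BackupFile,
        [Parameter(Mandatory)] [string] $LogFile,
        [Parameter(Mandatory)] [string] $Reason   # e.g. 'seed standby server'
    )
    # The SHA-256 lets anyone later prove the file they hold is the one that was logged.
    $hash = (Get-FileHash -Path $BackupFile -Algorithm SHA256).Hash
    $record = [pscustomobject]@{
        Timestamp = (Get-Date).ToUniversalTime().ToString('o')
        Operator  = "$env:USERDOMAIN\$env:USERNAME"
        Host      = $env:COMPUTERNAME
        File      = (Resolve-Path -Path $BackupFile).Path
        SizeBytes = (Get-Item -Path $BackupFile).Length
        Sha256    = $hash
        Reason    = $Reason
    }
    # One JSON line per event keeps the log easy to grep and to ship to a SIEM.
    $record | ConvertTo-Json -Compress | Add-Content -Path $LogFile
    return $record
}

# Usage (assumed paths):
# $out = New-RestrictedBackupFolder -Path 'D:\AuthAnvilBackup'
# ... run the AuthAnvil backup tool with its output directed to $out ...
# Write-CustodyRecord -BackupFile "$out\backup-set.xml" -LogFile "$out\custody.log" -Reason 'seed standby server'
```

Log a record again when the file is copied to encrypted media and when it is destroyed, so the custody log shows every hand the file passed through.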
On the front end, we recommend that you set up web server teaming using the built-in Network Load Balancing (NLB) role in Windows Server. Having a minimum of two separate IIS servers, and following our guidance on moving the appropriate keys between the servers, will give you a reliable front-end infrastructure. You can also use this to your advantage to handle load: if concurrent access rises to a level where you need more performance, adding a new front-end server to the cluster distributes the load more evenly. If you are using dynamic/elastic computing resources, you can spin instances up and down at critical times of the day, such as first thing in the morning and just after lunch. The heaviest load comes from handling hundreds of thousands of concurrent requests in the most demanding environments, such as when AuthAnvil Single Sign On and AuthAnvil Two Factor Auth are used with cloud services like Office 365 and MS Dynamics CRM Online.
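As an added example (not part of the AuthAnvil guide), this PowerShell builds the two-node NLB cluster described above and limits the cluster port rule to HTTPS only, so the virtual IP exposes nothing but the web services. Host names, the interface name and the cluster IP are assumptions; the key-moving steps from the installation guide are still required on each node.

```powershell
# Added example, not Scorpion Software's own procedure: create a two-node NLB
# cluster for the AuthAnvil front-end IIS servers. Run on the first IIS node.
$clusterName = 'authanvil-fe'      # assumed cluster name
$clusterIp   = '10.0.0.50'         # assumed virtual IP that clients will use
$subnetMask  = '255.255.255.0'
$interface   = 'Ethernet'          # assumed NIC name, must exist on both nodes
$secondNode  = 'AAWEB02'           # assumed host name of the second IIS server

# The NLB feature has to be present on every node that joins the cluster.
Install-WindowsFeature -Name NLB -IncludeManagementTools
Invoke-Command -ComputerName $secondNode -ScriptBlock {
    Install-WindowsFeature -Name NLB -IncludeManagementTools
}

# Create the cluster on this node. Multicast keeps the NIC's own MAC usable for
# management traffic; confirm with your switch vendor which mode it supports.
New-NlbCluster -InterfaceName $interface -ClusterName $clusterName `
    -ClusterPrimaryIP $clusterIp -SubnetMask $subnetMask -OperationMode Multicast | Out-Null

# The default port rule spans 0-65535. Replace it with a single HTTPS rule so the
# cluster VIP never balances (or exposes) anything but the AuthAnvil web services.
# Single affinity pins a client to one node, which keeps its web session intact.
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -StartPort 443 -EndPort 443 -Protocol TCP `
    -Mode Multiple -Affinity Single | Out-Null

# Join the second IIS server, then show the converged state of both nodes.
Add-NlbClusterNode -NewNodeName $secondNode -NewNodeInterface $interface | Out-Null
Get-NlbClusterNode | Format-Table Name, State, HostPriority
```

Point DNS for the AuthAnvil service at the cluster IP rather than at either node, and keep the nodes' own addresses reachable only from management networks.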
From a cost perspective, we have found that a combination of a couple of Windows Azure VMs using NLB with a SQL Azure backend database cluster fits the most demanding needs of a typical MSP. You get the benefit of moving the critical infrastructure to the cloud where it is typically better managed, and can take advantage of other network infrastructure like front end load balancers and data center environments. In many cases, you can completely build this out for less than $250/month. That includes all server and database licenses as well as the physical data store and virtual machine instances. Subscribe to our blog at http://blog.scorpionsoft.com for access to future eBooks that explain how to build fault tolerant environments using Windows Azure and Amazon EC2.
There is one thing to consider when you decide to use a secured, centralized password management system: you need network access to the environment. Since the passwords will not be stored on your mobile device or laptop, you have to have access to an Internet connection. Consider this as you think about where staff may need access. If they are in a physical data center, it may not permit smartphones in the building, and the same goes for cell and wireless data services. If they are going to be in an area with spotty service, this may make things difficult. You should discuss this type of situation with staff to make sure you consider all contingencies.
In most cases you will be OK. You just have to consider the environments you will need to work in.
Tip: If you ever have an environment where staff will not be able to gain access to an Internet connection until after they need a password to log in, consider NOT using the auto-generation feature within AuthAnvil for that particular password, and instead manually enter a passphrase or sentence that is long, but easier to say and type over the phone. You will annoy your team to no end if you have to try to tell them a complex 32 to 64 character password that is full of random letters, numbers and symbols to get logged in.
e.g. Use something like "The datacenter infrastructure is really cool!" instead of "Lja#45#10(8]0%$2.,Vba5=:*$qodJs"
Trust us; the first passphrase is far easier to say over the phone in emergency situations when staff cannot access the password manager.
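As an added example that goes a step beyond the tip (it is not from the Playbook), this PowerShell builds a spoken-friendly passphrase from a word list using the operating system's cryptographic random number generator, and puts a number on the trade-off by estimating the entropy of word-based passphrases against the random character passwords the tip is steering you away from. The tiny inline word list is constructed for the demo; a real deployment would use a list of several thousand words.

```powershell
# Added example, not AuthAnvil functionality: phone-friendly passphrases from a
# word list, drawn with the OS cryptographic RNG, plus an entropy comparison.
$script:Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-SecureRandomIndex {
    param([Parameter(Mandatory)] [int] $Max)   # returns an integer in 0 .. Max-1
    # Rejection sampling: discard draws above the largest multiple of $Max so that
    # every index is equally likely (a plain modulo would bias toward low indexes).
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    $buf = New-Object byte[] 4
    do {
        $script:Rng.GetBytes($buf)
        $value = [System.BitConverter]::ToUInt32($buf, 0)
    } while ($value -ge $limit)
    return [int]($value % [uint32]$Max)
}

function New-SpokenPassphrase {
    param(
        [Parameter(Mandatory)] [string[]] $WordList,
        [int] $WordCount = 5,
        [string] $Separator = ' '
    )
    $words = @(for ($i = 0; $i -lt $WordCount; $i++) {
        $WordList[(Get-SecureRandomIndex -Max $WordList.Count)]
    })
    # Capitalise the first word and end with punctuation so the phrase also passes
    # typical complexity rules without becoming harder to say aloud.
    $words[0] = (Get-Culture).TextInfo.ToTitleCase($words[0])
    return ($words -join $Separator) + '!'
}

function Get-EntropyBits {
    # Bits of entropy for $Length independent picks from $Choices possibilities.
    param([Parameter(Mandatory)] [int] $Choices, [Parameter(Mandatory)] [int] $Length)
    return [Math]::Round($Length * [Math]::Log($Choices, 2), 1)
}

# Constructed demo list; replace with a real list of thousands of words.
$demoWords = 'datacenter', 'infrastructure', 'really', 'cool', 'copper', 'lantern',
             'harbor', 'maple', 'orbit', 'velvet', 'cactus', 'pixel'
"Passphrase: " + (New-SpokenPassphrase -WordList $demoWords -WordCount 5)
"5 words from a 7776-word list  : {0} bits" -f (Get-EntropyBits -Choices 7776 -Length 5)
"6 words from a 7776-word list  : {0} bits" -f (Get-EntropyBits -Choices 7776 -Length 6)
"32 random printable characters : {0} bits" -f (Get-EntropyBits -Choices 94 -Length 32)
```

The entropy figures only hold when the words are drawn at random from the list; a sentence a person composes by hand is far more guessable than its length suggests, so generate the phrase and then record it in AuthAnvil as you would any other password.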
This information was previously published in the AuthAnvil Password Playbook at http://www.scorpionsoft.com/docs/ebooks/The-Password-Management-Playbook.pdf
AuthAnvil Agents that support Backup / Secondary URLs
AuthAnvil RADIUS server
For the RADIUS server, you can set up a primary and a secondary SAS URL. As for redundancy at the RADIUS server level, you can set up multiple RADIUS servers and configure RADIUS server pools on the endpoint devices as required.
The Secondary SAS can be modified by editing C:\Program Files\Scorpion Software\AuthAnvil Radius Server\AuthAnvilRadius.exe.config:
<add key="AuthAnvilSAS" value="http://localhost/AuthAnvil/SAS.asmx"/>
<add key="AuthAnvilSecondarySAS" value="http://localhost/AuthAnvil/SAS.asmx"/>
AuthAnvil Password Server Sync Agent
You can configure a Secondary Password Server service URL via C:\Program Files\Scorpion Software\AuthAnvil Password Sync Agent\SyncAgentControlForm.exe
AuthAnvil Windows Logon Agent / Credential Provider
1. When performing a silent-mode installation, a secondary SAS URL can be defined. For more information, see Appendix B – Silent Install Mode of the Windows Integration installation guide.
2. Once installed, the Secondary SAS URL can be updated in the registry under HKLM\Software\Scorpion Software\AuthAnvilLogon.
3. When deploying the Logon Agent, it can be pre-configured with a Primary and Secondary SAS URL. For more information, please see the Windows Integration guide.
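As an added example covering both the RADIUS server configuration and the Logon Agent registry settings above (this is not Scorpion Software code), the following PowerShell audits the SAS URLs an agent has been given. It flags a secondary that merely repeats the primary (no real failover), plain-HTTP endpoints, and URLs that point back at the local host. The appSettings key names and the registry key path are the ones shown above; the sample config content is constructed for the demo, and because the page does not document the registry value names, every string value under the key that looks like a URL is checked.

```powershell
# Added example, not from Scorpion Software: audit primary/secondary SAS URLs.
function Test-SasUrlPair {
    param(
        [Parameter(Mandatory)] [string] $Source,
        [string] $Primary,
        [string] $Secondary
    )
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($pair in @(@('primary', $Primary), @('secondary', $Secondary))) {
        $label, $url = $pair
        if ([string]::IsNullOrWhiteSpace($url)) { $findings.Add("$label SAS URL is not set"); continue }
        $uri = $null
        if (-not [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) {
            $findings.Add("$label SAS URL is not a valid absolute URL: $url"); continue
        }
        # Authentication traffic to the SAS should never cross the network in clear text.
        if ($uri.Scheme -ne 'https') { $findings.Add("$label SAS URL is not HTTPS: $url") }
        # A loopback URL means the SAS lives on this same box, so it fails together with it.
        if ($uri.IsLoopback) { $findings.Add("$label SAS URL points at this host (loopback): $url") }
    }
    if ($Primary -and $Secondary -and ($Primary.TrimEnd('/') -eq $Secondary.TrimEnd('/'))) {
        $findings.Add('secondary SAS URL is identical to the primary; one outage takes both down')
    }
    return [pscustomobject]@{ Source = $Source; Primary = $Primary; Secondary = $Secondary
                              Findings = $findings.ToArray() }
}

function Get-SasUrlsFromExeConfig {
    param([Parameter(Mandatory)] [string] $ConfigPath)
    [xml]$config = Get-Content -Path $ConfigPath -Raw
    $settings = @{}
    foreach ($node in $config.configuration.appSettings.add) { $settings[$node.key] = $node.value }
    Test-SasUrlPair -Source $ConfigPath -Primary ([string]$settings['AuthAnvilSAS']) `
                    -Secondary ([string]$settings['AuthAnvilSecondarySAS'])
}

function Get-SasUrlsFromLogonAgentRegistry {
    param([string] $KeyPath = 'HKLM:\Software\Scorpion Software\AuthAnvilLogon')
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    $props = Get-ItemProperty -Path $KeyPath
    # Value names are not documented here, so inspect every string value that is a URL.
    $urls = @($props.PSObject.Properties | Where-Object { $_.Value -is [string] -and $_.Value -match '^https?://' })
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($p in $urls) {
        if ($p.Value -notmatch '^https://') { $findings.Add("$($p.Name) is not HTTPS: $($p.Value)") }
    }
    $distinct = @($urls | ForEach-Object { $_.Value.TrimEnd('/') } | Sort-Object -Unique)
    if ($distinct.Count -lt 2) { $findings.Add('fewer than two distinct SAS URLs configured; no failover target') }
    return [pscustomobject]@{ Source = $KeyPath; Urls = @($urls | ForEach-Object { "$($_.Name)=$($_.Value)" })
                              Findings = $findings.ToArray() }
}

# Constructed sample .exe.config mirroring the two keys shown above (demo only).
$sample = @'
<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="AuthAnvilSAS" value="http://localhost/AuthAnvil/SAS.asmx"/>
    <add key="AuthAnvilSecondarySAS" value="http://localhost/AuthAnvil/SAS.asmx"/>
  </appSettings>
</configuration>
'@
$tmp = Join-Path -Path ([IO.Path]::GetTempPath()) -ChildPath 'AuthAnvilRadius.exe.config.sample'
Set-Content -Path $tmp -Value $sample
Get-SasUrlsFromExeConfig -ConfigPath $tmp | Format-List
# On a real RADIUS host use the installed file instead of the sample:
# Get-SasUrlsFromExeConfig -ConfigPath 'C:\Program Files\Scorpion Software\AuthAnvil Radius Server\AuthAnvilRadius.exe.config'
Get-SasUrlsFromLogonAgentRegistry | Format-List
```

Run against the sample config, the audit reports that both URLs are plain HTTP, both point at loopback, and the secondary is identical to the primary, which is exactly the state a freshly installed RADIUS server is in before a real secondary SAS has been configured.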
Questions?
If you have any questions or need some help, we would be happy to assist. Open a case at help.scorpionsoft.com or send an email to support@scorpionsoft.com.