Problem summary:
HTTP probes towards ADFS & WAP is not enough if the ADFS service is still running but the connection between ADFS and SQL database is dead.
ADFS Environment:
ADFS Environment
Using HTTP probes in Environment:
ADFS environment with HTTP Probes
HTTP probes:
The normal way of having health checks towards the ADFS environment, is to setup HTTP probes that runs HTTP checks towards each WAP & ADFS server URL or IP.
They run health checks over HTTP port 80. Gets a 200 (OK) returned.
The response to these probe endpoints is an HTTP 200 OK and is only checking the server/service locally, with no dependence on back-end services(SQL cluster\Database)
Conclusion:
Using HTTP probes towards ADFS & WAP servers is not enough
Problem description:
The HTTP port is going directly to the WAP and ADFS servers respectively.
This means that they only check if the servers & services themselves are OK.
There's a known problem where the connection between the ADFS backend
and the SQL server dies for 2-3 minutes. During this time,
the ADFS backend server times out, if you're unlucky.
The problem here is when the ADFS backend server times out,
the ADFS service
itself is still running.(so as far as the HTTP probe is concerned the ADFS is
still upp and running.) The HTTP probe is signalling that the
ADFS service is OK.
So the load balancer is till sending end users to the
ADFS service that has a dead connection towards the SQL database
because its service is still running.
End-users ends up getting error during authentication.
Question:
How can I setup a proper health check between ADFS --> SQL cluster/database?
So that you can see that communication between ADFS --> SQL does not work
as intended. As in the case when the service on the ADFS servers are still running, but the database connection between ADFS and SQL database is dead.
I would want that health check to be used for monitoring as a first stop. Secondary, you could build some recovery steps that could be executed thanks to this health check.
• You can create an ‘UDL’ file and mention the required database connection details in it along with the username and password of the account used to access the SQL Server DB instance mentioned in ADFS server. Please find the steps below to create an UDL file: -
Create a text file and change its extension to ‘.udl’ and open it.
In the providers tab, select the ‘Microsoft OLE DB Provider for SQL Server’ and on the connection tab, enter the server’s name, username and password, also check the box which states ‘allow saving password’.
Then select the database from the dropdown when initial connection for database existence is done through the file and hit the test connection button.
You will get a proper result whether the connection from that server is successful or not.
You can also specify the connection timeout in seconds along with the permissions to that database to be selected. Also, in the ‘All’ tab, you can select and set various parameters regarding this database connection check including saving the security information used for testing the DB connection.
Once done, you can then set a task scheduler through a script to be run periodically and check the status of the connection through this file by the following command: -
'Get-content C:\UDLs\Test.udl' --> after running this file
In this way, you can probe whether the connection between your ADFS and SQL servers is intact or not as a first stop towards health check.
Please refer the screenshots below for reference: -
https://learn.microsoft.com/en-us/sql/connect/oledb/help-topics/data-link-pages?view=sql-server-ver15
Related
I created an ASP.NET Core Web API and deployed it in Azure as an App Service.
I created a Hybrid Connection and installed the Hybrid Connection Manager on the On-Premise Database Server, set the Hybrid Connection Status to Connected (Successfully connected the App Service with On-Premise Db Server).
When sending Get Request or accessing the Web API on the web browser or Postman
The Result I receive is:
500 - The request timed out. The web server failed to respond within
the specified time.
When developing the Web API on my local machine it works smoothly and I could connect to the On-Premise through a VPN connection.
I also added this piece of code
services.AddDbContext<RepositoryContext>(o => o.UseSqlServer(connectionString, sqlServerOptionsAction: sqlOptions =>
{
sqlOptions.EnableRetryOnFailure(
maxRetryCount: 5,
maxRetryDelay: TimeSpan.FromSeconds(60),
errorNumbersToAdd: null);
}));
In the absence of more information, the 500 error, I guess the most likely reason is that there is a problem connecting to the On-Premise sql server.
TroubleShooting:
Click Diagnose and solve problems to view Application Event Log to view specific logs.
(Optional) Open Application Logging (Filesystem) and Detailed error message.
Specifically, you can log in to the scm website to view the error log.
If you test the interface and connect to the database locally or using vpn, there is definitely no problem. Now the problem must be the database connection part. It is recommended to recheck Hybrid connections. You also can raise a support ticket on portal, let them check logs and help you.
Related Posts:
1. Hybrid Connection Shows “Connected”, but Application Fails to Connect
2. Azure Web App Hybrid Connection Failing
Problem
The Hybrid Connection's Endpoint/Host I made in Azure had a different name as the SQL server. I named the endpoint randomly instead of giving it the actual name/IP address.
Additional info
Even if you installed the Connection Manager on the Server and the Status is set to Connected, this doesn't mean that your App Service will communicate with the Database.
Solution
Create a new Hybrid Connection and set the Endpoint Host name with the actual name/IP address, where the Hybrid Connection Manager is installed.
I'm having trouble connecting to an Active Directory server from my computer and server. I get "The server is not operational" error when trying to connect. The server I'm trying to connect to is in a different country than me.
LDAP Url is in the usual format:
LDAP://ip_address:389/CN=Users,DC=domain_name,DC=local
I've added the application that connects to the AD to the firewall (even disabled the firewall briefly to test) and added the IP to my hosts file but I can't seem to get past the error.
Now usually at this point, I would conclude that the issue is on the AD server side (or their server firewall) that is blocking requests from our server, however, the person in charge of the AD server has tested the same LDAP url using the same utility I'm using from an external network in their country and is able to authenticate without issues.
Any ideas on what we can try next?
Ok, it turns out the client's ISP was blocking international traffic over port 389. They had to write a letter to request the ISP to allow international traffic over that port. It is now working after they've done that.
Didn't know ISPs block traffic, but I suppose ISPs for corporate clients might as in this case.
I have an IIS hosted WCF Service that uses SSL encryption. This service makes requests to a SQL Server 2014 database instance. When I make a call to the service the response message is encrypted. So, the connection between the client (browser) and the service is secure. I also want the connection between the service and the SQL Server 2014 database to be secure.
This is where my question comes in. I am not exactly sure how to do this. I read the following article Enable Encrypted Connections to the Database Engine and I was able to successfully add the certificate to the SQL server database engine and changed the Force Encryption flag to True. But now I am a bit confused as to whether I want to configure the server to accept encrypted connections or the client to request encrypted connections. Based on the scenario I presented above it seems I want the client to request encrypted connections from the SQL Server DB correct? I guess one reason I am confused is because this is ALL happening on my development machine. SQL Server is being hosted there as is the IIS Service.
If someone with experience could maybe clarify that for me I would greatly appreciate it.
If you haven't restarted the service, then do so to complete the configuration change. It sounds like you applied the change correctly and using a domain or public CA certificate will prevent a man in the middle attack. To verify that the connections are secure, you can use a DMV named sys.dm_exec_connection which should display true for the encrypt_option for all sessions, as below:
select session_id, net_transport, encrypt_option from sys.dm_exec_connections
I'm not certain that connections from the host to SQL Server will be encrypted by SSL\TLS since they would be using the shared memory protocol and Windows manages the security of shared memory.
I have to check the connectivity to the portal which is behind the WebSeal Server. I need the response code of the actual server and WebSeal server code too. Please help me.
Try turning on debugging. Ideally, you are the only traffic on the server. Make sure to turn it on before you do anything that may be related to the problem (i.e. logging in) then wait at least 1 min after the problem occurs to let the logs catch up.
server task default-webseald-xxxx trace set pdweb.snoop 9 file path=c:/pdweb.snoop.txt,rollover_size=100000000
server task default-webseald-xxxx trace set pdweb.debug 9 file path=c:/pdweb.debug.txt,rollover_size=100000000
Make sure to turn it off afterwards as it will destroy your hard drives.
server task default-webseald-xxxx trace set pdweb.snoop 0
server task default-webseald-xxxx trace set pdweb.debug 0
WebSEAL constantly checks the backend servers within the junction. If you use pdadmin to do server task SERVER show /junction you can see if the backend server is online or offline.
I am assuming you mean HTTP response code. You can get that from WebSEAL by doing a simple HTTP/S get like you would any regular HTTP server. However, for the backend server, you will need to go around WebSEAL and connect to the backend directly to perform your checks.
If you are trying to setup monitoring, you can do one of two things. Either watch the msg__webseal-default.log for the following lines:
DPWWA2025W IBM Security Access Manager WebSEAL has lost contact with junction server:
Or you can use the server task command to show the junction and look for the Server State: being running or not running.
I am trying to understand the working of HTTP , IIS and sql server.
I am having an IIS 7 server in my environment which is interacting with a sql database server.
The architecture is
Apache ----> IIS -----> SQL server
The Apache is a reverse proxy server which is sending the HTTP request to the IIS server and from there IIS server is interacting with the SQL database connecting by different application pools for different applications.
My query is if some request has been forwarded by the Apache server and it has reached the IIS ; after that, if the network between the Apache and IIS is having any packet drops ;
Will that have any affect to the performance of IIS and database server?
Will there be any long running queries in the worker process of the IIS? Because my concern is what will happen after the queries that has successfully executed in the Database server. But since the network between the IIS and Apache is broken how can they be forwarded further to the Apache and further to the end user.
Will these queries keep on holding the resources till they are forwarded from IIS to Apache? Because they have successfully completed their tasks but because of network issue they are not being forwarded further. Or are such request stacked up somewhere by the IIS to free up the resources for the upcoming requests??
Once a request has reached IIS it will go and do the required actions, and format the reply. It will try to send the reply to the requestor but if the link has gone, it will be unable to. It will then abandon the request. Resources it is holding for that request will be freed.
To get the data it had for you, Apache has to repeat the request.