ADFS v2 WID farm limitations RRS feed

  • Question

  • Hi,

    We have an ADFS v2 WID farm spread across 2 geographically dispersed datacenters (Europe and US) in an active-active mode behind 2 geo-load balancers (one in each datacenter); the farm consist of 4 applications ADFS v2 servers (2 in each datacenter) and 4 proxies servers (2 in each datacenter); the number of protected applications is 150 applications. The performance of the platform in terms of CPUs and RAM usage is very good and there are no delays or slowness in serving authentication tokens requests during peak hours.

    We have studies the option of moving to SQL but as ADFS v2 product do not support SQL AlwaysOn design we will lose the HA design by relying on 1 datacenter to host the SQL instance DB plus the fact that all token requests should come to that datacenter to query the DB which will create dependencies and latency.

    My questions are the following:

    As the number of protected application is growing (we believe it will reach 200 applications) and according to MS the WID farm can support 5 servers and recommends SQL for above 100 applications:

    - Is the barrier of 5 WID servers in the farm is technical or because it was not tested by MS's testing team?

    - Is there any technical limitations for the number of applications protected by ADFS v2 WID farm?

    I truly appreciate any shared experience or insight on these questions.

    Thank you.

    Tuesday, January 27, 2015 9:52 AM


  • It's mostly a question of performance. WID just can't handle that much workload, or at least, it wasn't designed to.

    As for the actual numbers of 5 servers and 100 apps: not sure it was ever detailed. My guess is that those are just easy to remember numbers, and the actual number is slightly higher and more tied to the resources available on the machine running each instance.

    There are also high availability concerns as well. There are only so many available pipes to the WID service open and the more load there is, the more likely they'll be totally saturated and drop/block any future calls. SQL can scale way better.

    Developer Security MVP | www.syfuhs.net

    • Marked as answer by EnyMay Monday, February 2, 2015 3:02 PM
    Friday, January 30, 2015 6:48 PM