WLM can be configured to use additional fail-over servers if the primary server is not available.
WLM configuration for access to any SurePassID MFA server requires setting three values under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\SurePassId\CredProv:
1. AuthServerURL - Set to the MFA server URL
2. AuthServerToken - Set to the Account Login Name. Starting with Release 23.1 this is the Key Id field of the Application Key
3. AuthServerKey - Set to the Account Login Password. Starting with Release 23.1 this is the Key field of the Application Key
In normal operation, if WLM sends a request to the AuthServerURL and receives an error, the user is denied access (unless you enable single-factor access when the MFA server is unavailable, which is STRONGLY NOT RECOMMENDED: it turns any outage, including one an attacker causes, into a login with the password alone). To mitigate this availability risk, WLM can be configured with secondary (fail-over) MFA servers.
To define the first fail-over MFA server, add the following SurePassID registry values under the same key, duplicating the primary server's values and appending a number starting at one (1). The first fail-over server is defined by these additional registry entries:
1. AuthServerURL1 - Set this to the first fail-over MFA server URL
2. AuthServerToken1 - Set this to the first fail-over MFA server Account Login Name. Starting with Release 23.1 this is the Key Id field of the Application Key
3. AuthServerKey1 - Set this to the first fail-over MFA server Account Login Password. Starting with Release 23.1 this is the Key field of the Application Key
You can define up to 9 fail-over MFA servers in total, numbered consecutively from 1 through 9, in the following form:
AuthServerURL1
AuthServerToken1
AuthServerKey1
...
AuthServerURL9
AuthServerToken9
AuthServerKey9
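The following PowerShell script is an added example, not a SurePassID script: it writes the primary and two fail-over server entries described above and then checks the result for the mistakes that most often break fail-over (a gap in the numbering, an entry missing one of its three values, a URL that is not HTTPS, or no fail-over at all). The server URLs and Application Key values are placeholders, and the script assumes the values are REG_SZ strings, which the page does not state. It must run in an elevated session because it writes to HKLM.

```powershell
# Added example (not SurePassID's own code). Assumption: the three values per
# server are REG_SZ strings. URLs, Key Ids and Keys below are placeholders.
$RegPath = 'HKLM:\SOFTWARE\SurePassId\CredProv'

# Constructed server list: index 0 is the primary, 1..n are the fail-overs.
$Servers = @(
    @{ Url = 'https://mfa-primary.example.com';   Token = 'KEYID-PRIMARY';   Key = 'SECRET-PRIMARY'   },
    @{ Url = 'https://mfa-failover1.example.com'; Token = 'KEYID-FAILOVER1'; Key = 'SECRET-FAILOVER1' },
    @{ Url = 'https://mfa-failover2.example.com'; Token = 'KEYID-FAILOVER2'; Key = 'SECRET-FAILOVER2' }
)

function Set-WlmServers {
    param([array]$Servers, [string]$Path = $RegPath)
    if ($Servers.Count -gt 10) { throw 'WLM supports a primary plus at most 9 fail-over servers.' }
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    for ($i = 0; $i -lt $Servers.Count; $i++) {
        # Primary has no suffix; fail-overs are AuthServerURL1, AuthServerURL2, ...
        $suffix = if ($i -eq 0) { '' } else { "$i" }
        $s = $Servers[$i]
        Set-ItemProperty -Path $Path -Name "AuthServerURL$suffix"   -Value $s.Url   -Type String
        Set-ItemProperty -Path $Path -Name "AuthServerToken$suffix" -Value $s.Token -Type String
        Set-ItemProperty -Path $Path -Name "AuthServerKey$suffix"   -Value $s.Key   -Type String
    }
}

function Test-WlmServers {
    # Returns a list of problems; an empty list means the configuration looks sane.
    param([string]$Path = $RegPath)
    $props = Get-ItemProperty -Path $Path
    $defined = $props.PSObject.Properties.Name
    $problems = @()
    $lastPresent = -1
    foreach ($n in 0..9) {
        $suffix = if ($n -eq 0) { '' } else { "$n" }
        $names = @("AuthServerURL$suffix", "AuthServerToken$suffix", "AuthServerKey$suffix")
        $present = @($names | Where-Object { $defined -contains $_ })
        if ($present.Count -eq 0) { continue }
        # The page numbers fail-overs consecutively from 1; flag a hole in the sequence.
        if ($n -gt $lastPresent + 1) {
            $problems += "entry $n is defined but entry $($lastPresent + 1) is missing; numbering must be consecutive"
        }
        $lastPresent = $n
        if ($present.Count -ne 3) {
            $problems += "entry $n is incomplete; only $($present -join ', ') set"
        }
        $url = $props."AuthServerURL$suffix"
        if ($url -and $url -notmatch '^https://') {
            $problems += "entry $n uses a non-HTTPS URL: $url"
        }
    }
    if ($lastPresent -lt 0)      { $problems += 'no primary AuthServerURL/AuthServerToken/AuthServerKey defined' }
    elseif ($lastPresent -eq 0)  { $problems += 'no fail-over server defined; an MFA server outage will block logins' }
    return $problems
}

Set-WlmServers -Servers $Servers
$issues = Test-WlmServers
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Host 'WLM server configuration OK' }
```

Because the AuthServerKey values are secrets, treat the CredProv registry key as you would any credential store: keep its ACL restricted to administrators and SYSTEM, and do not leave the script with real keys on a shared file share.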
We strongly recommend that you test your fail-over configuration as part of your pre-production deployment. This is easily done by setting the primary AuthServerURL on a test machine to an invalid address and verifying that a user can still log in (the fail-over MFA server is now performing the authentication). If the login fails, or you simply want positive confirmation that fail-over processing is working, turn tracing on for that machine and verify in the trace that the fail-over MFA server handled the request.
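The drill described above, as an added PowerShell example that is not part of the SurePassID documentation: it saves the primary AuthServerURL to a file, replaces it with an address that can never resolve (the `.invalid` top-level domain is reserved for exactly this purpose), and restores the original afterwards. It assumes the value is a REG_SZ string and that a fail-over entry AuthServerURL1 already exists; the backup file path is the script's own choice. Run it from an elevated session you keep open, so you can restore the value by hand if fail-over does not work and the test user is locked out.

```powershell
# Added example (not SurePassID's own code) for a fail-over drill on a test machine.
# Assumption: AuthServerURL is a REG_SZ string. The backup path is arbitrary.
$RegPath    = 'HKLM:\SOFTWARE\SurePassId\CredProv'
$BackupFile = Join-Path $env:ProgramData 'wlm-primary-url.bak'

function Start-WlmFailoverDrill {
    param([string]$Path = $RegPath, [string]$BrokenUrl = 'https://mfa.invalid/')
    $props = Get-ItemProperty -Path $Path
    if (-not $props.AuthServerURL1) { throw 'No AuthServerURL1 configured; there is nothing to fail over to.' }
    if (Test-Path $BackupFile)      { throw "A drill is already in progress (backup at $BackupFile)." }
    # Keep the original outside the registry so it survives whatever the drill breaks.
    Set-Content -Path $BackupFile -Value $props.AuthServerURL
    Set-ItemProperty -Path $Path -Name AuthServerURL -Value $BrokenUrl -Type String
    Write-Host "Primary AuthServerURL set to $BrokenUrl; fail-over target is $($props.AuthServerURL1)."
    Write-Host 'Log the test user out and back in with MFA, then run Stop-WlmFailoverDrill.'
}

function Stop-WlmFailoverDrill {
    param([string]$Path = $RegPath)
    if (-not (Test-Path $BackupFile)) { throw "No backup at $BackupFile; restore AuthServerURL by hand." }
    $original = (Get-Content -Path $BackupFile -Raw).Trim()
    Set-ItemProperty -Path $Path -Name AuthServerURL -Value $original -Type String
    Remove-Item -Path $BackupFile
    Write-Host "Primary AuthServerURL restored to $original."
}

# Usage: Start-WlmFailoverDrill ; (perform the test login) ; Stop-WlmFailoverDrill
```

A successful login during the drill proves only that WLM reached some server that accepted the user; the trace is what confirms it was AuthServerURL1 rather than, for example, a cached result, so check both before signing off on the configuration.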