BizTalk Server and another Microsoft server product, Host Integration Server (HIS), both support an extension of the Windows enterprise security integration called Enterprise SSO. You will notice that Enterprise SSO is one of the BizTalk features offered during installation. Enterprise SSO as a whole is provided by a set of processes that run on network servers to provide the following services for heterogeneous systems:
User account and password mapping and caching
SSO to multiple Windows domains and host security systems
Password synchronization to simplify administration
The services mentioned earlier are mandatory for BizTalk Server, even if you do not need them yourself. BizTalk Server uses SSO to help secure the configuration information of receive locations. When the Enterprise SSO service starts, it retrieves the encryption key, called the master secret, from the Master Secret Server. The Master Secret Server is another Enterprise SSO service that has an additional subservice that distributes and maintains the master secret. The Enterprise SSO service caches the master secret after it has been retrieved, and every 60 seconds it synchronizes the master secret with the Master Secret Server.
As you can see, the Master Secret Server plays an important role like MSDTC (refer to the Configuring MSDTC for multi-server BizTalk platforms recipe later in this chapter). Regardless of whether you will use the Enterprise SSO service for credential mapping or not, it has to be available in any kind of BizTalk configuration.
With the Microsoft Management Console (MMC) or the command-line ssomanage utility, you are able to manage the SSO system. With either of these tools, you can update the SSO database, add, delete, and manage applications, and administer user mappings. In the MMC, you will find all programs of your operating system. Refer to the following screenshot:
The command-line tool ssomanage is available in C:\Program Files\Common files\Single Sign On. You will also find the ssoconfig command-line tool at the same location, which is a utility to configure your password synchronization settings.
The following steps describe how to work with the ssomanage and ssoconfig commands:
1. Start ssomanage from the command line with the command ssomanage -?. You will see all the functions, as shown in the following screenshot:
2. You can change the global information in the SSO database, such as the Master Secret Server identification, the account names, and so on. This information is updated with the -updatedb command, providing the update file that contains this information. Refer to the following command line, where <update file> is the path and name of the file:
   ssomanage -updatedb <update file>
3. The update file (XML) has the following format (the element names are case-sensitive):
   <sso>
     <globalInfo>
       <ssoAdminAccount>YourDomain\Accountname</ssoAdminAccount>
       <ssoAffiliateAdminAccount>YourDomain\Accountname</ssoAffiliateAdminAccount>
       <secretServer>ServerName</secretServer>
       <auditDeletedApps>1000</auditDeletedApps>
       <auditDeletedMappings>1000</auditDeletedMappings>
       <auditCredentialLookups>1000</auditCredentialLookups>
       <ticketTimeout>2</ticketTimeout>
       <credCacheTimeout>60</credCacheTimeout>
     </globalInfo>
   </sso>
4. The ssoconfig command can be started from the command line with the command ssoconfig -?. You will see all the functions again, as shown in the following screenshot:
5. One of the common commands used with ssoconfig is restoreSecret, for restoring the SSO master secret as part of a recovery scenario. To restore the SSO master secret, type the following command:
   ssoconfig -restoreSecret <backup file>
   The backup file is the master secret file that you backed up during configuration.
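The two procedures above (updating the global information with ssomanage -updatedb, and restoring the master secret with ssoconfig -restoreSecret) can be wrapped in a small PowerShell script so that the update file is always well-formed and a failed tool run is not silently ignored. The following is an added example written for this page; it is not code from the book or from Microsoft. It assumes the tool directory named in the text (adjust $SsoToolPath if your installation differs), the standard Enterprise SSO service name ENTSSO, and placeholder account and server names; the function names (New-SsoUpdateFile, Invoke-SsoTool, Update-SsoGlobalInfo, Restore-SsoMasterSecret) are hypothetical.

```powershell
# Added example, not from the book. Assumptions: tool path as given in the text,
# service name ENTSSO, placeholder account/server names.
$SsoToolPath = 'C:\Program Files\Common files\Single Sign On'   # adjust to your installation

function New-SsoUpdateFile {
    # Writes an update file in the <sso><globalInfo>...</globalInfo></sso> format shown above.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $AdminAccount,           # e.g. 'YourDomain\Accountname' (placeholder)
        [Parameter(Mandatory)] [string] $AffiliateAdminAccount,  # e.g. 'YourDomain\Accountname' (placeholder)
        [Parameter(Mandatory)] [string] $SecretServer,           # Master Secret Server name (placeholder)
        [int] $TicketTimeout    = 2,     # same value as the sample file in the text
        [int] $CredCacheTimeout = 60,    # same value as the sample file in the text
        [int] $AuditCount       = 1000   # applied to the three audit elements
    )
    # Resolve relative paths against the PowerShell location, not the process working directory.
    $fullPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path)

    # An XmlWriter guarantees matching start/end tags and escapes the values,
    # which a hand-edited text file does not.
    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $writer = [System.Xml.XmlWriter]::Create($fullPath, $settings)
    try {
        $writer.WriteStartElement('sso')
        $writer.WriteStartElement('globalInfo')
        $writer.WriteElementString('ssoAdminAccount',          $AdminAccount)
        $writer.WriteElementString('ssoAffiliateAdminAccount', $AffiliateAdminAccount)
        $writer.WriteElementString('secretServer',             $SecretServer)
        $writer.WriteElementString('auditDeletedApps',         [string]$AuditCount)
        $writer.WriteElementString('auditDeletedMappings',     [string]$AuditCount)
        $writer.WriteElementString('auditCredentialLookups',   [string]$AuditCount)
        $writer.WriteElementString('ticketTimeout',            [string]$TicketTimeout)
        $writer.WriteElementString('credCacheTimeout',         [string]$CredCacheTimeout)
        $writer.WriteEndElement()   # globalInfo
        $writer.WriteEndElement()   # sso
    }
    finally {
        $writer.Close()
    }
    return $fullPath
}

function Invoke-SsoTool {
    # Runs ssomanage.exe or ssoconfig.exe from $SsoToolPath and turns a non-zero exit code into an error.
    param(
        [Parameter(Mandatory)] [ValidateSet('ssomanage', 'ssoconfig')] [string] $Tool,
        [Parameter(Mandatory)] [string[]] $ToolArgs
    )
    $exe = Join-Path $SsoToolPath "$Tool.exe"
    if (-not (Test-Path $exe)) { throw "Tool not found: $exe (check `$SsoToolPath)" }
    & $exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Tool $($ToolArgs -join ' ') failed with exit code $LASTEXITCODE" }
}

function Update-SsoGlobalInfo {
    # Step from the text: ssomanage -updatedb <update file>
    param([Parameter(Mandatory)] [string] $UpdateFile)
    if (-not (Test-Path $UpdateFile)) { throw "Update file not found: $UpdateFile" }
    # Parse the file first so a malformed document is reported before ssomanage is run.
    [xml](Get-Content -Raw $UpdateFile) | Out-Null
    Invoke-SsoTool -Tool ssomanage -ToolArgs @('-updatedb', $UpdateFile)
}

function Restore-SsoMasterSecret {
    # Step from the text: ssoconfig -restoreSecret <backup file>, then confirm that the
    # Enterprise SSO service (ENTSSO) is running so the restored secret is picked up.
    param([Parameter(Mandatory)] [string] $BackupFile)
    if (-not (Test-Path $BackupFile)) { throw "Master secret backup not found: $BackupFile" }
    Invoke-SsoTool -Tool ssoconfig -ToolArgs @('-restoreSecret', $BackupFile)
    if ((Get-Service -Name ENTSSO).Status -ne 'Running') { Start-Service -Name ENTSSO }
    return (Get-Service -Name ENTSSO).Status
}

# Usage with placeholder values (run from an SSO administrator account):
# $file = New-SsoUpdateFile -Path '.\sso-update.xml' -AdminAccount 'YourDomain\Accountname' `
#             -AffiliateAdminAccount 'YourDomain\Accountname' -SecretServer 'ServerName'
# Update-SsoGlobalInfo -UpdateFile $file
# Restore-SsoMasterSecret -BackupFile 'C:\path\to\master-secret-backup.bak'
```

The update file names the SSO administrator and affiliate administrator accounts, so keep it in a location that only those administrators can read, and remove it once ssomanage -updatedb has applied it. Running the tools through Invoke-SsoTool means a typo in the file or a failed restore stops the script instead of leaving the SSO database in an unknown state.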
See How to Update the SSO database document at http://msdn.microsoft.com/en-us/library/aa559867.aspx.
With the ssomanage functions, you can find out, for instance, which SSO server is used, what the SSO administrator account is, and whether everything is correctly enabled. ssomanage also plays a role when clustering the Master Secret Server (http://msdn.microsoft.com/en-us/library/aa561823.aspx).
With the functions of ssoconfig, you can find out where the SSO database is created or upgraded, and restore the SSO master secret in case it has become unavailable.
Besides the ssoconfig command-line tool, there is now also an MMC Snap-in available, and you are able to troubleshoot SSO with the command-line tools. Finally, you will find high availability options for a multi-machine BizTalk environment on Microsoft TechNet.
SSO configuration application MMC Snap-in: It provides the ability to add and manage applications, add and manage key/value pairs, and import and export configuration applications so that they can be deployed to different environments. You can download the MMC Snap-in from Microsoft (http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=94e07de1-1d33-4245-b430-9216979cd587). It also provides a client-side class that makes it easy to access the SSO system and retrieve your key/value pairs.
Troubleshoot Enterprise SSO: To troubleshoot your SSO environment, it may be useful to walk through the items described in the Troubleshooting Enterprise Single Sign-On table found on MSDN (http://msdn.microsoft.com/en-us/library/aa953861%28v=bts.70%29.aspx).
High availability installation options: Microsoft TechNet provides high availability options for Enterprise SSO in a multicomputer BizTalk deployment (http://technet.microsoft.com/en-us/library/aa578263%28BTS.70%29.aspx).
Through MSDN, you can find information on how to use SSO (http://msdn.microsoft.com/en-us/library/aa561654.aspx).