Single Sign-on Services for Microsoft Enterprise Application Integration Solutions: Enterprise Single Sign-On Integrated with Microsoft BizTalk Server 2004 and Microsoft Host Integration Server 2004

Microsoft Host Integration Server 2004 Technical Article

Published December 2004

Copyright

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2004 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, BizTalk, SharePoint, SQL Server, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

1.0 Introduction to Enterprise Single Sign-on
2.0 SSO Components and Services
3.0 SSO Roles and Accounts
4.0 Implementation Scenarios
5.0 SSO Installation and Configuration
6.0 SSO Client Utility and Administration Tools
7.0 SSO Mappings and Affiliate Application Types
8.0 Configuring Host Initiated SSO
9.0 Configuring Password Synchronization
10.0 Security
10.1 Secure Deployment
11.0 Troubleshooting
References

1.0 Introduction to Enterprise Single Sign-on

In an enterprise-wide computing environment, users are likely to access different applications as they go about their day-to-day routines. A user may begin his or her day by turning on a Microsoft Windows XP workstation, logging on to a Windows network, and then accessing applications on a mainframe system or an SAP application running on an AS/400. Each system with which the user comes into contact enforces its own security requirements and logon procedures. For example, a Windows domain account may require a six-character user name and an eight-character, mixed-case password, whereas a mainframe environment may require a seven-character user name and seven-character alphanumeric password. Frequently, users have to remember several different combinations of user names and passwords to gain access to various resources on the network. In addition, system administrators have to manage multiple accounts for a single user.

A key problem within many enterprise organizations is cross-platform security, system integration, and management. For example, when Line-of-Business (LOB) applications and other systems require separate logons, users must keep track of, and use, multiple credentials. For many IT support teams the most common support incidents are password resets. This situation reduces end-user productivity while significantly increasing help desk expenses. If a user community mishandles IBM mainframe or AS/400 midrange logon credentials, this can represent an increased security risk and compromise access to vital enterprise computing resources.

In this document, we refer to mainframes and AS/400s as Host systems and to SAP, PeopleSoft, and Siebel applications as LOB applications. They are also referred to elsewhere in this white paper as back-end systems or back-end applications. One of the problems with mixing Windows 2000 and Windows 2003 systems with Host systems is that each type of platform has its own way of dealing with security. It is not uncommon to have one user account and password to access a local Windows 2000 or Windows 2003 domain while also having another user account and password to access the mainframe and/or AS/400. In addition, mainframe and/or AS/400 applications may also have their own user accounts and passwords. After a while users begin to forget these multiple passwords and begin to write them down and keep them in an insecure location. This defeats the purpose of having passwords in the first place.

The industry-proposed solution for security in heterogeneous systems is for IT to pursue an Identity Management (IdM) strategy. One component of such a strategy is Account Mapping for the purpose of providing end users and application developers with a Single Sign-On (SSO) capability across their entire enterprise.

Host Integration Server and BizTalk Server both support an extension of Windows Enterprise Security integration called Enterprise Single Sign-On (SSO). Enterprise SSO is provided by a set of processes that run on network servers to provide the following services for heterogeneous systems:

• User account and password mapping and caching
• Single Sign-on to multiple Windows domains and Host security systems
• Password Synchronization to simplify administration

Enterprise SSO offers administrators a means to efficiently map accounts across Windows Active Directory and Host systems or LOB applications. This includes supporting 1:1 and group:1 associations. These mappings are stored securely in a centralized Credential Database using SQL Server. Based on a secure end-to-end architecture, Host Integration Server and BizTalk Server can call into SSO to obtain foreign credentials and access resources on these Host systems or LOB applications with the appropriate credentials.

Another component of a prudent IdM is password management. SSO provides the base infrastructure that, along with third-party software products, provides a secure password management solution. This includes both Windows Initiated and Host Initiated Password Synchronization. Combined with SSO, Password Synchronization can help enterprise IT move toward Identity Management by furthering the goal of accessing all systems with a single set of credentials.

1.1 Enterprise Authentication Scenarios

There are several types of SSO scenarios. To better understand the specific SSO problem space being addressed by Enterprise SSO, the different types of SSO requirements are divided into three categories:

• Common Windows Authentication
• Internet/Web Authentication
• Heterogeneous Application Authentication

1.1.1 Common Windows Authentication

Common Windows Authentication scenarios allow you to connect to multiple applications within your network that are using a common authentication mechanism. Your credentials are requested and verified once when you log onto the domain, and then these credentials are used to determine the actions that you can perform based on your permissions. For example, if your applications are integrated with Kerberos, after your user credentials are authenticated you can access any other resource that is integrated with Kerberos in your network.

Another example is when dealing with Microsoft Windows SQL Server. When SQL Server is configured to use Windows Integrated Security, an authenticated Windows user does not have to provide additional credentials to access a SQL Server database. This common security can apply to non-Windows applications as well, if they are integrated with a common authentication scheme.

1.1.2 Internet/Web Authentication

In this form of authentication, you are able to access resources through the Internet by using a single set of user credentials to log onto different Web sites that belong to different organizations. An example of this type of Single Sign-on is when multiple Web sites use Microsoft .NET Passport authentication. Any application that is integrated with Passport can use this mechanism.

1.1.3 Heterogeneous Application Integration

Also called Enterprise Application Integration (EAI), this form of authentication enables you to integrate heterogeneous applications and systems within the enterprise environment. These applications and systems may in fact not be using a common authentication mechanism. Each application may have its own user directory store and security system. For example, in a given organization, Windows Active Directory may be used by Windows to authenticate a user while the RACF security system may be used by a mainframe to authenticate the same user for a different application. Within the enterprise, front-end and back-end applications may be integrated by using middleware applications. These applications may not have been designed to make the most of a common authentication mechanism.

In environments such as these, Enterprise Single Sign-on (SSO) provides services to enable Single Sign-on. SSO is enabled for users in the enterprise when front-end applications, Web portals and middleware applications are all integrated with SSO.

This white paper focuses on the Heterogeneous Application Integration scenario. It provides you with an overview of Enterprise SSO and discusses the integration of SSO Services with Microsoft BizTalk Server 2004 and Microsoft Host Integration Server 2004. It also explains how to enable end-to-end Password Synchronization scenarios for SSO. It covers both Windows Initiated SSO and Host Initiated SSO as used with the Transaction Integrator component of Host Integration Server 2004. It also discusses SSO Services when integrated and used with BizTalk Server 2004 and SharePoint Portal Server 2003.

1.2 Enterprise SSO Overview and Concepts

1.2.1 An Integrated Solution with SSO

Enterprise Application Integration is supported in a heterogeneous platform and application environment by the Microsoft Enterprise Single Sign-On (SSO) system. This system consists of components and services together with external users that set up and use these components and services. Figure 1 gives an overview of this solution.

Figure 1 Integrated solution with Enterprise SSO

1.2.2 Distributed Architecture

SSO is based on a distributed architecture. It consists of services running on one or more computers working with a centralized SQL Server database. All changes and updates are made in the centralized database by administration components of SSO. All SSO Servers receive these changes from the centralized database. These SSO servers can be distributed as long as they are within trusted domains. For instance, one SSO Server could be located in Tokyo while another one could be located in Chicago. Also, because SQL Server is being used, it is possible to take advantage of the reliability and scalability features of SQL Server, such as failover clustering and database replication.

1.2.3 Affiliate Applications

An Affiliate Application is a logical entity in Enterprise Single Sign-on (SSO). It is defined by the Administrator and represents a system or subsystem such as a Host, back-end system, or line-of-business application to which the user can connect. It is specified in SSO by a set of definitions that an administrator creates. An Affiliate Application can represent a non-Windows system such as a mainframe or AS/400 computer. It can also represent an application such as SAP or a subdivision of an application such as the SAP Accounts Payable transaction posting program.

1.2.4 Windows Access Accounts (Roles)

These accounts are the individuals in the Windows group that fulfill a certain role having specific responsibilities and privileges. They are represented by the individual user accounts and group accounts in the SSO system. There are four key access accounts in the SSO system. These accounts are listed in hierarchical order, starting with the most powerful administrator role.

• SSO Administrators
• SSO Affiliate Administrators
• Application Administrators
• Application Users

1.2.5 Windows Initiated Single Sign-on

The most commonly used scenario is Windows Initiated Single Sign-On. When the user signs on from the Windows side and then accesses non-Windows resources, this is called Windows Initiated Sign-on. This requires the end user to be an authenticated Windows domain user. The end user initiates the request from the Windows system. In BizTalk Server 2004 and Host Integration Server 2004, Enterprise SSO enables Windows Initiated Single Sign-on.

1.2.6 Host Initiated Single Sign-on

In Host Integration Server 2004, Enterprise SSO has been extended to support Host Initiated SSO in addition to Windows Initiated SSO. This means that the end user initiates the request from a non-Windows system (for example, a CICS application on a mainframe) which is integrated with Host Integration Server (HIS) components and used to access a Windows resource (for example, a SQL Server database). This Windows resource allows access to Windows authenticated users only, which means the non-Windows user who initiates the request on the non-Windows system needs to access this Windows resource with their corresponding Active Directory account.

Host Initiated SSO is supported only in a native Windows 2003 Active Directory domain environment with Windows 2003 servers. The Windows 2003 Protocol Transition feature is made the most of by SSO Services to make this possible. (For more information on this feature, refer to http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx.)

This Protocol Transition feature allows SSO Services to obtain an impersonation-level Windows user token by providing the domain\userid information from the SSO Credential Database. This token is used by applications integrated with SSO to access Windows resources that the Windows user represented by the token is allowed to access.

Note: To obtain a Windows token using Protocol Transition the SSO Server must have the Act as part of the operating system privilege for its service account. Because of this, it is very important that an SSO server supporting Host Initiated SSO be securely locked down. This includes ensuring that the SSO Service account for this server is not used for any other purpose. Like other SSO Service accounts, this service account must be a member of the SSO Administrators account.

1.2.7 SSO Tickets

SSO Services provide an SSO ticketing mechanism to enable EAI products to deal with the problem of maintaining a user token across multiple computers and processes when working with Enterprise Single Sign-On. This lets the user achieve a Single Sign-on in a secure manner using Enterprise Single Sign-on. You should be aware that this ticket is not a Kerberos ticket. It is referred to as an SSO Ticket and is for use only within the SSO system. This is based on issuing a ticket on one computer (or by a certain process) and redeeming the ticket on a different computer (or a different process). Issuing a ticket means that a component calls into SSO Service to obtain an SSO ticket that represents the Windows user. Redeeming the ticket means that a component provides the ticket to SSO Service to obtain the Host credentials corresponding to the Windows user who initiated the original request.

An SSO ticket is issued only to an authenticated user for making a request on his or her own behalf. In other words, User A can only obtain a ticket for User A. Even an SSO administrator cannot request a ticket for another user. The user making the request to obtain a ticket must be a valid authenticated domain user. This means that if the user is Anonymous or not a valid domain account then access will be denied when a request to obtain the ticket is made.

The ticket generated by SSO Services primarily contains the user logon identity (domain\userid) and a time stamp indicating when the ticket was issued. This ticket is also encrypted by SSO Services. There is also a ticket timeout value configured at the SSO system level that determines when the ticket will expire. The ticket can be redeemed by a service account that is a member of the Application Administrators account for an Affiliate Application.
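The issue/redeem rules just described, modelled as an added example (not code from this paper or from Microsoft): a ticket carries domain\userid and an issue time stamp, can be obtained only for the caller's own identity, expires after the system-level timeout, and can be redeemed only by a member of the Affiliate Application's Application Administrators. Assumptions: an in-process stand-in for the SSO Service, an HMAC-authenticated base64 ticket in place of the real encrypted ticket, and Python dicts standing in for the Credential Database and Windows group memberships.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data (not from the paper): one affiliate application,
# one user mapping and one service account in its Application Administrators group.
AFFILIATE_APP = "MainframeRACF"
ALICE = "CORP\\alice"
BOB = "CORP\\bob"
SVC_BIZTALK = "CORP\\svc_biztalk"

MAC_LEN = 32  # length of a SHA-256 digest appended to the ticket payload


class AccessDenied(Exception):
    """Raised wherever the real SSO Service would return Access Denied."""


class SsoService:
    """In-process stand-in for an SSO Server (assumption: one process, one secret)."""

    def __init__(self, master_secret: bytes, ticket_timeout_s: int):
        self._secret = master_secret              # what the Master Secret Server hands out
        self.ticket_timeout_s = ticket_timeout_s  # ticket timeout, an SSO system-level setting
        # Credential Database stand-in: app -> {domain\user: (host_user, host_password)}
        self.mappings = {}
        # app -> members of that app's Application Administrators account
        self.app_admins = {}

    def issue_ticket(self, caller, requested_for, authenticated=True, now=None):
        """Issue a ticket representing the Windows user. Only a valid authenticated
        domain user may call, and only for his or her own identity."""
        if not authenticated or not caller or "\\" not in caller:
            raise AccessDenied("caller is Anonymous or not a valid domain account")
        if requested_for != caller:
            raise AccessDenied("a ticket can only be obtained for the caller's own identity")
        issued = int(now if now is not None else time.time())
        payload = json.dumps({"user": caller, "issued": issued}).encode()
        mac = hmac.new(self._secret, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + mac).decode()

    def redeem_ticket(self, ticket, service_account, affiliate_app, now=None):
        """Redeem a ticket for the Host credentials mapped to the ticket's user."""
        if service_account not in self.app_admins.get(affiliate_app, set()):
            raise AccessDenied("redeemer is not an Application Administrator for this app")
        raw = base64.urlsafe_b64decode(ticket)
        payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expected = hmac.new(self._secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            raise AccessDenied("ticket was not issued by this SSO system or was altered")
        fields = json.loads(payload)
        current = now if now is not None else time.time()
        if current - fields["issued"] > self.ticket_timeout_s:
            raise AccessDenied("ticket has expired")
        creds = self.mappings.get(affiliate_app, {}).get(fields["user"])
        if creds is None:
            raise AccessDenied("no mapping for this user in the affiliate application")
        return creds


def build_demo_service():
    """Configure the stand-in with the constructed mapping and admin group above."""
    svc = SsoService(master_secret=b"constructed-master-secret", ticket_timeout_s=120)
    svc.mappings[AFFILIATE_APP] = {ALICE: ("ALICE01", "constructed-host-pw")}
    svc.app_admins[AFFILIATE_APP] = {SVC_BIZTALK}
    return svc


def _denied(fn, *args, **kwargs):
    """True if the call is refused with AccessDenied, False if it succeeds."""
    try:
        fn(*args, **kwargs)
    except AccessDenied:
        return True
    return False


def run_demo():
    """Exercise each rule from the paper and return the outcomes."""
    svc = build_demo_service()
    ticket = svc.issue_ticket(ALICE, ALICE, now=1000)
    raw = base64.urlsafe_b64decode(ticket)
    altered = base64.urlsafe_b64encode(raw[:12] + b"X" + raw[13:]).decode()
    return {
        "redeemed": svc.redeem_ticket(ticket, SVC_BIZTALK, AFFILIATE_APP, now=1060),
        "issue_for_other_user": _denied(svc.issue_ticket, ALICE, BOB, now=1000),
        "issue_anonymous": _denied(svc.issue_ticket, None, None, authenticated=False),
        "redeem_by_non_admin": _denied(svc.redeem_ticket, ticket, BOB, AFFILIATE_APP, now=1060),
        "redeem_after_timeout": _denied(svc.redeem_ticket, ticket, SVC_BIZTALK, AFFILIATE_APP, now=1121),
        "redeem_altered": _denied(svc.redeem_ticket, altered, SVC_BIZTALK, AFFILIATE_APP, now=1060),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```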

1.2.8 Password Synchronization

Password Synchronization is used to simplify the management of passwords stored in the Enterprise SSO Credential Database (discussed later). When a user changes their password on a non-Windows system, the password in the Credential Database is updated with that password using Password Synchronization. The IT administrators can also set a rule that password changes should always be done from their Windows environment.

Because of this, Enterprise SSO supports 1-way and 2-way Password Synchronization. The SSO Credential Database contains user mappings that map Windows userids to non-Windows userids and non-Windows passwords.

Password Synchronization can also keep the non-Windows password in the Credential Database synchronized with the user's Windows password when a user or administrator changes their password. An administrator has three options to configure Password Synchronization:

1) Non-Windows to Windows Full Password Synchronization. This uses the same user password for Windows access and for access to non-Windows systems. When a password change is received from the non-Windows system, the password is changed in the SSO Credential Database and in the Active Directory.

2) Non-Windows to Windows Partial Password Synchronization. In this case, a different password exists for the user in the Windows and non-Windows systems and the password is changed only in the SSO Credential Database.

3) Windows to non-Windows Password Synchronization. In this case, the same password is used for users in the Windows and non-Windows systems. The difference between this and option #1 is that the password change occurs on the Windows side. The change is sent to the non-Windows system and the password is then changed in the SSO Credential Database.

Enterprise SSO also provides Password Synchronization APIs to allow Password Synchronization Adapter vendors to develop Password Synchronization Adapters that can be integrated with SSO Services. These Password Synchronization Adapters can capture user password changes on non-Windows systems and pass them on to SSO for updating in the SSO Credential Database and for optionally updating in Active Directory. Or they can receive password changes from SSO Services and pass them on to a non-Windows system to make an appropriate password change in the user directory on that system. They can also be written to work in both directions.

1.2.9 Secure Configuration Store

Enterprise SSO is extended to act as a Secure Configuration store as well. The Credential Database and SSO Services can be used to store and access configuration properties securely. This is used by BizTalk Server 2004 to store custom configuration information for BizTalk Server Adapters. Password Synchronization Adapter configuration data is also stored in the centralized Credential Database using this mechanism. The secure configuration store is primarily designed to allow multiple administrators to manage the same configuration data, and it allows multiple service accounts to access the same configuration data during runtime operations in a secure manner. The configuration data is stored encrypted, just like the credentials for Single Sign-on scenarios. This uses the same concept of Affiliate Applications to define the entity for which the configuration data is stored. The Affiliate Application is defined as a "Config Store" type application and the Application Administrators and Application Users accounts are defined for this application as well. Administrators have read/write access and users (service accounts) have read access to the configuration data that is stored for a "Config Store" type Affiliate Application.

1.2.10 Ease of Installation

Enterprise SSO provides a wizard driven flexible installation program that allows the SSO components to be installed with either Host Integration Server or BizTalk Server. We discuss this in greater detail in the Installation and Configuration section of this document.

1.2.11 Flexible Administration Model

The SSO administration model relies on Windows group accounts. The primary objective of SSO Administration is to manage the SSO system that consists of the Master Secret Server, Credential Database and multiple SSO servers. Credential Database management includes managing the Affiliate Applications and mappings. One or more Administrators can be given access to manage one Affiliate Application alone without having access to any other applications. They can also be given access to manage multiple applications. Each Affiliate Application can have multiple user mappings. For example, a user in Active Directory can be mapped to their corresponding RACF mainframe credentials. Also available are capabilities such as enabling and disabling the entire SSO System, an Affiliate Application, or even an individual user account mapping. SSO Administrators can also delegate administration to other users for certain operations. For example, Affiliate Application creation and management can be assigned to a different group of administrators.

1.2.12 Security

SSO provides a secure set of services to store and pass encrypted user credentials across local and wide area network boundaries. These credentials are always stored encrypted in a protected Credential Database. Because SSO provides a generic solution, middleware applications and custom adapters do not have to invent their own mechanisms to store credentials securely, nor do end users have to remember multiple sets of credentials. Instead, they can use a single account to log on to Windows and back-end systems. Middleware applications can now also connect to a back-end application with the credentials of the user that initiated the original request. All access to the Credential Database through SSO Services requires the appropriate authority as defined in the SSO system.

Auditing is critical in a secure environment. All operations performed on the Credential Database are audited by SSO Services. This is accomplished by using event logs and by creating audit logs in the Credential Database itself. Administrators can set the positive and negative audit levels that suit their corporate policies.

1.2.13 Extensibility

SSO Services also provide an extensible object model. This object model enables the integration of BizTalk Server Adapters with SSO. It allows BizTalk Server ISVs to integrate their adapters with SSO Services, thereby extending the solution to hundreds of back-end applications. Furthermore, custom applications can be integrated with these SSO Services to achieve more advanced forms of Single Sign-on.

2.0 SSO Components and Services

The Enterprise Single Sign-on (SSO) system consists of a set of components, servers and services that work together to provide Single Sign-on across multiple platforms and applications. These components and services consist of:

• SSO Clients and Administrators
• SSO Servers
• SSO Credential Database
• SSO Master Secret Server
• Domain Controllers

Figure 2 Components and Services

SSO Services are implemented on one or more Windows Server computer systems. The primary components are a Credential Database (CredDB), a Master Secret Server (MSS), and one or more Single Sign-on (SSO) Servers. The administration components can be used by administrators from a remote computer. The client components are for end users to manage their own mappings.

2.1 Master Secret Server

The Master Secret Server contains the secret key that is used for encryption and decryption of credentials in the SSO Credential Database. This is the only server in the SSO system that contains a persisted copy of the key. This secret key can be regenerated by the SSO Administrator using the ssoconfig.exe command line utility. When a new key is generated, the Master Secret Server will perform a rolling decryption with the old key and re-encryption with the new key for all the encrypted data in the Credential Database.

Note: You cannot generate a second secret until this re-encryption process is completed. The time it takes to complete this operation is based on the number of credentials stored in the Credential Database.

In an Enterprise SSO system there can be only one Credential Database (in SQL Server) and one Master Secret Server.

Important: It is strongly recommended that the computer (Master Secret Server) that contains the key for encrypting and decrypting the credentials be a different computer from the one that contains the encrypted data (SQL Server with Credential Database).

2.2 Credential Database

All SSO Servers communicate with the centralized SSO Credential Database (CredDB) and centralized Master Secret Server (MSS). This is where global information such as the SSO Administrators account, affiliate applications, and mappings are stored. Both the CredDB and the MSS can be clustered using MSCS Active/Passive clustering. (See the Clustering sections of this document.)

Important: It is strongly recommended that you back up the Credential Database on a regular basis. Follow the SQL Server guidelines for backup and restore of databases. If you lose the data in the credential database and do not have a backup, all the configurations must be redone.

2.3 SSO Servers

These servers can:

• Act as a Runtime Server for Windows Initiated SSO scenarios.
• Act as a Password Synchronization Server to receive password changes from Windows Domain Controllers.
• Act as a Password Synchronization Server to receive password changes from third-party adapters.
• Act as a Runtime Server for Host Initiated SSO scenarios.
• Act as an Administration Server that can be used by remote administration components.

In Figure 2 (preceding) three SSO Servers contact the Master Secret Server using encrypted RPC to obtain the secret. This secret is then stored encrypted in memory within each SSO Server. The SSO Server continues to poll the database every 30 seconds to obtain global information and other data. Most SSO configuration is done at the database level through one of the SSO servers. This enables all SSO servers in a distributed environment to access the same centralized data.

Failure Conditions

After the SSO Server has obtained a copy of the secret, all runtime operations will continue to work even if the Master Secret Server is not reachable. In the event of a failure, however, any administrative operation that involves encrypting data will fail. When the Master Secret Server is reachable again, all operations will continue to work without any administrative intervention.

Note: If the Master Secret Server goes down and then an SSO Server is restarted, it will not be able to perform any runtime operations any more because it does not have the secret in memory. It is recommended to cluster the Master Secret Server using MSCS Active/Passive Clustering.

If the connection to the SSO Credential Database is lost then all SSO Servers will go offline temporarily. This means that any consumer of SSO Services will receive Access Denied messages. When the SSO Credential Database is up and running again all the SSO Servers will come back on line and operations will continue to work without any administrative intervention.

Important: Because of the possibility of failure conditions occurring, it is strongly recommended that you cluster the SSO Credential Database using MSCS Active/Passive clustering.

For more information on clustering:

SQL Clustering: http://support.microsoft.com/?kbid=84212
MSDTC Clustering: http://support.microsoft.com/default.aspx?kbid=243204

Refer to the clustering section in this document for clustering the Master Secret Server.

2.4 Domain Controller Components

Domain Controllers receive password change requests directly from Windows users. In Host Integration Server 2004, Enterprise SSO includes components that reside on Domain Controllers to intercept these change requests so that SSO can synchronize passwords between Windows and non-Windows systems.

The Password Synchronization component that is installed on the Domain Controllers is called Password Change Notification Service (PCNS). This is part of the PCNS install package and is located on the Host Integration Server CD at <CDROOT>\Platform\PCNS. This package contains a command line utility (pcnscfg.exe) that is used for configuring the PCNS component.

2.5 Administration Components

Administration components of SSO can be used to configure and manage the SSO Credential Database. There are command line utilities provided to allow this administration. Remote administration is also supported for most administrative operations. In the release with BizTalk Server 2004, Enterprise Single Sign-on has two command-line utilities available for the administrator, ssoconfig.exe and ssomanage.exe.

Ssoconfig.exe is used for server level configuration, including the management of the Master Secret Server.

Ssomanage.exe is used for administration of the centralized information stored in the CredDB; this includes global settings for the SSO system, Affiliate Applications, and mappings. In Host Integration Server 2004, Enterprise SSO includes another administration utility (ssops.exe) used for Password Synchronization administration.

An object model is also available that allows administrators to develop scripts to perform administrative operations.

2.6 Client Components

SSO also provides a command line utility, ssoclient.exe, to allow end users to manage their own user mappings in the SSO Credential Database.

An object model is also available here as well. It can also be used to build custom user interfaces to manage these credentials through scripts and/or programs.


3.0 SSO Roles and Accounts

To configure and manage the SSO system there are four types of roles with specific levels of privilege. These roles are implemented through the assignment of users to group accounts or, in limited cases, to individual user accounts. This section describes each of those accounts and contains recommendations for configuring them.

These roles are:

• SSO Administrator

• SSO Affiliate Administrator

• Application Administrator

• Application User

3.1 SSO Administrator Account

Single Sign-on Administrators have the most privileges in the SSO system. They can:

• Create and manage the Credential Database.

• Create and manage the Master Secret on the Master Secret Server.

• Enable and disable the SSO System.

• Create and manage Password Synchronization Adapters.

• Enable and disable Password Synchronization in the SSO System.

• Enable and disable Host Initiated SSO.

• Configure audit levels.

• Perform all the administration tasks that the Single Sign-on Affiliate Administrators, Single Sign-on Application Administrators, and Single Sign-on Application Users can perform.

It is highly recommended that SSO Administrators be assigned as members of a domain group (especially in a distributed environment). If you use an individual account, you will not be able to change this account to assign it to another individual account. Therefore, we do not recommend using an individual account. You can change the SSO Administrator account to a group account as long as the original account is a member of the new group. We do not recommend that you specify an individual domain account as the SSO Administrator because you cannot change this account from one individual account to another individual account later on.

Important: The service account running the Enterprise Single Sign-on service must be a member of this group. You must ensure that no other services (or applications) in your enterprise are using this SSO Service account, to secure your deployment.

Important: It is strongly recommended that you use domain groups when configuring SSO.

Note: Built-in accounts are not allowed.


3.2 SSO Affiliate Administrator Accounts

These administrators define the Affiliate Applications that the SSO system contains. Affiliate Applications are logical entities that represent a system or subsystem such as a Host, back-end system, or line-of-business application to which you are connecting using Single Sign-on. They can:

• Create and manage Affiliate Applications.

• Specify the Application Administrator and Application User accounts for each Affiliate Application.

• Perform all the administration tasks that the Application Administrators and Application Users can perform.

Note: In BizTalk Server Configuration Store scenarios, "Config Store" type Affiliate Applications are created in the SSO Credential Database. In such a case, when a BizTalk Server adapter is created, Affiliate Applications that represent Receive Handlers, Send Handlers, Send Ports, and Receive Locations are created for each adapter in the SSO Credential Database. This is because BizTalk Server uses SSO to store BizTalk Server Adapters' custom configuration information. Because of this, when a BizTalk Server Adapter is being created, the BizTalk Server Administrator performing this operation must belong to the SSO Affiliate Administrators account.

3.3 Application Administrator Accounts

There is one Application Administrators group per Affiliate Application. They can:

• Change the Single Sign-on Application Users group account.

• Create, delete, and manage credential mappings for all users of the specific Affiliate Application.

• Set credentials for any user in that specific Affiliate Application Users group account.

• Perform all the administration tasks that the Application Users can perform.

3.4 Application User Accounts

There is one Single Sign-on Application User account for each Affiliate Application. These users can:

• Look up their credentials in the Affiliate Application.

• Manage their credential mappings in the Affiliate Application.


3.5 SSO Account and Usage Scenarios

The following table compares the rights associated with each of the four SSO account groups by usage scenario. Each row gives the SSO group account, its rights in Single Sign-On and Password Synchronization scenarios, and its rights in Configuration Store scenarios.

SSO Group Account: SSO Administrators
Single Sign-On and Password Synchronization Scenarios: Manage the SSO system. Create and configure the SSO credential database. Enable/disable Windows Initiated SSO, Host Initiated SSO, or Password Synchronization in the SSO system. Configure and manage Password Synchronization Adapters. Configure and manage SSO tickets. Manage all operations related to the Master Secret Server. Note: All SSO Services need to run under the SSO Administrator account.
Configuration Store Scenarios: SSO system level administrator operations.

SSO Group Account: SSO Affiliate Administrators
Single Sign-On and Password Synchronization Scenarios: Create Affiliate Applications. Specify the Application Administrator account and Application User account for the Affiliate Application.
Configuration Store Scenarios: Creates Affiliate Applications for adapters. The BizTalk Server Administrator performing this operation needs to be a member of the SSO Affiliate Administrator account. The administrator also specifies the Application Administrator account and Application User account for the Affiliate Application. Note: When a BizTalk Adapter is created, Affiliate Applications are also created. Similarly, to create a Password Synchronization Adapter a Configuration Store type Affiliate Application is created.

SSO Group Account: Application Administrators
Single Sign-On and Password Synchronization Scenarios: Manage the specific Affiliate Application. Create, delete, and manage mappings. Set credentials. The credentials are stored encrypted. Users in this group can redeem the ticket for an Affiliate Application.
Configuration Store Scenarios: Can add configuration data for an Affiliate Application as a mapping. This account specifies BizTalk Server Administrators by default. Can read and write configuration data. When you create a Send Port or Receive Location, you also create a corresponding mapping in the database to represent this data. This configuration data is stored encrypted.

SSO Group Account: Application Users
Single Sign-On and Password Synchronization Scenarios: Members of this account are end users that can access the back-end application with the appropriate back-end accounts. You create SSO credential mappings for members of this group for a specific Affiliate Application.
Configuration Store Scenarios: Can read configuration data. By default, you specify the Host Application User account as the Application User account for a specific handler (Affiliate Application). The BizTalk Server Runtime Service account needs to be a member of the appropriate Application User account to retrieve this configuration data.

3.6 Working in a Non-Active Directory Environment

SSO is designed to work in conjunction with Windows Active Directory. In an environment where you do not have Active Directory installed only the BizTalk Adapter Configuration Store scenarios are supported. In this case, you are working with local accounts. This is only supported in a single box scenario. Single Sign-On scenarios are not supported; for example, a local account cannot be mapped to a non-Windows account. Single Sign-On is used to extend the reach of Active Directory accounts to non-AD accounts.

3.7 Working with Local Groups

When working with local groups that include domain accounts and individual accounts there are the following considerations. Local group accounts are supported and need to exist on the SQL Server and the individual SSO Server computers. It is strongly recommended that you use domain group accounts. In a test or development environment, however, it could be difficult to create domain groups. In this case, you can use local groups for SSO Administrators, SSO Affiliate Administrators, Application Administrators, and Application Users. This should not be used for production, however.

The SSO Administrators account, SSO Affiliate Administrators accounts, and Application Administrator accounts can be individual accounts as well. This is supported only in a demo/evaluation scenario because it is not secure and does not work well in a distributed environment. Domain groups are recommended for all accounts in SSO.

Note: The Application Users account in SSO does not support individual accounts.


4.0 Implementation Scenarios

Because there are so many different situations in which SSO can be used, this section of the paper contains a set of scenarios describing the use of SSO with combinations of other Microsoft products.

Host Integration Server, BizTalk Server, and BizTalk Server Adapters together provide an EAI solution to integrate front-end Web portals with back-end applications and systems.

Host Integration Server (HIS) seamlessly integrates Windows applications with IBM mainframe and midrange (AS/400) systems and applications. HIS components integrate with SSO Services to provide end users with a Single Sign-on experience when accessing non-Windows applications on mainframes and AS/400 systems. Similarly, BizTalk Server back-end Adapters such as SAP, PeopleSoft, Siebel and other Adapters are integrated with these SSO Services to provide end users with an SSO experience. Front-end BizTalk Adapters such as the HTTP and SOAP (Web Services) Adapters integrate with SSO to make this possible. Single Sign-on through SSO is further available for end users accessing Web Parts in SharePoint Portal Server for scenarios where it is integrated with BizTalk Server 2004 through the Web Services Adapter. This allows Portal users to access non-Windows applications without being prompted to provide non-Windows credentials. This provides an end-to-end EAI solution to the end user with Single Sign-on. After the end user is authenticated in the Windows domain, he or she does not have to provide further credentials to access disparate back-end applications.

The following sections assume that you have an understanding of BizTalk Server, Host Integration Server, BizTalk Server Adapters, and SharePoint Portal Server. Some of the concepts and terminology used are applicable only to those products. To learn more about these products, refer to the appropriate product documentation.

4.1 BizTalk Server Configuration Store Scenario

This specific scenario is not about achieving Single Sign-on for end users, but about using SSO Services and the Credential Database to securely store and retrieve BizTalk configuration data.

SSO is tightly integrated with BizTalk Server. Enterprise Single Sign-on can be taken advantage of to store configuration information that must be treated in a secure manner while making it readily available in a distributed system. For example, BizTalk Server 2004 uses Enterprise Single Sign-on Services to securely store custom configuration information about BizTalk Server Adapters.

In Configuration Store scenarios for BizTalk Server, the "Config Store" type Affiliate Application is associated with an adapter's Receive Handler or Send Handler. For every adapter that is created, there are four "Config Store" type Affiliate Applications created in the SSO Credential Database: one for the Send Handler, one for the Receive Handler, one to represent the Send Ports and another to represent the Receive Locations.


Note: Because creating a BizTalk Server Adapter corresponds to creating an Affiliate Application, the BizTalk Administrator that is performing this operation must be a member of the SSO Affiliate Administrators group account.

When these applications are created, the corresponding BizTalk Host Users group is specified as the Application Users group account for the Affiliate Application. Users that belong to this group will have read-only privileges to the configuration data for that specific handler corresponding to the Affiliate Application. The BizTalk Server Administrators group account is specified as the Application Administrators group account for those Affiliate Applications. Administrators have read/write privileges for the configuration data.

When a Send Port or Receive Location is created in BizTalk Server, a corresponding mapping is created in the SSO Credential Database to store that configuration information. For example, if a Send Port is created for an HTTP Adapter, then a mapping is created under the Affiliate Application that corresponds to the HTTP Send Port.

4.2 BizTalk Server End-to-End Scenarios for Windows Initiated SSO

Front-end BizTalk Adapters such as HTTP Receive Adapters and Web Services (SOAP) Receive Adapters are integrated with the Issue Ticket function of SSO. When a request is made by the end user the HTTP and SOAP components impersonate the end user and call SSO to obtain a ticket. A ticket is issued only for the caller by SSO and this ticket is encrypted. The caller must be an authenticated Windows domain account. The ticket contains the domain and userid of the user and a timeout value. The ticket timeout is configured at the global SSO system level. These front-end adapters also set the OriginatorSID property in the BizTalk message context to the identity of the end user who made the request. They also set the SSOTicket property with the encrypted ticket.

Important: Windows Integrated authentication needs to be set up for an IIS virtual directory because a ticket is issued only for an authenticated Windows user.

Note: At this stage the BizTalk Server adapter does not know which back-end the message is destined for. Because of this, there is no association of the adapter with an Affiliate Application. Also, SSO does not contact the centralized SSO Credential Database to issue a ticket. A ticket is issued for any caller as long as it is a valid Windows domain account.

If you have Orchestration Services in your end-to-end scenario, it is important that you copy the OriginatorSID and SSOTicket context properties when creating a new message. This way these properties are maintained in the message.

Note: Only a trusted BizTalk Server Host Instance can perform this operation, because the OriginatorSID can be set to any value as long as a trusted Host is submitting the message to the Message Box of BizTalk Server. If an untrusted Host tries to perform this operation, the Message Box security will override the OriginatorSID property to the service account of the untrusted Host that is submitting the message.


The Web Services Send Adapter, HTTP Send Adapter, SAP Send Adapter, or any other send-side adapters that are integrated with SSO call into SSO to redeem the ticket and obtain the appropriate back-end credentials. The only configuration that the BizTalk Administrator needs to do here with respect to the Send Port is to specify the Affiliate Application name. The adapter calls SSO to redeem the ticket and passes the Affiliate Application name that is configured and the message that contains the ticket itself. First, the SSO Service validates the caller and then the ticket is validated by checking if the OriginatorSID and the SSOTicket match. If this succeeds then the SSO Service will redeem the ticket and return the non-Windows credentials to the adapter. The adapter can then use these credentials when accessing the back-end system to get authenticated.

Note: The service account of the adapter redeeming the ticket, which is typically the BizTalk Server Host service account, must belong to the Application Administrators group account for the Affiliate Application it is configured to redeem the ticket for. If there are multiple adapters hosted within the same BizTalk Host service account and they are configured for different Affiliate Applications, then the service account should be added to the Application Administrators group account for all those Affiliate Applications. Figure 3 shows this scenario.

Figure 3: BizTalk Server end-to-end with Enterprise SSO
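The ticket flow just described (ticket issue on the receive side, the Message Box rule for OriginatorSID, and ValidateAndRedeemTicket on the send side), as an added, constructed Python model that is not the ENTSSO service or its API: the SIDs, group names, the "SAP" affiliate application and the credentials are made up, and an HMAC keyed by a stand-in master secret takes the place of the real ticket encryption.

```python
"""Toy model of the Enterprise SSO Windows Initiated ticket flow.

Constructed for illustration; not the ENTSSO service or its ISSOTicket /
ISSOLookup interfaces. All identities, groups and credentials are sample data.
"""
import base64
import hashlib
import hmac
import json
import time

MASTER_SECRET = b"constructed-master-secret"   # stand-in for the Master Secret Server secret

# Constructed sample identities.
ALICE_SID = "S-1-5-21-1000-2000-3000-1101"      # end user, a domain account
BTS_HOST_SID = "S-1-5-21-1000-2000-3000-1201"   # BizTalk host service account
BUILTIN_ADMINS_SID = "S-1-5-32-544"             # built-in group, not a domain account

# Constructed role groups and one affiliate application named "SAP".
GROUPS = {"SAP_AppAdmins": {BTS_HOST_SID}, "SAP_AppUsers": {ALICE_SID}}
AFFILIATE_APPS = {"SAP": {"admins": "SAP_AppAdmins", "users": "SAP_AppUsers"}}
MAPPINGS = {("SAP", ALICE_SID): ("ALICE01", "constructed-sap-password")}


class SSOError(Exception):
    """Raised where the real service would return an access-denied style error."""


def _clock(now):
    return time.time() if now is None else now


def issue_ticket(caller_sid, timeout_s=300, now=None):
    """Issue Ticket: any authenticated domain account gets a ticket for itself.
    The credential database is not consulted and no affiliate application is
    involved yet; the ticket carries only the caller's SID and a timeout."""
    if not caller_sid.startswith("S-1-5-21-"):
        raise SSOError("ticket issued only for authenticated Windows domain accounts")
    body = json.dumps({"sid": caller_sid, "exp": _clock(now) + timeout_s},
                      sort_keys=True).encode()
    tag = hmac.new(MASTER_SECRET, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def _open_ticket(ticket):
    raw = base64.b64decode(ticket)
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(MASTER_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise SSOError("ticket integrity check failed")
    return json.loads(body)


def submit_to_message_box(host_trusted, host_sid, originator_sid, ticket):
    """Message Box rule: only a trusted host may submit an arbitrary OriginatorSID;
    an untrusted host's OriginatorSID is overridden with its own service account."""
    context = {"OriginatorSID": originator_sid, "SSOTicket": ticket}
    if not host_trusted:
        context["OriginatorSID"] = host_sid
    return context


def validate_and_redeem_ticket(caller_sid, app_name, context, now=None):
    """ValidateAndRedeemTicket as the send adapter calls it:
    1. validate the caller (must be an Application Administrator of the app),
    2. validate the ticket (OriginatorSID matches the sealed SID, not timed out),
    3. return the non-Windows credentials mapped for that user."""
    app = AFFILIATE_APPS.get(app_name)
    if app is None:
        raise SSOError("unknown affiliate application %s" % app_name)
    if caller_sid not in GROUPS[app["admins"]]:
        raise SSOError("caller is not an Application Administrator for %s" % app_name)
    payload = _open_ticket(context["SSOTicket"])
    if payload["sid"] != context["OriginatorSID"]:
        raise SSOError("OriginatorSID does not match the SSOTicket")
    if _clock(now) > payload["exp"]:
        raise SSOError("ticket has timed out")
    try:
        return MAPPINGS[(app_name, payload["sid"])]
    except KeyError:
        raise SSOError("no credential mapping for this user in %s" % app_name)


def end_to_end(host_trusted, user_sid=ALICE_SID, redeemer_sid=BTS_HOST_SID,
               issued_at=None, redeemed_at=None):
    """Run receive-side issue, Message Box submit and send-side redeem for one
    user; returns the back-end credentials tuple or the error text."""
    try:
        ticket = issue_ticket(user_sid, now=issued_at)
        context = submit_to_message_box(host_trusted, BTS_HOST_SID, user_sid, ticket)
        return validate_and_redeem_ticket(redeemer_sid, "SAP", context, now=redeemed_at)
    except SSOError as err:
        return str(err)


if __name__ == "__main__":
    print(end_to_end(True))    # ('ALICE01', 'constructed-sap-password')
    print(end_to_end(False))   # untrusted host: OriginatorSID was overridden, redeem fails
```

The untrusted-host case shows why the Message Box override matters: once OriginatorSID no longer matches the SID sealed in the ticket, the send adapter cannot obtain anyone else's back-end credentials.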

4.3 SharePoint Portal Server Integrated with BizTalk Server and Enterprise SSO


SharePoint Portal Server (SPS) also works with SSO to provide Single Sign-on (SSO) services to users, and there are also scenarios where it can be used with BizTalk Server (BTS). This section serves to clarify how to use SSO when working with SPS 2003 and BTS 2004.

This scenario is conceptually very similar to the BizTalk scenario discussed previously although the underlying code is somewhat different. They both share a very similar ticketing and secure credential store implementation.

BizTalk Server 2004 supports SPS/SSO using the SOAP Receive Adapter. There are three basic SPS/SSO to BTS/SSO integration options:

1. Use only Enterprise SSO Services in BizTalk Server

• Manage one Credential Database.

• SPS Web Parts and SOAP Receive Adapters are on the same computer.

2. Use only Enterprise SSO Services in BizTalk Server when the SOAP Receive Adapter and SPS are on different computers

• Manage one Credential Database.

• SPS Web Parts and SOAP Receive Adapter are on different computers.

• Configure Constrained Delegation in a Windows 2003 domain environment.

3. Use Enterprise SSO from BizTalk and SPS/SSO Services

• Manage two Credential Databases (one for SharePoint Portal Server and one for BizTalk Server).

• SPS Web Parts and SOAP Receive Adapter can be on the same or different computers.

In the first two scenarios mentioned previously, the key is that when the Web Services Adapter receives the request from the Web Part it must receive an impersonation level token for the end user. The Web Part then uses this token to obtain an SSO ticket from the SSO Service.

Discussed next are further details on these deployment options available for achieving Single Sign-on when using SPS and BTS in your Enterprise with Enterprise Single Sign-On.

Use only Enterprise SSO Services in BizTalk Server when the BizTalk Web Services (SOAP) Adapter and Web Parts are on the same computer or different computers.

In this scenario, SPS Web Parts would depend on an Enterprise SSO implementation. The Web Part would send a SOAP request to a local BizTalk Web Service Adapter. To enable SSO on the Web Service Adapter you must check the Enable SSO check box on the Receive Location properties for the Soap Adapter during configuration. The Web Services Adapter would then request a ticket based on the original authenticated user, placing it in the SSOTicket context property of the message. To obtain a ticket the Web Services Adapter impersonates the caller before calling SSO Services to get a ticket issued for the end user. The Web Services Adapter also sets the OriginatorSID context property as the original authenticated user.


In order for this scenario to work you must either install the Web Service Adapter and BizTalk Runtime on the same server as the SPS Web Part or enable delegation. BizTalk Adapters cannot be installed on a computer without the BizTalk Runtime. Because the Soap Adapter is an out-of-process adapter running in the context of an IIS process you do not need BizTalk Orchestration running on the SPS computer. You just need the BizTalk Runtime components installed to enable the routing of messages to the Message Box.

Delegation, on the other hand, does not require the installation of the BizTalk Runtime or SOAP Adapter on the SPS Server. It will pass the original authenticated user's credentials to the Web Service. When the Web Part calls the Web Service Adapter, the Web Service Adapter will receive an impersonation level token for the Windows user that originated the request on the SPS server. The Web Service Adapter then impersonates the end user and calls the BTS/SSO Service to issue the ticket for the originally authenticated user. To issue a ticket the SSO Service only checks if the user is an authenticated Windows user. A ticket is issued for only the caller. If the user is not a domain account, a ticket is not issued.

When a Send Adapter configured to use SSO receives a request, it will call the ValidateAndRedeemTicket SSO API method to redeem the ticket and obtain the user's external credentials from the BTS/SSO Credential Database. Credentials are retrieved from the SSO Credential Database if the validation succeeds. Validation is done by comparing the OriginatorSID and the user's SID in the encrypted SSO ticket. This validation is to ensure that only a trusted subsystem (such as trusted BizTalk hosts) can be used for these end-to-end SSO scenarios. In this scenario, you need to manage only the BTS/SSO Service and SSO Credential Database. A diagram of this scenario using delegation is shown in Figure 4. A diagram of this scenario with the BizTalk Runtime installed on the SPS server is shown in Figure 5.


Figure 4: SPS Integration with BTS and Enterprise SSO Runtime on the same box

Figure 5: SPS Integration without the BTS Runtime on the SPS computer

BizTalk Orchestration and SSO

In orchestration, two Context Properties need to be copied over when creating a new message that would be consumed by the Send Adapter. These two properties are the SSOTicket and the OriginatorSID. BizTalk Orchestration also needs to run within a Trusted Host in BizTalk Server. Only Trusted Hosts have permission to submit a message to the Message Box with any OriginatorSID.

4.4 Host Integration Server Windows Initiated SSO for Emulators

The SNA Server component of Host Integration Server is the gateway that is used for integration with back-end systems using SNA protocols. This is a core feature of Host Integration Server. It has server-side and client-side components. These client applications and emulators are provided by Microsoft and by third parties. This is represented in Figure 6.


Figure 6: Windows Initiated SSO for 3270 or 5250 Terminal Emulators

Detailed end-to-end process

Step 1. When an end user establishes a session with the server, the user connects to the Server using their Windows logon access token. They are then authenticated by the Windows integrated security mechanism using their logged on Windows credentials.

Step 2. The DMOD Server calls SNASII as soon as a new session request is made.

Step 2a. SNASII caches the Windows logon access token. The token is kept in the cache until the user disconnects the session.

Step 3. If SSO is configured to be used by the Node then the Node calls SNASII to get the back-end credentials. The Node passes the name of the Affiliate Application along with the Windows domain name and userid to do this.

Step 4. SNASII uses the access token that corresponds to the Windows userid specified and impersonates the Windows user to call Get Credentials (ISSOLookup1.GetCredentials) as that Windows user. This returns the Host userid and password from the SSO Credential Database. SNASII calls are then made to the ENTSSO service of SNA Server. This means that all lookups are local to that computer. The SSO Service gets the Host credentials from the database encrypted. It then decrypts the password and returns it to the caller (in this case, to SNASII). The Node receives these credentials from SNASII and uses them to log on to the back-end system. The back-end system then uses the Host credentials to authenticate the user.


Note: The session between the client and server could be left active for a few minutes, a few hours, or a few days. The user could be performing multiple operations on a back-end system after the session has been established. Only when the session is initially established and the user logs on to the server are they authenticated and their information cached. For subsequent operations on the back-end system, the user does not have to log on to the server again. However, for each request made by the user on the back-end system the user might have to provide their Host credentials to be authenticated again.

When the user disconnects his or her session, the user is no longer logged on to the server. To establish a new connection to the server the user has to log on to the server again. In other words, the user has to provide their Windows logon credentials to be authenticated by the server. When the session is disconnected, the access token is also cleared from the cache.

Sample logon script for 3270 Terminal Emulator

SETTIMEOUT 30,EXIT
WAITSESSION SSCP
Wait for banner. Wait <delay> can be replaced with WaitString "<string>"
WAIT 3
SEND lE
WAITSESSION LULU
Wait for screen after BIND. Wait <delay> can be replaced with WaitString "<string>"
WAIT 3
SEND MS$SAMEU
SEND MS$SAMEP
EXIT:

5250 Terminal Emulator

In the case of the 5250 Terminal Emulator, pass MS$SAME and MS$SAME as the userid and password. These are the strings in the data stream that are replaced by HIS with the appropriate Host credentials retrieved from SSO that correspond to the Windows domain user using SSO.

4.5 Transaction Integrator using Windows Initiated SSO

This scenario describes how SSO works when used with Host Integration Server (HIS) Transaction Integrator (TI) for Windows Initiated Transactions. Transaction Integrator is used for integration with CICS and IMS applications on IBM mainframes, and RPG applications on OS/400. Described here is an end-to-end process when TI is used with Enterprise SSO. This is shown in Figure 7.


Figure 7: TI with Enterprise SSO

Detailed end-to-end process

In this scenario, Transaction Integrator calls directly into the ENTSSO service to perform lookups and obtain the Host credentials.

Step 1. The TI Client makes a request to the server component. This uses Windows integrated authentication and the identity of the user logged on to the Windows domain. The server then authenticates the client.

Important: When using a Web service, ensure that the Web service on the server has impersonation enabled. This will allow the Web service to impersonate the end user while making the request to TI, which in turn makes the request to SSO.

Important: Use Windows Integrated Security only for the server component. This setting is for the virtual directory on the Web server, or for COM-based or .Net-based server applications. Do not enable Anonymous access.

Step 2. TI calls the ENTSSO service to get the Windows user's Host credentials (ISSOLookup1.GetCredentials). TI specifies the name of the Affiliate Application as an input parameter.

Step 3. The ENTSSO service gets the credentials from the Credential Database for the Windows user and returns these credentials to the caller (in this case the TI Server).

Step 4. If SNA protocols are being used TI will use the HIS node as a gateway to access the back-end system. If the TCP/IP protocol is being used then TI will directly connect to the back-end system. The Host credentials retrieved from SSO are supplied as part of this connection.


Sample web.config for a Transaction Integrator .NET application

  <configuration>
    <system.web>
      <!-- Run each request under the authenticated caller so that the SSO lookup is made as the end user -->
      <identity impersonate="true" />
      <!-- Windows integrated authentication only; Anonymous access must stay disabled on the virtual directory -->
      <authentication mode="Windows" />
      <trust level="Full" originUrl="" />
    </system.web>
    <system.runtime.remoting>
      <channelSinkProviders>
        <serverProviders>
          <provider id="interceptor"
            type="Microsoft.HostIntegration.TI.RemotingInterceptor.InterceptorServerChannelSinkProvider, Microsoft.HostIntegration.TI.RemotingInterceptor" />
        </serverProviders>
      </channelSinkProviders>
      <application>
        <service>
          <wellknown type="TCP_LinkTRM_NET.CedarBank,CICS_LinkTRM_CedarBank_NET"
            objectUri="CICS_LinkTRM_CedarBank_NET.rem" mode="SingleCall" />
          <wellknown type="CICS_LINK_NET.CedarBank,CICS_Link_CedarBank_NET"
            objectUri="CICS_Link_CedarBank_NET.rem" mode="SingleCall" />
        </service>
        <channels>
          <channel ref="http">
            <serverProviders>
              <provider ref="wsdl" />
              <!-- typeFilterLevel="Full" lets the formatters deserialize any type TI needs;
                   this is one more reason the channel must only be reachable by Windows-authenticated callers -->
              <formatter ref="soap" typeFilterLevel="Full" />
              <formatter ref="binary" typeFilterLevel="Full" />
              <provider ref="interceptor" />
            </serverProviders>
          </channel>
        </channels>
      </application>
    </system.runtime.remoting>
  </configuration>

4.6 Transaction Integrator and Host Initiated Transactions

This scenario describes how SSO works when used with Host Integration Server (HIS) Transaction Integrator (TI) and Host Initiated Transactions. These are Host Initiated Processing (HIP) scenarios. The following is a walkthrough of this end-to-end process.


Figure 7: Transaction Integrator using Host Initiated SSO

Detailed end-to-end process

Step 1. A mainframe user logs on to a CICS region using mainframe (RACF) credentials and invokes a CICS application. CICS takes care of inserting the appropriate RACF credentials into the data stream. For TCP/IP scenarios, the CICS application is responsible for inserting the RACF credentials into the data stream.

Step 2. For SNA scenarios the request is made to the Node/DMOD, which in turn calls the HIP TI component. In TCP/IP scenarios, the request is made directly to the HIP TI server component.

Step 3. If the TI HIP (Host Initiated Processing) component is configured for SSO, it calls SSO Services to obtain the Windows access token that corresponds to the Host user (ISSOLookup2.LogonExternalUser). The Affiliate Application name and the Host user ID are passed as input parameters. If the Affiliate Application is marked to do validation, then the Host user ID and the Host user password are passed in as input parameters along with the name of the Affiliate Application. In most scenarios the caller making this request must belong to the Application Administrators group account, or higher, for that Affiliate Application.

In addition, the caller could also be the Windows user itself. This enables the scenario where group mappings are used. In this case, an Affiliate Application can be configured to perform validation. If validation succeeds, further operations can be performed as that Windows user by using the access token (which the caller already has). In this way, the service calling SSO can run under a lower-privileged account. This user should belong to the Application Users group for that specific Affiliate Application.


Step 4. SSO Services next authenticates the caller and retrieves the Windows access token for the appropriate Host user. SSO Services uses the credential mapping in the Credential Database and Protocol Transition to complete this operation. LsaLogonUser with the KERB_S4U_LOGON option is used in SSO Services to enable this. A token obtained through an S4U logon is sufficient for local impersonation; for the impersonated COM+ or Web application to reach a remote resource, the SSO service account must be trusted for delegation with protocol transition ("use any authentication protocol") in Active Directory, otherwise S4U yields an identification-level token that cannot be used for network access.

Step 5. The HIP TI server component impersonates the user using the Windows access token and invokes a COM+ application (or Web application) as that Windows user. The COM+ application can further impersonate and access a local or remote Windows resource.

Note: The COM+ application itself must be local to the TI server.

Important: When using a Web service, ensure that the Web service on the server has impersonation enabled. This allows the Web service to impersonate the end user while making the request to TI, which in turn makes the request to SSO.

Important: Use Windows Integrated Security only for the server component. This setting applies to the virtual directory on the Web server, or to COM-based or .NET-based server applications.

If SNA protocols are being used, TI uses the HIS node as a gateway to access the back-end system. If TCP/IP is being used, TI connects directly to the back-end system. The Host credentials retrieved from SSO are supplied as part of this connection.

4.7 Server Side Data Provider: Connecting over SNA or TCP/IP

This scenario covers Server Side Data Provider integration with a back-end Host system. Data providers in HIS 2004 are used for integration with IBM DB2, VSAM, or OS/400 file systems. Described next is the end-to-end process when a Data Provider is used with Enterprise SSO.


Figure 9: Server Side Data Provider using Windows Initiated SSO

Detailed end-to-end process

In this scenario, a Data Provider calls directly into the ENTSSO service to perform the lookups and obtain Host credentials. This applies to both TCP/IP and SNA, and is similar to the previous TI scenario.

Step 1. The Data Provider impersonates the end user that initiated the request and calls the ENTSSO service to get that user's credentials (ISSOLookup1.GetCredentials). The Data Provider specifies the Affiliate Application as an input parameter when it calls SSO.

Step 2. The ENTSSO service gets the Host credentials mapped to the Windows user from the SSO Credential Database and returns them to the caller (in this case, the Data Provider).

Step 3. If SNA is used, the Data Provider uses the HIS node as a gateway to access the back-end system. If TCP/IP is used, the Data Provider connects directly to the back-end system. The Host credentials are supplied as part of this connection.
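The lookup that TI (section 4.5) and the server-side Data Provider (above) make against ENTSSO can be reproduced from an administrator's console, which is a quick way to confirm that an Affiliate Application mapping resolves for the calling Windows identity before debugging the host connection itself. The following PowerShell script is an added example and is not code from the whitepaper or from Host Integration Server. It assumes ENTSSO is installed locally with its interop assembly in the default Enterprise Single Sign-On directory, and the Affiliate Application name it receives is a placeholder for one that exists in your SSO system.

```powershell
# Added example: call ISSOLookup1.GetCredentials the way TI and the Data Providers do.
# Assumptions (not from the whitepaper): ENTSSO is installed locally; the interop assembly
# lives in the default Enterprise Single Sign-On directory; the Affiliate Application name
# passed in is a placeholder for one that exists in your SSO system.
param(
    [Parameter(Mandatory)][string]$AffiliateApplication,
    [switch]$Refresh   # bypass the ENTSSO credential cache (use after the host rejects a logon)
)
$ErrorActionPreference = 'Stop'

$interop = Join-Path $env:CommonProgramFiles 'Enterprise Single Sign-On\Microsoft.EnterpriseSingleSignOn.Interop.dll'

# ENTSSO is exposed through COM; this small C# shim is compiled in-process so the call goes
# through the same interop assembly the HIS components use.
Add-Type -ReferencedAssemblies $interop -TypeDefinition @'
using Microsoft.EnterpriseSingleSignOn.Interop;
public static class SsoLookupShim
{
    // Returns the external (host) user ID; the password comes back through the out parameter.
    public static string GetHostCredential(string application, bool refresh, out string password)
    {
        ISSOLookup1 lookup = new SSOLookup();
        int flags = (int)(refresh ? SSOFlag.SSO_FLAG_REFRESH : SSOFlag.SSO_FLAG_RUNTIME);
        string externalUser;
        // The lookup is made under the caller's Windows token: ENTSSO resolves the mapping
        // for this identity, which is why TI and Web services must impersonate the end user.
        string[] credentials = lookup.GetCredentials(application, flags, out externalUser);
        password = credentials.Length > 0 ? credentials[0] : null;
        return externalUser;
    }
}
'@

function Get-SsoHostCredential {
    param(
        [Parameter(Mandatory)][string]$ApplicationName,
        [switch]$Refresh
    )
    $password = $null
    $hostUser = [SsoLookupShim]::GetHostCredential($ApplicationName, [bool]$Refresh, [ref]$password)

    # Never leave the host password as a plain string on the pipeline or in a transcript.
    $secure = if ($password) { ConvertTo-SecureString -String $password -AsPlainText -Force } else { $null }
    [pscustomobject]@{
        WindowsUser          = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        AffiliateApplication = $ApplicationName
        HostUser             = $hostUser
        HostPassword         = $secure
        FromCache            = -not $Refresh
    }
}

try {
    Get-SsoHostCredential -ApplicationName $AffiliateApplication -Refresh:$Refresh |
        Format-List WindowsUser, AffiliateApplication, HostUser, FromCache
}
catch [System.Runtime.InteropServices.COMException] {
    # Typical causes: no mapping for this Windows account, the Affiliate Application is
    # disabled, or the caller is not in its Application Users group. The HRESULT says which.
    Write-Error ("ENTSSO lookup failed (HRESULT 0x{0:X8}): {1}" -f $_.Exception.HResult, $_.Exception.Message)
}
```

Run it as the Windows user whose mapping you are checking; the result deliberately prints the host user ID but keeps the password as a SecureString. The `-Refresh` switch mirrors the retry pattern the HIS components use when a host rejects a logon: the first call is served from the ENTSSO cache, the retry forces a read from the Credential Database.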

Note: DB2 Connection Pooling and Enterprise SSO

A common approach to improving the performance of data integration solutions is to use "connection pooling." Industry-standard ODBC and COM-based OLE DB (and ADO) offer connection pooling and resource pooling as service components within the data access components. These connection pooling mechanisms do not work efficiently with Enterprise SSO: a pooled connection can only be reused by a request whose connection attributes, including the Host credentials, match exactly, and with SSO each Windows user carries a different set of Host credentials.

In HIS 2004, a new Microsoft DB2 data provider-specific connection pooling option is available. This method works with Enterprise Single Sign-On when deploying the data providers on a Windows server computer. To use this pooling, select the Connection Pooling check box in the Data Source Wizard of the Data Access Tool, or specify "Connection Pooling=TRUE" in your program's connection string.

4.8 Client Side Data Provider: Connecting over SNA

In this scenario, a Data Provider can also be installed as a client component on an end user's computer, and it connects through Host Integration Server to the Host system. This scenario does not support connectivity to the Host using TCP/IP. This is shown in Figure 10.

Figure 10: Client Side Data Provider using Windows Initiated SSO

Detailed end-to-end process

Step 1. When the end user establishes a session with the server, the user connects to the server using their Windows logon access token. They are then authenticated by the Windows integrated security mechanism using their logged-on Windows credentials. The Data Provider specifies MS$SAME, MS$SAME in the data stream as replacement strings to be replaced by the user's Host user ID and password.

Step 2. The DMOD server calls SNASII to cache the access token as soon as a new session request is made by the client.

Step 2a. SNASII caches the Windows logon access token. The token is kept in the cache until the user disconnects the session.


Step 3. The Node calls SNASII to get the user's Host credentials. The Node passes in the name of the Affiliate Application along with the Windows domain name and user ID.

Step 4. SNASII uses the access token that corresponds to the specified Windows user ID to impersonate the Windows user. It calls GetCredentials (ISSOLookup1.GetCredentials) as that Windows user. This returns the Host user ID and password from the SSO Credential Database. SNASII calls are made to the local ENTSSO service, which means that all lookups are local to that computer. The SSO service gets the Host credentials from the database in encrypted form, decrypts the password, and returns it to the caller (in this case, SNASII). The Node receives these credentials from SNASII and substitutes them for the replacement strings in the data stream, which is used to log on to the back-end system. The back-end system then uses these Host credentials to authenticate the user.

Step 5. When the user disconnects the session (for example, the session established between the DMOD client and server is disconnected), the user is no longer logged on to the server. To establish a new connection to the server the user has to log on to the server again. In other words, the user has to present their Windows logon credentials again to be authenticated by the server.

Step 6. When the session is disconnected, DMOD calls SNASII to clear the access token for that user from the cache.

4.9 Windows Initiated Password Synchronization

In this scenario, a Windows user changes their password and a Windows Domain Controller receives the password change. In Windows 2000 and Windows Server 2003, a password change can be made at any Domain Controller. When a user changes their password it is captured by a Password Capture Filter on the Domain Controller, and the change is then passed on to the Password Change Notification Service (PCNS) on the Domain Controller. The Domain Controller then pushes the password change out to a consumer. The change is propagated from the Domain Controller to the SSO service configured as a Password Synchronization Server. Based on configuration information the password is either changed in the SSO Credential Database or simply discarded. If the user is configured for Password Synchronization, the password change is sent to the non-Windows system and the password is then updated in the SSO Credential Database. Note that this requires the use of third-party components to communicate the change from the Windows system to the non-Windows system.

A password change is captured only for users that are specified in an inclusion group.

The Password Synchronization module of Enterprise SSO decides whether to send the password change to the back-end system based on the configuration information in the SSO Credential Database. Windows Initiated Password Synchronization is illustrated in Figure 11.


Figure 11: Windows Initiated Password Synchronization

4.10 Non-Windows Initiated Password Synchronization

In this scenario a non-Windows user updates the password on a Host system. A password capture component runs on the non-Windows system. This component captures the change on the non-Windows system and notifies a corresponding Windows component, which then propagates the change to the Password Synchronization component of Enterprise SSO Server. That component takes care of updating the SSO Credential Database. Note that this requires the use of third-party components to communicate the password change from the non-Windows system to Windows. The administrator can configure Enterprise SSO to update just the Credential Database, or to update the Credential Database and also update the user's password in Active Directory. The former is referred to as Partial Synchronization and the latter as Full Synchronization. Partial Synchronization is typically used when the passwords in Active Directory and in the Host system user database (RACF) are intentionally different, but it is still important to update the Credential Database so that Single Sign-On continues to work after the user's RACF password changes. Figure 12 illustrates this scenario.


Figure 12: Non-Windows Initiated Password Synchronization


5.0 SSO Installation and Configuration

How you install SSO depends on whether you are installing it with Host Integration Server or with BizTalk Server.

5.1 Installing and Configuring SSO with BizTalk Server

BizTalk Server 2004 makes the most of Enterprise Single Sign-On (SSO) capabilities for securely storing critical information such as secure configuration properties (for example, the Proxy User ID and Proxy Password for HTTP adapters). Therefore, BizTalk Server requires SSO, and as a result BizTalk Server automatically installs SSO on every computer where you install the BizTalk Server Runtime.

Install options through custom install of BizTalk Server 2004

If you select only the Enterprise SSO Runtime option, then only Enterprise SSO will install.

If you select only the BizTalk Engine, both the Engine and the Enterprise SSO components will install (regardless of whether you select the SSO option).

If you select both, then both the Engine and the Enterprise SSO components will install. Furthermore, you have the option of selecting the SSO Administration feature for remote administration scenarios.

If you select only Enterprise SSO Administration, only the SSO administrative components will install.

If you select either the Administration or Development tools of BizTalk, then Enterprise SSO Administration will install.

Note 1: If you have the BizTalk Server Runtime, Development, or Administration features installed, you must first remove those features before you will be able to uninstall the SSO Runtime or Administration components.

Note 2: By installing the server Enterprise Single Sign-On option, you will be installing the SSO Administration components as well.

Note 3: The SSO Administration install of Enterprise SSO includes a self-extracting executable called SSOClientInstall.exe that contains the client utility (ssoclient.exe) for end users. Administrators can distribute this to end users to manage their mappings in Enterprise SSO.


5.2 Installing the Master Secret Server and Configuring the Credential Database

The first operation that needs to be done before using the Enterprise SSO feature is to install the Master Secret Server and create the SSO Credential Database. The Master Secret Server holds the key that is used for encryption and decryption.

If you have sufficient privileges, the Configuration Wizard will try to create domain groups of global scope automatically when you specify a domain group for the SSO Administrators account and the SSO Affiliate Administrators account. If you do not have sufficient privileges you must ensure that these groups already exist, and you can then specify these groups in the Configuration Wizard when creating the Master Secret Server. You can also use groups of Domain Local or Universal scope.

To configure the Master Secret Server as a stand-alone server

1. Perform a Custom installation of BizTalk Server or Host Integration Server. Select only Enterprise Single Sign-on from the Custom tree.

2. When the installation is completed, select the Start Configuration Wizard check box, and then click Finish. The Configuration Wizard appears next.

3. In the Configuration Wizard, on the Configuration Options page, in the Is this the master secret server drop-down list, select Yes and then click Next. This will make this computer the Master Secret Server and also create the Single Sign-on Credential Database.

4. Create the SSO Administrators account and the SSO Affiliate Administrators account.

5. Specify the service account credentials for the SSO service. This must be a member of the SSO Administrators group account.

6. Specify the location of the SQL Server-based SSO Credential Database (SSODB).

7. Follow the rest of the step-by-step procedures required to complete the Configuration Wizard.

8. Back up the Master Secret after completing configuration.

To back up the Master Secret

1. On the Start menu, click Run.

2. In the Run dialog box type cmd and then click OK.

3. At the command line, go to the Enterprise Single Sign-on installation directory. The default installation directory is <drive>:\Program Files\Common Files\Enterprise Single Sign-on.

4. Type ssoconfig -backupsecret <backup file>, where <backup file> is the path and name of the file where the Master Secret will be backed up (for example, A:\ssobackup.bak). You can specify either an NTFS location or a directory on removable media.

5. Provide a password to protect this file. You will be prompted to confirm the password and to provide a password hint to help you remember this password.

Important: You must save and store the backup file in a secure location. Together with a copy of the SSO Credential Database, the backup file and its password are sufficient to recover every stored credential, so keep the file and the password apart and treat both with the same care as the Master Secret Server itself.


As part of data recovery procedures you may need to restore the Master Secret to be able to reuse existing data.

To restore the Master Secret

1. At the command line, go to the Enterprise Single Sign-on installation directory.

2. Type ssoconfig -restoresecret <restore file>, where <restore file> is the path and name of the file where the Master Secret is stored.

To configure an additional SSO Server in the SSO system

Install Enterprise Single Sign-on from Custom Install. On the Configuration Options page you will be prompted with the question Will this Single Sign-on server (SSO) hold the master secret key? Select No from the drop-down list.

5.3 Installing and Configuring SSO with Host Integration Server 2004

Enterprise SSO is not automatically installed with Host Integration Server by default. To install Enterprise SSO during setup from the Custom install of Server option, click Security Integration and then Enterprise Single Sign-on. You can optionally install Password Synchronization as well by selecting that option; it is a subfeature of the Enterprise Single Sign-on option.

During setup from the Custom install of Client option, you can install the Administration and Client utilities. Click Security Integration and then Enterprise Single Sign-on Administration to install the administrative components. You can also select the Enterprise Single Sign-on Client Utility option to install just the client components of SSO on an end user's computer. Password Synchronization can optionally be selected here as well; it is a subfeature of the Enterprise Single Sign-on option.

Note: The administrative install of Enterprise SSO includes a self-extracting executable (SSOClientInstall.exe) which contains the client utility for end users as well. Administrators can then distribute this utility to end users.

It is strongly recommended that you install the Master Secret Server as a stand-alone server in your network and that it only be responsible for being the Master Secret Server.

After Enterprise SSO is installed, the Configuration Wizard will launch and ask the following question:

Do you want to create a new SSO System or join an existing SSO System? Creating a new SSO system will create the credential database and make this computer the master secret server.

You should select Create from the drop-down list if this is the first SSO server you are configuring in your SSO system. This will also create and configure the SSO Credential Database. You should back up the secret on this secret server after configuration is completed. You can back up the secret using the SSO command line


utility ssoconfig.exe located at \Program Files\Common Files\Enterprise Single Sign-on\.

Next follow the rest of the steps required to specify the SSO Administrators group and the SSO Affiliate Administrators group, specify the SSO database you want to create, and configure the SSO service account. The steps to do this are similar to those mentioned previously for BizTalk Server.

To configure an additional SSO Server in the SSO system

Select Join from the drop-down list for subsequent SSO servers in the SSO system. These servers will be the processing servers and administration servers. Follow the rest of the steps to configure the SSO service account and point it to the SSO database.

To reuse an existing configuration for SSO

You will be prompted: Do you want to reuse the existing configuration? If not, do you want to create a new SSO System or join an existing SSO System? Creating a new SSO system will create the credential database and make this computer the master secret server.

Select Reuse if you need to reuse an existing SSO Credential Database. This can be done on a Master Secret Server or on a processing SSO server. For upgrade procedures, refer to section 5.6.

5.4 Clustering the Master Secret Server

Before You Begin

Before you start configuring SSO in a cluster environment, it is recommended that you understand how clustering works. For more information, see the Microsoft Cluster Server (MSCS) guidelines on how to set up an Active/Passive cluster.

Note: You must be an SSO Administrator to perform this procedure.

Ensure that you are using domain accounts and domain groups for the SSO Administrators group, the SSO Affiliate Administrators group, and the SSO service account.

The following steps assume that you have the two nodes for the cluster, and MSDTC, already clustered for failover.

Guidelines for Setting up Your Cluster

1. Perform a Custom installation to install the Master Secret Server on the first (Active) node of the cluster. For example, you could install it on a computer whose name is ClusterNode1.

In the Configuration Wizard, on the Configuration Questions page, in the Is this the master secret server drop-down list, select Yes and then click Next.

Specify the service account credentials for the SSO service. This must be a member of the SSO Administrators group account. Specify the location of the SSO Credential Database.

Back up the Master Secret on the Active node.


2. Perform a Custom install to install the Master Secret Server on the second (Passive) node of the cluster (for instance, on ClusterNode2). Configure Enterprise SSO Server on the Passive node of the cluster using the Configuration Wizard. Because this is not the initial installation of the Master Secret Server, in the Configuration Wizard, on the Configuration Questions page, in the Is this the master secret server drop-down list, select No and then click Next.

3. From the command line, type the command net stop entsso to stop the SSO service.

4. After you have installed and configured SSO on both the Active and Passive cluster nodes and stopped the SSO service, change the Master Secret Server name in the SSO Credential Database to the cluster name. (For example, you would change the name from ClusterNode1 to MSS_CLUSTER.)

Note: The cluster name is also the Network Name of the resource that you have created in the Cluster Group that contains the clustered Enterprise Single Sign-On service.

5. Open the text editor of your choice. Cut and paste the following code into an .xml file (for example, MSS_CLUSTER.xml) and save the file:

  <sso>
    <globalInfo>
      <secretServer>MSS_CLUSTER</secretServer>
    </globalInfo>
  </sso>

6. At the command line, navigate to the Enterprise Single Sign-on installation directory. Type ssomanage -updatedb <name of the .xml file in the step above> to update the Master Secret Server name in the database.

7. Configure the service and resource parameters for the cluster.

• Create an ENTSSO service resource and make it a generic service. Make each node of the cluster a possible owner in the Cluster Properties dialog box.

• Check the Security tab to ensure that the user under which the application is running has sufficient permissions to access the cluster (for example, when that account is not a local administrator). Then add users as appropriate.

• In the Generic Service Parameters dialog box, check the option to Use Network Name for computer name.

• No registry replication information is required. (See the following Note on Registry Replication. If you have Roaming Profiles set up for the SSO service account then you can configure Registry Replication.)

8. Move the Cluster Group from the first to the second node using the Cluster Administrator.


9. Restore the secret key on the second node. At the command line, navigate to the Enterprise Single Sign-on installation directory. Type ssoconfig -restoresecret <restore filename>, where <restore filename> is the path and name of the backup file which contains the Master Secret.

Note: Alternatively, you can enable Registry Replication in the cluster resource if the service account has a Roaming Profile set up. This way you do not have to restore the secret on the secondary node each time the secret is generated on the primary node. It is important that you have a Roaming Profile set up, though, because the registry entry is encrypted under the SSO service account's user profile (DPAPI) and can only be decrypted on another node when that profile travels with the account.

To set up Registry Replication in the cluster resource, specify the root registry key SOFTWARE\Microsoft\ENTSSO for registry replication.

Important: You must refer to Active Directory documentation on how to set up a Roaming Profile before you do this.

Note: Also refer to MSDTC clustering, because ENTSSO has a dependency on MSDTC. When clustering the Master Secret Server, MSDTC must also be clustered on that computer. Refer to http://support.microsoft.com/default.aspx?kbid=243204 for MSDTC clustering.
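The command-line steps of the procedure above (stop the service, rewrite the secret server name in the Credential Database, restore the secret on the node that does not yet hold it) are easy to get subtly wrong: the XML must be well formed, the service must be down before the database is updated, and the restore must run on the right node. The following PowerShell script is an added example, not from the whitepaper or from Host Integration Server. It assumes the default Enterprise Single Sign-On install directory, takes the cluster network name as a parameter, and expects -SecretBackup (the file written earlier by ssoconfig -backupsecret) only on the passive node.

```powershell
# Added example: scripts the command-line part of clustering the Master Secret Server.
# Assumptions (not from the whitepaper): default ENTSSO install directory; the cluster
# network name is supplied by the caller; -SecretBackup is the file produced earlier by
# "ssoconfig -backupsecret" and is only needed on the node that does not hold the secret.
param(
    [Parameter(Mandatory)][string]$ClusterName,      # e.g. MSS_CLUSTER (the ENTSSO group's Network Name)
    [string]$SecretBackup,                           # path to the master secret backup (passive node only)
    [string]$SsoDir = (Join-Path $env:CommonProgramFiles 'Enterprise Single Sign-On')
)
$ErrorActionPreference = 'Stop'

function Invoke-SsoTool {
    # Runs ssoconfig.exe / ssomanage.exe from the install directory and fails on a non-zero exit code.
    param(
        [Parameter(Mandatory)][string]$Tool,
        [Parameter(Mandatory)][string[]]$Arguments
    )
    $exe = Join-Path $SsoDir $Tool
    if (-not (Test-Path $exe)) { throw "Not found: $exe" }
    & $exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Tool $($Arguments -join ' ') exited with code $LASTEXITCODE" }
}

function New-SecretServerXml {
    # Builds the <sso><globalInfo><secretServer> document that "ssomanage -updatedb" consumes.
    # Using the XML API rather than string concatenation guarantees a well-formed file.
    param(
        [Parameter(Mandatory)][string]$SecretServer,
        [Parameter(Mandatory)][string]$Path
    )
    $doc    = New-Object System.Xml.XmlDocument
    $sso    = $doc.AppendChild($doc.CreateElement('sso'))
    $global = $sso.AppendChild($doc.CreateElement('globalInfo'))
    $global.AppendChild($doc.CreateElement('secretServer')).InnerText = $SecretServer
    $doc.Save($Path)
    return $Path
}

# The service must be down while the secret server name is rewritten (net stop entsso).
Stop-Service -Name ENTSSO -Force
(Get-Service -Name ENTSSO).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Point the SSO Credential Database at the cluster network name instead of ClusterNode1.
$xmlPath = New-SecretServerXml -SecretServer $ClusterName -Path (Join-Path $env:TEMP "$ClusterName.xml")
try {
    Invoke-SsoTool -Tool 'ssomanage.exe' -Arguments @('-updatedb', $xmlPath)
}
finally {
    Remove-Item -Path $xmlPath -ErrorAction SilentlyContinue
}

# Passive node only: restore the secret backed up on the active node.
# ssoconfig prompts interactively for the password that protects the backup file.
if ($SecretBackup) {
    if (-not (Test-Path $SecretBackup)) { throw "Backup file not found: $SecretBackup" }
    Invoke-SsoTool -Tool 'ssoconfig.exe' -Arguments @('-restoresecret', $SecretBackup)
}
```

Run the script on the active node with only -ClusterName, then on the passive node with -ClusterName and -SecretBackup after the backup file has been copied there; the cluster resource settings (generic service, possible owners, Use Network Name for computer name) are still configured in Cluster Administrator as described above, and the secret never appears in the script or its transcript.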

5.5 Clustering SSO Servers

Before You Begin

These steps assume that the Master Secret Server and SSO Credential Database have been set up and configured.

Before you start configuring SSO in a cluster environment for the SSO server that acts as a Password Synchronization Server, it is recommended that you understand how clustering works. For more information, see the Microsoft Cluster Server (MSCS) guidelines on how to set up an Active/Passive cluster.

You must be an SSO Administrator to perform this procedure.

Note: Host Initiated SSO is part of the Enterprise Single Sign-on Server feature. Password Synchronization is a subfeature of Enterprise Single Sign-on that is not selected for install by default. You can use the following process to cluster an SSO server with or without the Password Synchronization feature enabled.

Guidelines for Setting up the Cluster

1. Perform a Custom installation to install the SSO server on the first (Active) node of the cluster. In Custom Installation, select the Password Synchronization feature listed under Enterprise Single Sign-on to ensure that you are installing Password Synchronization. Then complete the configuration. For example, you could install it on a computer named ClusterNode1.

• In the Configuration Wizard, on the Configuration Questions page, in the Do you want to create a new SSO System or join an existing SSO System? Creating a new SSO system will


create the credential database and make this computer the master secret server drop-down list, select Join and then click Next.

• Specify the service account credentials for the SSO service. This must be a member of the SSO Administrators group account.

• Specify the location of the SQL Server and SSO Credential Database (SSODB) and complete the configuration.

3. Follow the same steps on ClusterNode2 to configure the ENTSSO service with the Password Synchronization feature. It is important that you specify the same service account credentials for the ENTSSO service.

4. Configure the service and resource parameters for the cluster.

• Create an ENTSSO service resource and make it a generic service. Make each node of the cluster a possible owner in the Cluster Properties dialog box.

• Check the Security tab to ensure that the user under which the application is running has sufficient permissions to access the cluster (for example, when that account is not a local administrator). Add users as appropriate.

• In the Generic Service Parameters dialog box, check the option to Use Network Name for computer name.

• For Registry Replication specify the root registry key SOFTWARE\Microsoft\ENTSSO.

5. Move the cluster group from the first to the second node using the Cluster Administrator to verify that the ENTSSO service starts up and works as expected.

5.6 Upgrading an Existing SSO Configuration

If you are upgrading SSO in an existing BizTalk Server deployment, you must upgrade the Master Secret Server and the SSO Credential Database. These steps must be followed when installing Host Integration Server on an existing installation of BizTalk Server 2004.

If you are installing BizTalk Server 2004 on an existing deployment of the Enterprise SSO version available with Host Integration Server 2004, then BizTalk Server will be able to work with the newer version.

Important: Before you begin the upgrade process, it is important that you have backed up the SSO Database and the Master Secret on the Master Secret Server.

Important: As part of the upgrade process, you must upgrade the Master Secret Server first.


On the Master Secret Server install, select Enterprise Single Sign-on from the Custom Install of Host Integration Server 2004. When the Configuration Wizard is launched, you will be prompted with the following question:

Do you want to reuse the existing configuration? If not, do you want to create a new SSO System or join an existing SSO System? Creating a new SSO system will create the credential database and make this computer the master secret server.

You should select Reuse to perform the upgrade on the Master Secret Server and the SSO Credential Database. This will upgrade the SSO Credential Database to make the database compatible with the new features of SSO in Host Integration Server 2004.

Note: Other SSO Servers installed with BizTalk Server 2004 need not be upgraded unless you want to use the new features of SSO on those computers. SSO Servers installed with BizTalk Servers or the newer version of SSO Servers installed with HIS are compatible with the Master Secret Server and the SSO Credential Database created as a part of Enterprise SSO installed with Host Integration Server 2004.


6.0 SSO Client Utility and Administration Tools

The SSO Client utility (ssoclient.exe) is used by end users to manage their own credentials. The SSO Administration utility is used by administrators to manage Affiliate Applications, mappings and global information in the SSO Credential Database.

SSO client and administrator utilities (ssoconfig.exe and ssomanage.exe) as well as other administration components can access an SSO Server remotely to perform administrative operations. Ssomanage.exe is used by administrators to create, delete, and manage Affiliate Applications and mappings. It is also used to configure database level settings, such as ticketing configurations. Ssoconfig.exe is used by administrators for per-server configuration such as setting the audit levels for the SSO Server. It is also used to manage the Master Secret Server.

Administrators can use ssoclient.exe and ssomanage.exe from a remote computer. The first step is to specify the server that they should use for communicating with the SSO Credential Database.

Example:

ssomanage -server ssoserver1

ssoclient -server ssoserver1

For Password Synchronization administration, there is another command line utility, ssops.exe. Remote administration is possible for most of the administrative operations for Password Synchronization, but some operations performed by an administrator using ssops.exe must be on the SSO Server itself. This is typically done on the server that is assigned as the Password Synchronization Server.


7.0 SSO Mappings and Affiliate Application Types

When an Enterprise Single Sign-on (SSO) Administrator or an SSO Affiliate Administrator defines an Affiliate Application, he or she can define it as either an application with Individual mappings or as an application with a Group type mapping.

7.1 Individual Type Affiliate Application Mappings

SSO Individual type mappings enable administrators and users to create a one-to-one mapping between Windows users and their corresponding non-Windows credentials. When using Individual type mappings, users can manage their own mappings. The SSO system maintains the one-to-one relation between the user's Windows account and the user's non-Windows account.

Figure 12 Individual Mapping

An SSO Application Administrator (or above) can create the complete mapping, including the external user's password, or just part of the mapping (a Windows user mapped to an external userid) without specifying the external password.

Windows Initiated

A typical completed mapping in this case contains:

“Windows Domain\Windows UserID” mapped to “External User ID” and “External User Password”

Host Initiated

Host Initiated SSO validation of passwords can be marked as required or not required for the Affiliate Application. In the case where validation of passwords is required, a typical completed mapping is as follows:

“Windows Domain\Windows UserID” mapped to “External User ID” and “External User Password”


In the case where validation of passwords is not required, a completed mapping is as follows:

“Windows Domain\Windows UserID” mapped to “External User ID”

Note 1: Windows end users can create and manage their own mappings for individual applications.

Note 2: The same Affiliate Application can act as both a Windows Initiated SSO type application and a Host Initiated SSO type application. The difference in the mapping is that a Windows Initiated Individual type is complete only if the Windows domain\userid, external userid, and password are provided, while a Host Initiated Individual type can be complete with just the Windows domain\userid and external userid when Validate Password is not enabled. When Validate Password is enabled for Host Initiated SSO, there is no difference in the mapping itself between a Windows Initiated Individual type mapping and a Host Initiated Individual type mapping.

7.2 Group Type Affiliate Application Mappings

Only an Application Administrator, SSO Affiliate Administrator, or SSO Administrator can create and manage mappings for a Group type Affiliate Application.

Windows Initiated/Group Type Affiliate Application

SSO Group type mappings consist of mapping a Windows group that contains multiple Windows users to a single external account in the Affiliate Application. The appUserAccount property is used in the Affiliate Application to specify the Windows group for the application.

A typical completed mapping in this case contains:

“Windows Domain\Windows Group account” mapped to “External User ID” and “External User Password”

Figure 13 Group Mapping

Host Initiated/Host Group Type Affiliate Application

This allows multiple external users to be mapped to a single Windows user account. When the Affiliate Application is created, the Application user account (appUserAccount) or Windows account (windowsAccount) needs to be an individual domain account. This is the account to which the external userids will be mapped.

In the case where validation of passwords is required, a typical completed mapping is as follows:

“External User ID” and “External User Password” need to be specified.

In the case where validation of passwords is not required, a completed mapping is as follows:

“External User ID”

Figure 14 Host Group Mapping

Note 1: When you use Group mappings in the case of Windows Initiated SSO, only the members of the group can obtain the credential information.

Note 2: You cannot specify the same group application for Windows Initiated SSO and Host Initiated SSO.

7.3 Configuring Affiliate Applications

The SSO Credential Database primarily consists of user mappings. In a mapping, a Windows account is mapped to non-Windows credentials.


An Affiliate Application in SSO can represent anything that the Administrator wants it to represent. This is a key decision that the Administrator needs to make before creating an Affiliate Application. The Administrator can create different types of Affiliate Application definitions including:

1) Windows Initiated Individual type

2) Host Initiated Individual type

3) Windows and Host Initiated Individual type

4) Windows Initiated Group type

5) Host Initiated Group type

6) Configuration type (BizTalk Server 2004 creates Configuration Store type Affiliate Applications to store configuration data for adapters securely. It creates one Affiliate Application each for Send Handler, Receive Handler, Send Location, and Receive Location. The Password Synchronization Adapter configuration is stored here as well.)

When the SSO Administrator or the SSO Affiliate Administrator defines an Affiliate Application, they must also determine who will administer the Affiliate Application (the Application Administrator), who the users of the Affiliate Application are (the Application Users), and what parameters are required to authenticate the users of this Affiliate Application (their userid, passwords, PIN numbers, and so on) in the external system. The Application Users group must contain the domain users for whom the mappings need to be created (for example, the end users who will be using the Single Sign-on functionality).

Before creating an Affiliate Application, the SSO Affiliate Administrator or the SSO Administrator has to make the following decisions:

1. What will this Affiliate Application represent? You need to know the non-Windows application that the Affiliate Application will represent in the SSO system. For example,

   Application name: Mainframe1
   Description: Mainframe application for SSO
   Contact: administrator@companyname.com

2. Who will administer this Affiliate Application? You need to determine the Administrators of this Affiliate Application. These form the Windows Administrators group for this Affiliate Application. For example, Domain\MAdminGroup1

3. Who will use this Affiliate Application? You need to determine who the end users are for this Affiliate Application. These users represent the Windows Users group for this Affiliate Application (for example Domain\Mainframe1_UserGroup). This depends on which users you want to allow to use this application.

4. What credentials does the Affiliate Application use to authenticate its users? Different applications use different credentials to authenticate users. For example, some applications may use userids, passwords, PIN numbers, or a combination of these. You must also determine whether the system needs to mask these credentials as the user provides them. Typically, it is a userid and password. (Note: The first credential field must always be userid.)

5. Will you use individual mappings or a group mapping for this Affiliate Application? This will depend on whether each Windows user has an account in the back-end system or if the back-end system has one account for all Windows users.

6. Will this Affiliate Application be used for Windows Initiated SSO, Host Initiated SSO, or both? By default, the Application created is an Individual type Windows Initiated application. You can have the same application act as a Windows Initiated SSO application and a Host Initiated SSO application for Individual type applications. Group type applications can be used either for Windows Initiated SSO or Host Initiated SSO (that is, one or the other).

After you create an Affiliate Application, you cannot modify the following properties:

• Name of the Affiliate Application

• Some parameters associated with the Affiliate Application (see below).

• Affiliate Application type (Individual, Group, Host Group, or Configuration Store)

• Administration account same as affiliate administrators group. (If you select this property then the Affiliate Administrators group is used as the Administrator account for this Affiliate Application.)

7.4 Affiliate Application Properties

The following table lists the properties you need to define for each Affiliate Application you create.

| Property | Value | Description |
|---|---|---|
| General Information | | |
| Application name | AffiliateApp1 | Name of the Affiliate Application. You cannot change this property after you create the Affiliate Application. |
| Description | “SSO App for Mainframe” | Brief description of the Affiliate Application. |
| Contact information | someone@microsoft.com | The main contact for this Affiliate Application. |
| Application Users Account | Domain\<account name> | The Windows group that contains the user accounts of end users who will be using this Affiliate Application. |
| Affiliate Administrators Account | Domain\<account name> | The Windows group that contains the Administrator accounts that will manage this Affiliate Application. Note: You do not need to define this property if you set adminAccountSame to Yes. |
| Application Flags | | |
| Application enabled | Enabled/Disabled | The status of this Affiliate Application. This is Disabled by default. |
| Group Application | Yes/No | Determines whether this application uses a group mapping (Yes) or Individual mappings. This is set to No by default; that is, by default it is an Individual type application. You cannot change this property after you create the application. |
| Configuration Store application | Yes/No | Determines whether this Affiliate Application is a Configuration Store type application (Yes) or an SSO type application. This is set to No by default. You cannot change this property after you create the application. |
| Host Initiated SSO | Yes/No | Enable this if it is a Host Initiated SSO type application. This is set to No by default. |
| Windows Initiated SSO | Yes/No | Enable this if it is a Windows Initiated SSO type application. This is set to Yes by default. |
| Validate Password | Yes/No | This applies only to a Host Initiated SSO type application. When a Host Initiated SSO type application is specified, this flag is set to Yes by default. This means that when an application tries to retrieve the credentials, it must provide the password in the Credential Database, which is used for validation by SSO Services. |
| Disable Credential Cache | Yes/No | When credentials are looked up by the SSO Server, they are stored in the cache for performance reasons. These credentials are stored encrypted in memory. This is set to No by default. |
| Tickets allowed | Yes/No | Determines whether the SSO System uses tickets for this Affiliate Application. Issuing of tickets and redemption of tickets are possible when this is enabled (this is required for BizTalk Adapter scenarios). This is set to No by default. Security: You must be an SSO Administrator to set this flag. |
| Validate tickets | Yes/No | Determines whether the SSO system validates tickets when the user redeems them. This applies only if tickets are allowed. By default, it is set to Yes. Security: You must be an SSO Administrator to set this flag. |
| Disable Ticket timeout | Yes/No | Determines whether tickets have an expiration time. By default, this is set to No. Security: Unless it is absolutely required in your end-to-end scenario, do not disable ticket timeouts. Security: You must be an SSO Administrator to set this flag. |
| Allow local accounts | Yes/No | Determines whether you allow the use of local groups and accounts in the SSO system. By default, this is set to No. Note: If you are specifying a domain-local scope group, you need to set this flag. |
| Administrator account same | Yes/No | Determines whether to use the SSO Affiliate Administrator account as the SSO Application Administrator account. You cannot change this property after you create the application. By default, this is set to No. Security: You must be an SSO Administrator or SSO Affiliate Administrator to set this flag. |
| Application fields | | |
| Field [0] | <credential>: Masked/Unmasked | Determines the type of credential (userid, password) that end users must provide to connect to the Affiliate Application and whether this credential is masked (that is, whether the characters that the user types are displayed on the screen) or not. The first field must be the userid. You cannot change this property after you create the application. |
| Field [1] | <credential>: Masked/Unmasked | Determines the type of credential (userid, password) that end users must provide to connect to the Affiliate Application, and whether this credential is masked (that is, whether the characters that the user types are displayed on the screen) or not. You can enter as many fields as there are credentials for the Affiliate Application. You cannot change this property after you create the application. |


8.0 Configuring Host Initiated SSO

Host Initiated SSO is supported only in a native Windows 2003 Domain environment with Windows 2003 servers. The Protocol Transition feature is taken advantage of by SSO Services to make this possible. For more information on this, refer to http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx.

This allows SSO services to obtain an impersonation-level Windows user token by providing just the Kerberos service principal (using domain\userid information from the SSO Credential Database). This token is used by applications integrated with Host Initiated SSO functionality to access Windows resources that the Windows user represented by the token has access to.

To obtain an impersonation-level token using Protocol Transition, the SSO Server must have the Act as part of the operating system privilege. Because of this, it is very important that the SSO server that is performing the role of Host Initiated SSO is securely locked down. This includes ensuring that the SSO service account for this server is not used for any other services. Do not use this service account for the other SSO Servers, and do not use it for Windows Initiated SSO. Like the other SSO Service accounts, this service account must be a member of the SSO Administrators group.

Active Directory Configurations

1) In your Active Directory Domains and Trusts MMC snap-in, right-click the root node Active Directory Domains and Trusts and click Raise Forest Functional Level. This must be done in Windows Server 2003. Refer to the Active Directory documentation before you make any changes.

2) Create a Service Principal Name (SPN) for the caller (for example the HIP Service account for the Transaction Integrator component in Host Integration Server 2004). To do this, you can use the setspn utility: http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/setspn-o.asp

Example:

hipsvc/computername.domain.com: the name of the service that will perform the operation and the computer it is running on.

domain\hissvc: the service account that hipsvc is running as.

setspn -A hipsvc/COMPUTERNAME.DOMAIN.COM DOMAIN\hissvc

You can then configure Constrained Delegation in Active Directory for this service account (domain\hissvc) to access the appropriate resource in the network.

3) Give the TCB (Trusted Computing Base) privilege to the SSO service account that is performing Protocol Transition operations. In your Domain Security Policy - Local Policies - User Rights Assignment, add the SSO Service account to the “Act as part of the operating system” policy.

For more information on Kerberos Protocol Transition and Constrained Delegation, refer to http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx

Enable Host Initiated SSO

1. On the Start menu, click Run.

2. In the Run dialog box, type cmd and then click OK.

3. At the command line, go to the Enterprise Single Sign-on installation directory. (The default installation directory is <drive>:\Program Files\Common Files\Enterprise Single Sign-on.)

4. Type ssomanage -enable hisso.

Create an Affiliate Application for Host Initiated SSO

1. On the Start menu, click Run.

2. In the Run dialog box, type cmd and then click OK.

3. At the command line, go to the Enterprise Single Sign-on installation directory.

4. Type ssomanage -createapps <HISSO_Individual_AffApp.xml> to create a Host Initiated SSO individual type app.

Sample HISSO_Individual_AffApp.xml

<?xml version="1.0"?>
<SSO>
  <application name="SSOApp_Host1">
    <description>An Individual Type Affiliate Application for Host Initiated SSO</description>
    <contact>someone@companyname.com</contact>
    <appUserAccount>DomainName\AppUserGroup_HISSO</appUserAccount>
    <appAdminAccount>DomainName\AppAdminGroup_HISSO</appAdminAccount>
    <field ordinal="0" label="User ID" masked="no" />
    <field ordinal="1" label="Password" masked="yes" />
    <flags hostInitiatedSSO="yes" validatePassword="yes" windowsInitiatedSSO="no" enableApp="yes" />
  </application>
</SSO>


Sample XML file to create a Host Initiated SSO group type application

<?xml version="1.0"?>
<SSO>
  <application name="SSOApp_HostGroupApp1">
    <description>A Group Type Affiliate Application for Host Initiated SSO associating multiple non-Windows users to a single Windows user account (DomainName\WindowsUserAccount1)</description>
    <contact>someone@companyname.com</contact>
    <windowsAccount>DomainName\WindowsUserAccount1</windowsAccount>
    <appAdminAccount>DomainName\AppAdminGroup_HISSO</appAdminAccount>
    <field ordinal="0" label="User ID" masked="no" />
    <field ordinal="1" label="Password" masked="yes" />
    <flags hostInitiatedSSO="yes" validatePassword="yes" groupApp="yes" enableApp="yes" />
  </application>
</SSO>

Sample XML file to create an Affiliate Application that supports both Windows Initiated SSO and Host Initiated SSO

<?xml version="1.0"?>
<SSO>
  <application name="SSOApp1">
    <description>An Individual Type Affiliate Application for both Host Initiated SSO and Windows Initiated SSO</description>
    <contact>someone@companyname.com</contact>
    <appUserAccount>DomainName\AppUserGroup</appUserAccount>
    <appAdminAccount>DomainName\AppAdminGroup</appAdminAccount>
    <field ordinal="0" label="User ID" masked="no" />
    <field ordinal="1" label="Password" masked="yes" />
    <flags hostInitiatedSSO="yes" validatePassword="yes" windowsInitiatedSSO="yes" enableApp="yes" />
  </application>
</SSO>
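The three sample files above share one format, and sections 7.1 and 7.2 state which combinations of flags and which mapping contents are valid for each application type. The following added example (not Microsoft's code; the element and attribute names come from the samples on this page, the checks are this editor's reading of the stated rules, and the sample input is constructed) parses such a file, reports rule violations, and decides whether a mapping is complete for the directions the application enables.

```python
"""Validator for Enterprise SSO affiliate-application XML (the ssomanage
-createapps file format shown on this page) plus the mapping-completeness
rules from section 7.  Added example; the rule checks are an interpretation
of the text, not Microsoft's own validation logic."""
import xml.etree.ElementTree as ET

YES = "yes"


def _text(app, tag):
    node = app.find(tag)
    return (node.text or "").strip() if node is not None else ""


def parse_affiliate_apps(xml_text):
    """Return one dict per <application> element of an <SSO> document."""
    apps = []
    for app in ET.fromstring(xml_text).findall("application"):
        flags = app.find("flags")
        fields = sorted((int(f.get("ordinal")), f.get("label", ""), f.get("masked", "no"))
                        for f in app.findall("field"))
        apps.append({
            "name": app.get("name", ""),
            "appUserAccount": _text(app, "appUserAccount"),
            "windowsAccount": _text(app, "windowsAccount"),
            "appAdminAccount": _text(app, "appAdminAccount"),
            "fields": fields,
            "flags": dict(flags.attrib) if flags is not None else {},
        })
    return apps


def sso_modes(flags):
    """(host_initiated, windows_initiated, group, validate_password), using the
    defaults from the property table: Windows Initiated = Yes, Host Initiated
    = No, Validate Password = Yes whenever the app is Host Initiated."""
    host = flags.get("hostInitiatedSSO", "no") == YES
    win = flags.get("windowsInitiatedSSO", "yes") == YES
    group = flags.get("groupApp", "no") == YES
    validate = host and flags.get("validatePassword", "yes") == YES
    return host, win, group, validate


def validate_app(app):
    """List the rule violations in one application definition (empty = consistent)."""
    problems = []
    host, win, group, _ = sso_modes(app["flags"])
    ordinals = [o for o, _, _ in app["fields"]]
    if not ordinals or ordinals != list(range(len(ordinals))):
        problems.append("fields must be numbered 0..n-1 and field 0 must be the user ID")
    if not host and not win:
        problems.append("enable Windows Initiated SSO, Host Initiated SSO, or both")
    if group and host and win:
        problems.append("a Group type application is Windows Initiated or Host Initiated, not both")
    if app["flags"].get("validatePassword") == YES and not host:
        problems.append("validatePassword applies only to Host Initiated SSO applications")
    if group and host:
        # Host Group: external users map onto one individual Windows account
        if not (app["windowsAccount"] or app["appUserAccount"]):
            problems.append("Host Group application needs the Windows account the external users map to")
    elif not app["appUserAccount"]:
        problems.append("appUserAccount (Application Users group) is required")
    if not app["appAdminAccount"] and app["flags"].get("adminAccountSame", "no") != YES:
        problems.append("appAdminAccount is required unless adminAccountSame=yes")
    return problems


def check_file(xml_text):
    return {app["name"]: validate_app(app) for app in parse_affiliate_apps(xml_text)}


def mapping_complete(app, external_user, external_password="", windows_account=""):
    """Section 7 rules: a Windows Initiated mapping needs the external password;
    a Host Initiated mapping needs it only when Validate Password is on; a Host
    Group app maps external users onto one fixed Windows account, so the
    mapping itself carries no Windows account."""
    host, win, group, validate = sso_modes(app["flags"])
    if not external_user:
        return False
    if not (group and host) and not windows_account:
        return False
    return bool(external_password) or not (win or validate)


# Constructed sample: the first application mirrors the page's HISSO individual
# file; the second deliberately breaks the Group type rule and omits the admin group.
SAMPLE = """<?xml version="1.0"?>
<SSO>
  <application name="SSOApp_Host1">
    <description>Individual type app for Host Initiated SSO</description>
    <contact>someone@companyname.com</contact>
    <appUserAccount>DomainName\\AppUserGroup_HISSO</appUserAccount>
    <appAdminAccount>DomainName\\AppAdminGroup_HISSO</appAdminAccount>
    <field ordinal="0" label="User ID" masked="no" />
    <field ordinal="1" label="Password" masked="yes" />
    <flags hostInitiatedSSO="yes" validatePassword="yes" windowsInitiatedSSO="no" enableApp="yes" />
  </application>
  <application name="BadGroupApp">
    <description>Group app wrongly enabled for both directions</description>
    <contact>someone@companyname.com</contact>
    <appUserAccount>DomainName\\MainframeGroup</appUserAccount>
    <field ordinal="0" label="User ID" masked="no" />
    <field ordinal="1" label="Password" masked="yes" />
    <flags hostInitiatedSSO="yes" windowsInitiatedSSO="yes" groupApp="yes" />
  </application>
</SSO>
"""

if __name__ == "__main__":
    for name, problems in check_file(SAMPLE).items():
        print(name, "OK" if not problems else problems)
```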


9.0 Configuring Password Synchronization

Full Synchronization

Windows Synchronization: When a password change is made in a Windows system by a Windows user, the new password is sent to the non-Windows system to synchronize the user's password in the non-Windows user directory. After this change is successfully made, the password is updated for the appropriate mapping in the SSO Credential Database.

Non-Windows Synchronization: When a password is changed in a non-Windows system, the change is captured and sent to the Windows environment. The Enterprise SSO service enabled for Password Synchronization updates the Windows security system (Active Directory) and the SSO Credential Database for the corresponding user.

Partial Synchronization

This applies to External Synchronization only, that is, when the password change is initiated from a non-Windows system. The Administrator can configure SSO such that passwords can be different between Windows and non-Windows systems. When a password is changed in a non-Windows system, the change is captured and sent to the Windows environment. The Enterprise SSO service enabled for Password Synchronization updates only the SSO Credential Database for the corresponding user. The user's password in the Windows security system (Active Directory) is not updated.

Note: When a Windows password change occurs, Partial Synchronization is not supported. For example, there is never a case where the password captured on Windows is updated in the Credential Database only. In other words, Windows password change capture is useful only for the Full Synchronization case.

How it works

When a Windows user changes his or her password, the password change is captured on a Windows 2000 Domain Controller by a password change capture DLL. The Password Change Notification Service (PCNS) on the Domain Controller notifies the SSO Server about this change. The SSO Server then looks in the SSO Credential Database for any non-Windows systems that need to receive an update about this password for the user. After the password change is made on the non-Windows user databases, the mappings are updated in the SSO database when notification is received. This way, the passwords are never out of sync; for example, only if the password change for UserA made it to the non-Windows system Mainframe1 is the password in the mapping corresponding to Mainframe1 updated for UserA.

When a non-Windows user changes his or her password in a Full Synchronization scenario, the password change is updated in the SSO Credential Database and also in Windows Active Directory for that user. In this case, if there is a failure in updating the Windows user password with the new password, the change in the SSO Credential Database is still done. This is because the mainframe user's password has already changed and the database needs to be updated for Single Sign-on scenarios to work.

Password Synchronization Adapters (aka PS Adapters) are required for password synchronization to work. These adapters are integrated with the Password Synchronization Interface (PSI) of Enterprise SSO. When sending password changes from Windows to a non-Windows system, Enterprise SSO queues up the password changes for the PS Adapter to pick up. Similarly, password changes received from non-Windows systems through the PS Adapter are sent to Enterprise SSO to update the credentials in the SSO Credential Database and optionally update the user's Active Directory password. Each PS Adapter has a Receive Notification Queue and a Damping Queue associated with it. These queues are stored in the centralized Credential Database.

Damping

One of the common problems with Password Synchronization is looping of password changes. To prevent this problem, Enterprise SSO's Password Synchronization feature has a built-in mechanism to prevent password loops. This prevents the same password change from being sent to any system more than once. This is required to avoid looping of password changes when full synchronization of passwords is done.

Example: A Windows user UserA is configured to have full Password Synchronization with UserB on an IBM mainframe system and with UserC on a UNIX system. Full Password Synchronization is enabled for both non-Windows systems.

There are three cases of dampening password changes:

Case 1. In the case of Full Synchronization, when receiving a password change from UserB on a mainframe, the credential mapping for UserB is changed in the Credential Database and then the change is propagated to the Windows side for the corresponding Windows user (UserA). When UserA's password is changed in Active Directory, this password change is sent back to the Enterprise SSO Server as a Windows password change that just occurred. In this case, the password change is dampened by Enterprise SSO for UserB, but the password change is received by the Password Synchronization Adapter that corresponds to UserC for the UNIX system.

Case 2. Multiple SSO Servers can be configured as targets to receive password changes from the Domain Controller for reliability scenarios. In this case, the Domain Controller will push changes to both Enterprise SSO Servers. Only the first one that receives the password change will go through, and the other change is dampened.

Case 3. When a Windows password change is captured (for UserA) and sent to the mainframe (for UserB), the password change is captured on the mainframe and sent back to SSO. The Enterprise SSO Server dampens this change because this is a change that it just sent to the mainframe.
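The three damping cases above, as an added model (not Microsoft's implementation): the real damping queues live in the Credential Database and their record format is not documented on this page, so a SHA-256 fingerprint of (Windows user, new password) stands in for a queue entry, and a single object stands in for the state that two SSO servers would share through the central database. The scenario, mappings and user names are the ones from the page's example.

```python
"""Model of Enterprise SSO password-change damping (section 9.0, cases 1 to 3).
Added example; the queue-entry format is assumed, not Microsoft's."""
import hashlib
from collections import defaultdict


def fingerprint(windows_user, password):
    """Identity of one password change; the clear password is never stored."""
    return hashlib.sha256(f"{windows_user}\0{password}".encode()).hexdigest()


class SsoPasswordSync:
    def __init__(self, mappings):
        # mappings: Windows user -> {PS Adapter name: external user id}
        self.mappings = mappings
        # damping queue per PS Adapter: changes already sent to, or received from, it
        self.damping = defaultdict(set)
        # notifications already accepted from a Domain Controller; in the real
        # system this is shared by all SSO servers via the Credential Database (case 2)
        self.accepted_windows = set()
        self.credential_db = {}   # (adapter, external user) -> fingerprint of current mapping
        self.ad_updates = []      # Windows users whose Active Directory password was set
        self.dispatched = []      # (adapter, external user) changes handed to an adapter
        self.dampened = []        # (source, subject, reason)

    def windows_user_for(self, adapter, external_user):
        for win_user, targets in self.mappings.items():
            if targets.get(adapter) == external_user:
                return win_user
        raise KeyError(f"no mapping for {external_user} on {adapter}")

    def on_windows_change(self, windows_user, password, source="DC1"):
        """PCNS on a Domain Controller reports that windows_user changed password."""
        fp = fingerprint(windows_user, password)
        if fp in self.accepted_windows:                 # case 2: same change delivered twice
            self.dampened.append((source, windows_user, "duplicate notification"))
            return False
        self.accepted_windows.add(fp)
        for adapter, ext_user in self.mappings[windows_user].items():
            if fp in self.damping[adapter]:             # case 1: this adapter originated it
                self.dampened.append((adapter, ext_user, "originated here"))
                continue
            self.damping[adapter].add(fp)               # remembered so the echo is caught (case 3)
            self.dispatched.append((adapter, ext_user))
        return True

    def on_external_confirmed(self, adapter, external_user, password):
        """The PS Adapter reports the change was applied on the non-Windows system;
        only now is the mapping in the Credential Database updated."""
        win_user = self.windows_user_for(adapter, external_user)
        self.credential_db[(adapter, external_user)] = fingerprint(win_user, password)

    def on_external_change(self, adapter, external_user, password):
        """The PS Adapter captured a password change on the non-Windows system (full sync)."""
        win_user = self.windows_user_for(adapter, external_user)
        fp = fingerprint(win_user, password)
        if fp in self.damping[adapter]:                 # case 3: echo of what we just sent
            self.dampened.append((adapter, external_user, "echo of our own change"))
            return False
        self.damping[adapter].add(fp)                   # so the AD echo is not sent back (case 1)
        self.credential_db[(adapter, external_user)] = fp   # DB updated even if AD later fails
        self.ad_updates.append(win_user)                # then Active Directory
        return True


def run_scenario():
    """UserA synchronized with UserB (mainframe) and UserC (UNIX), full synchronization."""
    sso = SsoPasswordSync({"UserA": {"mainframe": "UserB", "unix": "UserC"}})
    # case 3: a Windows change goes out, the mainframe echoes it back
    sso.on_windows_change("UserA", "pw1")
    sso.on_external_confirmed("mainframe", "UserB", "pw1")
    echoed = sso.on_external_change("mainframe", "UserB", "pw1")
    # case 1: mainframe change -> AD -> the DC notifies SSO again; UNIX still gets it
    sso.on_external_change("mainframe", "UserB", "pw2")
    sso.on_windows_change("UserA", "pw2")
    # case 2: two SSO servers both receive the same DC notification
    first = sso.on_windows_change("UserA", "pw3", source="DC1")
    second = sso.on_windows_change("UserA", "pw3", source="DC1 via second SSO server")
    return sso, echoed, first, second


if __name__ == "__main__":
    state, *_ = run_scenario()
    print("dispatched:", state.dispatched)
    print("dampened:", state.dampened)
```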


Single Sign-on Services for Microsoft Enterprise .pplication Integration Sol%tions

9.1 Configuring Domain Controller for capturing Windows password change

Password Change Notification Service (PCNS) needs to be configured on the Domain Controller. This component is available in a package called PCNS.msi and is located on the Host Integration Server 2004 CD. Look under <CDROOT>\Platform\PCNS.

This PCNS.msi package also includes the Password Capture Filter component that needs to be installed on all the Domain Controllers to capture the password change. PCNS itself needs to be configured only once.

Active Directory Schema Extension

If your organization separates the Schema Administrator role from the Domain Administrator role, then the Schema Administrator may need to extend the schema separately from the installation of the Microsoft Password Change Notification Service. The PCNS.MSI file enables a Schema Administrator to extend the schema only, with the following command:

msiexec.exe /i PCNS.msi SCHEMAONLY=TRUE

The schema only needs to be extended once per Active Directory forest. The replication process will replicate the schema modifications to all Domain Controllers.

During the installation of the Microsoft Password Change Notification Service, there are schema entries added to Active Directory that apply to the entire forest. These schema updates are required to define the configuration for the Microsoft Password Change Notification Service. These attributes are not configured to be stored in the Global Catalog.

Schema Object Classes Used by the Microsoft Password Change Notification Service:

CN                                           Id                          Is Indexed   In Global Catalog
ms-MIIS-PCNS-Target                          1.2.840.113556.1.5.249      False        False
ms-MIIS-PCNS-Service                         1.2.840.113556.1.5.250      False        False

Schema Attributes Used by the Microsoft Password Change Notification Service:

CN                                           Id                          Is Indexed   In Global Catalog
ms-MIIS-PCNS-TargetGUID                      1.2.840.113556.1.4.1985     False        False
ms-MIIS-PCNS-TargetSPN                       1.2.840.113556.1.4.1986     False        False
ms-MIIS-PCNS-TargetServer                    1.2.840.113556.1.4.1987     False        False
ms-MIIS-PCNS-TargetAuthenticationService     1.2.840.113556.1.4.1988     False        False
ms-MIIS-PCNS-TargetUserNameFormat            1.2.840.113556.1.4.1989     False        False
ms-MIIS-PCNS-TargetKeepAliveInterval         1.2.840.113556.1.4.1990     False        False
ms-MIIS-PCNS-TargetDisabled                  1.2.840.113556.1.4.1991     False        False
ms-MIIS-PCNS-TargetEncryptionKey             1.2.840.113556.1.4.1992     False        False
ms-MIIS-PCNS-ServiceMaxQueueLength           1.2.840.113556.1.4.1993     False        False
ms-MIIS-PCNS-ServiceMaxQueueAge              1.2.840.113556.1.4.1994     False        False
ms-MIIS-PCNS-ServiceMaxNotificationRetries   1.2.840.113556.1.4.1995     False        False
ms-MIIS-PCNS-ServiceRetryInterval            1.2.840.113556.1.4.1996     False        False
ms-MIIS-PCNS-TargetExclusionSID              1.2.840.113556.1.4.1997     False        False
ms-MIIS-PCNS-TargetInclusionSID              1.2.840.113556.1.4.1998     False        False

Note: As is true for every object in Active Directory, schema objects are protected by Access Control Lists (ACLs). Therefore, only authorized users can alter the schema.

To add or modify a class definition or attribute definition, you add or modify the corresponding classSchema object or attributeSchema object. This process is similar to adding or modifying any object in Active Directory, except that additional checks are performed to ensure that changes do not cause inconsistencies or problems in the schema.

For more details on the Active Directory schema, please visit MSDN at the following URL:

http://www.microsoft.com/resources/documentation/windowsServ/2003/all/techref/en-us/W2K3TR_schem_how.asp?FRAME=True#w2k3tr_schem_how_fhep

Configuring a target using PCNS

PCNS uses the concept of “targets” to describe the systems that receive the password notifications. When you install the service on the Domain Controller, the schema is extended to enable the definition of “targets,” but no targets are defined. After the server restarts, the administrator must define one or more “targets” in Active Directory before password notifications will be sent.

Each target has a separate “inclusion filter” and “exclusion filter.” These filters are used to restrict the flow of sensitive passwords off the domain. For instance, you typically do not want administrator and machine passwords to be sent out by the service. The filter may be any security group in the domain. To send passwords for all users, but not send administrative passwords, you might choose to use “Domain Users” as the inclusion filter, and “Domain Admins” as the exclusion filter.

Important: The inclusion filter is required. The exclusion filter is used to further restrict the inclusion filter, and it is optional. If the filters are missing or invalid, no passwords will be queued for that target.

Configuring a target is a multistep process.

1. Select the groups to use for the inclusion and exclusion filter. These may be existing security groups, or newly created security groups. (Note: Because of security group caching, membership changes for these groups may take up to 10 minutes before they are recognized by the service.)

2. Set the Service Principal Name (SPN) on the target service account. The SPN is a property on the account object in Active Directory that is used by the Kerberos protocol to mutually authenticate the service and the target. The SPN takes the form “ENTSSO/<fully-qualified computer name>”.

Example: setspn -A ENTSSO/sso-server-1.fabrikam.com fabrikam\ssosvcact

The SPN must be set on the service account that is running the Enterprise SSO Service. The SPN must be unique and cannot appear on any other account, or the Kerberos authentication will fail and passwords will not flow. Additional information on troubleshooting Kerberos can be found at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx.

To set the SPN, use the SETSPN.EXE utility included in the Windows 2000 Support Tools or Windows 2003 Support Tools on the Windows Server CD.

3. Use the PCNSCFG.EXE utility (installed in \Program Files\Microsoft Password Change Notification) to add a target for the service. The target is defined on one Domain Controller, and Active Directory takes care of replicating the definition to all other Domain Controllers.

PCNSCFG <command> <arguments>

Commands:

  LIST            Lists the current configuration.

  SERVICE         Configures the service settings.
    /L:nn         Maximum Queue Length. 0 = unlimited. Range 0 - 4294967295.
    /A:nn         Maximum Queue Age in seconds. 0 = unlimited. Range 0 - 4294967295.
    /R:nn         Maximum Notification Retries. 0 = unlimited. Range 0 - 1000.
    /I:nn         Retry Interval in seconds. Range 10 - 3600.

  ADDTARGET       Adds a new target.
  MODIFYTARGET    Modifies an existing target.
    /N:name       Unique name of the target.
    /A:address    FQDN or address of the target server.
    /S:SPN        Service Principal Name of the target.
    /P:Protocol   Protocol to use. Currently only 'Kerberos' is supported.
    /FI:group     Filter inclusion group name to permit passwords to be forwarded.
    [/FE:group]   Filter exclusion group name to prevent passwords from being forwarded.
    /F:nn         User name format delivered to the target.
                    1 = USER_NAME_TYPE_1779
                    2 = USER_NAME_TYPE_CANONICAL
                    3 = USER_NAME_TYPE_NT4
                    4 = USER_NAME_TYPE_DISPLAY
                    5 = USER_NAME_TYPE_DOMAIN_SIMPLE
                    6 = USER_NAME_TYPE_ENTERPRISE_SIMPLE
                    7 = USER_NAME_TYPE_GUID
                    9 = USER_NAME_TYPE_USER_PRINCIPAL_NAME
                   10 = USER_NAME_TYPE_CANONICAL_EX
    /I:nn         Keep-alive Interval in seconds. 0 = Disabled. Range 0 - 3600.
    /D:True/False Disables the target.

  SECURETARGET    Sets the security filters for the specified target.
    /N:name       Unique name of the target.
    /FI:group     Filter inclusion group name to permit passwords to be forwarded.
    [/FE:group]   Filter exclusion group name to prevent passwords from being forwarded.

  DELETETARGET    Deletes an existing target.
  ENABLETARGET    Enables an existing target.
  DISABLETARGET   Disables an existing target.
    /N:name       Unique name of the target.

Example:

pcnscfg addtarget /n:sso-server-1 /a:sso-server-1.fabrikam.com /s:ENTSSO/sso-server-1.fabrikam.com /p:Kerberos /fi:"Domain Users" /fe:"Domain Admins" /f:3 /i:0 /d:false

Note: Only user name format 3 (USER_NAME_TYPE_NT4) is supported between PCNS and Enterprise SSO.

4. Optionally use the PCNSCFG.EXE utility to configure the service level options. The service configuration contains timing and size limits for the entire service, instead of a specific target. These include queue length and age, maximum number of retries, and the retry interval. If the service configuration is not defined, then the Microsoft Password Change Notification Service will use the following defaults:

Maximum Queue Length: Unlimited (disk space limitations apply)
Maximum Queue Age: 72 hours
Maximum Notification Retries: Unlimited
Retry Interval: 60 seconds
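The filter and SPN rules of this procedure, modelled as an added example in Python. This is not code from the whitepaper or from the PCNS tool: the Target class, the user's group-membership set and the SPN-to-account dictionary are constructed here to stand in for Active Directory, and pcnscfg_addtarget only renders the command line of the form shown in the example above.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Only user name format 3 (USER_NAME_TYPE_NT4) is supported between PCNS and Enterprise SSO.
NT4_FORMAT = 3
SSO_SPN_PREFIX = "ENTSSO/"


@dataclass
class Target:
    """One PCNS target, i.e. one Enterprise SSO server that receives password notifications."""
    name: str
    address: str                        # fully-qualified name of the Enterprise SSO server
    spn: str                            # ENTSSO/<fully-qualified computer name>
    inclusion_group: Optional[str]      # required; without it nothing is queued
    exclusion_group: Optional[str] = None
    protocol: str = "Kerberos"
    name_format: int = NT4_FORMAT
    keepalive: int = 0                  # seconds, 0 = disabled, range 0 - 3600
    disabled: bool = False


def validate_target(t: Target, spn_owners: Dict[str, List[str]]) -> List[str]:
    """Return the problems that would stop passwords flowing to this target.

    spn_owners maps an SPN to the accounts carrying it. It is a constructed dictionary
    here; a real check would query Active Directory for the SPN."""
    problems = []
    if t.protocol != "Kerberos":
        problems.append("only the Kerberos protocol is supported")
    if not t.spn.startswith(SSO_SPN_PREFIX) or t.spn[len(SSO_SPN_PREFIX):].lower() != t.address.lower():
        problems.append("SPN must be ENTSSO/<fully-qualified name of the target server>")
    owners = spn_owners.get(t.spn, [])
    if not owners:
        problems.append("SPN is not registered on the Enterprise SSO service account")
    elif len(owners) > 1:
        problems.append("duplicate SPN on %s; Kerberos authentication will fail" % ", ".join(owners))
    if t.name_format != NT4_FORMAT:
        problems.append("Enterprise SSO only accepts user name format 3 (NT4)")
    if not t.inclusion_group:
        problems.append("inclusion filter is required; no passwords will be queued")
    if not 0 <= t.keepalive <= 3600:
        problems.append("keep-alive interval out of range 0 - 3600")
    return problems


def should_forward(t: Target, member_of: FrozenSet[str]) -> bool:
    """Apply the inclusion and exclusion filters to a password change made by a user
    whose security-group memberships are member_of."""
    if t.disabled or not t.inclusion_group:
        return False
    if t.inclusion_group not in member_of:
        return False
    if t.exclusion_group and t.exclusion_group in member_of:
        return False
    return True


def pcnscfg_addtarget(t: Target) -> str:
    """Render the pcnscfg ADDTARGET command line for this target."""
    parts = ["pcnscfg", "addtarget", "/n:%s" % t.name, "/a:%s" % t.address,
             "/s:%s" % t.spn, "/p:%s" % t.protocol, '/fi:"%s"' % t.inclusion_group]
    if t.exclusion_group:
        parts.append('/fe:"%s"' % t.exclusion_group)
    parts += ["/f:%d" % t.name_format, "/i:%d" % t.keepalive,
              "/d:%s" % ("true" if t.disabled else "false")]
    return " ".join(parts)


# Constructed sample data (the fabrikam names are placeholders, as in the whitepaper).
SAMPLE_TARGET = Target(name="sso-server-1", address="sso-server-1.fabrikam.com",
                       spn="ENTSSO/sso-server-1.fabrikam.com",
                       inclusion_group="Domain Users", exclusion_group="Domain Admins")
SAMPLE_SPNS = {"ENTSSO/sso-server-1.fabrikam.com": ["fabrikam\\ssosvcact"]}

if __name__ == "__main__":
    print(validate_target(SAMPLE_TARGET, SAMPLE_SPNS))
    print(pcnscfg_addtarget(SAMPLE_TARGET))
    print(should_forward(SAMPLE_TARGET, frozenset({"Domain Users"})))
    print(should_forward(SAMPLE_TARGET, frozenset({"Domain Users", "Domain Admins"})))
```

validate_target reports the two failure modes the text warns about: a missing inclusion filter (nothing is queued for the target) and an SPN that is missing or carried by more than one account (Kerberos mutual authentication fails and passwords stop flowing). should_forward shows why “Domain Admins” as the exclusion filter keeps an administrator's password off the wire even though the administrator is also a member of “Domain Users”.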

9.2 Enterprise SSO Password Synchronization Configurations

Enabling Password Synchronization in the SSO system

1. On the Start menu, click Run.

2. In the Run dialog box, type cmd and then click OK.

3. At the command line, go to the Enterprise Single Sign-on installation directory. (The default installation directory is <drive>:\Program Files\Common Files\Enterprise Single Sign-on.)

4. Password Synchronization global options. Only the SSO administrator can perform these operations.

• ssomanage -enable winsync: This enables Windows Password Synchronization. Password changes can be received from Domain Controllers and forwarded to Password Synchronization Adapters to make changes on the non-Windows system.

• ssomanage -enable extsync full: This enables Full Password Synchronization from non-Windows systems. Password changes from non-Windows systems can be received through adapters and used to update the SSO Credential Database and the password in Active Directory.

• ssomanage -enable extsync partial: This enables Partial Password Synchronization. Password changes from non-Windows systems can be received through adapters and used to update the SSO Credential Database.

Disabling Windows Password Synchronization in the SSO system

You can use ssomanage -disable to disable the appropriate Password Synchronization options.

Configuring Replay files

Replay files are temporary files created on the Enterprise SSO Server acting as a Password Synchronization Server that is receiving password changes from a non-Windows system. These files are created only if the server loses the connection to the Credential Database (remote SQL Server). When this happens, password changes received from the non-Windows system are temporarily stored encrypted in a secure location. Once the connection to the Credential Database is back up, the password changes in the Replay files are replayed back into the Credential Database and the file is cleared out and deleted. When it replays the changes into the Credential Database, the server could again lose the connection in the middle of the change. For this reason, a Progress file is created to keep track of the progress made.

The Replay file and Progress file are configured only on the server performing the role of Password Synchronization Server in the Enterprise SSO system. By default, Replay files are disabled. If the administrator has not configured Replay files and the connection to the Credential Database is lost, then password changes made by non-Windows users could be lost. This would result in the non-Windows user having to reinitiate the password change once the system is functioning normally.

To set Replay files, run ssoconfig -replayfiles <replay files directory> | -default. The default is “%USERPROFILE%\Application Data\ENTSSO” (for the ENTSSO service account).

Setting the Replay file as ssoconfig -replayfiles -default will store the Replay and Progress files under the %USERPROFILE%\Application Data\ENTSSO directory for the Enterprise SSO service account.

Note: In addition, for replay files to be created, the PS Adapter has a flag that must be enabled. This is the Store Notifications when offline property that is described in section 9.4.2.

Note: When receiving password changes from the Domain Controller, if the Enterprise SSO Server loses the connection to the Credential Database, then Enterprise SSO lets PCNS know about this and the password changes are queued up on the Domain Controller itself. Once the system is functioning normally, password changes will continue to flow. If the same user has made more than one change during this time, only the most recent one will go through.

Aged passwords

If the password change in the Replay files, or the password change received from the Domain Controller, or the password change received from the non-Windows environment exceeds the Password Synchronization age limit, the password is discarded and will not be synchronized. The Password Synchronization age can be configured on the Enterprise SSO server performing the role of Password Synchronization (this can be one or more servers). By default, the Password Synchronization age is set to 72 hrs. To change this, run ssoconfig -syncage <maximum password age - in hours>, and specify the maximum password age.

Note: The PCNS component on the Domain Controller also has this setting and it defaults to 72 hrs as well. If you decide to reduce or increase this password age, it is recommended that you make the same change for both the Enterprise SSO and the PCNS configuration. This can be achieved by using the pcnscfg.exe utility on the Domain Controller and the ssoconfig.exe utility on the Enterprise SSO Password Synchronization server.
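The Replay file, Progress file and sync-age behaviour described above, as an added example in Python that is not Enterprise SSO code. The JSON-lines Replay file and a Progress file holding a committed-entry count are this model's own choices (the real service encrypts the Replay file and its formats are not documented here), and the Credential Database is a stand-in object whose connection can be made to drop again part-way through a replay.

```python
import json
import os
import tempfile

SYNC_AGE_HOURS = 72   # default of ssoconfig -syncage


class CredentialDatabase:
    """Stand-in for the SSO Credential Database on a remote SQL Server (constructed).

    fail_after simulates the connection dropping again after that many successful updates."""

    def __init__(self, fail_after=None):
        self.passwords = {}
        self.updates = 0
        self.online = True
        self.fail_after = fail_after

    def update(self, ext_user, new_password):
        if not self.online:
            raise ConnectionError("credential database unreachable")
        self.passwords[ext_user] = new_password
        self.updates += 1
        if self.fail_after is not None and self.updates == self.fail_after:
            self.online = False


class ReplayQueue:
    """Replay file plus Progress file for one Password Synchronization Server (model)."""

    def __init__(self, directory, sync_age_hours=SYNC_AGE_HOURS):
        self.replay = os.path.join(directory, "replay.jsonl")
        self.progress = os.path.join(directory, "replay.progress")
        self.max_age = sync_age_hours * 3600

    def store(self, ext_user, new_password, received_at):
        """Append a change received while the Credential Database is unreachable."""
        with open(self.replay, "a") as f:
            f.write(json.dumps({"user": ext_user, "pw": new_password, "t": received_at}) + "\n")

    def _done(self):
        """Number of Replay-file entries already committed, read from the Progress file."""
        if not os.path.exists(self.progress):
            return 0
        with open(self.progress) as f:
            return int(f.read() or 0)

    def replay_into(self, db, now):
        """Replay pending entries into db; returns (applied, discarded).

        The Progress file is advanced after every entry, so if the connection is lost
        mid-replay the next call resumes at the first uncommitted entry and nothing is
        applied twice. Entries older than the sync age are discarded, not synchronized."""
        if not os.path.exists(self.replay):
            return 0, 0
        with open(self.replay) as f:
            lines = f.read().splitlines()
        applied = discarded = 0
        for idx in range(self._done(), len(lines)):
            entry = json.loads(lines[idx])
            if now - entry["t"] > self.max_age:
                discarded += 1
            else:
                db.update(entry["user"], entry["pw"])   # raises ConnectionError on outage
                applied += 1
            with open(self.progress, "w") as f:
                f.write(str(idx + 1))
        os.remove(self.replay)                            # queue drained: clear both files
        if os.path.exists(self.progress):
            os.remove(self.progress)
        return applied, discarded


def simulate(outage_after=1):
    """Constructed scenario: three changes queued during an outage, the last one older
    than the sync age; the connection drops again after `outage_after` applied changes."""
    now = 1_000_000
    with tempfile.TemporaryDirectory() as d:
        q = ReplayQueue(d)
        q.store("extuser1", "N3w!pass1", now - 5)
        q.store("extuser2", "N3w!pass2", now - 60)
        q.store("extuser3", "N3w!pass3", now - 80 * 3600)   # 80 h old, beyond 72 h
        db = CredentialDatabase(fail_after=outage_after)
        try:
            q.replay_into(db, now)          # first attempt, interrupted by the outage
        except ConnectionError:
            pass
        db.online = True                     # connection restored
        applied, discarded = q.replay_into(db, now)
        return db.passwords, applied, discarded, db.updates


if __name__ == "__main__":
    print(simulate())
```

The point of the Progress file is visible in the scenario: extuser1's change is committed before the second outage and is not applied a second time on resumption, extuser2's change is applied on the resumed pass, and extuser3's change is dropped as aged without ever touching the database.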

9.3 Password Synchronization Adapters

Only an SSO Administrator can create Password Synchronization Adapters in the SSO system. Most of the administrative operations for Password Synchronization can be performed only by SSO Administrators. When an SSO Administrator creates Password Synchronization Adapters, there are two security accounts that the administrator needs to specify. These are domain group accounts:

1. appUserAccount: The Password Synchronization Adapter runtime account must belong to this group to operate with SSO services to send and receive password changes.

2. appAdminAccount: Members of this group can administer this Password Synchronization Adapter. If the SSO Administrator does not want to specify another group, they can specify the SSO Administrator group account itself as the appAdminAccount.

To create a Password Synchronization Adapter

1. In the Run dialog box, type cmd and then click OK.

2. At the command line, go to the Enterprise Single Sign-on installation directory. (The default installation directory is <drive>:\Program Files\Common Files\Enterprise Single Sign-on.)

3. Type ssops -create <adapter Main XML file>.

To Add an Affiliate Application to a Password Synchronization Adapter

This will associate Affiliate Applications and their corresponding mappings to the Password Synchronization Adapter.

1. In the Run dialog box, type cmd and then click OK.

2. At the command line, go to the Enterprise Single Sign-on installation directory.

3. Type ssops -addapp <application name> <adapter name>

To Enable a Password Synchronization Adapter

1. In the Run dialog box, type cmd and then click OK.

2. At the command line, go to the Enterprise Single Sign-on installation directory.

3. Type ssops -enable <adapter name>

To create a Group Adapter for Password Synchronization

Group adapters are optional. This is only required when more than one Password Synchronization Adapter needs to be initialized at the same time. More details are available in section 9.3.5.

1. In the Run dialog box, type cmd and then click OK.

2. At the command line, go to the Enterprise Single Sign-on installation directory.

3. Type ssops -create <Group adapter XML file> (See a sample for this below.)

To add an individual Password Synchronization Adapter to the Group Adapter

1. In the Run dialog box, type cmd and then click OK.

2. At the command line, go to the Enterprise Single Sign-on installation directory.

3. Type ssops -addToGroup <adapter name> <group adapter name>

Summary of All Password Synchronization Administration Options - ssops commands

Password Synchronization functions:

-list : list existing adapters
-display : display adapter information
-create : create new adapter(s)
-setProps : set properties for adapter
-update : update existing adapter(s)
-delete : delete an existing adapter
-enable : enable adapter
-disable : disable adapter
-addApp : add application for adapter
-deleteApp : delete application for adapter
-reset : reset notification or damping queues
-addToGroup : add adapter to adapter group
-deleteFromGroup : delete adapter from adapter group

Affiliate Applications and Password Synchronization Adapters

Affiliate Applications and Password Synchronization Adapters (PS Adapters) need to be associated for Password Synchronization to work. Affiliate Applications contain the mappings for the end users for whom Password Synchronization is done.

Rules

1) More than one Affiliate Application can be associated with the same Password Synchronization Adapter.

2) You cannot associate the same Affiliate Application with more than one Password Synchronization Adapter.

3) Only Partial Synchronization (non-Windows to Windows) can be done for Windows Initiated Group type Affiliate Applications.

4) Mapping Conflicts: Only one credential field in the Affiliate Application can be synchronized. For example, an application can contain userid, password1 and password2 as its three fields. If there are more than two fields, then the administrator must specify which one should be synchronized when doing Password Synchronization. If there are two fields, then userid is always the first field, the second field is the password, and the administrator does not have to specify a special flag.

Sample Affiliate Application XML with sync flag enabled for one field

<application name="TwoOneSync">
  <description>app with two password fields, one with sync</description>
  <contact>admin@fabrikam.com</contact>
  <userGroup>fabrikam\userGrp1</userGroup>
  <appAdminGroup>fabrikam\adminGrp</appAdminGroup>
  <field ordinal="0" label="User Id" masked="no"/>
  <field ordinal="1" label="Password1" masked="yes"/>
  <field ordinal="2" label="Password2" masked="yes" sync="yes"/>
  <flags allowTickets="yes" validateTickets="no"/>
</application>

5) By default, Password Synchronization will not be done if there is a mapping conflict for user accounts across Affiliate Applications. This applies to both Windows to non-Windows Password Synchronization and non-Windows to Windows Full Synchronization. This does not apply to non-Windows to Windows Partial Synchronization.

Example: Assume that there is a Password Synchronization Adapter PS1 that is associated with two Affiliate Applications: AAPP1 and AAPP2. These applications contain the following mappings:

Mapping table

FABRIKAM\winuser1   AAPP1   extuser1
FABRIKAM\winuser2   AAPP2   extuser1

When extuser1's password is changed on the non-Windows system, it is captured and sent to Enterprise SSO through Password Synchronization Adapter PS1 to change the Windows password for both FABRIKAM\winuser1 and FABRIKAM\winuser2. By default, Password Synchronization is not done in such a case for the Windows users. Only the password in the SSO Credential Database will be updated. The same applies in the other direction.

Mapping table

FABRIKAM\winuser1   AAPP1   extuser1
FABRIKAM\winuser1   AAPP2   extuser2

When Windows user FABRIKAM\winuser1 changes the password, the password can be changed for both extuser1 and extuser2 through the Password Synchronization Adapter PS1. By default though, Password Synchronization is not done in such a case for the external users and the password change received is discarded.

However, for both these cases, Password Synchronization will be done if the “AllowMappingConflicts” flag is set to Yes in the Password Synchronization Adapter properties.

Definition of properties and flags in a Password Synchronization Adapter

name: Name of the adapter recognized by Enterprise SSO Services.

description: Description of the Password Synchronization Adapter.

computer: Name of the computer that the adapter will be installed on. This can also be a cluster name if the adapter is installed on a clustered SSO server. The PS Adapter will operate only on this computer.

appUserAccount: Name of the domain group that contains the service account of the Password Synchronization Adapter.

appAdminAccount: Name of the domain group that can be assigned to administer this adapter. If the SSO Administrator does not want to delegate administration to other users, then specify the SSO Administrators group account for this property.

properties file: Name of the file that contains the property definitions for the Password Synchronization Adapter. If a PS Adapter requires Server Name and Port Number as part of its configuration, the properties file should contain this information. See the examples described under the various types of PS Adapters sections for more information.

localize: Localized strings for some common adapter properties are available as part of Enterprise SSO. If this is set to Yes, then Enterprise SSO will display the localized strings when running on a localized (non-English) Windows platform. In the Enterprise SSO version that is available with the Host Integration Server 2004 Japanese version, this is applicable and it will display the localized strings. The names of properties for which prelocalized strings are available are:

"Server Name"
"Port Number"
"LU Name"
"TP Name"
"Mode Name"
"Host Name"
"Port Name"
"Retry Count"
"Retry Delay"

syncFromAdapter: Setting this flag to Yes enables non-Windows to Windows Password Synchronization for this adapter.

verifyOldPassword: Setting this flag to Yes will force Enterprise SSO to verify the old password when it receives a new password change from this Password Synchronization Adapter. This means that the Password Synchronization Adapter must provide the old and new password when sending the password change to the SSO Server.

changeWindowsPassword: Setting this flag to Yes means full synchronization is enabled when receiving password changes from a non-Windows system for this Password Synchronization Adapter. This means that the mapping in the SSO Credential Database is changed and the user's Windows password in Active Directory is changed as well.

syncToAdapter: Setting this flag to Yes enables Windows to non-Windows Password Synchronization for this adapter.

sendOldPassword: Setting this flag to Yes forces Enterprise SSO to send the old password along with the new password for this Password Synchronization Adapter to pick up, which will then be sent to the non-Windows system.

allowMappingConflicts: The default setting for this flag is No. In a case where more than one Affiliate Application is associated with the same Password Synchronization Adapter, there could be mapping conflicts that cause Password Synchronization not to be done for the users that have a mapping conflict. If this is set to Yes by the administrator, Password Synchronization will be done.

The following sections contain sample XML files for Password Synchronization Adapters.

9.3.1 Bi-Directional Password Synchronization Adapters

Main XML File

<!-- This file is used with the ssops -create command to create the prototype adapter named "PSAdapter01."
     This adapter receives Windows password changes from SSO Services to send them to a non-Windows system. SSO Services receives the password changes from the Domain Controller when a Windows user changes their password.
     This adapter also receives password changes from non-Windows systems and sends them to SSO Services for synchronizing the SSO Credential Database and so that SSO Services can update the Windows user's password in Active Directory. -->
<sso>
  <adapter name="PSAdapter01">
    <description>A Bi-Directional Password Sync Adapter.</description>
    <computer>COMPUTERNAME.DOMAIN.COM</computer>
    <appUserAccount>DomainName\PwdSyncUserGroup</appUserAccount>
    <appAdminAccount>DomainName\PwdSyncAdminGroup</appAdminAccount>
    <properties file="Properties_PSA1.xml" localize="yes"/>
    <flags
      syncFromAdapter="yes"
      verifyOldPassword="no"
      changeWindowsPassword="yes"
      syncToAdapter="yes"
      sendOldPassword="no"
    />
  </adapter>
</sso>

Properties XML File (Properties_PSA1.xml)

<!-- comment - for example: Property definitions for PSAdapter01 Version 1.0 -->
<properties>
  <property ordinal="0" name="Prop0" masked="no" display="Server Name" type="T_BSTR" default=""/>
  <property ordinal="1" name="Prop1" masked="no" display="TCP/IP Port" type="T_UI4" default=""/>
</properties>

9.3.2 Windows Password Synchronization Only Adapters

Main XML File

<!-- This file is used with the "ssops -create" command to create the Prototype Adapter named "PSAdapter02." This adapter receives password changes from SSO Services and sends the password change to a non-Windows system. SSO Services receives the Windows user password change from the Domain Controller. -->
<sso>
  <adapter name="PSAdapter02">
    <description>A Password Sync Adapter to send the password change to a non-Windows system.</description>
    <computer>COMPUTERNAME.DOMAIN.COM</computer>
    <appUserAccount>DomainName\PwdSyncUserGroup2</appUserAccount>
    <appAdminAccount>DomainName\PwdSyncAdminGroup2</appAdminAccount>
    <properties file="Properties_PSA2.xml" localize="yes"/>
    <flags
      syncFromAdapter="no"
      verifyOldPassword="no"
      changeWindowsPassword="no"
      syncToAdapter="yes"
      sendOldPassword="no"
    />
  </adapter>
</sso>

9.3.3 Non-Windows Partial Password Synchronization Only Adapters

Main XML File

<!-- This file is used with the "ssops -create" command to create the Prototype Adapter named "PSAdapter03." This adapter sends the password change from a non-Windows system to SSO Services to update the SSO mapping in the SSO Credential Database. -->
<sso>
  <adapter name="PSAdapter03">
    <description>A Partial Synchronization Password Sync Adapter that receives password changes from a non-Windows system.</description>
    <computer>COMPUTERNAME.DOMAIN.COM</computer>
    <appUserAccount>DomainName\PwdSyncUserGroup3</appUserAccount>
    <appAdminAccount>DomainName\PwdSyncAdminGroup3</appAdminAccount>
    <properties file="Properties_PSA3.xml" localize="yes"/>
    <flags
      syncFromAdapter="yes"
      verifyOldPassword="no"
      changeWindowsPassword="no"
      syncToAdapter="no"
      sendOldPassword="no"
    />
  </adapter>
</sso>

9.3.4 Non-Windows Full Password Synchronization Only Adapters

Main XML File

<!-- This file is used with the "ssops -create" command to create the Prototype Adapter named "PSAdapter04." This adapter sends the password change from a non-Windows system to SSO Services to update the SSO mapping in the SSO Credential Database. This password is also changed in Active Directory by SSO Services for the corresponding Windows user. -->
<sso>
  <adapter name="PSAdapter04">
    <description>A Full Synchronization Password Sync Adapter that receives password changes from a non-Windows system.</description>
    <computer>COMPUTERNAME.DOMAIN.COM</computer>
    <appUserAccount>DomainName\PwdSyncUserGroup4</appUserAccount>
    <appAdminAccount>DomainName\PwdSyncAdminGroup4</appAdminAccount>
    <properties file="Properties_PSA4.xml" localize="yes"/>
    <flags
      syncFromAdapter="yes"
      verifyOldPassword="no"
      changeWindowsPassword="yes"
      syncToAdapter="no"
      sendOldPassword="no"
    />
  </adapter>
</sso>

9.3.5 Group Password Synchronization Adapters

Group Password Synchronization Adapters can be created to associate multiple Password Synchronization Adapters with the same Group adapter. This allows the Group adapter to interact with SSO to initialize all Password Synchronization Adapters that are related. For example, a third party might have one Group adapter and multiple individual adapters. Group adapters are used primarily for runtime initialization of individual Password Synchronization Adapters.

Sample XML to create a group adapter:

<!-- This file is used with the ssops -create command to create the prototype group adapter named "PSGroupAdapter01."
     Group Adapters are used to allow initialization of multiple Password Synchronization Adapters at the same time. You can associate individual Password Synchronization Adapters with a Group Adapter using the ssops -addToGroup command. -->
<sso>
  <adapter name="PSGroupAdapter01">
    <description>A Group Password Synchronization Adapter.</description>
    <computer>COMPUTERNAME.DOMAIN.COM</computer>
    <appUserAccount>DomainName\PwdSyncUserGroup</appUserAccount>
    <appAdminAccount>DomainName\PwdSyncAdminGroup</appAdminAccount>
    <properties file="Properties_GroupAdapter1.xml" localize="yes"/>
    <flags
      groupAdapter="yes"
    />
  </adapter>
</sso>

Like individual Password Synchronization Adapters, Group Adapters can have properties associated with them as well.
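An added Python example, not Enterprise SSO or ssops code, that parses a main XML file of the form shown in sections 9.3.1 to 9.3.5, classifies the adapter from its flags, and reports flag combinations that cannot work (for instance changeWindowsPassword without syncFromAdapter, since full synchronization is a non-Windows to Windows flow). The checks and the kind names are this example's own, and adapter_xml constructs the sample files with the placeholder values used above.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

FLAG_NAMES = ("syncFromAdapter", "verifyOldPassword", "changeWindowsPassword",
              "syncToAdapter", "sendOldPassword", "allowMappingConflicts", "groupAdapter")


def parse_adapter(xml_text: str) -> Dict[str, object]:
    """Read a main XML file into a dict; every flag defaults to "no" when absent."""
    root = ET.fromstring(xml_text)
    adapter = root.find("adapter")
    if root.tag != "sso" or adapter is None:
        raise ValueError("expected <sso><adapter ...></adapter></sso>")
    info = {"name": adapter.get("name") or "",
            "computer": adapter.findtext("computer", "").strip(),
            "appUserAccount": adapter.findtext("appUserAccount", "").strip(),
            "appAdminAccount": adapter.findtext("appAdminAccount", "").strip()}
    props = adapter.find("properties")
    info["properties_file"] = props.get("file") if props is not None else None
    flags = adapter.find("flags")
    info["flags"] = {k: flags is not None and flags.get(k, "no").lower() == "yes"
                     for k in FLAG_NAMES}
    return info


def check_adapter(info: Dict[str, object]) -> List[str]:
    """Problems an SSO Administrator would want caught before running ssops -create."""
    f = info["flags"]
    problems = []
    for key in ("name", "computer", "appUserAccount", "appAdminAccount"):
        if not info[key]:
            problems.append("%s is required" % key)
    for key in ("appUserAccount", "appAdminAccount"):
        if info[key] and "\\" not in info[key]:
            problems.append("%s must be a domain group (DOMAIN\\group)" % key)
    if f["changeWindowsPassword"] and not f["syncFromAdapter"]:
        problems.append("changeWindowsPassword needs syncFromAdapter (full sync is non-Windows to Windows)")
    if f["verifyOldPassword"] and not f["syncFromAdapter"]:
        problems.append("verifyOldPassword only applies to changes received from the adapter")
    if f["sendOldPassword"] and not f["syncToAdapter"]:
        problems.append("sendOldPassword only applies to changes sent to the adapter")
    if not f["groupAdapter"] and not (f["syncFromAdapter"] or f["syncToAdapter"]):
        problems.append("adapter synchronizes in neither direction")
    return problems


def classify(info: Dict[str, object]) -> str:
    """Name the adapter kind the way sections 9.3.1 to 9.3.5 do."""
    f = info["flags"]
    if f["groupAdapter"]:
        return "group"
    if f["syncToAdapter"] and f["syncFromAdapter"]:
        return "bi-directional"
    if f["syncToAdapter"]:
        return "windows-only"
    if f["syncFromAdapter"]:
        return "non-windows-full" if f["changeWindowsPassword"] else "non-windows-partial"
    return "inactive"


def yes_no(value: bool) -> str:
    return "yes" if value else "no"


def adapter_xml(name: str, sync_from: bool, change_windows: bool, sync_to: bool,
                group: bool = False) -> str:
    """Build a main XML file in the whitepaper's layout with constructed sample values."""
    if group:
        flags = 'groupAdapter="yes"'
    else:
        flags = ('syncFromAdapter="%s" verifyOldPassword="no" changeWindowsPassword="%s" '
                 'syncToAdapter="%s" sendOldPassword="no"'
                 % (yes_no(sync_from), yes_no(change_windows), yes_no(sync_to)))
    return ('<sso><adapter name="%s"><description>sample</description>'
            '<computer>COMPUTERNAME.DOMAIN.COM</computer>'
            '<appUserAccount>DomainName\\PwdSyncUserGroup</appUserAccount>'
            '<appAdminAccount>DomainName\\PwdSyncAdminGroup</appAdminAccount>'
            '<properties file="Properties_PSA1.xml" localize="yes"/>'
            '<flags %s/></adapter></sso>' % (name, flags))


if __name__ == "__main__":
    for args in (("PSAdapter01", True, True, True), ("PSAdapter02", False, False, True),
                 ("PSAdapter03", True, False, False), ("PSAdapter04", True, True, False)):
        info = parse_adapter(adapter_xml(*args))
        print(info["name"], classify(info), check_adapter(info))
```

Running the four sample combinations reproduces the four adapter kinds of sections 9.3.1 to 9.3.4 with no problems reported; a file that sets changeWindowsPassword="yes" while leaving syncFromAdapter="no" is flagged before it is ever handed to ssops.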

 

77

Page 78: Enterprise SSO Whitepaper

7/21/2019 Enterprise SSO Whitepaper

http://slidepdf.com/reader/full/enterprise-sso-whitepaper 78/91

Single Sign-on Services for Microsoft Enterprise .pplication Integration Sol%tions

9.4 Proginet Password Synchronization Adapter Configuration

Once Enterprise SSO configuration is completed for Password Synchronization, the actual Password Synchronization Adapters need to be installed and configured.

These adapters can be obtained from http://eps.proginet.com/. Detailed documentation is available with the adapters that explains how to set up the adapters on the Windows and Host systems. Adapters are available for IBM RACF, CA ACF/2, CA Top Secret, and the IBM OS/400 security system.

This section gives an overview of the components and the configuration of the Windows component of the adapter.

These adapters have two components:

1. Windows component: The component that is integrated with the Enterprise SSO Password Synchronization Interface. This runs on the Enterprise SSO Server performing the role of Password Synchronization Server. This component is referred to as the ePS controller. It is a Windows service registered in the Service Control Manager and is responsible for:

a. Receiving password changes from Enterprise SSO and sending them to its counterpart component on the Host system.

b. Sending the password changes it receives from the Password Synchronization Adapter running on the Host system to the Enterprise SSO system.

2. Host component: This is the counterpart component that needs to be installed and configured on the appropriate Host system (IBM mainframe or OS/400). This component is responsible for:

a. Capturing password changes made on the Host system and sending them to its counterpart Windows component.

b. Receiving password changes from the ePS controller on Windows and making the password change in the security database on the Host system.

9.4.1 Installing and Configuring the ePS Controller

Launch the epsController.exe setup package to install the ePS Controller (Windows component of the Password Synchronization Adapter) on the Enterprise SSO Password Synchronization Server. After you accept the appropriate license agreement and specify the location where the adapter needs to be installed, the following configuration needs to be done.

1) TCP/IP or SNA connectivity to the Host System

In the case of TCP/IP, specify the Port number (default is 47474) to be used. If SNA connectivity is used, then the ePS Controller uses Host Integration Server to connect to the Host system. In the case of SNA, specify the LU Name to be used.

2) Specify the adapter name


This is the name that this adapter will be known as in the Enterprise SSO system. This name should be listed when you run ssops –list. This can be a group Password Synchronization Adapter as well.

3) Specify the service account

Specify the service account for the ePS Controller to run under. This is the account that the adapter will use to communicate with ENTSSO. This service account must belong to the appUserAccount specified for this Password Synchronization Adapter when it was created in Enterprise SSO.

Example:

Described here is an example to configure a Password Synchronization Adapter on sso-server1.fabrikam.com to an IBM mainframe system (Host1) with IBM RACF running on it.

1) On sso-server1, create the adapter using the following XML files

Main XML file (Prog_ADRACF.xml)

    <sso>
      <adapter name="Prog_ADRACF">
        <description>A Bi-Directional Password Sync Adapter.</description>
        <computer>sso-server1.fabrikam.com</computer>
        <appUserAccount>fabrikam\PSAUSER1</appUserAccount>
        <appAdminAccount>fabrikam\SSOAdministrators</appAdminAccount>
        <properties file="Properties_PSA1.xml" localize="yes"/>
        <flags
          syncFromAdapter="no" verifyOldPassword="no"
          changeWindowsPassword="yes" syncToAdapter="yes"
          sendOldPassword="no" />
      </adapter>
    </sso>

Properties File (Properties_PSA1.xml)

    <properties>
      <property ordinal="0" name="IPADDRESS" masked="no" display="Server Name" type="T_BSTR" default="Host1"/>


      <property ordinal="1" name="PORTNUMBER" masked="no" display="TCP/IP Port" type="T_I4" default="47474"/>
    </properties>

To create the adapter, run ssops –create Prog_ADRACF.xml

2) Enable the adapter. Run ssops –enable Prog_ADRACF

3) Add the Affiliate Application to the adapter. This is the Affiliate Application (for example, AffAppforMainframe1) being used for Single Sign-on scenarios that contains the mappings for which Password Synchronization needs to be done. Run ssops –addapp AffAppforMainframe1 Prog_ADRACF

Note: In addition to the PS Adapter, the Affiliate Application must be enabled and the mappings must then be enabled for Password Synchronization to take place.

4) Install the Proginet ePS Controller on sso-server1.fabrikam.com and specify the following:

a) Adapter name as Prog_ADRACF

b) Service account for ePS.exe (Windows service) as fabrikam\progsvc. This account must be a member of fabrikam\PSAUser1; this is required for the service to communicate with Enterprise SSO.

9.4.2 Other Password Synchronization Adapter Configuration Properties

To change the server name or IP address, or any other properties of the adapter once it is configured, you can run ssops –setprops Prog_ADRACF

When the adapter is created in the SSO system, the following properties are set by default:

* Notification Retry Count : 1

* Notification Retry Delay (in minutes) : 5

* Maximum Pending Notifications : 8

* Store Notifications (when offline) : True

* indicates that these are SSO System properties for the Password Synchronization Adapter and not properties that come from the PS Adapter itself.

These can be modified using ssops –setprops <adapter name> as well. The retry count and the retry delay values are reversed by default (which is a known issue). That can be easily changed by running ssops –setprops <adapter name> from the command line.

Retry Count for adapter

If the adapter fails to indicate to Enterprise SSO that it completed processing the password change, Enterprise SSO will retry the password change at the configured Notification Retry Count and Notification Retry Delay (in minutes) for the Password Synchronization Adapter.


Maximum Pending Notifications

Each adapter has a maximum pending notifications value, which is the maximum number of outstanding confirmations that are allowed in either direction (either sending passwords to Enterprise SSO or receiving passwords from Enterprise SSO).

Store Notifications (when offline)

When the SSO system is offline, notifications will continue to be stored for the Password Synchronization Adapter when this option is set to true. This works with the replay files configuration. When the SSO system is offline (such as when a connection to the database is not available), password changes from the Password Synchronization Adapters will be stored in the Replay file specified. If the Replay file is not configured, the password change will be discarded.

9.5 High Availability for Password Synchronization

In addition to clustering the Master Secret Server and Credential Database (in SQL Server) using MSCS (Microsoft Clustering Services) in Active/Passive mode, the Password Synchronization Server communicating with Domain Controllers and Password Synchronization Adapters can be clustered using the same process. Details for clustering are explained in section 5.5.

Optionally, for Windows Password Synchronization, you can achieve high availability without clustering the Enterprise SSO server. To achieve this, two Enterprise SSO servers need to be registered as targets for PCNS.

However, this option cannot be used for the Enterprise SSO Password Synchronization Server that has the Password Synchronization Adapters installed. To achieve high availability along with Password Synchronization Adapters, it is recommended to cluster it using MSCS in Active/Passive mode.

9.6 Startup of Password Synchronization module in ENTSSO Service

Though the Password Synchronization feature of Enterprise SSO is installed, the interfaces will not start up.

The ENTSSO service will start operating for Windows-initiated password changes from the Domain Controller component (PCNS) only if the following are true:

• WinSync is enabled.

• One PS Adapter for Windows to non-Windows password synchronization exists.

• Affiliate Applications with mappings are associated with the PS Adapter.


If any of the preceding conditions are not true, when a password change is sent from PCNS to ENTSSO, the change is discarded.

Similarly, the ENTSSO service will start operating for non-Windows-initiated password changes from PS Adapters only if the following are true:

• ExtSync is enabled for Partial or Full Synchronization.

• One PS Adapter for non-Windows to Windows Password Synchronization exists.

• Affiliate Applications with mappings are associated with the PS Adapter.

If any of the preceding conditions are not true, when a password change is sent from the PS Adapter to ENTSSO, the change is discarded.
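The adapter definition of section 9.4.1 and the start-up conditions of section 9.6, as an added worked example (not code from the whitepaper, Microsoft or Proginet): it parses a constructed copy of the Prog_ADRACF.xml and Properties_PSA1.xml files, works out which password-change directions ENTSSO would process, and checks the ePS service-account membership that sections 9.4.1 and 11.1 call for. The flag semantics (syncToAdapter for Windows to non-Windows, syncFromAdapter for non-Windows to Windows) and the group-membership input are assumptions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed copies of the two files shown in section 9.4.1 (no live SSO system).
ADAPTER_XML = """<sso>
  <adapter name="Prog_ADRACF">
    <description>A Bi-Directional Password Sync Adapter.</description>
    <computer>sso-server1.fabrikam.com</computer>
    <appUserAccount>fabrikam\\PSAUSER1</appUserAccount>
    <appAdminAccount>fabrikam\\SSOAdministrators</appAdminAccount>
    <properties file="Properties_PSA1.xml" localize="yes"/>
    <flags syncFromAdapter="no" verifyOldPassword="no"
           changeWindowsPassword="yes" syncToAdapter="yes"
           sendOldPassword="no" />
  </adapter>
</sso>"""

PROPERTIES_XML = """<properties>
  <property ordinal="0" name="IPADDRESS" masked="no" display="Server Name"
            type="T_BSTR" default="Host1"/>
  <property ordinal="1" name="PORTNUMBER" masked="no" display="TCP/IP Port"
            type="T_I4" default="47474"/>
</properties>"""


@dataclass
class PsAdapter:
    name: str
    computer: str
    app_user_account: str
    app_admin_account: str
    flags: dict
    properties: dict = field(default_factory=dict)

    # Assumed meaning of the flags (taken from their names, not stated on the page):
    #   syncToAdapter   - Windows-initiated changes are pushed to the host adapter
    #   syncFromAdapter - host-initiated changes are accepted back into Windows
    @property
    def windows_to_nonwindows(self) -> bool:
        return self.flags.get("syncToAdapter", "no").lower() == "yes"

    @property
    def nonwindows_to_windows(self) -> bool:
        return self.flags.get("syncFromAdapter", "no").lower() == "yes"


def parse_adapter(adapter_xml: str, properties_xml: str) -> PsAdapter:
    """Parse an ssops adapter definition together with its properties file."""
    adapter = ET.fromstring(adapter_xml).find("adapter")
    if adapter is None or adapter.find("flags") is None:
        raise ValueError("expected <sso><adapter>...<flags/></adapter></sso>")
    # Property defaults keyed by name: IPADDRESS -> Host1, PORTNUMBER -> 47474.
    props = {p.get("name"): p.get("default")
             for p in ET.fromstring(properties_xml).findall("property")}
    return PsAdapter(
        name=adapter.get("name"),
        computer=adapter.findtext("computer", ""),
        app_user_account=adapter.findtext("appUserAccount", ""),
        app_admin_account=adapter.findtext("appAdminAccount", ""),
        flags=dict(adapter.find("flags").attrib),
        properties=props,
    )


def entsso_directions(adapters, win_sync_enabled, ext_sync_mode, associated_apps):
    """Apply the start-up conditions of section 9.6.

    ext_sync_mode is "none", "partial" or "full"; associated_apps maps an adapter
    name to the Affiliate Applications (with mappings) added via `ssops -addapp`.
    A direction that is not active means ENTSSO discards changes from that side.
    """
    def live(adapter, direction_enabled):
        return direction_enabled and bool(associated_apps.get(adapter.name))

    windows_initiated = win_sync_enabled and any(
        live(a, a.windows_to_nonwindows) for a in adapters)
    host_initiated = ext_sync_mode in ("partial", "full") and any(
        live(a, a.nonwindows_to_windows) for a in adapters)
    return {"windows_initiated": windows_initiated,
            "nonwindows_initiated": host_initiated}


def service_account_ok(adapter, service_account, group_members):
    """Section 9.4.1 step 3 / section 11.1 checklist: the ePS Controller service
    account must be a member of the adapter's appUserAccount group.
    group_members maps a group name to its member accounts (constructed input;
    a real check would read the directory). Windows account names are
    case-insensitive, so everything is compared case-folded.
    """
    wanted = adapter.app_user_account.casefold()
    members = {m.casefold() for group, ms in group_members.items()
               if group.casefold() == wanted for m in ms}
    return service_account.casefold() in members
```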


10.0 Security

Some of the features of Enterprise SSO regarding security, and recommendations to improve the overall security of an Enterprise SSO deployment, are described below.

Communication between SSO Server and SQL Server

It is strongly recommended that you enable SSL for all communication with the SSO Credential Database on SQL Server from all SSO Servers (including the Master Secret Server). To use SSL for secure communication with SQL Server, refer to http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT19.asp.

After SSL has been set up for SQL Server, there are two options to enable SSL from the SQL Server client computer (in this case an SSO Server):

1. You can enable this for all clients on that computer by using the Client Network Utility of SQL Server. The advantages and disadvantages of doing this are discussed in the MSDN article mentioned previously.

2. You can enable this for SSO Server communications only by setting the SSL flag using the ssoconfig.exe command line utility of Enterprise Single Sign-on. From the command line in the directory <device>\Program Files\Common Files\Enterprise Single Sign-on\, run the command ssoconfig –setSSL yes to enable it. Setting this flag will make the Enterprise SSO service use SSL in its connection to SQL Server. Note that if SSL is not configured correctly for SQL Server, all SSO operations will fail.

Lock down Windows Accounts used by Enterprise SSO

Use domain groups and domain accounts to improve the overall security of your deployment.

Enterprise SSO security is primarily based on the various roles in the SSO System. SSO Administrator is the highest privilege role in the SSO System. This group should be locked down. The Enterprise SSO service accounts need to be members of this group as well. Ensure that no other services are using the same service account. Also, the Enterprise SSO service account should not be an administrator account. A domain service account must be created and used just for the Enterprise SSO service.

The SSO Administrators role should be assigned only to trusted individuals in your enterprise.

Other roles, such as SSO Affiliate Administrator, Application Administrator, and Application Users, should be locked down as well. These are highly recommended to be domain group accounts. Ensure that these group accounts contain only the user accounts that they absolutely need to have. For example, if an end user no longer requires a mapping, then in addition to deleting the user mapping from Enterprise SSO for the Affiliate Application, make sure that the user is removed from the Application Users group account for that Affiliate Application as well.


Communication between SSO Servers

All communication between the SSO Servers and the Master Secret Server is through encrypted RPC. Also, the communication between the SSO administrative or client component and the SSO Server is through encrypted RPC. It is recommended to use Kerberos between the SSO administrative and client components and the SSO Server. To do so, you would need to register a Service Principal Name (SPN) for the SSO service account using the setspn utility. You can then specify the SPN from the SSO administrative or client components when accessing the SSO Server.

Password Synchronization

Communication between PCNS on Domain Controllers and the SSO Servers assigned as a target uses Kerberos. This ensures that there is mutual authentication between the two components. When receiving password changes from the Domain Controller, the SSO Server also checks that the password change is being sent to it from a Domain Controller.

Password Synchronization Adapter services should be configured to use a different service account from the Enterprise SSO service account. Also, the Password Synchronization Adapter service account should not be used by any other services.

Ensure that the administrators group account and the user group account specified for the Password Synchronization Adapter are locked down and only contain user accounts that need to be members of these groups. For example, only the Password Synchronization Adapter service account must be a member of the user group account assigned for the Password Synchronization Adapter.

Computer lock down

All the computers running Enterprise SSO must be locked down. Only administrators that absolutely require access to these computers must have access. Ideally, only the SSO Administrators should be the local computer administrators of these computers as well. Especially, make sure that the servers that contain the SSO Credential Database, the Master Secret Server, and the Enterprise SSO Password Synchronization Servers are locked down by giving access only to the SSO Administrators group account.

10.1 Secure Deployment

This section provides an overview of a sample secure deployment that can be achieved when using Enterprise SSO.

You could place the SSO Credential Database in a different domain from the processing SSO Servers. Then you could have processing SSO Servers running on BizTalk Server and Host Integration Servers for lookups to be performed. This setup has two domains, PROC.com and SQL.COM.

Domain PROC.com

• PROC Domain Controller


• SSO0 Master Secret Server

• SSO1 Windows Initiated SSO Server

• SSO2 Host Initiated SSO server

• SSO3 Master Secret Server

• SSO4 Administrator box

• SSO5 Password Synchronization Server to receive Windows password changes and also Password Synchronization Adapters to receive and send changes from/to non-Windows systems.

Domain SQL.com

• SQL Domain Controller

• SQL1 SSO database

1. A two-way selective authentication trust between PROC.COM and SQL.COM must be established. To do so, on the domain controller, run Start > All Programs > Administrative Tools > Active Directory Domains and Trusts and follow the instructions to set up Selective Authentication 2-way with the other domain. This configuration has to be done on the domain controllers in both the PROC.COM and SQL.COM domains.

2. The Allowed to Authenticate privilege needs to be assigned to the ENTSSO Service account (PROC.COM domain user) on SQL1 in domain SQL.COM. To do so, from the Active Directory MMC snap-in for Users and Computers (you need to switch on advanced view in the AD MMC snap-in), right-click the account and then view the Properties for the account. Click the Security tab and select the Allow check box for the Allowed to Authenticate option.

3. A new login in the SQL1 server (in SQL.COM) needs to be created for the ENTSSO Service account (PROC.COM domain user).

This way, only the accounts and groups that require access to the other domain are given access. Access for all other PROC.COM accounts is denied in the SQL.COM domain. Only the ENTSSO service account will have access to the database layer.

Refer to the MSDN article on Accessing Resources across Domains for additional information.

When using Enterprise SSO with BizTalk Server 2004, also refer to the Planning a Secure Deployment documentation.


11.0 Troubleshooting

11.1 General Recommendations

11.1.1 Application Event Log

When a problem is encountered, the first place to check for further information is the Application Event Log. When it encounters an error, Enterprise SSO will log either an Error or Warning message with further details about the problem. Informational messages are also logged.

The amount of information logged to the event log is controlled by audit levels. There are two audit level settings: the "positive" audit level, which controls audits of things that succeed, and the "negative" audit level, which controls audits of things that fail.

For troubleshooting, it is best to turn both audit levels to high using

ssoconfig –auditlevel 3 3

ssoconfig.exe and the other command line tools are installed in the default install location:

\Program Files\Common Files\Enterprise Single Sign-On

If your problem is reproducible, set both the audit levels to high, clear the event log, wait for 1 minute or restart the Enterprise SSO service (to make sure the Enterprise SSO service picks up the new audit levels), and try the scenario again. Take a look in the event log after the scenario.

Restarting the ENTSSO service is a good way to determine whether the configuration is correct:

1. From the command prompt, run net stop ENTSSO

2. Clear the Application event log from the Event Viewer snap-in. When you clear the log, it is recommended that you save the existing data in the Application event log because it might contain other useful information.

3. From the command prompt, run net start ENTSSO

4. Check the Application event log

Note that there may be some dependent services that will also be stopped when Enterprise SSO is stopped.

11.1.2 Access Denied response

When "access denied" is returned to a caller by Enterprise SSO, it will always log a message in the Application Event Log. There are also some cases where "access denied" may be returned to the caller before that call reaches Enterprise SSO, in which case there will not be an event log message.


The event log message logged by Enterprise SSO will give the Affiliate Application name if it is available. That can be used to check the SSO access account names for the Affiliate Application. To do so, run ssomanage –displayapp <application name>

The SSO system access accounts can also be viewed by running the command ssomanage –displaydb

The SSO service must be running for these commands to succeed.

By default, the SSO Configuration Wizard creates the following local group accounts:

SSO Administrator = "SSO Administrators"

SSO Affiliate Administrator = "SSO Affiliate Administrators"

It is recommended that you change these groups to domain groups. This can be achieved by running ssomanage –updatedb <globalinfo.xml> and passing in the right group names.

In BizTalk Server 2004, SSO Config Store applications are used to securely store properties for send and receive handlers. These SSO Config Store applications are created by the Host Configuration Wizard. For these SSO Config Store applications, the SSO accounts are set as follows:

Application Administrators = "BizTalk Server Administrators"

Application Users = "BizTalk Application Users" or "BizTalk Isolated Host Users"

You can list all the SSO applications, including SSO Config Store applications. To do so, run ssomanage –listapps all

Check the following

BizTalk Server Adapter Redeem Ticket: The service account of the BizTalk Server Adapter that redeems the ticket must belong to the Application Administrators group for the Affiliate Application at a minimum.

Redeem Ticket Validation: There must be a trusted subsystem in the end-to-end process when using BizTalk Adapters with Enterprise SSO. Only trusted Hosts should be used in BizTalk Server when working with Enterprise SSO. When creating a new message in an Orchestration, ensure that the SSOTicket and OriginatorSID context properties are copied over, so that the Send Adapter can redeem the Ticket.

IssueTicket in BizTalk Adapter: When an SSO Ticket is being issued, ensure that the BizTalk Server Web Service Adapter or HTTP Adapter is configured only to use Windows Integrated Security, and has the privilege to impersonate the end user while making the request to ENTSSO.

Host Integration Server: Ensure that the Host Integration Server component that is calling Enterprise SSO to obtain the Host credentials is configured to use Windows Integrated Security and has impersonation privileges. For example, the Transaction Integrator .NET Application on a Web server should be configured to use Windows Integrated Security. Anonymous access must be disabled.

Password Synchronization Adapter Service Account: Check that the service account for the PS Adapter belongs to the appUserAccount specified for the PS Adapter when it was created in ENTSSO.

11.1.3 Enable MSDTC

Enterprise SSO uses MSDTC for distributed transactions. Ensure that MSDTC is enabled for multi-box configurations on the SSO Servers, the Master Secret Server, and the SQL Server computer (that contains the SSO Credential Database). To do so, refer to the procedure at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/troubleshooting/htm/ebiz_ops_bas_admin_khfe.asp.

11.1.4 Sample XML references

In Host Integration Server 2004, Enterprise SSO has various sample XML files located under \Program Files\Common Files\Enterprise Single Sign-On\SDK\Samples\Manage\. Use these as references to create Affiliate Applications, User Mappings, and Password Synchronization Adapters for different types of Affiliate Applications.

In a BizTalk Server 2004 installation, a subset of these samples is located in the BizTalk Server SDK install directory (<root install>\SDK\samples\SSO\manage).

Global Updates in SSO System

GlobalInfo.xml: Sample to make global updates in Enterprise SSO using ssomanage –updatedb <globalinfo.xml>

Note: If you change the SSO Administrator account, you must disable the SSO System before performing this operation. Once the change is performed, you can enable the SSO System.

Single Sign-On Affiliate Applications

WISSO_Individual_AffApp.xml: Windows Initiated SSO for creating a one-one mapping. This is typically used in Host Integration Server scenarios.

WISSO_Individual_AffApp_WithTickets.xml: Windows Initiated SSO for creating a one-one mapping with ticketing enabled. This is typically used in BizTalk Server scenarios.

WISSO_Group_AffApp.xml: Windows Initiated SSO for creating a many-one mapping. This is typically used in Host Integration Server scenarios.

WISSO_Group_AffApp_WithTickets.xml: Windows Initiated SSO for creating a many-one mapping with ticketing enabled. This is typically used in BizTalk Server scenarios.


HISSO_Individual_AffApp.xml: Host Initiated SSO for creating a one-one mapping. This is typically used in Host Integration Server Transaction Integrator HIP scenarios.

HISSO_HostGroup_AffApp.xml: Host Initiated SSO for creating a many-one mapping. This is typically used with Host Integration Server Transaction Integrator HIP scenarios.

WISSO_HISSO_Individual_AffApp.xml: Windows Initiated and Host Initiated SSO for creating a one-one mapping. This is typically used in Host Integration Server when both scenarios are required in the same Affiliate Application.

Single Sign-On User Mappings

UserMapping.xml: To create multiple mappings for one or more Affiliate Applications for Windows Initiated or Host Initiated scenarios.

UserMapping_HostGroup.xml: To create a many-1 mapping for Host Initiated SSO.

Config Store Affiliate Application

ConfigStore_AffApp.xml: To create a Configuration Store type Affiliate Application to store and retrieve BizTalk configuration data.

Sample XML for Password Synchronization Adapters

PwdSyncPSA1_Main_BiDirectional.xml: To create a PS Adapter that supports Windows to non-Windows and non-Windows to Windows Password Synchronization. It uses the property file located at PwdSync\Properties_PSA1.xml

PwdSyncPSA2_Main_WindowstoNonWindows_FullSync.xml: To create a PS Adapter that supports Windows to non-Windows Password Synchronization. It uses the property file located at PwdSync\Properties_PSA2.xml

PwdSyncPSA3_Main_NonWindowsPartialSync.xml: To create a PS Adapter that supports non-Windows to Windows partial Password Synchronization. It uses the property file located at PwdSync\Properties_PSA3.xml

PwdSyncPSA4_Main_NonWindowsFullSync.xml: To create a PS Adapter that supports non-Windows to Windows full Password Synchronization. It uses the property file located at PwdSync\Properties_PSA4.xml

PwdSyncPSGroupAdapter1.xml: To create a PS Adapter that supports non-Windows to Windows full Password Synchronization. It uses the property file located at PwdSync\Properties_PSA4.xml

PwdSyncProperties_GroupAdapter1.xml: To create a group PS Adapter that can be associated with multiple Password Synchronization adapters.

The following XSD files are also available to validate XML files:

AffiliateApplication.xsd
UserMapping.xsd
GlobalInfo.xsd
Pwdsync\PSAdapter_All.xsd


11.1.5 Generate trace information

In addition, trace information can be generated and sent to Microsoft Product Support Services. To do so, use the trace.cmd utility available in the BizTalk Server 2004 installation. For Enterprise SSO available with Host Integration Server 2004, trace.cmd is available in the installation directory (\Program Files\Common Files\Enterprise Single Sign-On\).

Using trace.cmd requires the Windows Event Tracing tools (tracelog.exe). You can obtain these from the Platform SDK.

Steps

Using the command prompt, go to the \Program Files\Common Files\Enterprise Single Sign-On directory and perform the following steps (ensure that tracelog.exe is in your path):

1. trace –start –high

2. Reproduce the failure scenario

3. trace –stop

4. Send the ESSO.bin generated in the same directory to Microsoft Product Support Services.

To obtain tracelog.exe, follow these steps:

1. To download the Tracelog.exe file, visit the Microsoft Platform SDK download Web site at http://www.microsoft.com/msdownload/platformsdk/sdkupdate/.

2. On the Downloads menu of the Web site, click Install.

3. On the SDK Update Catalog page, select only the Build environment sub-feature under Core SDK.

4. Scroll to the top of the page, and then click Start Installation.

5. Click Continue and the Platform SDK Installation Wizard Web Page Dialog page will appear.

6. On the Platform SDK Installation Wizard Web Page Dialog page, click Accept to accept the Microsoft End User License Agreement.

7. On the Confirm Installation Selections page, click Continue twice. The Installation Status page will appear.

8. Click Install Now, and then click OK to complete the installation.

9. Locate the Drive:\Platform SDK Installation Folder\bin folder and then copy the Tracelog.exe file to the Enterprise SSO install location where trace.cmd is located. In the case of BizTalk Server 2004, this is the root directory of the BizTalk Server install location.


11.2 Known Issues

11.2.1 XP Service Pack 2 issues

When XP SP2 was introduced, it tightened up the default RPC security on the system, which causes Enterprise SSO to fail. A registry key needs to be set to allow RPC connections over TCP/IP to complete. Refer to http://support.microsoft.com/default.aspx?scid=kb;en-us;84183 for details.

11.2.2 Clustering issues

Incorrect Cluster Name

One common clustering issue is that the correct Cluster Network Name is not being used for the Master Secret Server name. A cluster may in fact have more than one Clustered Network Name. Check that you have the clustered Enterprise SSO Service associated with the correct Cluster Network Name and that this Clustered Network Name is the Master Secret Server name that is used in the SSO Credential Database.

MSDTC error during clustering

During clustering of the Enterprise SSO service, if runtime errors appear related to the Distributed Transaction Coordinator (DTC), check whether DTC has been clustered. If DTC is already available as a Cluster Resource, then the DTC is just detecting an internal inconsistency because it was not configured to run on a cluster, and is therefore unable to start. To resolve this error condition, configure the DTC to run on a cluster with comclust -a on both machines and then restart the DTC.
