7/21/2019 Enterprise SSO Whitepaper
http://slidepdf.com/reader/full/enterprise-sso-whitepaper 1/91
Single Sign-on Services for Microsoft Enterprise Application Integration Solutions: Enterprise Single Sign-On Integrated with Microsoft BizTalk Server 2004 and Microsoft Host Integration Server 2004

Microsoft Host Integration Server 2004 Technical Article

Published December 2004
Copyright

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2004 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, BizTalk, SharePoint, SQL Server, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents

1.0 Introduction to Enterprise Single Sign-on
2.0 SSO Components and Services
3.0 SSO Roles and Accounts
4.0 Implementation Scenarios
5.0 SSO Installation and Configuration
6.0 SSO Client Utility and Administration Tools
7.0 SSO Mappings and Affiliate Application Types
8.0 Configuring Host Initiated SSO
9.0 Configuring Password Synchronization
10.0 Security
10.1 Secure Deployment
11.0 Troubleshooting
References
1.0 Introduction to Enterprise Single Sign-on

In an enterprise-wide computing environment, users are likely to access different applications as they go about their day-to-day routines. A user may begin his or her day by turning on a Microsoft Windows XP workstation, logging on to a Windows network, and then accessing applications on a mainframe system or an SAP application running on an AS/400. Each system with which the user comes into contact enforces its own security requirements and logon procedures. For example, a Windows domain account may require a six-character user name and an eight-character, mixed-case password, whereas a mainframe environment may require a seven-character user name and a seven-character alphanumeric password. Frequently, users have to remember several different combinations of user names and passwords to gain access to various resources on the network. In addition, system administrators have to manage multiple accounts for a single user.

A key problem within many enterprise organizations is cross-platform security, system integration, and management. For example, when Line-of-Business (LOB) applications and other systems require separate logons, users must keep track of, and use, multiple credentials. For many IT support teams the most common support incidents are password resets. This situation reduces end-user productivity while significantly increasing help desk expenses. If a user community mishandles IBM mainframe or AS/400 midrange logon credentials, this represents an increased security risk and can compromise access to vital enterprise computing resources.

In this document, we refer to mainframes and AS/400s as Host systems and to SAP, PeopleSoft, and Siebel applications as LOB applications. They are also referred to elsewhere in this white paper as back-end systems or back-end applications. One of the problems with mixing Windows 2000 and Windows 2003 systems with Host systems is that each type of platform has its own way of dealing with security. It is not uncommon to have one user account and password to access a local Windows 2000 or Windows 2003 domain while also having another user account and password to access the mainframe and/or AS/400. In addition, mainframe and/or AS/400 applications may also have their own user accounts and passwords. After a while users begin to forget these multiple passwords and begin to write them down and keep them in an insecure location. This defeats the purpose of having passwords in the first place.

The industry-proposed solution for security in heterogeneous systems is for IT to pursue an Identity Management (IdM) strategy. One component of such a strategy is Account Mapping, for the purpose of providing end users and application developers with a Single Sign-On (SSO) capability across their entire enterprise.

Host Integration Server and BizTalk Server both support an extension of Windows Enterprise Security integration called Enterprise Single Sign-On (SSO). Enterprise SSO is provided by a set of processes that run on network servers to provide the following services for heterogeneous systems:
• User account and password mapping and caching
• Single Sign-on to multiple Windows domains and Host security systems
• Password Synchronization to simplify administration

Enterprise SSO offers administrators a means to efficiently map accounts across Windows Active Directory and Host systems or LOB applications. This includes
supporting 1:1 and group:1 associations. These mappings are stored securely in a centralized Credential Database using SQL Server. Based on a secure end-to-end architecture, Host Integration Server and BizTalk Server can call into SSO to obtain foreign credentials and access resources on these Host systems or LOB applications with the appropriate credentials.

Another component of a prudent IdM strategy is password management. SSO provides the base infrastructure that, along with third-party software products, provides a secure password management solution. This includes both Windows Initiated and Host Initiated Password Synchronization. Combined with SSO, Password Synchronization can help enterprise IT move toward Identity Management by furthering the goal of accessing all systems with a single set of credentials.

1.1 Enterprise Authentication Scenarios

There are several types of SSO scenarios. To better understand the specific SSO problem space being addressed by Enterprise SSO, the different types of SSO requirements are divided into three categories:
• Common Windows Authentication
• Internet/Web Authentication
• Heterogeneous Application Authentication

1.1.1 Common Windows Authentication

Common Windows Authentication scenarios allow you to connect to multiple applications within your network that use a common authentication mechanism. Your credentials are requested and verified once when you log on to the domain, and then these credentials are used to determine the actions that you can perform based on your permissions. For example, if your applications are integrated with Kerberos, after your user credentials are authenticated you can access any other resource that is integrated with Kerberos in your network.

Another example is Microsoft SQL Server. When SQL Server is configured to use Windows Integrated Security, an authenticated Windows user does not have to provide additional credentials to access a SQL Server database. This common security can apply to non-Windows applications as well, if they are integrated with a common authentication scheme.

1.1.2 Internet/Web Authentication

In this form of authentication, you are able to access resources through the Internet by using a single set of user credentials to log on to different Web sites that belong to different organizations. An example of this type of Single Sign-on is when multiple Web sites use Microsoft .NET Passport authentication. Any application that is integrated with Passport can use this mechanism.
1.1.3 Heterogeneous Application Integration

Also called Enterprise Application Integration (EAI), this form of authentication enables you to integrate heterogeneous applications and systems within the enterprise environment. These applications and systems may in fact not be using a common authentication mechanism. Each application may have its own user directory store and security system. For example, in a given organization, Windows Active Directory may be used by Windows to authenticate a user while the RACF security system may be used by a mainframe to authenticate the same user for a different application. Within the enterprise, front-end and back-end applications may be integrated by using middleware applications. These applications may not have been designed to make the most of a common authentication mechanism.

In environments such as these, Enterprise Single Sign-on (SSO) provides services to enable Single Sign-on. SSO is enabled for users in the enterprise when front-end applications, Web portals and middleware applications are all integrated with SSO.

This white paper focuses on the Heterogeneous Application Integration scenario. It provides you with an overview of Enterprise SSO and discusses the integration of SSO Services with Microsoft BizTalk Server 2004 and Microsoft Host Integration Server 2004. It also explains how to enable end-to-end Password Synchronization scenarios for SSO. It covers both Windows Initiated SSO and Host Initiated SSO as used with the Transaction Integrator component of Host Integration Server 2004. It also discusses SSO Services when integrated and used with BizTalk Server 2004 and SharePoint Portal Server 2003.
1.2 Enterprise SSO Overview and Concepts

1.2.1 An Integrated Solution with SSO

Enterprise Application Integration is supported in a heterogeneous platform and application environment by the Microsoft Enterprise Single Sign-On (SSO) system. This system consists of components and services together with the external users that set up and use these components and services. Figure 1 gives an overview of this solution.

Figure 1 Integrated solution with Enterprise SSO
1.2.2 Distributed Architecture

SSO is based on a distributed architecture. It consists of services running on one or more computers working with a centralized SQL Server database. All changes and updates are made in the centralized database by the administration components of SSO. All SSO Servers receive these changes from the centralized database. These SSO servers can be distributed as long as they are within trusted domains. For instance, one SSO Server could be located in Tokyo while another one could be located in Chicago. Also, because SQL Server is being used, it is possible to take advantage of the reliability and scalability features of SQL Server, such as failover clustering and database replication.

1.2.3 Affiliate Applications

An Affiliate Application is a logical entity in Enterprise Single Sign-on (SSO). It is defined by the Administrator and represents a system or subsystem such as a Host, back-end system, or line-of-business application to which the user can connect. It is specified in SSO by a set of definitions that an administrator creates. An Affiliate Application can represent a non-Windows system such as a mainframe or AS/400 computer. It can also represent an application such as SAP, or a subdivision of an application such as the SAP Accounts Payable transaction posting program.

1.2.4 Windows Access Accounts (Roles)

These accounts are the individuals in the Windows group that fulfill a certain role having specific responsibilities and privileges. They are represented by the individual user accounts and group accounts in the SSO system. There are four key access accounts in the SSO system. These accounts are listed in hierarchical order, starting with the most powerful administrator role:
• SSO Administrators
• SSO Affiliate Administrators
• Application Administrators
• Application Users

1.2.5 Windows Initiated Single Sign-on

The most commonly used scenario is Windows Initiated Single Sign-On. When the user signs on from the Windows side and then accesses non-Windows resources, this is called Windows Initiated Sign-on. This requires the end user to be an authenticated Windows domain user. The end user initiates the request from the Windows system. In BizTalk Server 2004 and Host Integration Server 2004, Enterprise SSO enables Windows Initiated Single Sign-on.

1.2.6 Host Initiated Single Sign-on

In Host Integration Server 2004, Enterprise SSO has been extended to support Host Initiated SSO in addition to Windows Initiated SSO. This means that the end user
initiates the request from a non-Windows system (for example, a CICS application on a mainframe) which is integrated with Host Integration Server (HIS) components and used to access a Windows resource (for example, a SQL Server database). This Windows resource allows access to Windows authenticated users only, which means the non-Windows user who initiates the request on the non-Windows system needs to access this Windows resource with their corresponding Active Directory account.

Host Initiated SSO is supported only in a native Windows 2003 Active Directory domain environment with Windows 2003 servers. SSO Services make use of the Windows 2003 Protocol Transition feature to make this possible. (For more information on this feature, refer to http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx.)

This Protocol Transition feature allows SSO Services to obtain an impersonation-level Windows user token by providing the domain\userid information from the SSO Credential Database. This token is used by applications integrated with SSO to access Windows resources that the Windows user represented by the token is allowed to access.

Note: To obtain a Windows token using Protocol Transition, the SSO Server must have the "Act as part of the operating system" privilege (SeTcbPrivilege) for its service account. A process holding this privilege can obtain an impersonation-level token for any domain user on that server without knowing the user's password, so it is very important that an SSO server supporting Host Initiated SSO be securely locked down. This includes ensuring that the SSO Service account for this server is not used for any other purpose. Like other SSO Service accounts, this service account must be a member of the SSO Administrators account.

1.2.7 SSO Tickets

SSO Services provide an SSO ticketing mechanism to enable EAI products to deal with the problem of maintaining a user token across multiple computers and processes when working with Enterprise Single Sign-On. This lets the user achieve Single Sign-on in a secure manner using Enterprise Single Sign-on. You should be aware that this ticket is not a Kerberos ticket. It is referred to as an SSO Ticket and is for use only within the SSO system. The mechanism is based on issuing a ticket on one computer (or by a certain process) and redeeming the ticket on a different computer (or a different process). Issuing a ticket means that a component calls into SSO Service to obtain an SSO ticket that represents the Windows user. Redeeming the ticket means that a component provides the ticket to SSO Service to obtain the Host credentials corresponding to the Windows user who initiated the original request.

An SSO ticket is issued only to an authenticated user for making a request on his or her own behalf. In other words, User A can only obtain a ticket for User A. Even an SSO administrator cannot request a ticket for another user. The user making the request to obtain a ticket must be a valid authenticated domain user. This means that if the user is Anonymous or not a valid domain account, then access will be denied when a request to obtain the ticket is made.

The ticket generated by SSO Services primarily contains the user logon identity (domain\userid) and a time stamp indicating when the ticket was issued. This ticket is also encrypted by SSO Services. There is also a ticket timeout value configured at
the SSO system level that determines when the ticket will expire. The ticket can be redeemed by a service account that is a member of the Application Administrators account for an Affiliate Application. Because redeeming a ticket returns the user's Host credentials, membership in that account is equivalent to holding every credential mapped for that application; it should contain only the service accounts that genuinely need to redeem tickets for it.

1.2.8 Password Synchronization

Password Synchronization is used to simplify the management of passwords stored in the Enterprise SSO Credential Database (discussed later). When a user changes their password on a non-Windows system, the password in the Credential Database is updated with that password using Password Synchronization. IT administrators can also set a rule that password changes should always be done from the Windows environment.

To support both approaches, Enterprise SSO supports 1-way and 2-way Password Synchronization. The SSO Credential Database contains user mappings that map Windows userids to non-Windows userids and non-Windows passwords.

Password Synchronization can also keep the non-Windows password in the Credential Database synchronized with the user's Windows password when a user or administrator changes that password. An administrator has three options to configure Password Synchronization:

1) Non-Windows to Windows Full Password Synchronization: This uses the same user password for Windows access and for access to non-Windows systems. When a password change is received from the non-Windows system, the password is changed in the SSO Credential Database and in Active Directory. Because the non-Windows password is pushed into Active Directory, this option only works where the two systems' password policies are compatible: a password the Host accepts (for example the seven-character alphanumeric password described in section 1.0) must also satisfy the Windows domain policy.

2) Non-Windows to Windows Partial Password Synchronization: In this case, a different password exists for the user in the Windows and non-Windows systems, and the password is changed only in the SSO Credential Database.

3) Windows to non-Windows Password Synchronization: In this case, the same password is used for users in the Windows and non-Windows systems. The difference between this and option #1 is that the password change occurs on the Windows side. The change is sent to the non-Windows system and the password is then changed in the SSO Credential Database.

Enterprise SSO also provides Password Synchronization APIs to allow Password Synchronization Adapter vendors to develop Password Synchronization Adapters that can be integrated with SSO Services. These Password Synchronization Adapters can capture user password changes on non-Windows systems and pass them on to SSO for updating in the SSO Credential Database and for optionally updating in Active Directory. Or they can receive password changes from SSO Services and pass them on to a non-Windows system to make the appropriate password change in the user directory on that system. They can also be written to work in both directions.
1.2.9 Secure Configuration Store

Enterprise SSO is extended to act as a Secure Configuration Store as well. The Credential Database and SSO Services can be used to store and access configuration properties securely. This is used by BizTalk Server 2004 to store custom configuration information for BizTalk Server Adapters. Password Synchronization Adapter configuration data is also stored in the centralized Credential Database using this mechanism. The secure configuration store is primarily designed to allow multiple administrators to manage the same configuration data, and it allows multiple service accounts to access the same configuration data during runtime operations in a secure manner. The configuration data is stored encrypted, just like the credentials for Single Sign-on scenarios. This uses the same concept of Affiliate Applications to define the entity for which the configuration data is stored. The Affiliate Application is defined as a "Config Store" type application, and the Application Administrators and Application Users accounts are defined for this application as well. Administrators have read/write access and users (service accounts) have read access to the configuration data that is stored for a "Config Store" type Affiliate Application.

1.2.10 Ease of Installation

Enterprise SSO provides a wizard-driven, flexible installation program that allows the SSO components to be installed with either Host Integration Server or BizTalk Server. We discuss this in greater detail in the Installation and Configuration section of this document.

1.2.11 Flexible Administration Model

The SSO administration model relies on Windows group accounts. The primary objective of SSO Administration is to manage the SSO system, which consists of the Master Secret Server, Credential Database and multiple SSO servers. Credential Database management includes managing the Affiliate Applications and mappings. One or more Administrators can be given access to manage one Affiliate Application alone without having access to any other applications. They can also be given access to manage multiple applications. Each Affiliate Application can have multiple user mappings. For example, a user in Active Directory can be mapped to their corresponding RACF mainframe credentials. Also available are capabilities such as enabling and disabling the entire SSO System, an Affiliate Application, or even an individual user account mapping. SSO Administrators can also delegate administration to other users for certain operations. For example, Affiliate Application creation and management can be assigned to a different group of administrators.

1.2.12 Security

SSO provides a secure set of services to store and pass encrypted user credentials across local and wide area network boundaries. These credentials are always stored encrypted in a protected Credential Database. Because SSO provides a generic solution, middleware applications and custom adapters do not have to invent their own mechanisms to store credentials securely, nor do end users have to remember multiple sets of credentials. Instead, they can use a single account to log on to
Windows and back-end systems. Middleware applications can now also connect to a back-end application with the credentials of the user that initiated the original request. All access to the Credential Database through SSO Services requires the appropriate authority as defined in the SSO system.

Auditing is critical in a secure environment. All operations performed on the Credential Database are audited by SSO Services. This is accomplished by using event logs and by creating audit logs in the Credential Database itself. Administrators can set the positive and negative audit levels that suit their corporate policies.

1.2.13 Extensibility

SSO Services also provide an extensible object model. This object model enables the integration of BizTalk Server Adapters with SSO. It allows BizTalk Server ISVs to integrate their adapters with SSO Services, thereby extending the solution to hundreds of back-end applications. Furthermore, custom applications can be integrated with these SSO Services to achieve more advanced forms of Single Sign-on.
2.0 SSO Components and Services

The Enterprise Single Sign-on (SSO) system consists of a set of components, servers and services that work together to provide Single Sign-on across multiple platforms and applications. These components and services consist of:
• SSO Clients and Administrators
• SSO Servers
• SSO Credential Database
• SSO Master Secret Server
• Domain Controllers

Figure 2 Components and Services

SSO Services are implemented on one or more Windows Server computer systems. The primary components are a Credential Database (CredDB), a Master Secret Server (MSS), and one or more Single Sign-on (SSO) Servers. The administration components can be used by administrators from a remote computer. The client components are for end users to manage their own mappings.
2.1 Master Secret Server

The Master Secret Server contains the secret key that is used for encryption and decryption of credentials in the SSO Credential Database. This is the only server in the SSO system that contains a persisted copy of the key. This secret key can be regenerated by the SSO Administrator using the ssoconfig.exe command line utility. When a new key is generated, the Master Secret Server will perform a rolling decryption with the old key and re-encryption with the new key for all the encrypted data in the Credential Database.

Note: You cannot generate a second secret until this re-encryption process is completed. The time it takes to complete this operation depends on the number of credentials stored in the Credential Database.

In an Enterprise SSO system there can be only one Credential Database (in SQL Server) and one Master Secret Server.

Important: It is strongly recommended that the computer holding the key for encrypting and decrypting the credentials (the Master Secret Server) be a different computer from the one that holds the encrypted data (the SQL Server with the Credential Database). With the key and the ciphertext on separate hosts, theft of a database backup or of the database host's disks alone does not expose the stored credentials.
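The following is an added example, not code from this white paper or from the Enterprise SSO product. It models in Python the behaviour described in sections 1.2.7 (SSO tickets: issued only to the authenticated caller for that caller alone, carrying domain\userid and an issue time stamp, encrypted, expiring after the system-level timeout, and redeemable only by a member of the affiliate application's Application Administrators account) and 2.1 (the master secret as the only persisted key, and a rolling decrypt-with-old, re-encrypt-with-new pass over every stored credential when it is regenerated). The class names, the HMAC-SHA256 based cipher, the "RACF" affiliate application and the CORP\ accounts used in the usage notes are assumptions for illustration; the real product uses its own cipher, keeps the rows in SQL Server and exposes these operations through its services and ssoconfig.exe rather than through Python objects.

```python
"""Model of Enterprise SSO tickets, credential mappings and master-secret rotation.
Added illustration; not the white paper's or the product's code. The cipher and the
class layout are assumptions made so the example runs with the standard library only."""
import hashlib
import hmac
import json
import secrets
import time

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 over (nonce, counter): a dependency-free stand-in
    for the product's cipher, assumed here for illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong secret or a tampered blob is an error."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("integrity check failed (wrong secret or tampered data)")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class CredentialDB:
    """Holds affiliate application definitions and ciphertext only (section 2.2)."""

    def __init__(self, ticket_timeout_s: int = 300):
        self.apps = {}   # app name -> {"admins": set of accounts, "users": set of accounts}
        self.rows = {}   # (app name, "DOMAIN\\user") -> sealed [host user, host password]
        self.ticket_timeout_s = ticket_timeout_s   # the system-level ticket timeout


class MasterSecretServer:
    """The only component that persists the secret (section 2.1)."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)
        self._rotating = False

    def regenerate(self, db: CredentialDB) -> None:
        """Rolling re-encryption: decrypt each row with the old key, re-encrypt with the new."""
        if self._rotating:
            raise RuntimeError("previous re-encryption has not completed")
        self._rotating = True
        old, new = self.secret, secrets.token_bytes(32)
        for key in list(db.rows):
            db.rows[key] = seal(new, unseal(old, db.rows[key]))
        self.secret = new
        self._rotating = False


class SSOServer:
    """Runtime server: obtains the secret once and keeps it only in memory (section 2.3)."""

    def __init__(self, mss: MasterSecretServer, db: CredentialDB):
        self.secret = mss.secret   # stands in for the encrypted RPC fetch from the MSS
        self.db = db

    def create_mapping(self, admin, app, domain_user, host_user, host_password):
        if admin not in self.db.apps[app]["admins"]:
            raise PermissionError("only Application Administrators manage mappings")
        record = json.dumps([host_user, host_password]).encode()
        self.db.rows[(app, domain_user)] = seal(self.secret, record)

    def issue_ticket(self, caller, now=None):
        """Issued only to an authenticated domain user, and only for that user (1.2.7)."""
        if not caller or "\\" not in caller:
            raise PermissionError("anonymous or non-domain caller")
        payload = {"user": caller, "issued": time.time() if now is None else now}
        return seal(self.secret, json.dumps(payload).encode())

    def redeem_ticket(self, service_account, app, ticket, now=None):
        """Returns the host credentials mapped to the ticket's user for this affiliate app."""
        if service_account not in self.db.apps[app]["admins"]:
            raise PermissionError("redeem requires Application Administrators membership")
        payload = json.loads(unseal(self.secret, ticket))
        now = time.time() if now is None else now
        if now - payload["issued"] > self.db.ticket_timeout_s:
            raise PermissionError("ticket expired")
        row = self.db.rows[(app, payload["user"])]
        host_user, host_password = json.loads(unseal(self.secret, row))
        return host_user, host_password
```

Usage: create a CredentialDB, register an affiliate application such as "RACF" with its Application Administrators set, have an SSOServer create a mapping for CORP\alice, issue a ticket as CORP\alice and redeem it as the service account. The checks worth exercising are the ones the text calls out: an anonymous or non-domain caller cannot obtain a ticket, a non-administrator cannot redeem one, a ticket past the timeout or with a flipped byte is refused, and after MasterSecretServer.regenerate a server still holding the old secret can no longer read the re-encrypted rows, which is why the real product re-fetches the secret and why the Note above forbids a second regeneration before the first completes.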
2.2 Credential Database

All SSO Servers communicate with the centralized SSO Credential Database (CredDB) and the centralized Master Secret Server (MSS). This is where global information such as the SSO Administrators account, affiliate applications, and mappings is stored. Both the CredDB and the MSS can be clustered using MSCS Active/Passive clustering. (See the Clustering sections of this document.)

Important: It is strongly recommended that you back up the Credential Database on a regular basis. Follow the SQL Server guidelines for backup and restore of databases. If you lose the data in the Credential Database and do not have a backup, all the configuration must be redone. Because the database holds only ciphertext, a restored Credential Database is usable only together with the master secret under which it was encrypted, so the master secret must be backed up and stored separately as well.

2.3 SSO Servers

These servers can:
• Act as a Runtime Server for Windows Initiated SSO scenarios.
• Act as a Password Synchronization Server to receive password changes from Windows Domain Controllers.
• Act as a Password Synchronization Server to receive password changes from third-party adapters.
• Act as a Runtime Server for Host Initiated SSO scenarios.
• Act as an Administration Server that can be used by remote administration components.

In Figure 2 (preceding), three SSO Servers contact the Master Secret Server using encrypted RPC to obtain the secret. This secret is then stored encrypted in memory
within each SSO Server. The SSO Server continues to poll the database every 30 seconds to obtain global information and other data. Most SSO configuration is done at the database level through one of the SSO servers. This enables all SSO servers in a distributed environment to access the same centralized data.

Failure Conditions

After the SSO Server has obtained a copy of the secret, all runtime operations will continue to work even if the Master Secret Server is not reachable. In the event of such a failure, however, any administrative operation that involves encrypting data will fail. When the Master Secret Server is reachable again, all operations will continue to work without any administrative intervention.

Note: If the Master Secret Server goes down and an SSO Server is then restarted, that SSO Server will not be able to perform any runtime operations because it no longer has the secret in memory. It is recommended to cluster the Master Secret Server using MSCS Active/Passive Clustering.

If the connection to the SSO Credential Database is lost, then all SSO Servers will go offline temporarily. This means that any consumer of SSO Services will receive Access Denied messages. When the SSO Credential Database is up and running again, all the SSO Servers will come back online and operations will continue to work without any administrative intervention.

Important: Because of the possibility of failure conditions occurring, it is strongly recommended that you cluster the SSO Credential Database using MSCS Active/Passive clustering.

For more information on clustering:
SQL Clustering: http://support.microsoft.com/?kbid=84212
MSDTC Clustering: http://support.microsoft.com/default.aspx?kbid=243204

Refer to the clustering section in this document for clustering the Master Secret Server.

2.4 Domain Controller Components

Domain Controllers receive password change requests directly from Windows users. In Host Integration Server 2004, Enterprise SSO includes components that reside on Domain Controllers to intercept these change requests so that SSO can synchronize passwords between Windows and non-Windows systems.

The Password Synchronization component that is installed on the Domain Controllers is called Password Change Notification Service (PCNS). This is part of the PCNS install package and is located on the Host Integration Server CD at <CDROOT>\Platform\PCNS. This package contains a command line utility (pcnscfg.exe) that is used for configuring the PCNS component.

2.5 Administration Components

Administration components of SSO can be used to configure and manage the SSO Credential Database. There are command line utilities provided to allow this
15
7/21/2019 Enterprise SSO Whitepaper
http://slidepdf.com/reader/full/enterprise-sso-whitepaper 16/91
Single Sign-on Services for Microsoft Enterprise .pplication Integration Sol%tions
ad#inistration' ,e#ote ad#inistration is also s%pported for #ost ad#inistrativeoperations' In the release with BizTalk Server 2004( Enterprise Single Sign-on has
two co##and-line %tilities availa$le for the ad#inistrator( ssoconfig'e7e( andsso#anage'e7e'
Ssoconfig'e7e is %sed for server level config%ration( incl%ding the #anage#ent of the
Master Secret Server'
Sso#anage'e7e is %sed for ad#inistration of the centralized infor#ation stored in the&red"BNthis incl%des glo$al settings for the SSO s)ste#( .ffiliate .pplications( and
#appings' In ost Integration Server 2004( Enterprise SSO incl%des anotherad#inistration %tilit) 5ssops'e7e6 %sed for +assword S)nchronization ad#inistration'
.n o$8ect #odel is also availa$le that allows ad#inistrators to develop scripts to
perfor# ad#inistrative operations'
2'@ &lient &o#ponentsSSO also provides a co##and line %tilit)( ssoclient'e7e( to allow end %sers to
#anage their own %ser #appings in the SSO &redential "ata$ase'
.n o$8ect #odel is also availa$le here as well' It can also $e %sed to $%ild c%sto#%ser interfaces to #anage these credentials thro%gh scripts and;or progra#s'
3.0 SSO Roles and Accounts
To configure and manage the SSO system there are four types of roles with specific levels of privilege. These roles are implemented through the assignment of users to group accounts or, in limited cases, to individual user accounts. This section describes each of those accounts and contains recommendations for configuring them.

These roles are:
• SSO Administrator
• SSO Affiliate Administrator
• Application Administrator
• Application User

3.1 SSO Administrator Account
Single Sign-on Administrators have the most privileges in the SSO system. They can:
• Create and manage the Credential Database.
• Create and manage the Master Secret on the Master Secret Server.
• Enable and disable the SSO System.
• Create and manage Password Synchronization Adapters.
• Enable and disable Password Synchronization in the SSO System.
• Enable and disable Host Initiated SSO.
• Configure audit levels.
• Perform all the administration tasks that the Single Sign-on Affiliate Administrators, Single Sign-on Application Administrators, and Single Sign-on Application Users can perform.

It is highly recommended that SSO Administrators be assigned as members of a domain group (especially in a distributed environment). If you use an individual account, you will not be able to change this account to assign it to another individual account. Therefore, we do not recommend using an individual account. You can change the SSO Administrator account to a group account as long as the original account is a member of the new group. We do not recommend that you specify an individual domain account as the SSO Administrator because you cannot change this account from one individual account to another individual account later on.

Important: The service account running the Enterprise Single Sign-on service must be a member of this group. To secure your deployment, you must ensure that no other services (or applications) in your enterprise are using this SSO Service account.

Important: It is strongly recommended that you use domain groups when configuring SSO.

Note: Built-in accounts are not allowed.
3.2 SSO Affiliate Administrator Accounts
These administrators define the Affiliate Applications that the SSO system contains. Affiliate Applications are logical entities that represent a system or subsystem such as a Host, back-end system, or line-of-business application to which you are connecting using Single Sign-on. They can:
• Create and manage Affiliate Applications.
• Specify the Application Administrator and Application User accounts for each Affiliate Application.
• Perform all the administration tasks that the Application Administrators and Application Users can perform.

Note: In BizTalk Server Configuration Store scenarios, "Config Store" type Affiliate Applications are created in the SSO Credential Database. In such a case, when a BizTalk Server adapter is created, Affiliate Applications that represent Receive Handlers, Send Handlers, Send Ports, and Receive Locations are created for each adapter in the SSO Credential Database. This is because BizTalk Server uses SSO to store the BizTalk Server Adapters' custom configuration information. Because of this, when a BizTalk Server Adapter is being created, the BizTalk Server Administrator performing this operation must belong to the SSO Affiliate Administrators account.

3.3 Application Administrator Accounts
There is one Application Administrators group per Affiliate Application. They can:
• Change the Single Sign-on Application Users group account.
• Create, delete, and manage credential mappings for all users of the specific Affiliate Application.
• Set credentials for any user in that specific Affiliate Application Users group account.
• Perform all the administration tasks that the Application Users can perform.

3.4 Application User Accounts
There is one Single Sign-on Application User account for each Affiliate Application. These users can:
• Look up their credentials in the Affiliate Application.
• Manage their credential mappings in the Affiliate Application.
3.5 SSO Account and Usage Scenarios
The following table compares the rights associated with each of the four SSO account groups by usage scenario. Each entry gives the SSO group account, its rights in Single Sign-On and Password Synchronization scenarios, and its rights in Configuration Store scenarios.

SSO Administrators
  Single Sign-On and Password Synchronization scenarios: Manage the SSO system. Create and configure the SSO credential database. Enable/disable Windows Initiated SSO, Host Initiated SSO, or Password Synchronization in the SSO system. Configure and manage Password Synchronization Adapters. Configure and manage SSO tickets. Manage all operations related to the Master Secret Server. Note: All SSO Services need to run under the SSO Administrator account.
  Configuration Store scenarios: SSO system level administrator operations.

SSO Affiliate Administrators
  Single Sign-On and Password Synchronization scenarios: Create Affiliate Applications. Specify the Application Administrator account and Application User account for the Affiliate Application.
  Configuration Store scenarios: Creates Affiliate Applications for adapters. The BizTalk Server Administrator performing this operation needs to be a member of the SSO Affiliate Administrator account. The administrator also specifies the Application Administrator account and Application User account for the Affiliate Application. Note: When a BizTalk Adapter is created, Affiliate Applications are also created. Similarly, to create a Password Synchronization Adapter a Configuration Store type Affiliate Application is created.

Application Administrators
  Single Sign-On and Password Synchronization scenarios: Manage the specific Affiliate Application. Create, delete, and manage mappings. Set credentials. The credentials are stored encrypted. Users in this group can redeem the ticket for an Affiliate Application.
  Configuration Store scenarios: Can add configuration data for an Affiliate Application as a mapping. This account specifies BizTalk Server Administrators by default. Can read and write configuration data. When you create a Send Port or Receive Location, you also create a corresponding mapping in the database to represent this data. This configuration data is stored encrypted.

Application Users
  Single Sign-On and Password Synchronization scenarios: Members of this account are end users that can access the back-end application with the appropriate back-end accounts. You create SSO credential mappings for members of this group for a specific Affiliate Application.
  Configuration Store scenarios: Can read configuration data. By default, you specify the Host Application User account as the Application User account for a specific handler (Affiliate Application). The BizTalk Server Runtime Service account needs to be a member of the appropriate Application User account to retrieve this configuration data.
3.6 Working in a Non-Active Directory Environment
SSO is designed to work in conjunction with Windows Active Directory. In an environment where you do not have Active Directory installed, only the BizTalk Adapter Configuration Store scenarios are supported. In this case, you are working with local accounts. This is only supported in a single box scenario. Single Sign-On scenarios are not supported; for example, a local account cannot be mapped to a non-Windows account. Single Sign-On is used to extend the reach of Active Directory accounts to non-AD accounts.
3.7 Working with Local Groups
When working with local groups that include domain accounts and individual accounts there are the following considerations. Local group accounts are supported and need to exist on SQL Server and the individual SSO Server computers. It is strongly recommended that you use domain group accounts. In a test or development environment, however, it could be difficult to create domain groups. In this case, you can use local groups for SSO Administrators, SSO Affiliate Administrators, Application Administrators, and Application Users. This should not be used for production, however.

The SSO Administrators account, SSO Affiliate Administrators accounts, and Application Administrator accounts can be individual accounts as well. This is supported only in a demo/evaluation scenario because it is not secure and does not work well in a distributed environment. Domain groups are recommended for all accounts in SSO.

Note: The Application Users account in SSO does not support individual accounts.
4.0 Implementation Scenarios
Because there are so many different situations in which SSO can be used, this section of the paper contains a set of scenarios describing the use of SSO with combinations of other Microsoft products.

Host Integration Server, BizTalk Server, and BizTalk Server Adapters together provide an EAI solution to integrate front-end Web portals with back-end applications and systems.

Host Integration Server (HIS) seamlessly integrates Windows applications with IBM mainframe and midrange (AS/400) systems and applications. HIS components integrate with SSO Services to provide end users with a Single Sign-on experience when accessing non-Windows applications on mainframes and AS/400 systems. Similarly, BizTalk Server back-end Adapters such as the SAP, PeopleSoft, Siebel and other Adapters are integrated with these SSO Services to provide end users with an SSO experience. Front-end BizTalk Adapters such as the HTTP and SOAP (Web Services) Adapters integrate with SSO to make this possible. Single Sign-on through SSO is further available for end users accessing Web Parts in SharePoint Portal Server for scenarios where it is integrated with BizTalk Server 2004 through the Web Services Adapter. This allows Portal users to access non-Windows applications without being prompted to provide non-Windows credentials. This provides an end-to-end EAI solution to the end user with Single Sign-on. After the end user is authenticated in the Windows domain, he or she does not have to provide further credentials to access disparate back-end applications.

The following sections assume that you have an understanding of BizTalk Server, Host Integration Server, BizTalk Server Adapters, and SharePoint Portal Server. Some of the concepts and terminology used are applicable only to those products. To learn more about these products, refer to the appropriate product documentation.

4.1 BizTalk Server Configuration Store Scenario
This specific scenario is not about achieving Single Sign-on for end users, but about using SSO Services and the Credential Database to securely store and retrieve BizTalk configuration data.

SSO is tightly integrated with BizTalk Server. Enterprise Single Sign-on can be used to store configuration information that must be treated in a secure manner while making it readily available in a distributed system. For example, BizTalk Server 2004 uses Enterprise Single Sign-on Services to securely store custom configuration information about BizTalk Server Adapters.

In Configuration Store scenarios for BizTalk Server, the "Config Store" type Affiliate Application is associated with an adapter's Receive Handler or Send Handler. For every adapter that is created, there are four "Config Store" type Affiliate Applications created in the SSO Credential Database: one for the Send Handler, one for the Receive Handler, one to represent the Send Ports and another to represent the Receive Locations.
Note: Because creating a BizTalk Server Adapter corresponds to creating an Affiliate Application, the BizTalk Administrator that is performing this operation must be a member of the SSO Affiliate Administrators group account.

When these applications are created, the corresponding BizTalk Host Users group is specified as the Application Users group account for the Affiliate Application. Users that belong to this group will have read-only privileges to the configuration data for that specific handler corresponding to the Affiliate Application. The BizTalk Server Administrators group account is specified as the Application Administrators group account for that Affiliate Application. Administrators have read/write privileges for the configuration data.

When a Send Port or Receive Location is created in BizTalk Server, a corresponding mapping is created in the SSO Credential Database to store that configuration information. For example, if a Send Port is created for an HTTP Adapter, then a mapping is created under the Affiliate Application that corresponds to the HTTP Send Port.

4.2 BizTalk Server End-to-End Scenarios for Windows Initiated SSO
Front-end BizTalk Adapters such as HTTP Receive Adapters and Web Services (SOAP) Receive Adapters are integrated with the Issue Ticket function of SSO. When a request is made by the end user, the HTTP and SOAP components impersonate the end user and call SSO to obtain a ticket. A ticket is issued only for the caller by SSO and this ticket is encrypted. The caller must be an authenticated Windows domain account. The ticket contains the domain and userid of the user and a timeout value. The ticket timeout is configured at the global SSO system level. These front-end adapters also set the OriginatorSID property in the BizTalk message context to the identity of the end user who made the request. They also set the SSOTicket property with the encrypted ticket.

Important: Windows Integrated authentication needs to be set up for an IIS virtual directory because a ticket is issued only for an authenticated Windows user.

Note: At this stage the BizTalk Server adapter does not know which back-end the message is destined for. Because of this, there is no association of the adapter with an Affiliate Application. Also, SSO does not contact the centralized SSO Credential Database to issue a ticket. A ticket is issued for any caller as long as it is a valid Windows domain account.

If you have Orchestration Services in your end-to-end scenario, it is important that you copy the OriginatorSID and SSOTicket context properties when creating a new message. This way these properties are maintained in the message.

Note: Only a trusted BizTalk Server Host Instance can perform this operation, because the OriginatorSID can be set to any value only when a trusted Host is submitting the message to the Message Box of BizTalk Server. If an untrusted Host tries to perform this operation, the Message Box security will override the OriginatorSID property with the service account of the untrusted Host that is submitting the message.
The Web Services Send Adapter, HTTP Send Adapter, SAP Send Adapter, or any other send-side adapters that are integrated with SSO call into SSO to redeem the ticket and obtain the appropriate back-end credentials. The only configuration that the BizTalk Administrator needs to do here with respect to the Send Port is to specify the Affiliate Application name. The adapter calls SSO to redeem the ticket and passes the Affiliate Application name that is configured and the message that contains the ticket itself. First, the SSO Service validates the caller, and then the ticket is validated by checking whether the OriginatorSID and the SSOTicket match. If this succeeds then the SSO Service will redeem the ticket and return the non-Windows credentials to the adapter. The adapter can then use these credentials when accessing the back-end system to get authenticated.

Note: The service account of the adapter redeeming the ticket, which is typically the BizTalk Server Host service account, must belong to the Application Administrators group account for the Affiliate Application it is configured to redeem the ticket for. If there are multiple adapters hosted within the same BizTalk Host service account and they are configured for different Affiliate Applications, then the service account should be added to the Application Administrators group account for all those Affiliate Applications. Figure 3 shows this scenario.

Figure 3: BizTalk Server end-to-end with Enterprise SSO

4.3 SharePoint Portal Server Integrated with BizTalk Server and Enterprise SSO
SharePoint Portal Server (SPS) also works with SSO to provide Single Sign-on (SSO) services to users, and there are also scenarios where it can be used with BizTalk Server (BTS). This section serves to clarify how to use SSO when working with SPS 2003 and BTS 2004.

This scenario is conceptually very similar to the BizTalk scenario discussed previously, although the underlying code is somewhat different. They both share a very similar ticketing and secure credential store implementation.

BizTalk Server 2004 supports SPS/SSO using the SOAP Receive Adapter. There are three basic SPS/SSO to BTS/SSO integration options:

1. Use only Enterprise SSO Services in BizTalk Server
• Manage one Credential Database.
• SPS Web Parts and SOAP Receive Adapters are on the same computer.

2. Use only Enterprise SSO Services in BizTalk Server when the SOAP Receive Adapter and SPS are on different computers
• Manage one Credential Database.
• SPS Web Parts and SOAP Receive Adapter are on different computers.
• Configure Constrained Delegation in a Windows 2003 domain environment.

3. Use Enterprise SSO from BizTalk and SPS/SSO Services
• Manage two Credential Databases (one for SharePoint Portal Server and one for BizTalk Server).
• SPS Web Parts and SOAP Receive Adapter can be on the same or different computers.

In the first two scenarios mentioned previously, the key is that when the Web Services Adapter receives the request from the Web Part it must receive an impersonation level token for the end user. The Web Part then uses this token to obtain an SSO ticket from the SSO Service.

Discussed next are further details on these deployment options available for achieving Single Sign-on when using SPS and BTS in your enterprise with Enterprise Single Sign-On.

Use only Enterprise SSO Services in BizTalk Server when the BizTalk Web Services (SOAP) Adapter and Web Parts are on the same computer or different computers

In this scenario, SPS Web Parts would depend on an Enterprise SSO implementation. The Web Part would send a SOAP request to a local BizTalk Web Service Adapter. To enable SSO on the Web Service Adapter you must check the Enable SSO check box on the Receive Location properties for the SOAP Adapter during configuration. The Web Services Adapter would then request a ticket based on the original authenticated user, placing it in the SSOTicket context property of the message. To obtain a ticket the Web Services Adapter impersonates the caller before calling SSO Services to get a ticket issued for the end user. The Web Services Adapter also sets the OriginatorSID context property to the original authenticated user.
In order for this scenario to work you must either install the Web Service Adapter and BizTalk Runtime on the same server as the SPS Web Part or enable delegation. BizTalk Adapters cannot be installed on a computer without the BizTalk Runtime. Because the SOAP Adapter is an out-of-process adapter running in the context of an IIS process, you do not need BizTalk Orchestration running on the SPS computer. You just need the BizTalk Runtime components installed to enable the routing of messages to the Message Box.

Delegation, on the other hand, does not require the installation of the BizTalk Runtime or SOAP Adapter on the SPS Server. It will pass the original authenticated user's credentials to the Web Service. When the Web Part calls the Web Service Adapter, the Web Service Adapter will receive an impersonation level token for the Windows user that originated the request on the SPS server. The Web Service Adapter then impersonates the end user and calls the BTS/SSO Service to issue the ticket for the originally authenticated user. To issue a ticket the SSO Service only checks if the user is an authenticated Windows user. A ticket is issued for only the caller. If the user is not a domain account, a ticket is not issued.

When a Send Adapter configured to use SSO receives a request, it will call the ValidateAndRedeemTicket SSO API method to redeem the ticket and obtain the user's external credentials from the BTS/SSO Credential Database. Credentials are retrieved from the SSO Credential Database if the validation succeeds. Validation is done by comparing the OriginatorSID and the user's SID in the encrypted SSO ticket. This validation is to ensure that only a trusted subsystem (such as trusted BizTalk hosts) can be used for these end-to-end SSO scenarios. In this scenario, you need to manage only the BTS/SSO Service and SSO Credential Database. A diagram of this scenario using delegation is shown in Figure 4. A diagram of this scenario with the BizTalk Runtime installed on the SPS server is shown in Figure 5.
Figure: SPS Integration with BTS and Enterprise SSO Runtime on the same box
Figure 4: SPS Integration without the BTS Runtime on the SPS computer

BizTalk Orchestration and SSO
In orchestration, two Context Properties need to be copied over when creating a new message that would be consumed by the Send Adapter. These two properties are the SSOTicket and the OriginatorSID. BizTalk Orchestration also needs to run within a Trusted Host in BizTalk Server. Only Trusted Hosts have permission to submit a message to the Message Box with any OriginatorSID.
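The ticket flow described for the BizTalk end-to-end scenario in section 4.2 and for the SPS scenario above can be modelled end to end: a ticket is issued for the calling domain account only, the OriginatorSID and SSOTicket travel in the message context, the Message Box rewrites the OriginatorSID of a message submitted by an untrusted host, and the send-side ValidateAndRedeemTicket step checks the caller's group, the ticket's integrity and timeout, and the SID match before releasing a mapping. The Python below is an added illustration written for this page; it is not BizTalk Server or Enterprise SSO code. The Affiliate Application, the SIDs and the master secret are constructed, and an HMAC seal stands in for the real ticket encryption so that the checks can be exercised offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the master secret that the Master Secret Server
# holds. The real service encrypts tickets; here an HMAC tag seals the ticket
# contents so that a forged or edited ticket cannot pass validation.
MASTER_SECRET = b"constructed-demo-secret-not-a-real-one"
TICKET_TIMEOUT_SECONDS = 120   # global SSO-level setting; value constructed

# Constructed Affiliate Application: the group that may redeem tickets for it
# and its Windows SID -> back-end credential mappings (SIDs are constructed).
AFFILIATE_APPS = {
    "SAP_Finance": {
        "app_admins": {"S-1-5-21-EXAMPLE-HOSTSVC"},   # BizTalk host service account
        "mappings": {"S-1-5-21-EXAMPLE-ALICE": ("SAPALICE", "alice-sap-pw")},
    },
}


def issue_ticket(caller_sid, is_domain_account, now=None):
    """Issue Ticket: no Credential Database lookup, only a domain-account check."""
    if not is_domain_account:
        raise PermissionError("tickets are issued only to authenticated domain accounts")
    issued = time.time() if now is None else now
    body = json.dumps({"sid": caller_sid, "issued": issued,
                       "timeout": TICKET_TIMEOUT_SECONDS}).encode()
    tag = hmac.new(MASTER_SECRET, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def _open_ticket(ticket, now):
    """Check the seal and the timeout, then return the ticket fields."""
    raw = base64.b64decode(ticket)
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(MASTER_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("ticket failed its integrity check")
    fields = json.loads(body)
    if now > fields["issued"] + fields["timeout"]:
        raise PermissionError("ticket has expired")
    return fields


def submit_to_messagebox(message, host_trusted, host_service_sid):
    """Message Box rule from the page: an untrusted host cannot keep an arbitrary OriginatorSID."""
    msg = dict(message)
    if not host_trusted:
        msg["OriginatorSID"] = host_service_sid
    return msg


def validate_and_redeem_ticket(affiliate_app, message, caller_sid, now=None):
    """Model of ValidateAndRedeemTicket as called by a send-side adapter."""
    now = time.time() if now is None else now
    app = AFFILIATE_APPS[affiliate_app]
    # 1. the redeeming service account must be an Application Administrator
    if caller_sid not in app["app_admins"]:
        raise PermissionError("caller is not an Application Administrator for " + affiliate_app)
    # 2. the ticket must be intact and not timed out
    fields = _open_ticket(message["SSOTicket"], now)
    # 3. the user sealed in the ticket must match the message's OriginatorSID
    if fields["sid"] != message["OriginatorSID"]:
        raise PermissionError("OriginatorSID does not match the user in the ticket")
    # 4. only then is the back-end mapping released
    creds = app["mappings"].get(fields["sid"])
    if creds is None:
        raise PermissionError("no credential mapping for this user")
    return creds


def outcome(fn, *args, **kwargs):
    """Run one call and report ('ok', result) or ('denied', reason)."""
    try:
        return ("ok", fn(*args, **kwargs))
    except PermissionError as err:
        return ("denied", str(err))


if __name__ == "__main__":
    alice, hostsvc = "S-1-5-21-EXAMPLE-ALICE", "S-1-5-21-EXAMPLE-HOSTSVC"
    msg = {"OriginatorSID": alice, "SSOTicket": issue_ticket(alice, True)}
    print(outcome(validate_and_redeem_ticket, "SAP_Finance",
                  submit_to_messagebox(msg, True, hostsvc), hostsvc))
    print(outcome(validate_and_redeem_ticket, "SAP_Finance",
                  submit_to_messagebox(msg, False, hostsvc), hostsvc))
```

The second call in the demo is the untrusted-host case: the Message Box replaces the OriginatorSID with the host service account, so the SID sealed in the ticket no longer matches and the redeem is refused even though the ticket itself is valid. Adding the redeeming service account to the Application Administrators group of the Affiliate Application (step 1) is the configuration the note above requires.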
4.4 Host Integration Server Windows Initiated SSO for Emulators
The SNA Server component of Host Integration Server is the gateway that is used for integration with back-end systems using SNA protocols. This is a core feature of Host Integration Server. It has server-side and client-side components. These client applications and emulators are provided by Microsoft and by third parties. This is represented in Figure 6.
Figure 5: Windows Initiated SSO for 3270 or 5250 Terminal Emulators

Detailed end-to-end process
Step 1. When an end user establishes a session with the server, the user connects to the Server using their Windows logon access token. They are then authenticated by the Windows integrated security mechanism using their logged on Windows credentials.
Step 2. DMOD Server calls SNASII as soon as a new session request is made.
Step 2a. SNASII caches the Windows logon access token. The token is kept in the cache until the user disconnects the session.
Step 3. If SSO is configured to be used by the Node, then the Node calls SNASII to get the back-end credentials. The Node passes the name of the Affiliate Application along with the Windows domain name and userid to do this.
Step 4. SNASII uses the access token that corresponds to the Windows userid specified and impersonates the Windows user to call Get Credentials (ISSOLookup1.GetCredentials) as that Windows user. This returns the Host userid and password from the SSO Credential Database. SNASII calls are then made to the NETSSO service of SNA Server. This means that all lookups are local to that computer. The SSO Service gets the Host credentials from the database encrypted. It then decrypts the password and returns it to the caller (in this case, to SNASII). The Node receives these credentials from SNASII and uses them to log on to the back-end system. The back-end system then uses the Host credentials to authenticate the user.
Note: The session between the client and server could be left active for a few minutes, a few hours, or a few days. The user could be performing multiple operations on a back-end system after the session has been established. Only when the session is initially established and the user logs on to the server are they authenticated and their information cached. For subsequent operations on the back-end system, the user does not have to log on to the server again. However, for each request made by the user on the back-end system the user might have to provide their Host credentials to be authenticated again.

When the user disconnects his or her session, the user is no longer logged on to the server. To establish a new connection to the server the user has to log on to the server again. In other words, the user has to provide their Windows logon credentials to be authenticated by the server. When the session is disconnected, the access token is also cleared from the cache.

Sample logon script for 3270 Terminal Emulator

SETTIMEOUT 30,EXIT
WAITSESSION SSCP
(Wait for banner. Wait <delay> can be replaced with WaitString "<string>".)
WAIT 3
SEND lE
WAITSESSION LU
(Wait for screen after BIND. Wait <delay> can be replaced with WaitString "<string>".)
WAIT 3
SEND MSSNAMEU
SEND MSSNAMEP
EXIT:

5250 Terminal Emulator
In the case of the 5250 Terminal Emulator, pass MSSNAME and MSSNAME as the userid and password. These are the strings in the data stream that are replaced by HIS with the appropriate Host credentials retrieved from SSO that correspond to the Windows domain user using SSO.

4.5 Transaction Integrator using Windows Initiated SSO
This scenario describes how SSO works when used with Host Integration Server (HIS) Transaction Integrator (TI) for Windows Initiated Transactions. Transaction Integrator is used for integration with CICS and IMS applications on IBM mainframes, and RPG applications on OS/400. Described here is an end-to-end process when TI is used with Enterprise SSO. This is shown in Figure 7.
Figure 6: TI with Enterprise SSO

Detailed end-to-end process
In this scenario, Transaction Integrator calls directly into the NETSSO service to perform lookups and obtain the Host credentials.

Step 1. The TI Client makes a request to the server component. This uses Windows integrated authentication and the identity of the user logged on to the Windows domain. The server then authenticates the client.

Important: When using a Web service, ensure that the Web service on the server has impersonation enabled. This will allow the Web service to impersonate the end user while making the request to TI, which in turn makes the request to SSO.

Important: Use Windows Integrated Security only for the server component. This setting is for the virtual directory on the Web server, or for COM-based or .Net-based server applications. Do not enable Anonymous access.

Step 2. TI calls the NETSSO service to get the Windows user's Host credentials (ISSOLookup1.GetCredentials). TI specifies the name of the Affiliate Application as an input parameter.
Step 3. The NETSSO service gets the credentials from the Credential Database for the Windows user and returns these credentials to the caller (in this case TI Server).
Step 4. If SNA protocols are being used, TI will use the HIS node as a gateway to access the back-end system. If the TCP/IP protocol is being used, then TI will directly connect to the back-end system. The Host credentials retrieved from SSO are supplied as part of this connection.
Sa)ple %eb(config for Transaction Integrator (#et application
Lconfig%ration Ls)ste#'we$
Lientit" i)personate67true7 ;
Lauthentication )oe67$ino%s7 ;
Ltr%st levelKR%llR origin3rlKRR ; L;s)ste#'we$
Ls)ste#'r%nti#e're#oting LchannelSink+roviders
Lserver+roviders Lprovider idKRinterceptorR
t)peKRMicrosoft'ostIntegration'TI',e#otingInterceptor'InterceptorServer&hannelSink+rovider( Microsoft'ostIntegration'TI',e#otingInterceptorR ;
L;server+roviders L;channelSink+roviders
Lapplication Lservice
Lwellknownt)peKRT&+UinkT,MUET'&edarBank(&I&SUinkT,MU&edarBankUETR
o$8ect3riKR&I&SUinkT,MU&edarBankUET're#R #odeKRSingle&allR ; Lwellknown t)peKR&I&SUI/UET'&edarBank(&I&SUinkU&edarBankUETR
o$8ect3riKR&I&SUinkU&edarBankUET're#R #odeKRSingle&allR ; L;service
Lchannels Lchannel refKRhttpR
Lserver+roviders Lprovider refKRwsdlR ;
Lfor#atter refKRsoapR t)peilterevelKR%llR ; Lfor#atter refKR$inar)R t)peilterevelKR%llR ;
Lprovider refKRinterceptorR ;
L;server+roviders L;channel
L;channels L;application
L;s)ste#'r%nti#e're#oting
L;config%ration
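A quick way to verify the two "Important" requirements above before deploying a TI .Net application is to lint the system.web section of web.config for impersonation, Windows authentication and the absence of an anonymous allow rule. The checker below is an added Python example, not part of Host Integration Server; the two configuration fragments are constructed (the first mirrors the page's sample, the second is deliberately misconfigured to show what gets reported). It only sees the ASP.NET side: IIS-level Anonymous access is an IIS setting that does not appear in web.config and has to be checked separately.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments. GOOD_WEB_CONFIG follows the page's sample;
# BAD_WEB_CONFIG is a deliberately weakened variant for the checker to flag.
GOOD_WEB_CONFIG = """<configuration>
  <system.web>
    <identity impersonate="true" />
    <authentication mode="Windows" />
    <trust level="Full" originUrl="" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>"""

BAD_WEB_CONFIG = """<configuration>
  <system.web>
    <identity impersonate="false" />
    <authentication mode="Forms" />
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</configuration>"""


def check_ti_web_config(xml_text):
    """Return a list of findings; an empty list means the SSO prerequisites hold."""
    findings = []
    root = ET.fromstring(xml_text)
    # iterate rather than find(): the tag name contains a dot
    web = next((child for child in root if child.tag == "system.web"), None)
    if web is None:
        return ["no <system.web> section: impersonation and authentication are unset"]

    # TI must run as the end user, otherwise SSO sees the worker process identity
    identity = web.find("identity")
    if identity is None or identity.get("impersonate", "").lower() != "true":
        findings.append("identity impersonate is not 'true': TI would call SSO as the "
                        "worker process account, not as the end user")

    # a credential lookup needs an authenticated Windows user
    auth = web.find("authentication")
    if auth is None or auth.get("mode", "") != "Windows":
        findings.append("authentication mode is not 'Windows': SSO needs an "
                        "authenticated Windows user to look up credentials")

    # '?' is the ASP.NET wildcard for anonymous users
    authz = web.find("authorization")
    if authz is not None:
        for rule in authz:
            if rule.tag == "allow" and rule.get("users") == "?":
                findings.append("authorization allows anonymous users ('?'); "
                                "anonymous access must not be enabled")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_WEB_CONFIG), ("bad", BAD_WEB_CONFIG)):
        print(label, check_ti_web_config(cfg) or "OK")
```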
4.6 Transaction Integrator and Host Initiated Transactions
This scen scenario describes how SSO works when used with Host Integration Server (HIS) Transaction Integrator (TI) and Host Initiated Transactions. These are Host Initiated Processing scenarios. The following is a walkthrough of this end-to-end process.
Figure 7: Transaction Integrator using Host Initiated SSO

Detailed end-to-end process
Step 1. A Mainframe user logs on to a CICS region using mainframe (RACF) credentials and invokes a CICS application. CICS takes care of inserting the appropriate RACF credentials into the data stream. For TCP/IP scenarios, the CICS application is responsible for inserting the RACF credentials in the data stream.
Step 2. For SNA scenarios the request is made to the Node/DMOD, which in turn calls the HIP TI component. In TCP/IP scenarios, this request is made directly to the HIP TI Server component.
Step 3. If the TI HIP (Host Initiated Processing) component is configured for SSO, it calls SSO Services to obtain the Windows access token that corresponds to the Host user (ISSOLookup2.LogonExternalUser). The Affiliate Application name and the Host userid are passed as input parameters. If the Affiliate Application name is marked to do validation, then the Host userid and the Host user password are passed in as input parameters along with the name of the Affiliate Application. The caller making this request must belong to the Application Administrator group account or above for that Affiliate Application in most scenarios.

In addition, the caller could also be just the Windows user itself. This is to enable the scenario where Group mappings are used. In this case, an Affiliate Application can be configured to perform validation. If that succeeds, then further operations can be performed as that Windows user by using the access token (which it already has). In this way, the service calling SSO can run under a lower privileged account. This user should belong to the Application Users group for that specific Affiliate Application.
Step 4: SSO Services next authenticates the caller and retrieves the Windows access token for the appropriate Host user. SSO Services uses the credential mapping in the Credential Database and Protocol Transition to complete this operation. LsaLogonUser with the KERB_S4U_LOGON option is used in SSO Services to enable this.

Step 5: The HIP TI Server component impersonates the user using the Windows access token and invokes a COM+ application (or Web application) as that Windows user. The COM+ application can further impersonate and access a local or remote Windows resource.

Note: The COM+ application itself must be local to the TI Server.

Important: When using a Web service, ensure that the Web service on the server has Impersonation enabled. This will allow the Web service to impersonate the end user while making the request to TI, which in turn makes the request to SSO.

Important: Use Windows Integrated Security only for the server component. This setting is for the virtual directory on the Web server, or for COM-based or .NET-based server applications.

If SNA protocols are being used TI will use the HIS node as a gateway to access the back-end system. If the TCP/IP protocol is being used then TI will directly connect to the back-end system. The Host credentials retrieved from SSO are supplied as part of this connection.

4.7 Server Side Data Provider: Connecting over SNA or TCP/IP

This scenario covers Server Side Data Provider integration with a back-end Host system. Data providers in HIS 2004 are used for integration with IBM DB2, VSAM, or OS/400 File Systems. Described next is an end-to-end process when a Data provider is used with Enterprise SSO.
Figure 9: Server Side Data Provider using Windows Initiated SSO

Detailed end-to-end process

In this scenario, a Data Provider calls directly into the ENTSSO service to perform the lookups and obtain Host credentials. This applies to both TCP and SNA and is similar to the previous TI scenario.

Step 1: The Data Provider impersonates the end user that initiates the request and calls the ENTSSO service to get the user's credentials (ISSOLookup1.GetCredentials). The data provider specifies the Affiliate Application as an input parameter when it calls SSO.

Step 2: The ENTSSO Service gets the user's Windows credentials from the SSO Credential Database and returns them to the caller (in this case, the Data Provider).

Step 3: If SNA is used then the Data Provider uses the HIS Node as a gateway to access the back-end system. If TCP/IP is used then the Data Provider will directly connect to the back-end system. The Host credentials are supplied as part of this connection.

Note: DB2 Connection Pooling and Enterprise SSO

A common approach to improve the performance of data integration solutions is to use "connection pooling." Industry-standard ODBC and COM-based OLE DB (and ADO) offer connection pooling and resource pooling as service components within the data access components. These connection pooling mechanisms do not work efficiently with Enterprise SSO.

In HIS 2004, a new Microsoft DB2 data provider-specific connection pooling option is available. This method works with Enterprise Single Sign-On when deploying the data providers on a Windows server computer. To use this pooling, select the Connection Pooling check box in the Data Source Wizard of the Data Access Tool, or specify "Connection Pooling=TRUE" in your program's connection string.
4.8 Client Side Data Provider: Connecting over SNA

In this scenario, a Data Provider can also be installed as a client component on an end user's computer, and it can connect through Host Integration Server to the Host system. This scenario does not support connectivity to the Host using TCP/IP. This is shown in Figure 10.

Figure 10: Client Side Data Provider using Windows Initiated SSO

Detailed end-to-end process

Step 1. When an end user establishes a session with the server, the user connects to the Server using their Windows logon access token. They are then authenticated by the Windows integrated security mechanism using their logged-on Windows credentials. The Data Provider will specify MS$SAME, MS$SAME in the data stream as replacement strings to be replaced by the user's userid and password.

Step 2. The DMOD Server calls SNASII to cache the access token as soon as a new session request is made by the client.

Step 2a. SNASII caches the Windows logon access token. The token is kept in the cache until the user disconnects the session.
Step 3. The Node calls SNASII to get the user's Host credentials. The Node passes in the name of the Affiliate Application along with the Windows domain name and userid.

Step 4. SNASII uses the access token that corresponds to the Windows userid specified to impersonate the Windows user. It calls GetCredentials (ISSOLookup1.GetCredentials) as that Windows user. This returns the Host userid and password from the SSO Credential Database. SNASII calls are made to the ENTSSO service. This means that all lookups are local to that computer. The SSO Service gets the Host credentials from the database encrypted. It then decrypts the password and returns it to the caller (in this case, to SNASII). The Node receives these credentials from SNASII and replaces the replacement strings in the data stream, which are used to log on to the back-end system. The back-end system then uses these Host credentials to authenticate the user.

Step 5. When the user disconnects the session (for example, the session established between DMOD Client and Server is disconnected) the user is no longer logged on to the server. To establish a new connection to the server the user has to log on to the server again. In other words, the user has to provide their Windows logon credentials to be authenticated by the server.

Step 6. When the session is disconnected, DMOD calls SNASII to clear the access token for that user from the cache.

4.9 Windows Initiated Password Synchronization

In this scenario, a Windows user changes their password and a Windows Domain Controller receives the password change. In Windows 2000 and Windows 2003, a password change can be made at any Domain Controller. When a user changes their password it is captured by a Password Capture Filter on the Domain Controller and the change is then passed on to the Password Change Notification Service (PCNS) on the Domain Controller. The Domain Controller then pushes the password change out to a consumer. This change is then propagated from the Domain Controller to the SSO Service configured as a Password Synchronization Server. Based on configuration information the password could be changed in the SSO Credential Database or it could simply be discarded. If the user is configured for Password Synchronization, then the password change is sent to the non-Windows system and the password is then updated in the SSO Credential Database. Note that this requires the use of third-party components to communicate the changes from the Windows to the non-Windows system.

A password change is captured only for users that are specified in an inclusion group. The Password Synchronization module of Enterprise SSO decides whether to send the password change to the back-end system based on the configuration information in the SSO Credential Database. Windows Initiated Password Synchronization is illustrated in Figure 11.
Figure 11: Windows Initiated Password Synchronization

4.10 Non-Windows Initiated Password Synchronization

In this scenario a non-Windows user updates the password on a Host system. A password capture component runs on the non-Windows system. This component captures the change on the non-Windows system and notifies a corresponding Windows component. This then propagates the change to the Password Synchronization component of Enterprise SSO Server, which then takes care of updating the SSO Credential Database. Note that this requires the use of third-party components to communicate the password change from the non-Windows system to Windows. The administrator can configure Enterprise SSO to just update the Credential Database, or to update the Credential Database and update the user's password in Active Directory. The former is referred to as Partial Synchronization and the latter as Full Synchronization. Partial Synchronization is done typically if the passwords in Active Directory and the Host system user database (RACF) are different, but it is still important to update the Credential Database for Single Sign-on to continue to work when the user's RACF password is changed. Figure 12 illustrates this scenario.
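The decision logic of sections 4.9 and 4.10, as an added Python model; this is not Microsoft's code or the real Password Synchronization module, and the configuration fields, the CORP\alice and CORP\bob sample users and the RACF and Active Directory stand-ins are constructed for the illustration. It shows the four outcomes the text describes: a change outside the inclusion group is never captured, a captured change for a user not configured for synchronization is discarded, a synchronized change reaches the host before the Credential Database is updated, and a host-initiated change performs either Partial (Credential Database only) or Full (Credential Database plus Active Directory) synchronization.

```python
"""Constructed model of Enterprise SSO Password Synchronization decisions.
Not Microsoft's implementation: names and schema are assumptions."""

from dataclasses import dataclass, field


@dataclass
class SyncConfig:
    """Stand-in for the synchronization settings held in the SSO Credential
    Database (constructed; the real schema is not documented on this page)."""
    inclusion_group: set      # Windows users whose DC password changes are captured
    sync_to_host: set         # captured users whose change is sent to the host
    full_sync: bool           # host-initiated: also update Active Directory


@dataclass
class SsoSystem:
    """Stand-in for the Credential Database and both user directories."""
    config: SyncConfig
    # Windows "DOMAIN\\user" -> (host userid, host password)
    credential_db: dict = field(default_factory=dict)
    host_passwords: dict = field(default_factory=dict)   # RACF stand-in
    ad_passwords: dict = field(default_factory=dict)     # Active Directory stand-in
    host_to_windows: dict = field(default_factory=dict)  # reverse of credential_db

    def windows_initiated_change(self, windows_user, new_password):
        """Section 4.9: a change made at a Domain Controller.  Returns the
        outcome: 'not-captured', 'discarded' or 'synchronized'."""
        # The Password Capture Filter only captures users in the inclusion group.
        if windows_user not in self.config.inclusion_group:
            return "not-captured"
        # Active Directory already holds the new password; the DC made the change.
        self.ad_passwords[windows_user] = new_password
        if (windows_user not in self.config.sync_to_host
                or windows_user not in self.credential_db):
            return "discarded"
        host_id, _ = self.credential_db[windows_user]
        # Third-party component pushes the change to the non-Windows system ...
        self.host_passwords[host_id] = new_password
        # ... and only then is the Credential Database updated.
        self.credential_db[windows_user] = (host_id, new_password)
        return "synchronized"

    def host_initiated_change(self, host_id, new_password):
        """Section 4.10: a change captured on the host.  Returns 'no-mapping',
        'partial' or 'full'."""
        self.host_passwords[host_id] = new_password
        windows_user = self.host_to_windows.get(host_id)
        if windows_user is None:
            return "no-mapping"
        # Partial Synchronization: keep SSO working by updating the mapping.
        self.credential_db[windows_user] = (host_id, new_password)
        if self.config.full_sync:
            # Full Synchronization: the Windows password follows the host password.
            self.ad_passwords[windows_user] = new_password
            return "full"
        return "partial"


def build_sample_system(full_sync=False):
    """Constructed sample: alice is synchronized to the host, bob is captured
    but not synchronized, carol is outside the inclusion group."""
    cfg = SyncConfig(inclusion_group={"CORP\\alice", "CORP\\bob"},
                     sync_to_host={"CORP\\alice"}, full_sync=full_sync)
    return SsoSystem(cfg,
                     credential_db={"CORP\\alice": ("ALICE1", "old"),
                                    "CORP\\bob": ("BOB1", "old")},
                     host_to_windows={"ALICE1": "CORP\\alice",
                                      "BOB1": "CORP\\bob"})


if __name__ == "__main__":
    esso = build_sample_system()
    print(esso.windows_initiated_change("CORP\\alice", "new1"))   # synchronized
    print(esso.windows_initiated_change("CORP\\bob", "new2"))     # discarded
    print(esso.windows_initiated_change("CORP\\carol", "new3"))   # not-captured
    print(esso.host_initiated_change("BOB1", "racf9"))            # partial
```

Note that in this model a discarded change still lands in Active Directory, because the Domain Controller has already committed it; what Enterprise SSO decides is only whether the mapping and the host copy follow.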
Figure 12: Non-Windows Initiated Password Synchronization
5.0 SSO Installation and Configuration

How you install SSO depends on whether you will be installing it with either Host Integration Server or BizTalk Server.

5.1 Installing and Configuring SSO with BizTalk Server

BizTalk Server 2004 makes the most of Enterprise Single Sign-on (SSO) capabilities for securely storing critical information such as secure configuration properties (for example the Proxy User ID and Proxy Password for HTTP Adapters). Therefore, BizTalk Server requires SSO, and as a result, BizTalk Server automatically installs SSO on every computer where you install the BizTalk Server Runtime.

Install options through custom install of BizTalk Server 2004

If you select only the Enterprise SSO Runtime option then only Enterprise SSO will install.

If you select only the BizTalk Engine both the Engine and Enterprise SSO components will install (regardless of whether you select the SSO option).

If you select both then both the Engine and Enterprise SSO components will install. Furthermore, you have the option of selecting the SSO Administration feature for remote administration scenarios.

If you select only Enterprise SSO Administration, only the SSO administrative components will install.

If you select either the Administration or Development tools of BizTalk then Enterprise SSO Administration will install.

Note 1: If you have the BizTalk Server Runtime, Development, or Administration features installed you must first remove those features before you will be able to uninstall the SSO Runtime or Administration components.

Note 2: By installing the server Enterprise Single Sign-on option, you will be installing the SSO Administration components as well.

Note 3: The SSO Administration Install of Enterprise SSO includes a self-extracting executable called SSOClientInstall.exe that contains the client utility (ssoclient.exe) for end users. Administrators can distribute this to end users to manage their mappings in Enterprise SSO.
5.2 Installing the Master Secret Server and Configuring the Credential Database

The first operation that needs to be done before using the Enterprise SSO feature is to install the Master Secret Server and create the SSO Credential Database. The Master Secret Server holds the key that is used for encryption and decryption.

If you have sufficient privileges, the configuration wizard will try to create domain groups of global scope automatically when you specify a domain group for the SSO Administrators account and SSO Affiliate Administrators account. If you do not have sufficient privileges you must ensure that these groups already exist and you can specify these groups in the Configuration Wizard when creating the Master Secret Server. You can also use groups of Domain Local or Universal scope.

To configure the Master Secret Server as a stand-alone server

1. Perform a Custom installation of BizTalk Server or Host Integration Server. Select only Enterprise Single Sign-on from the Custom tree.
2. When the installation is completed, select the Start Configuration Wizard check box, and then click Finish. The configuration wizard appears next.
3. In the Configuration Wizard on the Configuration Options page in the Is this the master secret server drop-down list, select Yes and then click Next. This will make this computer the Master Secret Server and also create the Single Sign-on Credential Database.
4. Create the SSO Administrators account and the SSO Affiliate Administrators account.
5. Specify the service account credentials for the SSO Service. This must be a member of the SSO Administrators group account.
6. Specify the location of the SQL Server based SSO Credential Database (SSODB).
7. Follow the rest of the step-by-step procedures required to complete the Configuration Wizard.
8. Back up the Master Secret after completing configuration.

To back up the Master Secret

1. On the Start menu, click Run.
2. In the Run dialog box type cmd and then click OK.
3. At the command line, go to the Enterprise Single Sign-on installation directory. The default installation directory is <drive>:\Program Files\Common Files\Enterprise Single Sign-on.
4. Type ssoconfig -backupsecret <backup file> where <backup file> is the path and name of the file where the Master Secret will be backed up. (For example, A:\ssobackup.bak.) You can specify either an NTFS location or a directory on removable media.
5. Provide a password to protect this file. You will be prompted to confirm the password and to provide a password hint to help you remember this password.

Important: You must save and store the backup file in a secure location.
As part of data recovery procedures you may need to restore the Master Secret to be able to reuse existing data.

To restore the Master Secret

1. At the command line, go to the Enterprise Single Sign-on installation directory.
2. Type ssoconfig -restoresecret <restore file> where <restore file> is the path and name of the file where the Master Secret is stored.

To configure an additional SSO Server in the SSO system

Install Enterprise Single Sign-on from Custom Install. On the Configuration options page you will be prompted with the question Will this Single Sign-on server (SSO) hold the master secret key? Select No from the drop-down list.

5.3 Installing and Configuring SSO with Host Integration Server 2004

Enterprise SSO is not automatically installed with Host Integration Server by default. To install Enterprise SSO, during setup from the Custom install of Server option you can elect to install Enterprise SSO by clicking Security Integration and then Enterprise Single Sign-on. You can optionally elect to install Password Synchronization as well by selecting this option. This option is a subfeature of the Enterprise Single Sign-on option.

During setup from the Custom install of client option, you can install the Administration and Client utilities. Click Security Integration and then Enterprise Single Sign-on Administration to install the administrative components. You can also select the Enterprise Single Sign-on Client Utility option to install just the client components of SSO on an end user's computer. You can also optionally elect to install Password Synchronization as well by selecting this option. This option is a subfeature of the Enterprise Single Sign-on option.

Note: The administrative install of Enterprise SSO includes a self-extracting executable (SSOClientInstall.exe) which contains the client utility for end users as well. Administrators can then distribute this utility to end users.

It is strongly recommended that you install the Master Secret Server as a stand-alone server in your network and that it only be responsible for being the Master Secret Server.

After Enterprise SSO is installed, the Configuration Wizard will launch and the following questions will be asked by the wizard:

Do you want to create a new SSO System or Join an existing SSO System? Creating a new SSO system will create the credential database and make this computer the master secret server.

You should select Create from the drop-down list if this is the first SSO server you are configuring in your SSO system. This will also create and configure the SSO Credential Database. You should back up the secret on this secret server after configuration is completed. You can back up the secret using the SSO command line utility SSOconfig.exe located at \Program Files\Common Files\Enterprise Single Sign-on\.
Next follow the rest of the steps required to specify the SSO Administrators group, SSO Affiliate Administrators group, specifying the SSO database you want to create, and the SSO Service account configuration. The steps to do this are similar to those mentioned previously for BizTalk Server.

To configure an additional SSO Server in the SSO system

Select Join from the drop-down list for subsequent SSO Servers in the SSO system. These servers will be the processing servers and administration servers. Follow the rest of the steps of configuring the SSO Service account and pointing it to the SSO database.

To reuse an existing Configuration for SSO

You will be prompted: Do you want to reuse the existing configuration? If not, do you want to create a new SSO System or Join an existing SSO System? Creating a new SSO system will create the credential database and make this computer the master secret server.

Select Reuse if you need to reuse an existing SSO Credential Database. This can be done on a Master Secret Server or on a Processing SSO Server. For upgrade procedures, refer to section 5.6.
5.4 Clustering the Master Secret Server

Before You Begin

Before you start configuring SSO in a cluster environment, it is recommended that you understand how clustering works. For more information, see the Microsoft Cluster Server (MSCS) guidelines on how to set up an Active/Passive Cluster.

Note: You must be an SSO Administrator to perform this procedure.

Ensure that you are using domain accounts and domain groups for the SSO Administrators group, SSO Affiliate Administrators group and for the SSO Service accounts.

The following steps assume that you have the two Nodes for the cluster and MSDTC already clustered for failover.

Guidelines for Setting up Your Cluster

1. Perform a Custom Installation to install the Master Secret Server on the first (Active) node of the cluster. For example, you could install it on a computer whose name is ClusterNode1.
In the Configuration Wizard, on the Configuration Questions page, in the Is this the master secret server drop-down list, select Yes and then click Next.
Specify the Service Account credentials for the SSO Service. This must be a member of the SSO Administrators group account.
Specify the location of the SSO Credential Database.
Back up the Master Secret on the Active Node.
Perform a Custom Install to install the Master Secret Server on the second (Passive) node of the cluster (for instance, on ClusterNode2). Configure Enterprise SSO Server on the Passive Node of the cluster using the Configuration Wizard. Because this is not the initial installation of the Master Secret Server, in the Configuration Wizard on the Configuration Questions page in the Is this the master secret server drop-down list, you should select No and then click Next.

From the command line, type the command net stop entsso to stop the SSO Service.

After you have installed and configured SSO on both the Active and Passive cluster nodes and stopped the SSO Service, change the Master Secret Server name in the SSO Credential Database to the Cluster Name. (For example, you would change the name from ClusterNode1 to MSS_CLUSTER.)

Note: The Cluster Name is also the Network Name of the resource that you have created in the Cluster Group that contains the clustered Enterprise Single Sign-On service.

Open the text editor of your choice. Cut and paste the following code into an .xml file (for example, MSS_CLUSTER.xml) and save the file:

    <sso>
      <globalInfo>
        <secretServer>MSS_CLUSTER</secretServer>
      </globalInfo>
    </sso>

At the command line, navigate to the Enterprise Single Sign-on installation directory. Type ssomanage -updatedb <name of the .xml file in the step above> to update the Master Secret Server name in the database.

Configure the service and resource parameters for the cluster.

• Create an ENTSSO service resource and make it a generic service. Make each node of the cluster a possible owner in the Cluster Properties dialog box.
• Check the Security tab to ensure that the user under which the application is running has sufficient permissions to access the cluster (for example, they are not a local administrator). Then add users as appropriate.
• In the Generic Service Parameters dialog box, check the option to Use Network Name for computer name.
• No registry replication information is required (See the following Note on Registry Replication. If you have Roaming Profiles set up for the SSO service account then you can configure Registry Replication).

Move the Cluster Group from the first to the second node using the Cluster Administrator.
Restore the secret key on the second node. At the command line, navigate to the Enterprise Single Sign-on installation directory. Type ssoconfig -restoresecret <restore filename> where <restore filename> is the path and name of the backup file which contains the Master Secret.

Note: Alternatively, you can enable Registry Replication in the Cluster Resource if the service account has a Roaming Profile set up. This way you do not have to restore the secret on the secondary node each time the secret is generated on the primary node. It is important that you have a Roaming Profile set up, though, because the entry in the registry is encrypted.

To set up Registry Replication in the cluster resource, specify the root registry key SOFTWARE\Microsoft\ENTSSO for registry replication.

Important: You must refer to Active Directory documentation on how to set up a Roaming Profile before you do this.

Note: Also refer to MSDTC Clustering because ENTSSO has a dependency on MSDTC. When clustering the Master Secret Server, MSDTC must also be clustered on that computer. Refer to http://support.microsoft.com/default.aspx?kbid=243204 for MSDTC clustering.
5.5 Clustering SSO Servers

Before You Begin

These steps assume that the Master Secret Server and SSO Credential Database have been set up and configured.

Before you start configuring SSO in a cluster environment for the SSO Server that acts as a Password Synchronization Server it is recommended that you understand how clustering works. For more information, see the Microsoft Cluster Server (MSCS) guidelines on how to set up an Active/Passive Cluster.

You must be an SSO Administrator to perform this procedure.

Note: Host Initiated SSO is part of the Enterprise Single Sign-on Server feature. Password Synchronization is a subfeature of Enterprise Single Sign-on that is not selected for install by default. You can use the following process to cluster an SSO Server with or without the Password Synchronization feature enabled.

Guidelines for Setting up the Cluster

1. Perform a Custom installation to install the SSO Server on the first (Active) node of the cluster. In Custom Installation, select the Password Synchronization feature listed under Enterprise Single Sign-on to ensure that you are installing Password Synchronization. Then complete the configuration. For example, you could install it on a computer named ClusterNode1.
• In the Configuration Wizard on the Configuration Questions page in the Do you want to create a new SSO System or Join an existing SSO System? Creating a new SSO system will create the credential database and make this computer the master secret server drop-down list, select Join and then click Next.
• Specify the service account credentials for the SSO service. This must be a member of the SSO Administrators group account.
• Specify the location of the SQL Server and SSO Credential Database (SSODB) and complete the configuration.
3. Follow the same steps on ClusterNode2 to configure the ENTSSO service with the Password Synchronization feature. It is important that you specify the same service account credentials for the ENTSSO service.
4. Configure the service and resource parameters for the cluster.
• Create an ENTSSO service resource and make it a generic service. Make each node of the cluster a possible owner in the Cluster Properties dialog box.
• Check the Security tab to ensure that the user under which the application is running has sufficient permissions to access the cluster (for example, they are not a local administrator). Add users as appropriate.
• In the Generic Service Parameters dialog box, check the option to Use Network Name for computer name.
• For Registry Replication specify the root registry key SOFTWARE\Microsoft\ENTSSO.
5. Move the cluster group from the first to the second node using the Cluster Administrator to verify that the ENTSSO service starts up and works as expected.
5.6 Upgrading an Existing SSO Configuration

If you are upgrading SSO in an existing BizTalk server deployment, you must upgrade the Master Secret Server and the SSO Credential Database. These steps must be followed when installing Host Integration Server on an existing installation of BizTalk Server 2004.

If you are installing BizTalk Server 2004 on an existing deployment of Enterprise SSO available with Host Integration Server 2004, then BizTalk Server will be able to work with the newer version.

Important: Before you begin the upgrade process, it is important that you have backed up the SSO Database and the Master Secret on the Master Secret Server.

Important: As part of the upgrade process, you must upgrade the Master Secret Server first.
On the Master Secret Server install, select Enterprise Single Sign-on from the Custom Install of Host Integration Server 2004. When the Configuration Wizard is launched, you will be prompted with the following question:

Do you want to reuse the existing configuration? If not, do you want to create a new SSO System or Join an existing SSO System? Creating a new SSO system will create the credential database and make this computer the master secret server.

You should select Reuse to perform the upgrade on the Master Secret Server and the SSO Credential Database. This will upgrade the SSO Credential Database to make the database compatible with the new features of SSO in Host Integration Server 2004.

Note: Other SSO Servers installed with BizTalk Server 2004 need not be upgraded unless you want to use the new features of SSO on those computers. SSO Servers installed with BizTalk Server or the newer version of SSO Servers installed with HIS are compatible with the Master Secret Server and the SSO Credential Database created as a part of Enterprise SSO installed with Host Integration Server 2004.
6.0 SSO Client Utility and Administration tools

The SSO Client utility (ssoclient.exe) is used by end users to manage their own credentials. The SSO Administration utility is used by administrators to manage Affiliate Applications, mappings and global information in the SSO Credential Database.

SSO client and administrator utilities (ssoconfig.exe and ssomanage.exe) as well as other administration components can access an SSO Server remotely to perform administrative operations. Ssomanage.exe is used by administrators to create, delete, and manage Affiliate Applications and mappings. It is also used to configure database level settings, such as ticketing configurations. Ssoconfig.exe is used by administrators for per-server configuration such as setting the audit levels for the SSO Server. It is also used to manage the Master Secret Server.

Administrators can use ssoclient.exe and ssomanage.exe from a remote computer. The first step is to specify the server that they should use for communicating with the SSO Credential Database.

Example:
ssomanage -server ssoserver1
ssoclient -server ssoserver1

For Password Synchronization administration, there is another command line utility, ssops.exe. Remote administration is possible for most of the administrative operations for Password Synchronization, but some operations performed by an administrator using ssops.exe must be on the SSO Server itself. This is typically done on the server that is assigned as the Password Synchronization Server.
7.0 SSO Mappings and Affiliate Application Types

When an Enterprise Single Sign-on (SSO) Administrator or an SSO Affiliate Administrator defines an Affiliate Application, he or she can define it as either an application with Individual mappings or as an application with a Group type mapping.

7.1 Individual Type Affiliate Application Mappings

SSO Individual type mappings enable administrators and users to create a one-to-one mapping between Windows users and their corresponding non-Windows credentials. When using Individual type mappings, users can manage their own mappings. The SSO system maintains the one-to-one relation between the user's Windows account and the user's non-Windows account.

Figure 1 Individual Mapping

An SSO Application Administrator (or above) can create the complete mapping, including the external user's password, or just part of the mapping: a Windows user mapped to an external userid without specifying their external password.

Windows Initiated

A typical completed mapping in this case contains:

"Windows Domain\Windows UserID" mapped to "External User ID" and "External User Password"

Host Initiated

Host Initiated SSO validation of passwords can be marked as required or not required for the Affiliate Application. In the case where validation of passwords is required, a typical completed mapping is as follows:

"Windows Domain\Windows UserID" mapped to "External User ID" and "External User Password"
In the case where validation of passwords is not required, a completed mapping is as follows:

"Windows Domain\Windows UserID" mapped to "External User ID"

Note 1: Windows end users can create and manage their own mappings for individual applications.

Note 2: The same Affiliate Application can act as both a Windows Initiated SSO type application and a Host Initiated SSO type application. The difference in the mapping is that a Windows Initiated Individual type mapping is complete only if the Windows domain\userid, external userid, and password are provided, while a Host Initiated Individual type mapping can be complete with just the Windows domain\userid and external userid when Validate Password is not enabled. When Validate Password is enabled for Host Initiated SSO, there is no difference in the mapping itself between a Windows Initiated Individual type mapping and a Host Initiated Individual type mapping.

7.2 Group Type Affiliate Application Mappings

Only an Application Administrator, SSO Affiliate Administrator, or SSO Administrator can create and manage mappings for a Group type Affiliate Application.

Windows Initiated - Group Type Affiliate Application

SSO Group type mappings consist of mapping a Windows group that contains multiple Windows users to a single external account in the Affiliate Application. The appUserAccount property is used in the Affiliate Application to specify the Windows group for the application.

A typical completed mapping in this case contains:

"Windows Domain\Windows Group account" mapped to "External User ID" and "External User Password"

Figure 1 Group Mapping
Host Initiated - Host Group Type Affiliate Application

This allows multiple external users to be mapped to a single Windows user account. When the Affiliate Application is created, the Application user account (appUserAccount) or Windows account (windowsAccount) needs to be an individual domain account. This is the account to which the external userids will be mapped.

In the case where validation of passwords is required, a typical completed mapping is as follows:

"External User ID" and "External User Password" need to be specified.

In the case where validation of passwords is not required, a completed mapping is as follows:

"External User ID"

Figure 14 Host Group Mapping

Note 1: When you use Group mappings in the case of Windows Initiated SSO, only the members of the group can obtain the credentials information.

Note 2: You cannot specify the same group application for Windows Initiated SSO and Host Initiated SSO.

7.3 Configuring Affiliate Applications

The SSO Credential Database primarily consists of user mappings. In a mapping, a Windows account is mapped to non-Windows credentials.
An Affiliate Application in SSO can represent anything that the Administrator wants it to represent. This is a key decision that the Administrator needs to make before creating an Affiliate Application. The Administrator can create different types of Affiliate Application definitions, including:

1) Windows Initiated Individual type
2) Host Initiated Individual type
3) Windows and Host Initiated Individual type
4) Windows Initiated Group type
5) Host Initiated Group type
6) Configuration type (BizTalk Server 2004 creates Configuration Store type Affiliate Applications to store configuration data for adapters securely. It creates one Affiliate Application each for Send Handler, Receive Handler, Send Location, and Receive Location. The Password Synchronization Adapter configuration is stored here as well.)

When the SSO Administrator or the SSO Affiliate Administrator defines an Affiliate Application, they must also determine who will administer the Affiliate Application (the Application Administrator), who the users of the Affiliate Application are (the Application Users), and what parameters are required to authenticate the users of this Affiliate Application (their userid, passwords, pin numbers, and so on) in the external system. The Application Users group must contain the domain users for whom the mappings need to be created (for example, the end users who will be using the Single Sign-on functionality).

Before creating an Affiliate Application, the SSO Affiliate Administrator or the SSO Administrator has to make the following decisions:

1. What will this Affiliate Application represent? You need to know the non-Windows application that the Affiliate Application will represent in the SSO system. For example:
   Application name: Mainframe1
   Description: Mainframe application for SSO
   Contact: administrator@companyname.com

2. Who will administer this Affiliate Application? You need to determine the Administrators of this Affiliate Application. These form the Windows Administrators group for this Affiliate Application. For example, Domain\MAdminGroup1.

3. Who will use this Affiliate Application? You need to determine who the end users are for this Affiliate Application. These users represent the Windows Users group for this Affiliate Application (for example, Domain\Mainframe1_UserGroup). This depends on which users you want to allow to use this application.

4. What credentials does the Affiliate Application use to authenticate its users? Different applications use different credentials to authenticate users. For example, some applications may use userids, passwords, pin numbers, or a combination of these. You must also determine whether the system needs to mask these credentials as the user provides them. Typically, it is a userid and password. (Note: The first credential field must always be the userid.)

5. Will you use individual mappings or a group mapping for this Affiliate Application? This will depend on whether each Windows user has an account in the back-end system or if the back-end system has one account for all Windows users.

6. Will this Affiliate Application be used for Windows Initiated SSO, Host Initiated SSO, or both? By default, the Application created is an Individual type Windows Initiated application. You can have the same application act as a Windows Initiated SSO application and a Host Initiated SSO application for Individual type applications. Group type applications can be used either for Windows Initiated SSO or Host Initiated SSO (that is, one or the other).
After you create an Affiliate Application, you cannot modify the following properties:

• Name of the Affiliate Application
• Some parameters associated with the Affiliate Application (see below)
• Affiliate Application type (Individual, Group, Host Group, or Configuration Store)
• Administration account same as Affiliate Administrators group (If you select this property, then the Affiliate Administrators group is used as the Administrator account for this Affiliate Application.)

7.4 Affiliate Application Properties

The following table lists the properties you need to define for each Affiliate Application you create. Each entry gives the property, an example value, and its description.
General Information

Application name
  Value: AffiliateApp1
  Name of the Affiliate Application. You cannot change this property after you create the Affiliate Application.

Description
  Value: "SSO App for Mainframe"
  Brief description of the Affiliate Application.

Contact information
  Value: someone@microsoft.com
  The main contact for this Affiliate Application.

Application Users Account
  Value: Domain\<account name>
  The Windows group that contains the user accounts of end users who will be using this Affiliate Application.

Affiliate Administrators Account
  Value: Domain\<account name>
  The Windows group that contains the Administrator accounts that will manage this Affiliate Application. Note: You do not need to define this property if you set adminAccountSame to Yes.

Application Flags

Application enabled
  Value: Enabled/Disabled
  The status of this Affiliate Application. This is Disabled by default.

Group Application
  Value: Yes/No
  Determines whether this application uses a group mapping (Yes) or Individual mappings (No). This is set to No by default; that is, by default it is an Individual type application. You cannot change this property after you create the application.

Configuration Store application
  Value: Yes/No
  Determines whether this Affiliate Application is a Configuration Store type application (Yes) or an SSO type application (No). This is set to No by default. You cannot change this property after you create the application.

Host Initiated SSO
  Value: Yes/No
  Enable this if it is a Host Initiated SSO type application. This is set to No by default.

Windows Initiated SSO
  Value: Yes/No
  Enable this if it is a Windows Initiated SSO type application. This is set to Yes by default.

Validate Password
  Value: Yes/No
  This applies only to a Host Initiated SSO type application. When a Host Initiated SSO type application is specified, this flag is set to Yes by default. This means that when an application tries to retrieve the credentials, it should provide the password held in the Credential Database, which SSO Services use for validation.

Disable Credential Cache
  Value: Yes/No
  When credentials are looked up by the SSO Server, they are stored in a cache for performance reasons. These cached credentials are stored encrypted in memory. This is set to No by default.

Tickets allowed
  Value: Yes/No
  Determines whether the SSO system uses tickets for this Affiliate Application. Issuing of tickets and redemption of tickets are possible when this is enabled (this is required for BizTalk Adapter scenarios). This is set to No by default. Security: You must be an SSO Administrator to set this flag.

Validate tickets
  Value: Yes/No
  Determines whether the SSO system validates tickets when the user redeems them. This applies only if tickets are allowed. By default, it is set to Yes. Security: You must be an SSO Administrator to set this flag.

Disable Ticket timeout
  Value: Yes/No
  Determines whether tickets have an expiration time. By default, this is set to No. Security: Unless it is absolutely required in your end-to-end scenario, do not disable ticket timeouts. Security: You must be an SSO Administrator to set this flag.

Allow local accounts
  Value: Yes/No
  Determines whether you allow the use of local groups and accounts in the SSO system. By default, this is set to No. Note: If you are specifying a domain-local scope group, you need to set this flag.

Administrator account same
  Value: Yes/No
  Determines whether to use the SSO Affiliate Administrator account as the SSO Application Administrator account. You cannot change this property after you create the application. By default, this is set to No. Security: You must be an SSO Administrator or SSO Affiliate Administrator to set this flag.

Application Fields

Field [0]
  Value: <credential>: Masked/Unmasked
  Determines the type of credential (userid, password) that end users must provide to connect to the Affiliate Application, and whether this credential is masked (that is, whether the characters that the user types are displayed on the screen) or not. The first field must be the userid. You cannot change this property after you create the application.

Field [1]
  Value: <credential>: Masked/Unmasked
  Determines the type of credential (userid, password) that end users must provide to connect to the Affiliate Application, and whether this credential is masked (that is, whether the characters that the user types are displayed on the screen) or not. You can enter as many fields as there are credentials for the Affiliate Application. You cannot change this property after you create the application.
8.0 Configuring Host Initiated SSO

Host Initiated SSO is supported only in a native Windows 2003 Domain environment with Windows 2003 servers. SSO Services take advantage of the Protocol Transition feature to make this possible. For more information on this, refer to http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx.

This allows SSO Services to obtain an impersonation-level Windows user token by providing just the Kerberos service principal (using the domain\userid information from the SSO Credential Database). This token is used by applications integrated with Host Initiated SSO functionality to access Windows resources that the Windows user represented by the token has access to.

To obtain an impersonation-level token using Protocol Transition, the SSO Server must have the Act as part of the operating system privilege. Because of this, it is very important that the SSO server that is performing the role of Host Initiated SSO is securely locked down. This includes ensuring that the SSO service account for this server is not used for any other services. Do not use this service account for the other SSO Servers, or for Windows Initiated SSO. Like the other SSO Service accounts, this service account must be a member of the SSO Administrators group.
Active Directory Configurations

1) In your Active Directory Domains and Trusts MMC snap-in, right-click the root node Active Directory Domains and Trusts and click Raise Forest Functional Level. This must be done in Windows Server 2003. Refer to the Active Directory documentation before you make any changes.

2) Create a Service Principal Name (SPN) for the caller (for example, the HIP Service account for the Transaction Integrator component in Host Integration Server 2004). To do this, you can use the setspn utility: http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/setspn-o.asp

Example:

hipsvc/computername.domain.com: the name of the service that will perform the operation and the computer it is running on.
domain\hissvc: the service account that hipsvc is running as.

setspn -A hipsvc/COMPUTERNAME.DOMAIN.COM DOMAIN\hissvc

You can then configure Constrained Delegation in Active Directory for this service account (domain\hissvc) to access the appropriate resource in the network.

3) Give the TCB (Trusted Computing Base) privilege to the SSO service account that is performing Protocol Transition operations. In your Domain Security Policy - Local Policies - User Rights Assignment, add the SSO Service account to the "Act as part of the operating system" policy.

For more information on Kerberos Protocol Transition and Constrained Delegation, refer to
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx
Enable Host Initiated SSO

1. On the Start menu, click Run.
2. In the Run dialog box, type cmd and then click OK.
3. At the command line, go to the Enterprise Single Sign-on installation directory. (The default installation directory is <drive>:\Program Files\Common Files\Enterprise Single Sign-on.)
4. Type ssomanage -enable hisso.

Create an Affiliate Application for Host Initiated SSO

1. On the Start menu, click Run.
2. In the Run dialog box, type cmd and then click OK.
3. At the command line, go to the Enterprise Single Sign-on installation directory.
4. Type ssomanage -createapps <HISSO_Individual_AffApp.xml> to create a Host Initiated SSO Individual type app.

Sample HISSO_Individual_AffApp.xml

<?xml version="1.0"?>
<SSO>
  <application name="SSOApp_Host1">
    <description>An Individual Type Affiliate Application for Host Initiated SSO</description>
    <contact>someone@companyname.com</contact>
    <appUserAccount>DomainName\AppUserGroup_HISSO</appUserAccount>
    <appAdminAccount>DomainName\AppAdminGroup_HISSO</appAdminAccount>
    <field ordinal="0" label="User ID" masked="no" />
    <field ordinal="1" label="Password" masked="yes" />
    <flags hostInitiatedSSO="yes" validatePassword="yes" windowsInitiatedSSO="no" enableApp="yes" />
  </application>
</SSO>
Sample XML file to create a Host Initiated SSO group type application

<?xml version="1.0"?>
<SSO>
  <application name="SSOApp_HostGroupApp1">
    <description>A Group Type Affiliate Application for Host Initiated SSO associating multiple non-Windows users to a single Windows user account (DomainName\WindowsUserAccount1)</description>
    <contact>someone@companyname.com</contact>
    <windowsAccount>DomainName\WindowsUserAccount1</windowsAccount>
    <appAdminAccount>DomainName\AppAdminGroup_HISSO</appAdminAccount>
    <field ordinal="0" label="User ID" masked="no" />
    <field ordinal="1" label="Password" masked="yes" />
    <flags hostInitiatedSSO="yes" validatePassword="yes" groupApp="yes" enableApp="yes" />
  </application>
</SSO>
Sample XML file to create an Affiliate Application that supports both Windows Initiated SSO and Host Initiated SSO

<?xml version="1.0"?>
<SSO>
  <application name="SSOApp1">
    <description>An Individual Type Affiliate Application for both Host Initiated SSO and Windows Initiated SSO</description>
    <contact>someone@companyname.com</contact>
    <appUserAccount>DomainName\AppUserGroup</appUserAccount>
    <appAdminAccount>DomainName\AppAdminGroup</appAdminAccount>
    <field ordinal="0" label="User ID" masked="no" />
    <field ordinal="1" label="Password" masked="yes" />
    <flags hostInitiatedSSO="yes" validatePassword="yes" windowsInitiatedSSO="yes" enableApp="yes" />
  </application>
</SSO>
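The type rules of sections 7.1 to 7.4 and the sample definition files above can be checked mechanically before a file is handed to ssomanage. The following Python script is an added example, not part of the whitepaper and not Microsoft's tooling: it parses the <SSO><application> format shown above, reports definitions that break the stated rules, and applies Note 2 of section 7.1 to decide whether an Individual mapping is complete. It assumes that the Yes default for windowsInitiatedSSO applies only when hostInitiatedSSO is not set (the group sample above omits the flag), and its second sample file is constructed to be invalid.

```python
"""Checks for Enterprise SSO Affiliate Application definition files.

Added example, not code from the whitepaper or from Microsoft: it reads the
<SSO><application> XML format shown in the paper and applies the rules the
paper states about application types and about when a mapping is complete.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Copied from the paper: the Individual type application for Host Initiated SSO.
HISSO_INDIVIDUAL_XML = """<?xml version="1.0"?>
<SSO>
  <application name="SSOApp_Host1">
    <description>An Individual Type Affiliate Application for Host Initiated SSO</description>
    <contact>someone@companyname.com</contact>
    <appUserAccount>DomainName\\AppUserGroup_HISSO</appUserAccount>
    <appAdminAccount>DomainName\\AppAdminGroup_HISSO</appAdminAccount>
    <field ordinal="0" label="User ID" masked="no" />
    <field ordinal="1" label="Password" masked="yes" />
    <flags hostInitiatedSSO="yes" validatePassword="yes" windowsInitiatedSSO="no" enableApp="yes" />
  </application>
</SSO>
"""

# Constructed, deliberately invalid: a Group type app flagged for both SSO
# directions, and with no ordinal 0 (userid) field.
BAD_GROUP_APP_XML = """<?xml version="1.0"?>
<SSO>
  <application name="SSOApp_BadGroup">
    <description>Constructed: group app enabled for both SSO directions</description>
    <contact>someone@companyname.com</contact>
    <windowsAccount>DomainName\\WindowsUserAccount1</windowsAccount>
    <appAdminAccount>DomainName\\AppAdminGroup_HISSO</appAdminAccount>
    <field ordinal="1" label="Password" masked="yes" />
    <flags hostInitiatedSSO="yes" windowsInitiatedSSO="yes" groupApp="yes" enableApp="yes" />
  </application>
</SSO>
"""


def read_flags(app: ET.Element) -> Dict[str, bool]:
    """Resolve the yes/no flags with the defaults from the properties table."""
    flags = app.find("flags")

    def get(name: str, default: str) -> bool:
        value = flags.get(name, default) if flags is not None else default
        return value.lower() == "yes"

    host = get("hostInitiatedSSO", "no")
    return {
        "host": host,
        # Assumption: the Yes default for Windows Initiated SSO applies only when
        # the app is not Host Initiated (the paper's group sample omits the flag).
        "windows": get("windowsInitiatedSSO", "no" if host else "yes"),
        "group": get("groupApp", "no"),
        # Validate Password defaults to Yes only for Host Initiated apps.
        "validate": host and get("validatePassword", "yes"),
        "admin_same": get("adminAccountSame", "no"),
    }


def validate_affiliate_app(xml_text: str) -> List[str]:
    """Return the rule violations in every <application>; an empty list means acceptable."""
    errors: List[str] = []
    for app in ET.fromstring(xml_text).findall("application"):
        name = app.get("name") or "<unnamed>"
        f = read_flags(app)
        if not (f["host"] or f["windows"]):
            errors.append(f"{name}: neither Windows Initiated nor Host Initiated SSO is enabled")
        if f["group"] and f["host"] and f["windows"]:
            errors.append(f"{name}: a Group type app is Windows Initiated or Host Initiated, not both")
        if f["group"] and f["host"] and app.find("windowsAccount") is None:
            errors.append(f"{name}: a Host Initiated group app needs windowsAccount (one domain user)")
        if not (f["group"] and f["host"]) and app.find("appUserAccount") is None:
            errors.append(f"{name}: appUserAccount (the Application Users group) is required")
        if app.find("appAdminAccount") is None and not f["admin_same"]:
            errors.append(f"{name}: appAdminAccount is required unless adminAccountSame is yes")
        ordinals = sorted(int(fld.get("ordinal", "-1")) for fld in app.findall("field"))
        if not ordinals or ordinals != list(range(len(ordinals))):
            errors.append(f"{name}: credential fields must start at ordinal 0 (the userid) and be contiguous")
    return errors


def mapping_complete(xml_text: str, windows_account: str, external_user: str,
                     external_password: Optional[str] = None) -> bool:
    """Note 2 of section 7.1, applied to an Individual mapping for the first <application>."""
    f = read_flags(ET.fromstring(xml_text).find("application"))
    if not (windows_account and external_user):
        return False
    # Windows Initiated always needs the external password; Host Initiated only
    # when Validate Password is enabled.
    needs_password = f["windows"] or f["validate"]
    return bool(external_password) if needs_password else True
```

Running validate_affiliate_app over the paper's three sample files returns no violations; the constructed BAD_GROUP_APP_XML is reported twice (both directions enabled, and no ordinal 0 field).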
9.0 Configuring Password Synchronization

Full Synchronization

Windows Synchronization: When a password change is made in a Windows system by a Windows user, the new password is sent to the non-Windows system to synchronize the user's password in the non-Windows user directory. After this change is successfully made, the password is updated for the appropriate mapping in the SSO Credential Database.

Non-Windows Synchronization: When a password is changed in a non-Windows system, the change is captured and sent to the Windows environment. The Enterprise SSO service enabled for Password Synchronization updates the Windows security system (Active Directory) and the SSO Credential Database for the corresponding user.

Partial Synchronization

This applies to External Synchronization only, that is, when the password change is initiated from a non-Windows system. The Administrator can configure SSO such that passwords can be different between Windows and non-Windows systems. When a password is changed in a non-Windows system, the change is captured and sent to the Windows environment. The Enterprise SSO service enabled for Password Synchronization updates only the SSO Credential Database for the corresponding user. The user's password in the Windows security system (Active Directory) is not updated.

Note: When a Windows password change occurs, Partial Synchronization is not supported. That is, there is never a case where the password captured on Windows is updated in the Credential Database only. In other words, Windows password change capture is useful only for the Full Synchronization case.
How it works

When a Windows user changes his or her password, the password change is captured on a Windows 2000 Domain Controller by a password change capture DLL. The Password Change Notification Service (PCNS) on the Domain Controller notifies the SSO Server about this change. The SSO Server then looks in the SSO Credential Database for any non-Windows systems that need to receive an update about this password for the user. After the password change is made on the non-Windows user databases, the mappings are updated in the SSO database when notification is received. This way, the passwords are never out of sync: for example, only if the password change for UserA made it to the non-Windows system Mainframe1 is the password in the mapping corresponding to Mainframe1 updated for UserA.

When a non-Windows user changes his or her password in a Full Synchronization scenario, the password change is updated in the SSO Credential Database and also in Windows Active Directory for that user. In this case, if there is a failure in updating the Windows user password with the new password, the change in the SSO Credential Database is still done. This is because the mainframe user's password has already changed and the database needs to be updated for Single Sign-on scenarios to work.
Password Synchronization Adapters (aka PS Adapters) are required for password synchronization to work. These adapters are integrated with the Password Synchronization Interface (PSI) of Enterprise SSO. When sending password changes from Windows to a non-Windows system, Enterprise SSO queues up the password changes for the PS Adapter to pick up. Similarly, password changes received from non-Windows systems through the PS Adapter are sent to Enterprise SSO to update the credentials in the SSO Credential Database and optionally update the user's Active Directory password. Each PS Adapter has a Receive Notification Queue and a Damping Queue associated with it. These queues are stored in the centralized Credential Database.
Damping

One of the common problems with Password Synchronization is looping of password changes. To prevent this problem, Enterprise SSO's Password Synchronization feature has a built-in mechanism to prevent password loops. This prevents the same password change from being sent to any system more than once. This is required to avoid looping of password changes when full synchronization of passwords is done.

Example: A Windows user UserA is configured to have full Password Synchronization with UserB on an IBM mainframe system and with UserC on a UNIX system. Full Password Synchronization is enabled for both non-Windows systems.

There are three cases of dampening password changes:

Case 1: In the case of Full Synchronization, when receiving a password change from UserB on a mainframe, the credential mapping for UserB is changed in the Credential Database and then the change is propagated to the Windows side for the corresponding Windows user (UserA). When UserA's password is changed in Active Directory, this password change is sent back to the Enterprise SSO Server as a Windows password change that just occurred. In this case, the password change is dampened by Enterprise SSO for UserB, but the password change is received by the Password Synchronization Adapter that corresponds to UserC on the UNIX system.

Case 2: Multiple SSO Servers can be configured as targets to receive password changes from the Domain Controller for reliability scenarios. In this case, the Domain Controller will push changes to both Enterprise SSO Servers. Only the first one that receives the password change will go through; the other change is dampened.

Case 3: When a Windows password change is captured (for UserA) and sent to the mainframe (for UserB), the password change is captured on the mainframe and sent back to SSO. The Enterprise SSO Server dampens this change because this is a change that it just sent to the mainframe.
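The three damping cases can be replayed with a small model. The following Python code is an added example, not Enterprise SSO's implementation: it keeps a shared credential store with a per-adapter damping queue and applies the one rule the text states (a password change is never sent to a system that already has it or has it queued), for Full and Partial Synchronization. The SHA-256 comparison of passwords and the UserA/UserB/UserC scenario values are constructed for the model.

```python
"""Model of the Enterprise SSO password change damping rule.

Added example, not the product's code. It models Full and Partial Synchronization
with one rule from the whitepaper: a password change is never sent to a system
that already has it or has it queued. Passwords are compared as SHA-256 digests,
a constructed choice for the model (the real Credential Database stores them encrypted).
"""
import hashlib
from typing import Dict, List, Optional, Set, Tuple

WINDOWS = "Windows"  # Active Directory, the Windows side of every mapping


def digest(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class CredentialDatabase:
    """The shared SSO Credential Database: mappings, current digests and the damping queue."""

    def __init__(self, mappings: Dict[str, List[Tuple[str, str]]],
                 partial_sync: Optional[Set[str]] = None) -> None:
        self.mappings = mappings                   # Windows user -> [(system, external user)]
        self.partial_sync = partial_sync or set()  # systems whose changes must not reach AD
        self.current: Dict[Tuple[str, str], str] = {}    # (system, account) -> digest
        self.damping: Set[Tuple[str, str, str]] = set()  # changes sent, not yet confirmed

    def already_has(self, system: str, account: str, dg: str) -> bool:
        return self.current.get((system, account)) == dg or (system, account, dg) in self.damping

    def windows_user_for(self, system: str, ext_user: str) -> Optional[str]:
        for win_user, targets in self.mappings.items():
            if (system, ext_user) in targets:
                return win_user
        return None


class SSOServer:
    """One Enterprise SSO Server; several servers may share one CredentialDatabase (Case 2)."""

    def __init__(self, name: str, db: CredentialDatabase) -> None:
        self.name = name
        self.db = db

    def on_windows_change(self, win_user: str, password: str) -> List[str]:
        """PCNS notification from a Domain Controller. Returns the systems the change is queued for."""
        dg = digest(password)
        self.db.current[(WINDOWS, win_user)] = dg
        queued = []
        for system, ext_user in self.db.mappings.get(win_user, []):
            if self.db.already_has(system, ext_user, dg):
                continue  # dampened: that system originated or already received this change
            self.db.damping.add((system, ext_user, dg))  # hand to that system's PS Adapter
            queued.append(system)
        return queued

    def on_adapter_confirmation(self, system: str, ext_user: str, password: str) -> None:
        """The PS Adapter reports the change was made on the non-Windows system; update the mapping."""
        dg = digest(password)
        self.db.damping.discard((system, ext_user, dg))
        self.db.current[(system, ext_user)] = dg

    def on_external_change(self, system: str, ext_user: str, password: str) -> List[str]:
        """Change captured on a non-Windows system. Returns [WINDOWS] if Active Directory is updated."""
        dg = digest(password)
        if self.db.already_has(system, ext_user, dg):
            return []  # dampened: an echo of a change this SSO system sent there (Case 3)
        self.db.current[(system, ext_user)] = dg  # mapping updated first, even if AD fails later
        win_user = self.db.windows_user_for(system, ext_user)
        if win_user is None or system in self.db.partial_sync:
            return []  # no mapping, or Partial Synchronization: Credential Database only
        if self.db.current.get((WINDOWS, win_user)) == dg:
            return []
        self.db.current[(WINDOWS, win_user)] = dg  # Full Synchronization: push to AD
        return [WINDOWS]


def run_cases() -> Dict[str, List[str]]:
    """Replay the paper's example: UserA <-> UserB (mainframe) and UserC (UNIX), two SSO servers."""
    db = CredentialDatabase({"UserA": [("Mainframe1", "UserB"), ("UNIX1", "UserC")]})
    sso1, sso2 = SSOServer("sso1", db), SSOServer("sso2", db)
    out = {}
    # Case 2: the Domain Controller pushes the same change to both servers; only the first forwards it.
    out["case2_first"] = sso1.on_windows_change("UserA", "Spring2004!")
    out["case2_second"] = sso2.on_windows_change("UserA", "Spring2004!")
    # Case 3: the mainframe applies the change, then captures it and echoes it back.
    sso1.on_adapter_confirmation("Mainframe1", "UserB", "Spring2004!")
    out["case3_echo"] = sso1.on_external_change("Mainframe1", "UserB", "Spring2004!")
    # Case 1: UserB changes the password on the mainframe; AD is updated and echoes a Windows change.
    out["case1_to_ad"] = sso1.on_external_change("Mainframe1", "UserB", "Summer2004!")
    out["case1_echo"] = sso1.on_windows_change("UserA", "Summer2004!")
    return out


if __name__ == "__main__":
    for case, targets in run_cases().items():
        print(f"{case}: {targets or 'dampened'}")
```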
9.1 Configuring the Domain Controller for Capturing Windows Password Changes

Password Change Notification Service (PCNS) needs to be configured on the Domain Controller. This component is available in a package called PCNS.msi and is located on the Host Integration Server 2004 CD. Look under <CDROOT>\Platform\PCNS.

This PCNS.msi package also includes the Password Capture Filter component that needs to be installed on all the Domain Controllers to capture the password change. PCNS itself needs to be configured only once.

Active Directory Schema Extension

If your organization separates the Schema Administrator role from the Domain Administrator role, then the Schema Administrator may need to extend the schema separately from the installation of the Microsoft Password Change Notification Service. The PCNS.MSI file enables a Schema Administrator to extend the schema only, with the following command:

MSIEXEC.EXE /i PCNS.MSI SCHEMAONLY=TRUE

The schema only needs to be extended once per Active Directory forest. The replication process will replicate the schema modifications to all Domain Controllers.

During the installation of the Microsoft Password Change Notification Service, schema entries are added to Active Directory that apply to the entire forest. These schema updates are required to define the configuration for the Microsoft Password Change Notification Service. These attributes are not configured to be stored in the Global Catalog.

Schema Object Classes Added by the Microsoft Password Change Notification Service:

CN                      Id                        Is Indexed   In Global Catalog
ms-MIIS-PCNS-Target     1.2.840.113556.1.5.249    False        False
ms-MIIS-PCNS-Service    1.2.840.113556.1.5.250    False        False
Schema Attributes Added by the Microsoft Password Change Notification Service:

CN                                          Id                         Is Indexed   In Global Catalog
ms-MIIS-PCNS-TargetGUID                     1.2.840.113556.1.4.1895    False        False
ms-MIIS-PCNS-TargetSPN                      1.2.840.113556.1.4.1896    False        False
ms-MIIS-PCNS-TargetServer                   1.2.840.113556.1.4.1897    False        False
ms-MIIS-PCNS-TargetAuthenticationService    1.2.840.113556.1.4.1898    False        False
ms-MIIS-PCNS-TargetUserNameFormat           1.2.840.113556.1.4.1899    False        False
ms-MIIS-PCNS-TargetKeepAliveInterval        1.2.840.113556.1.4.1900    False        False
ms-MIIS-PCNS-TargetDisabled                 1.2.840.113556.1.4.1901    False        False
ms-MIIS-PCNS-TargetEncryptionKey            1.2.840.113556.1.4.1902    False        False
ms-MIIS-PCNS-ServiceMaxQueueLength          1.2.840.113556.1.4.1903    False        False
ms-MIIS-PCNS-ServiceMaxQueueAge             1.2.840.113556.1.4.1904    False        False
ms-MIIS-PCNS-ServiceMaxNotificationRetries  1.2.840.113556.1.4.1905    False        False
ms-MIIS-PCNS-ServiceRetryInterval           1.2.840.113556.1.4.1906    False        False
ms-MIIS-PCNS-TargetExclusionSID             1.2.840.113556.1.4.1908    False        False
ms-MIIS-PCNS-TargetInclusionSID             1.2.840.113556.1.4.1909    False        False
Note: As is true for every object in Active Directory, schema objects are protected by Access Control Lists (ACLs). Therefore, only authorized users can alter the schema.

To add or modify a class definition or attribute definition, you add or modify the corresponding classSchema object or attributeSchema object. This process is similar to adding or modifying any object in Active Directory, except that additional checks are performed to ensure that changes do not cause inconsistencies or problems in the schema.
For more details on the Active Directory schema, please visit MSDN at the following URL:
http://www.microsoft.com/resources/documentation/windowsServ/2003/all/techref/en-us/W2K3TR_schem_how.asp?FRAME=True#w2k3tr_schem_how_fhep

Configuring a target using PCNS

PCNS uses the concept of "targets" to describe the systems that receive the password notifications. When you install the service on the Domain Controller, the schema is extended to enable the definition of "targets," but no targets are defined. After the server restarts, the administrator must define one or more "targets" in Active Directory before password notifications will be sent.

Each target has a separate "inclusion filter" and "exclusion filter." These filters are used to restrict the flow of sensitive passwords off the domain. For instance, you typically do not want administrator and machine passwords to be sent out by the service. The filter may be any security group in the domain. To send passwords for all users but not send administrative passwords, you might choose to use "Domain Users" as the inclusion filter and "Domain Admins" as the exclusion filter.

Important: The inclusion filter is required. The exclusion filter is used to further restrict the inclusion filter, and it is optional. If the filters are missing or invalid, no passwords will be queued for that target.
Configuring a target is a multistep process.

1. Select the groups to use for the inclusion and exclusion filter. These may be existing security groups or newly created security groups. (Note: Because of security caching, membership changes for these groups may take up to 10 minutes before they are recognized by the service.)

2. Set the Service Principal Name (SPN) on the target service account. The SPN is a property on the account object in Active Directory that is used by the Kerberos protocol to mutually authenticate the service and the target. The SPN takes the form of "ENTSSO/<fully-qualified computer name>".

   Example: setspn -A ENTSSO/sso-server-1.fabrikam.com fabrikam\ssosvcact

   The SPN must be set on the service account that is running the Enterprise SSO Service. The SPN must be unique and cannot appear on any other account, or the Kerberos authentication will fail and passwords will not flow. Additional information on troubleshooting Kerberos can be found at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx.

   To set the SPN, use the SETSPN.EXE utility included in the Windows 2000 Support Tools or Windows 2003 Support Tools on the Windows Server CD.

3. Use the PCNSCFG.EXE utility (installed in \Program Files\Microsoft Password Change Notification) to add a target for the service. The target is defined on one Domain Controller, and Active Directory takes care of replicating the definition to all other Domain Controllers.
PCNSCFG <command> <arguments>

Commands:
  LIST           Lists the current configuration.
  SERVICE        Configures the service settings.
                 /L:nn   Maximum Queue Length. 0 = unlimited. Range 0 - 4294967295.
                 /A:     Maximum Queue Age in seconds. 0 = unlimited. Range 0 - 4294967295.
                 /R:nn   Maximum Notification Retries. 0 = unlimited. Range 0 - 1000.
                 /I:nn   Retry Interval in seconds. Range 10 - 3600.
  ADDTARGET      Adds a new target.
  MODIFYTARGET   Modifies an existing target.
                 /N:name        Unique name of the target.
                 /A:address     FQDN or address of the target server.
                 /S:SPN         Service Principal Name of the target.
                 /P:Protocol    Protocol to use. Currently only 'Kerberos' is supported.
                 /FI:group      Filter inclusion group name to permit passwords to be forwarded.
                 [/FE:group]    Filter exclusion group name to prevent passwords from being forwarded.
                 /F:nn          User name format delivered to the target.
                                1 = USER_NAME_TYPE_1779
                                2 = USER_NAME_TYPE_CANONICAL
                                3 = USER_NAME_TYPE_NT4
                                4 = USER_NAME_TYPE_DISPLAY
                                5 = USER_NAME_TYPE_DOMAIN_SIMPLE
                                6 = USER_NAME_TYPE_ENTERPRISE_SIMPLE
                                7 = USER_NAME_TYPE_GUID
                                9 = USER_NAME_TYPE_USER_PRINCIPAL_NAME
                                10 = USER_NAME_TYPE_CANONICAL_EX
                 /I:nn          Keep-alive Interval in seconds. 0 = Disabled. Range 0 - 3600.
                 /D:True/False  Disables the target.
  SECURETARGET   Sets the security filters for the specified target.
                 /N:name        Unique name of the target.
                 /FI:group      Filter inclusion group name to permit passwords to be forwarded.
                 [/FE:group]    Filter exclusion group name to prevent passwords from being forwarded.
  DELETETARGET   Deletes an existing target.
  ENABLETARGET   Enables an existing target.
  DISABLETARGET  Disables an existing target.
                 /N:name        Unique name of the target.
Example: pcnscfg addtarget /n:sso-server-1 /a:sso-server-1.fabrikam.com /s:ENTSSO/sso-server-1.fabrikam.com /p:Kerberos /fi:"Domain Users" /fe:"Domain Admins" /f:3 /i:0 /d:false

Note: Only user name format 3 (USER_NAME_TYPE_NT4) is supported between PCNS and Enterprise SSO.

4. Optionally use the PCNSCFG.EXE utility to configure the service level options. The service configuration contains timing and size limits for the entire service, instead of a specific target. These include queue length and age, maximum number of retries, and the retry interval. If the service configuration is not defined, then the Microsoft Password Change Notification Service will use the following defaults:

  Maximum Queue Length: Unlimited (disk space limitations apply)
  Maximum Queue Age: 72 hours
  Maximum Notification Retries: Unlimited
  Retry Interval: 60 seconds
9.2 Enterprise SSO Password Synchronization Configurations

Enabling Password Synchronization in the SSO system

1. On the Start menu, click Run.

2. In the Run dialog box, type cmd and then click OK.

3. At the command line, go to the Enterprise Single Sign-on installation directory. (The default installation directory is <drive>:\Program Files\Common Files\Enterprise Single Sign-on.)

4. Password Synchronization global options (only the SSO administrator can perform these operations):

  • ssomanage -enable winsync: This enables Windows Password Synchronization. Password changes can be received from Domain Controllers and forwarded to Password Synchronization Adapters to make changes on the non-Windows system.

  • ssomanage -enable extsync full: This enables Full Password Synchronization from non-Windows systems. Password changes from non-Windows systems can be received through adapters and used to update the SSO Credential Database and the password in Active Directory.

  • ssomanage -enable extsync partial: This enables Partial Password Synchronization. Password changes from non-Windows systems can be received through adapters and used to update the SSO Credential Database.
Disabling Windows Password Synchronization in the SSO system

You can use ssomanage -disable to disable the appropriate Password Synchronization options.

Configuring Replay files

Replay files are temporary files created on the Enterprise SSO Server acting as a Password Synchronization Server that is receiving password changes from a non-Windows system. These files are created only if the server loses the connection to the Credential Database (remote SQL Server). When this happens, password changes received from the non-Windows system are temporarily stored encrypted in a secure location. Once the connection to the Credential Database is back up, the password changes in the Replay files are replayed back into the Credential Database and the file is cleared out and deleted. When it replays the changes into the Credential Database, the server could again lose the connection in the middle of the change. For this reason, a Progress file is created to keep track of the progress made.

This Replay file and Progress file are configured only on the server performing the role of Password Synchronization Server in the Enterprise SSO system. By default, Replay files are disabled. If the administrator has not configured Replay files and the connection to the Credential Database is lost, then password changes made by non-Windows users could be lost. This would result in the non-Windows user having to reinitiate the password change once the system is functioning normally.

To set Replay files, run ssoconfig -replayFiles <replay files directory> [-default]. Default is “%USERPROFILE%\Application Data\ENTSSO” (for the ENTSSO service account).

Setting the Replay file as ssoconfig -replayfiles -default will store the Replay and Progress files under the %USERPROFILE%\Application Data\ENTSSO directory for the Enterprise SSO service account.

Note: In addition, for replay files to be created, the PS Adapter has a flag that must be enabled. This is the Store Notifications (when offline) property that is described in section 9.4.2.

Note: When receiving password changes from the Domain Controller, if the Enterprise SSO Server loses connection to the Credential Database, then Enterprise SSO lets PCNS know about this and the password changes are queued up on the Domain Controller itself. Once the system is functioning normally, password changes will continue to flow. If the same user has made more than one change during this time, only the most recent one will go through.

Aged passwords

If the password change in the Replay files, or the password change received from the Domain Controller, or the password change received from the non-Windows environment exceeds the Password Synchronization age limit, the password is discarded and will not be synchronized. The Password Synchronization age can be configured on the Enterprise SSO server performing the role of Password Synchronization (this can be one or more servers). By default, the Password Synchronization age is set to 72 hrs. To change this, run ssoconfig -syncage <maximum password age - in hours>, and specify the maximum password age.

Note: The PCNS component on the Domain Controller also has this setting and it defaults to 72 hrs as well. If you decide to reduce or increase this password age, it is recommended that you make the same change for Enterprise SSO and for PCNS configurations. This can be achieved by using the pcnscfg.exe utility on the Domain Controller and the ssoconfig.exe utility on the Enterprise SSO Password Synchronization server.
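The target filters described under “Configuring a target using PCNS” together with the aged-password and most-recent-change rules above, worked as an added Python example that is not part of the whitepaper or the product; the target, the users, their groups and the timestamps are constructed sample data.

```python
"""Which PCNS password notifications reach a target, and which are dropped.

Added example, not from the whitepaper or the product. It models three rules
stated in the text: the inclusion filter is required and the exclusion filter
optional (a missing inclusion filter means nothing is queued); a change older
than the synchronization age limit (72 hours by default on both PCNS and
Enterprise SSO) is discarded; and when a user changed the password more than
once while changes were queued, only the most recent change goes through.
"""
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

DEFAULT_SYNC_AGE = timedelta(hours=72)   # default on PCNS and on Enterprise SSO


class PasswordChange(NamedTuple):
    user: str            # NT4-style name, the only format supported with ENTSSO
    groups: frozenset    # security groups the account belongs to
    changed_at: datetime


class Target(NamedTuple):
    name: str
    inclusion_filter: Optional[str]   # required
    exclusion_filter: Optional[str]   # optional


def passes_filters(target, change):
    """Inclusion group membership is required; exclusion membership removes the user."""
    if not target.inclusion_filter:
        return False                     # missing or invalid filter: nothing is queued
    if target.inclusion_filter not in change.groups:
        return False
    if target.exclusion_filter and target.exclusion_filter in change.groups:
        return False
    return True


def deliverable_changes(target, changes, now, max_age=DEFAULT_SYNC_AGE):
    """Return the changes that would be forwarded: one per user, newest wins."""
    latest = {}
    for change in changes:
        if not passes_filters(target, change):
            continue
        if now - change.changed_at > max_age:
            continue                     # aged password: discarded, not synchronized
        if change.user not in latest or change.changed_at > latest[change.user].changed_at:
            latest[change.user] = change
    return sorted(latest.values(), key=lambda c: c.user)


# Constructed sample: the target from the pcnscfg example and a few changes.
NOW = datetime(2004, 12, 1, 12, 0)
SSO_TARGET = Target("sso-server-1", "Domain Users", "Domain Admins")
NO_FILTER_TARGET = Target("broken", None, "Domain Admins")
SAMPLE_CHANGES = [
    PasswordChange("FABRIKAM\\alice", frozenset({"Domain Users"}), NOW - timedelta(hours=1)),
    # Domain Admins member: excluded even though Domain Users matches.
    PasswordChange("FABRIKAM\\bob", frozenset({"Domain Users", "Domain Admins"}), NOW - timedelta(hours=1)),
    # Two changes by the same user while queued: only the 2-hour-old one goes through.
    PasswordChange("FABRIKAM\\carol", frozenset({"Domain Users"}), NOW - timedelta(hours=5)),
    PasswordChange("FABRIKAM\\carol", frozenset({"Domain Users"}), NOW - timedelta(hours=2)),
    # Older than 72 hours: discarded as aged.
    PasswordChange("FABRIKAM\\dave", frozenset({"Domain Users"}), NOW - timedelta(hours=80)),
    # Machine account, not in the inclusion group.
    PasswordChange("FABRIKAM\\SRV01$", frozenset({"Domain Computers"}), NOW - timedelta(hours=1)),
]


def deliverable_users(target, changes, now=NOW):
    return [c.user for c in deliverable_changes(target, changes, now)]


if __name__ == "__main__":
    for c in deliverable_changes(SSO_TARGET, SAMPLE_CHANGES, NOW):
        print(c.user, c.changed_at)
```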
9.3 Password Synchronization Adapters

Only an SSO Administrator can create Password Synchronization Adapters in the SSO system. Most of the administrative operations for Password Synchronization can be performed only by SSO Administrators. When an SSO Administrator creates Password Synchronization Adapters, there are two security accounts that the administrator needs to specify. These are domain group accounts:

1. appUserAccount: The Password Synchronization Adapter runtime account must belong to this group to operate with SSO services to send and receive password changes.

2. appAdminAccount: Members of this group can administer this Password Synchronization Adapter. If the SSO Administrator does not want to specify another group, they can specify the SSO Administrator group account itself as the appAdminAccount.

To create a Password Synchronization Adapter

1. In the Run dialog box, type cmd and then click OK.

2. At the command line, go to the Enterprise Single Sign-on installation directory. (The default installation directory is <drive>:\Program Files\Common Files\Enterprise Single Sign-on.)

3. Type ssops -create <adapter main XML file>.

To Add an Affiliate Application to a Password Synchronization Adapter

This will associate Affiliate Applications and their corresponding mappings to the Password Synchronization Adapter.

1. In the Run dialog box, type cmd and then click OK.

2. At the command line, go to the Enterprise Single Sign-on installation directory.

3. Type ssops -addapp <application name> <adapter name>
To Enable a Password Synchronization Adapter

1. In the Run dialog box, type cmd and then click OK.

2. At the command line, go to the Enterprise Single Sign-on installation directory.

3. Type ssops -enable <adapter name>

To create a Group Adapter for Password Synchronization

Group adapters are optional. This is only required when more than one Password Synchronization Adapter needs to be initialized at the same time. More details are available in section 9.3.5.

1. In the Run dialog box, type cmd and then click OK.

2. At the command line, go to the Enterprise Single Sign-on installation directory.

3. Type ssops -create <Group adapter XML file> (See a sample for this below.)

To add an individual Password Synchronization Adapter to the Group Adapter

1. In the Run dialog box, type cmd and then click OK.

2. At the command line, go to the Enterprise Single Sign-on installation directory.

3. Type ssops -addToGroup <adapter name> <group adapter name>

Summary of All Password Synchronization Administration Options - ssops commands

Password Synchronization functions:

  -list            : list existing adapters
  -display         : display adapter information
  -create          : create new adapter(s)
  -setProps        : set properties for adapter
  -update          : update existing adapter(s)
  -delete          : delete an existing adapter
  -enable          : enable adapter
  -disable         : disable adapter
  -addApp          : add application for adapter
  -deleteApp       : delete application for adapter
  -reset           : reset notification or damping queues
  -addToGroup      : add adapter to adapter group
  -deleteFromGroup : delete adapter from adapter group
Affiliate Applications and Password Synchronization Adapters

Affiliate Applications and Password Synchronization Adapters (PS Adapters) need to be associated for Password Synchronization to work. Affiliate Applications contain the mappings for the end users for whom Password Synchronization is done.

Rules

1) More than one Affiliate Application can be associated with the same Password Synchronization Adapter.

2) You cannot associate the same Affiliate Application with more than one Password Synchronization Adapter.

3) Only Partial Synchronization (non-Windows to Windows) can be done for Windows Initiated Group type Affiliate Applications.

4) Mapping Conflicts: Only one credential field in the Affiliate Application can be synchronized. For example, an application can contain userid, password1 and password2 as their three fields. If there are more than two fields, then the administrator must specify which one should be synchronized when doing Password Synchronization. If there are two fields, then userid is always the first field, the second field is password, and the administrator does not have to specify a special flag.

Sample Affiliate Application XML with sync flag enabled for one field

  <application name="TwoOneSync">
    <description>app with two fields, one with sync</description>
    <contact>admin@fabrikam.com</contact>
    <userGroup>fabrikam\usergrp1</userGroup>
    <appAdminGroup>fabrikam\admingrp</appAdminGroup>
    <field ordinal="0" label="User Id" masked="no"/>
    <field ordinal="1" label="Password1" masked="yes"/>
    <field ordinal="2" label="Password2" masked="yes" sync="yes"/>
    <flags allowTickets="yes" validateTickets="no"/>
  </application>

5) By default, Password Synchronization will not be done if there is a mapping conflict for user accounts across Affiliate Applications. This applies to both Windows to non-Windows Password Synchronization and non-Windows to Windows Full Synchronization. This does not apply to non-Windows to Windows Partial Synchronization.

Example: Assume that there is a Password Synchronization Adapter PS1 that is associated with two Affiliate Applications: AAPP1 and AAPP2. These applications contain the following mappings:

Mapping table

  FABRIKAM\winuser1   AAPP1   extuser1
  FABRIKAM\winuser2   AAPP2   extuser1

When extuser1's password is changed on the non-Windows system, it is captured and sent to Enterprise SSO through Password Synchronization Adapter PS1 to change the Windows password for both FABRIKAM\winuser1 and FABRIKAM\winuser2. By default, Password Synchronization is not done in such a case for the Windows users. Only the password in the SSO Credential Database will be updated. The same applies in the other direction.

Mapping table

  FABRIKAM\winuser1   AAPP1   extuser1
  FABRIKAM\winuser1   AAPP2   extuser2

When Windows user FABRIKAM\winuser1 changes the password, the password can be changed for both extuser1 and extuser2 through the Password Synchronization Adapter PS1. By default though, Password Synchronization is not done in such a case for the external users and the password change received is discarded.

However, for both these cases, Password Synchronization will be done if the “AllowMappingConflicts” flag is set to Yes in the Password Synchronization Adapter properties.
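The mapping-conflict rule above, worked as an added Python example that is not part of the whitepaper: the two mapping tables from the text are embedded as constructed data, and the functions return what a password change would update under the default and with allowMappingConflicts set to Yes.

```python
"""Mapping-conflict check for Enterprise SSO Password Synchronization.

Added example, not from the whitepaper. It applies the rule in the text:
when several Affiliate Applications share one PS Adapter and one identity
maps to more than one identity on the other side, the default is to skip
the synchronization unless allowMappingConflicts is set to Yes.
"""
from collections import defaultdict
from typing import NamedTuple


class Mapping(NamedTuple):
    windows_user: str    # e.g. FABRIKAM\winuser1
    affiliate_app: str   # Affiliate Application holding the mapping
    external_user: str   # user id on the non-Windows system


# Constructed data: the two mapping tables from the text (adapter PS1,
# applications AAPP1 and AAPP2).
TABLE_ONE_EXTERNAL_TO_TWO_WINDOWS = [
    Mapping("FABRIKAM\\winuser1", "AAPP1", "extuser1"),
    Mapping("FABRIKAM\\winuser2", "AAPP2", "extuser1"),
]
TABLE_ONE_WINDOWS_TO_TWO_EXTERNAL = [
    Mapping("FABRIKAM\\winuser1", "AAPP1", "extuser1"),
    Mapping("FABRIKAM\\winuser1", "AAPP2", "extuser2"),
]


def windows_targets(mappings, external_user):
    """Windows accounts that a non-Windows change for external_user maps to."""
    return sorted({m.windows_user for m in mappings if m.external_user == external_user})


def external_targets(mappings, windows_user):
    """(application, external user) pairs that a Windows change for windows_user maps to."""
    return sorted({(m.affiliate_app, m.external_user)
                   for m in mappings if m.windows_user == windows_user})


def sync_windows_to_external(mappings, windows_user, allow_mapping_conflicts=False):
    """Windows -> non-Windows: the pairs that receive the new password.

    Returns [] when the change is discarded because of a mapping conflict.
    """
    targets = external_targets(mappings, windows_user)
    if len(targets) > 1 and not allow_mapping_conflicts:
        return []
    return targets


def sync_external_to_windows(mappings, external_user, full_sync,
                             allow_mapping_conflicts=False):
    """non-Windows -> Windows: what is updated for a change from external_user.

    'credential_db' lists mappings updated in the SSO Credential Database;
    'windows' lists accounts whose Active Directory password is changed.
    """
    targets = windows_targets(mappings, external_user)
    # Partial Synchronization never touches Active Directory and is not
    # subject to the conflict rule.
    if not full_sync:
        return {"credential_db": targets, "windows": []}
    if len(targets) > 1 and not allow_mapping_conflicts:
        # Full Synchronization with a conflict: only the Credential Database
        # is updated, as the text states.
        return {"credential_db": targets, "windows": []}
    return {"credential_db": targets, "windows": targets}


def find_conflicts(mappings):
    """Identities that hit the default rule, for review before enabling the adapter."""
    by_windows = defaultdict(set)
    by_external = defaultdict(set)
    for m in mappings:
        by_windows[m.windows_user].add((m.affiliate_app, m.external_user))
        by_external[m.external_user].add(m.windows_user)
    return {
        "windows_to_external": sorted(u for u, t in by_windows.items() if len(t) > 1),
        "external_to_windows": sorted(u for u, t in by_external.items() if len(t) > 1),
    }


if __name__ == "__main__":
    print(find_conflicts(TABLE_ONE_EXTERNAL_TO_TWO_WINDOWS))
    print(sync_external_to_windows(TABLE_ONE_EXTERNAL_TO_TWO_WINDOWS, "extuser1", full_sync=True))
    print(sync_windows_to_external(TABLE_ONE_WINDOWS_TO_TWO_EXTERNAL, "FABRIKAM\\winuser1"))
```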
Definition of properties and flags in a Password Synchronization Adapter

name: Name of the adapter recognized by Enterprise SSO Services.

description: Description of the Password Synchronization Adapter.

computer: Name of the computer that the adapter will be installed on. This can also be a cluster name if the adapter is installed on a clustered SSO server. The PS Adapter will operate only on this computer.

appUserAccount: Name of the domain group that contains the service account of the Password Synchronization Adapter.

appAdminAccount: Name of the domain group that can be assigned to administer this adapter. If the SSO Administrator does not want to delegate administration to other users, then specify the SSO Administrators group account for this property.

properties file: Name of the file that contains the property definitions for the Password Synchronization adapters. If a PS Adapter requires Server Name and Port Number as part of its configuration, the properties file should contain this information. See the examples described under the various types of PS Adapters sections for more information.

localize: Some common adapter properties localized strings are available as part of Enterprise SSO. If this is set to Yes, then Enterprise SSO will display the localized strings when running on a non-Windows platform. In the Enterprise SSO version that is available with Host Integration Server 2004 Japanese version, this is applicable and it will display the localized strings. The names of properties for which prelocalized strings are available are:

  "Server Name"
  "Port Number"
  "LU Name"
  "TP Name"
  "Mode Name"
  "Host Name"
  "Port Name"
  "Retry Count"
  "Retry Delay"

syncFromAdapter: Setting this flag to Yes would enable non-Windows to Windows Password Synchronization for this adapter.

verifyOldPassword: Setting this flag to Yes will force Enterprise SSO to verify the old password when it receives a new password change from this Password Synchronization Adapter. This would mean that the Password Synchronization Adapter must provide the old and new password when sending the password change to the SSO Server.

changeWindowsPassword: Setting this flag to Yes means full synchronization is enabled when receiving password changes from a non-Windows system for this Password Synchronization Adapter. This would mean that the mapping in the SSO Credential Database is changed and the user's Windows password in Active Directory is changed as well.

syncToAdapter: Setting this flag to Yes would enable Windows to non-Windows Password Synchronization for this adapter.

sendOldPassword: Setting this flag to Yes would force Enterprise SSO to send the old password along with the new password for this Password Synchronization Adapter to pick up, which will then be sent to the non-Windows system.

allowMappingConflicts: Default setting for this flag is No. In a case where more than 1 Affiliate Application is associated with the same Password Synchronization Adapter, there could be mapping conflicts that cause Password Synchronization not to be done for the users that have a mapping conflict. If this is set to Yes by the administrator, Password Synchronization will be done.

The following sections contain sample XML files for Password Synchronization Adapters.
9.3.1 Bi-Directional Password Synchronization Adapters

Main XML File

  <!-- This file is used with the ssops -create command to create the prototype
  adapter named "PSAdapter01." This adapter receives Windows password changes
  from SSO Services to send them to a non-Windows system. SSO Services receives
  the password changes from the Domain Controller when a Windows user changes
  their password. This adapter also receives password changes from non-Windows
  systems and sends them to SSO Services for synchronizing the SSO Credential
  Database and so that SSO Services can update the Windows user's password in
  Active Directory. -->
  <sso>
    <adapter name="PSAdapter01">
      <description>A Bi-Directional Password Sync Adapter.</description>
      <computer>COMPUTERNAME.DOMAIN.COM</computer>
      <appUserAccount>DomainName\PwdSyncUserGroup</appUserAccount>
      <appAdminAccount>DomainName\PwdSyncAdminGroup</appAdminAccount>
      <properties file="Properties_PSA1.xml" localize="yes"/>
      <flags
        syncFromAdapter="yes"
        verifyOldPassword="no"
        changeWindowsPassword="yes"
        syncToAdapter="yes"
        sendOldPassword="no"
      />
    </adapter>
  </sso>

Properties XML File (Properties_PSA1.xml)

  <!-- comment - for example: Property definitions for PSAdapter01 Version 1.0 -->
  <properties>
    <property ordinal="0" name="Prop0" masked="no" display="Server Name" type="T_BSTR" default=""/>
    <property ordinal="1" name="Prop1" masked="no" display="TCP/IP Port" type="T_UI4" default=""/>
  </properties>
9.3.2 Windows Password Synchronization Only Adapters

Main XML File

  <!-- This file is used with the "ssops -create" command to create the
  Prototype Adapter named "PSAdapter02." This adapter receives password
  changes from SSO Services and sends the password change to a non-Windows
  system. SSO Services receives the Windows user password change from the
  Domain Controller. -->
  <sso>
    <adapter name="PSAdapter02">
      <description>A Password Sync Adapter to send the password change to a non-Windows system.</description>
      <computer>COMPUTERNAME.DOMAIN.COM</computer>
      <appUserAccount>DomainName\PwdSyncUserGroup2</appUserAccount>
      <appAdminAccount>DomainName\PwdSyncAdminGroup2</appAdminAccount>
      <properties file="Properties_PSA2.xml" localize="yes"/>
      <flags
        syncFromAdapter="no"
        verifyOldPassword="no"
        changeWindowsPassword="no"
        syncToAdapter="yes"
        sendOldPassword="no"
      />
    </adapter>
  </sso>
9.3.3 Non-Windows Partial Password Synchronization Only Adapters

Main XML File

  <!-- This file is used with the "ssops -create" command to create the
  Prototype Adapter named "PSAdapter03." This adapter sends the password
  change from a non-Windows system to SSO Services to update the SSO
  mapping in the SSO Credential Database. -->
  <sso>
    <adapter name="PSAdapter03">
      <description>A Partial Synchronization Password Sync Adapter that receives password change from a non-Windows system.</description>
      <computer>COMPUTERNAME.DOMAIN.COM</computer>
      <appUserAccount>DomainName\PwdSyncUserGroup3</appUserAccount>
      <appAdminAccount>DomainName\PwdSyncAdminGroup3</appAdminAccount>
      <properties file="Properties_PSA3.xml" localize="yes"/>
      <flags
        syncFromAdapter="yes"
        verifyOldPassword="no"
        changeWindowsPassword="no"
        syncToAdapter="no"
        sendOldPassword="no"
      />
    </adapter>
  </sso>
9.3.4 Non-Windows Full Password Synchronization Only Adapters

Main XML File

  <!-- This file is used with the "ssops -create" command to create the
  Prototype Adapter named "PSAdapter04." This adapter sends the password
  change from a non-Windows system to SSO Services to update the SSO
  mapping in the SSO Credential Database. This password is also changed in
  Active Directory by SSO Services for the corresponding Windows user. -->
  <sso>
    <adapter name="PSAdapter04">
      <description>A Full Synchronization Password Sync Adapter that receives password changes from non-Windows system.</description>
      <computer>COMPUTERNAME.DOMAIN.COM</computer>
      <appUserAccount>DomainName\PwdSyncUserGroup4</appUserAccount>
      <appAdminAccount>DomainName\PwdSyncAdminGroup4</appAdminAccount>
      <properties file="Properties_PSA4.xml" localize="yes"/>
      <flags
        syncFromAdapter="yes"
        verifyOldPassword="no"
        changeWindowsPassword="yes"
        syncToAdapter="no"
        sendOldPassword="no"
      />
    </adapter>
  </sso>
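As an added Python example (not from the whitepaper or the product), the following reads an adapter definition in the XML shape of the sample files above, names the adapter type the way those samples are titled, lists the ssomanage -enable options that type depends on, and flags combinations that contradict the definitions under “Definition of properties and flags”; the embedded file is constructed in the format of PSAdapter04, and the lint rules are inferred from those flag definitions rather than taken from the product.

```python
"""Classify Enterprise SSO Password Synchronization Adapter definitions.

Added example, not from the whitepaper or the product. It parses the adapter
XML shape shown in the sample files, derives the adapter type from the flags
exactly as the samples do, and lists which ssomanage -enable options the SSO
system needs for that adapter (winsync / extsync partial / extsync full).
The lint rules are inferences from the flag definitions, not product checks.
"""
import xml.etree.ElementTree as ET

FLAG_NAMES = ("syncFromAdapter", "verifyOldPassword", "changeWindowsPassword",
              "syncToAdapter", "sendOldPassword", "groupAdapter")

# Constructed sample in the format of the whitepaper's PSAdapter04 file.
SAMPLE_FULL_SYNC_XML = """<sso>
  <adapter name="PSAdapter04">
    <description>A Full Synchronization Password Sync Adapter.</description>
    <computer>COMPUTERNAME.DOMAIN.COM</computer>
    <appUserAccount>DomainName\\PwdSyncUserGroup4</appUserAccount>
    <appAdminAccount>DomainName\\PwdSyncAdminGroup4</appAdminAccount>
    <properties file="Properties_PSA4.xml" localize="yes"/>
    <flags syncFromAdapter="yes" verifyOldPassword="no"
           changeWindowsPassword="yes" syncToAdapter="no" sendOldPassword="no"/>
  </adapter>
</sso>"""


def _yes(value):
    return (value or "no").strip().lower() == "yes"


def parse_adapter(xml_text):
    """Return name, computer, the two group accounts and boolean flags of one <adapter>."""
    root = ET.fromstring(xml_text)
    adapter = root.find("adapter")
    if adapter is None:
        raise ValueError("no <adapter> element under <sso>")
    flags = adapter.find("flags")
    attrs = flags.attrib if flags is not None else {}
    return {
        "name": adapter.get("name"),
        "computer": (adapter.findtext("computer") or "").strip(),
        "appUserAccount": (adapter.findtext("appUserAccount") or "").strip(),
        "appAdminAccount": (adapter.findtext("appAdminAccount") or "").strip(),
        "flags": {f: _yes(attrs.get(f)) for f in FLAG_NAMES},
    }


def adapter_kind(flags):
    """Name the adapter type the way the sample files are titled."""
    if flags["groupAdapter"]:
        return "group"
    to_adapter, from_adapter = flags["syncToAdapter"], flags["syncFromAdapter"]
    if to_adapter and from_adapter:
        return "bi-directional"
    if to_adapter:
        return "windows-to-non-windows only"
    if from_adapter:
        return "non-windows full" if flags["changeWindowsPassword"] else "non-windows partial"
    return "inactive"


def required_sso_options(flags):
    """ssomanage -enable options the SSO system needs before this adapter can do anything."""
    needed = []
    if flags["syncToAdapter"]:
        needed.append("winsync")
    if flags["syncFromAdapter"]:
        needed.append("extsync full" if flags["changeWindowsPassword"] else "extsync partial")
    return needed


def lint_adapter(adapter):
    """Consistency problems an administrator would want to catch before ssops -create."""
    problems = []
    f = adapter["flags"]
    if not adapter["appUserAccount"] or not adapter["appAdminAccount"]:
        problems.append("appUserAccount and appAdminAccount domain groups are both required")
    # The three direction-specific flags only matter for the direction they belong to.
    if f["changeWindowsPassword"] and not f["syncFromAdapter"]:
        problems.append("changeWindowsPassword=yes has no effect unless syncFromAdapter=yes")
    if f["verifyOldPassword"] and not f["syncFromAdapter"]:
        problems.append("verifyOldPassword=yes has no effect unless syncFromAdapter=yes")
    if f["sendOld"
        "Password"] and not f["syncToAdapter"]:
        problems.append("sendOldPassword=yes has no effect unless syncToAdapter=yes")
    return problems


if __name__ == "__main__":
    a = parse_adapter(SAMPLE_FULL_SYNC_XML)
    print(a["name"], adapter_kind(a["flags"]), required_sso_options(a["flags"]), lint_adapter(a))
```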
9.3.5 Group Password Synchronization Adapters

Group Password Synchronization Adapters can be created to associate multiple Password Synchronization Adapters with the same Group adapter. This allows the Group adapter to interact with SSO to initialize all Password Synchronization Adapters that are related. For example, a third party might have one Group adapter and multiple individual adapters. Group adapters are used primarily for runtime initialization of individual Password Synchronization Adapters.

Sample XML to create a group adapter:

  <!-- This file is used with the ssops -create command to create the prototype
  group adapter named "PSGroupAdapter01." Group Adapters are used to allow
  initialization of multiple Password Synchronization Adapters at the same time.
  You can associate individual Password Synchronization Adapters with a Group
  Adapter using the ssops -addToGroup command. -->
  <sso>
    <adapter name="PSGroupAdapter01">
      <description>A Group Password Synchronization Adapter.</description>
      <computer>COMPUTERNAME.DOMAIN.COM</computer>
      <appUserAccount>DomainName\PwdSyncUserGroup</appUserAccount>
      <appAdminAccount>DomainName\PwdSyncAdminGroup</appAdminAccount>
      <properties file="Properties_GroupAdapter1.xml" localize="yes"/>
      <flags groupAdapter="yes" />
    </adapter>
  </sso>

Like individual Password Synchronization Adapters, Group Adapters can have properties associated with them as well.
9.4 Proginet Password Synchronization Adapter Configuration

Once Enterprise SSO configuration is completed for Password Synchronization, the actual Password Synchronization Adapters need to be installed and configured. These adapters can be obtained from http://eps.proginet.com/. Detailed documentation is available with the adapters that explains how to set up the adapters on the Windows and Host systems. Adapters are available for IBM RACF, CA ACF/2, CA Top Secret, and the IBM OS/400 Security system.

This section gives an overview of the components and the configuration of the Windows component of the adapter.

These adapters have two components:

1. Windows component: The component that is integrated with the Enterprise SSO Password Synchronization Interface. This runs on the Enterprise SSO Server performing the role of Password Synchronization Server. This component is referred to as ePS controller. This is a Windows service registered in the Service Controller Manager and is responsible for:

  a. Receiving password changes from the Enterprise SSO and sending them to its counterpart component on the Host system.

  b. Sending password changes to the Enterprise SSO system that it receives from the Password Synchronization Adapter running on the Host system.

2. Host Component: This is the counterpart component that needs to be installed and configured on the appropriate Host system (IBM mainframe or OS/400). This component is responsible for:

  a. Capturing password changes made on the Host system and sending them to its counterpart Windows component.

  b. Receiving password changes from the ePS controller on Windows and making the password change in the security database on the Host system.

9.4.1 Installing and Configuring the ePS Controller

Launch the epsController.exe setup package to install the ePS Controller (Windows component of the Password Synchronization Adapter) on the Enterprise SSO Password Synchronization Server. After you accept the appropriate license agreement and specify the location where the adapter needs to be installed, the following configuration needs to be done.

1) TCP/IP or SNA connectivity to the Host System

In the case of TCP/IP, specify the Port Number (default is 47474) to be used. If SNA connectivity is used, then the ePS Controller uses Host Integration Server to connect to the Host system. In the case of SNA, specify the LU Name to be used.

2) Specify the adapter name

This is the name that this adapter will be known as in the Enterprise SSO system. This name should be listed when you run ssops -list. This can be a group Password Synchronization Adapter as well.

3) Specify the service account

Specify the service account for the ePS Controller to run under. This is the account that the adapter will use to communicate with ENTSSO. This service account must belong to the appUserAccount specified for this Password Synchronization Adapter when it was created in Enterprise SSO.
Example:

Described here is an example to configure a Password Synchronization Adapter on sso-server1.fabrikam.com to an IBM mainframe system (Host1) with IBM RACF running on it.

1) On sso-server1, create the adapter using the following XML files.

Main XML file (Prog_ADRACF.xml)

  <sso>
    <adapter name="Prog_ADRACF">
      <description>A Bi-Directional Password Sync Adapter.</description>
      <computer>sso-server1.fabrikam.com</computer>
      <appUserAccount>fabrikam\PSAUSER1</appUserAccount>
      <appAdminAccount>fabrikam\SSOAdministrators</appAdminAccount>
      <properties file="Properties_PSA1.xml" localize="yes"/>
      <flags
        syncFromAdapter="no"
        verifyOldPassword="no"
        changeWindowsPassword="yes"
        syncToAdapter="yes"
        sendOldPassword="no"
      />
    </adapter>
  </sso>

Properties File (Properties_PSA1.xml)

  <properties>
    <property ordinal="0" name="IPADDRESS" masked="no" display="Server Name" type="T_BSTR" default="Host1"/>
    <property ordinal="1" name="PORTNUMBER" masked="no" display="TCP/IP Port" type="T_I4" default="47474"/>
  </properties>

To create the adapter, run ssops -create Prog_ADRACF.xml

2) Enable the adapter. Run ssops -enable Prog_ADRACF

3) Add the Affiliate Application to the adapter. This is the Affiliate Application (for example, AffAppforMainframe1) being used for Single Sign-on scenarios that contains the mappings for which Password Synchronization needs to be done. Run ssops -addapp AffAppforMainframe1 Prog_ADRACF

Note: In addition to the PS Adapter, the Affiliate Application must be enabled and the mappings must then be enabled for Password Synchronization to take place.

4) Install the Proginet ePS Controller on sso-server1.fabrikam.com and specify the following:

  a) Adapter name as Prog_ADRACF

  b) Service account for ePS.exe (Windows service) as fabrikam\progsvc. This account must be a member of fabrikam\PSAUser1. This is required for the service to communicate with Enterprise SSO.
9.4.2 Other Password Synchronization Adapter Configuration Properties

To change the server name or IP address, or any other properties of the adapter once it is configured, you can run ssops -setprops Prog_ADRACF. When the adapter is created in the SSO system, the following properties are set by default:

  * Notification Retry Count : 1
  * Notification Retry Delay (in minutes) : 5
  * Maximum Pending Notifications : 8
  * Store Notifications (when offline) : True

* indicates these are SSO System properties for the Password Synchronization Adapter and not properties that come from the PS Adapter itself.

These can be modified using ssops -setprops <adapter name> as well. The retry count and the retry delay values are reversed by default (which is a known issue). That can be easily changed by running ssops -setprops <adapter name> from the command line.

Retry Count for adapter

If the adapter fails to indicate to Enterprise SSO that it completed processing the password change, Enterprise SSO will retry the password change at the configured Notification Retry Count and Notification Retry Delay (in minutes) for the Password Synchronization Adapter.

Maximum Pending Notifications

Each adapter has a maximum pending notifications value, which is the maximum number of outstanding confirmations that are allowed in either direction (either sending passwords to Enterprise SSO or receiving passwords from Enterprise SSO).

Store Notifications (when offline)

When the SSO system is offline, notifications will continue to be stored for the Password Synchronization Adapter when this option is set to true. This works with the replay files configuration. When the SSO system is offline (such as when a connection to the database is not available), password changes from the Password Synchronization Adapters will be stored in the Replay file specified. If the Replay file is not configured, the password change will be discarded.
9.5 High Availability for Password Synchronization

In addition to clustering the Master Secret Server and the Credential Database (in SQL Server) using MSCS (Microsoft Clustering Services) in Active/Passive mode, the Password Synchronization Server that communicates with Domain Controllers and Password Synchronization Adapters can be clustered using the same process. Details for clustering are explained in section 5.5.

Optionally, for Windows Password Synchronization, you can achieve high availability without clustering the Enterprise SSO server. To achieve this, two Enterprise SSO servers need to be registered as targets for PCS.

However, this option cannot be used for the Enterprise SSO Password Synchronization Server that has the Password Synchronization Adapters installed. To achieve high availability together with Password Synchronization Adapters, it is recommended to cluster that server using MSCS in Active/Passive mode.
9.6 Startup of Password Synchronization module in ENTSSO Service

Even though the Password Synchronization feature of Enterprise SSO is installed, its interfaces do not start up unconditionally.

The ENTSSO service will start operating for Windows initiated password changes from the Domain Controller component (PCS) only if all of the following are true:

• WinSync is enabled.
• One PS Adapter for Windows to non-Windows password synchronization exists.
• Affiliate Applications with mappings are associated with the PS Adapter.
If any of the preceding conditions is not true, a password change sent from PCS to ENTSSO is discarded.

Similarly, the ENTSSO service will start operating for non-Windows initiated password changes from PS Adapters only if all of the following are true:

• ExtSync is enabled for Partial or Full Synchronization.
• One PS Adapter for non-Windows to Windows Password Synchronization exists.
• Affiliate Applications with mappings are associated with the PS Adapter.

If any of the preceding conditions is not true, a password change sent from a PS Adapter to ENTSSO is discarded.
10.0 Security

Some of the security-related features of Enterprise SSO, and recommendations to improve the overall security of an Enterprise SSO deployment, are described below.

Communication between SSO Server and SQL Server
It is strongly recommended that you enable SSL for all communication between the SSO Credential Database on SQL Server and all SSO Servers (including the Master Secret Server). To use SSL for secure communication with SQL Server, refer to http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT19.asp.

After SSL has been set up for SQL Server, there are two options to enable SSL from the SQL Server client computer (in this case an SSO Server):

1. You can enable SSL for all clients on that computer by using the Client Network Utility of SQL Server. The advantages and disadvantages of doing this are discussed in the MSDN article mentioned previously.

2. You can enable SSL for SSO Server communications only by setting the SSL flag with the ssoconfig.exe command line utility of Enterprise Single Sign-On. From a command prompt in the directory <drive>:\Program Files\Common Files\Enterprise Single Sign-On\, run ssoconfig -setSSL yes to enable it. Setting this flag makes the Enterprise SSO service use SSL in its connection to SQL Server. Note that if SSL is not configured correctly on SQL Server, all SSO operations will fail.
Lock down Windows Accounts used by Enterprise SSO
Use domain groups and domain accounts to improve the overall security of your deployment.

Enterprise SSO security is primarily based on the various roles in the SSO System. SSO Administrator is the highest-privilege role in the SSO System, and this group should be locked down. The Enterprise SSO service account needs to be a member of this group as well. Ensure that no other services use the same service account. Also, the Enterprise SSO service account should not be an administrator account. A domain service account must be created and used only for the Enterprise SSO service.

The SSO Administrators role should be assigned only to trusted individuals in your enterprise.

Other roles, such as SSO Affiliate Administrator, Application Administrator, and Application Users, should be locked down as well. It is highly recommended that these be domain group accounts. Ensure that these group accounts contain only the user accounts that they absolutely need to have. For example, if an end user no longer requires a mapping, then in addition to deleting the user mapping from Enterprise SSO for the Affiliate Application, make sure that the user is also removed from the Application Users group account for that Affiliate Application.
Communication between SSO Servers
All communication between the SSO Servers and the Master Secret Server is through encrypted RPC. Likewise, the communication between SSO administrative or client components and the SSO Server is through encrypted RPC. It is recommended to use Kerberos between the SSO administrative and client components and the SSO Server. To do so, register a Service Principal Name (SPN) for the SSO service account using the setspn utility. You can then specify the SPN from the SSO administrative or client components when accessing the SSO Server.

Password Synchronization
Communication between PCS on Domain Controllers and the SSO Servers assigned as targets uses Kerberos. This ensures mutual authentication between the two components. When receiving password changes from a Domain Controller, the SSO Server also checks that the password change is in fact being sent to it by a Domain Controller.

Password Synchronization Adapter services should be configured to use a different service account from the Enterprise SSO service account. Also, the Password Synchronization Adapter service account should not be used by any other service.

Ensure that the administrators group account and the user group account specified for the Password Synchronization Adapter are locked down and contain only the user accounts that need to be members of these groups. For example, only the Password Synchronization Adapter service account should be a member of the user group account assigned to the Password Synchronization Adapter.

Computer lock down
All computers running Enterprise SSO must be locked down. Only administrators who absolutely require access to these computers should have it. Ideally, only the SSO Administrators should also be the local administrators of these computers. In particular, make sure that the servers holding the SSO Credential Database, the Master Secret Server, and the Enterprise SSO Password Synchronization Servers are locked down by giving access only to the SSO Administrators group account.
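The account recommendations above can be checked mechanically on each SSO server. The script below is an added example written for this article; it is not part of the original paper or of Enterprise SSO. It assumes Windows PowerShell 5.1 (for Get-LocalGroupMember), that the SSO service is registered under its default service name ENTSSO, and that the SSO Administrators group is resolvable as a local group (the wizard's default); it checks direct membership only, so an account that is a member through a nested domain group is reported as a finding for manual review.

```powershell
# Added example (not from the original paper): audit the ENTSSO service account
# against the lock-down recommendations in this section.
# Assumptions: Windows PowerShell 5.1, service name ENTSSO, and an SSO Administrators
# group that Get-LocalGroupMember can enumerate (set $ssoAdminGroup if renamed).
$ssoAdminGroup = 'SSO Administrators'
$findings = @()

$entsso = Get-CimInstance Win32_Service -Filter "Name='ENTSSO'"
if (-not $entsso) { throw 'ENTSSO service is not installed on this computer' }
$svcAccount = $entsso.StartName      # e.g. PROC\ssosvc; 'LocalSystem' for the built-in identity

# 1. The service must run as a dedicated domain account, not a built-in or local one.
if ($svcAccount -match '^(LocalSystem|NT AUTHORITY\\.+|NT SERVICE\\.+|\.\\.+)$') {
    $findings += "ENTSSO runs as '$svcAccount'; use a dedicated domain service account"
}

# 2. No other service on this computer may share the ENTSSO service account.
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -ne 'ENTSSO' -and $_.StartName -eq $svcAccount } |
    ForEach-Object { $findings += "Service '$($_.Name)' also runs as '$svcAccount'" }

# 3. The service account must be an SSO Administrator but must not be a local Administrator.
$ssoAdmins   = @(Get-LocalGroupMember -Group $ssoAdminGroup).Name
$localAdmins = @(Get-LocalGroupMember -Group 'Administrators').Name
if ($ssoAdmins -notcontains $svcAccount) { $findings += "'$svcAccount' is not a direct member of '$ssoAdminGroup'" }
if ($localAdmins -contains $svcAccount)  { $findings += "'$svcAccount' is a member of the local Administrators group" }

# 4. The highest-privilege SSO role should have a short, reviewable membership list.
Write-Output "Members of '$ssoAdminGroup' ($($ssoAdmins.Count)):"
$ssoAdmins | ForEach-Object { Write-Output "  $_" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'No findings: the ENTSSO account follows the recommendations in this section' }
```

Run it from an elevated prompt on every SSO server, including the Master Secret Server and the Password Synchronization Server; the same checks apply to the Password Synchronization Adapter service account if you substitute that service's name for ENTSSO.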
10.1 Secure Deployment

This section provides an overview of a sample secure deployment that can be achieved when using Enterprise SSO.

You could place the SSO Credential Database in a different domain from the processing SSO Servers. The processing SSO Servers, running on BizTalk Server and Host Integration Server computers, then perform lookups across the domain boundary. This setup has two domains, PROC.COM and SQL.COM.

Domain PROC.COM
• PROC Domain Controller
• SSO0 Master Secret Server
• SSO1 Windows Initiated SSO Server
• SSO2 Host Initiated SSO Server
• SSO3 Master Secret Server
• SSO4 Administrator box
• SSO5 Password Synchronization Server that receives Windows password changes and also hosts the Password Synchronization Adapters that receive and send changes from/to non-Windows systems.

Domain SQL.COM
• SQL Domain Controller
• SQL1 SSO database

1. A two-way trust with selective authentication between PROC.COM and SQL.COM must be established. To do so, on the domain controller, run Start > All Programs > Administrative Tools > Active Directory Domains and Trusts and follow the instructions to set up a two-way trust with Selective Authentication to the other domain. This configuration has to be done on a domain controller in each of the PROC.COM and SQL.COM domains.

2. The Allowed to Authenticate permission on SQL1 (in domain SQL.COM) needs to be granted to the ENTSSO service account (a PROC.COM domain user). To do so, in the Active Directory Users and Computers MMC snap-in (with Advanced Features switched on in the View menu), right-click the SQL1 computer account and open its Properties. Click the Security tab, select the ENTSSO service account, and select the Allow check box for the Allowed to Authenticate permission.

3. A new login on the SQL1 server (in SQL.COM) needs to be created for the ENTSSO service account (the PROC.COM domain user).

This way, only the accounts and groups that require access to the other domain are given access. Access for all other PROC.COM accounts is denied in the SQL.COM domain. Only the ENTSSO service account will have access to the database layer.

Refer to the MSDN article on Accessing Resources across Domains for additional information.

When using Enterprise SSO with BizTalk Server 2004, also refer to the Planning a Secure Deployment documentation.
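Step 3 of the procedure above, the SQL login for the cross-domain service account, is the place where least privilege is most often lost (the account is made sysadmin "to get it working"). The following script is an added example for this article, not code from the original paper or from Enterprise SSO. It is run on SQL1 in SQL.COM by a SQL Server administrator; it assumes the service account is PROC\ssosvc, that the SSO database is named SSODB (the default name), and SQL Server 2005 or later for the catalog views (on SQL Server 2000, which this paper targets, the equivalent calls are sp_grantlogin and sp_grantdbaccess). The database-level permissions inside SSODB are granted by the SSO configuration tooling and are not touched here.

```powershell
# Added example (not from the original paper): create the SQL login for the ENTSSO
# service account from the other domain with no server-wide role, map it into the SSO
# database, then list every PROC\ login and any server role it holds so that extra
# cross-domain logins or privilege creep are visible before go-live.
# Assumptions: run on SQL1 as a SQL administrator; account PROC\ssosvc; database SSODB.
$instance   = 'SQL1'
$ssoDb      = 'SSODB'
$svcAccount = 'PROC\ssosvc'

$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$svcAccount')
    CREATE LOGIN [$svcAccount] FROM WINDOWS WITH DEFAULT_DATABASE = [$ssoDb];
USE [$ssoDb];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$svcAccount')
    CREATE USER [$svcAccount] FOR LOGIN [$svcAccount];
-- Audit: every login from PROC.COM and the server roles it holds (expect one login, no roles).
SELECT p.name AS login_name, r.name AS server_role
FROM sys.server_principals p
LEFT JOIN sys.server_role_members m ON m.member_principal_id = p.principal_id
LEFT JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
WHERE p.name LIKE N'PROC\%';
"@

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$instance;Integrated Security=SSPI")
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $tsql
    $table = New-Object System.Data.DataTable
    $table.Load($cmd.ExecuteReader())
}
finally { $conn.Close() }

$table | Format-Table -AutoSize

# Anything other than the single service-account login with a NULL server_role is a finding.
$unexpected = $table | Where-Object {
    $_.login_name -ne $svcAccount -or -not [DBNull]::Value.Equals($_.server_role)
}
if ($unexpected) {
    Write-Warning 'Extra PROC.COM logins or server-role membership found; review before going live'
}
```

Because the trust uses selective authentication, a PROC.COM account that has not been granted Allowed to Authenticate on SQL1 cannot even reach SQL Server to present this login, so the two controls reinforce each other: the trust limits who can authenticate to the computer, and the login list limits who can authenticate to the database engine.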
11.0 Troubleshooting

11.1 General Recommendations

11.1.1 Application Event Log
When a problem is encountered, the first place to check for further information is the Application Event Log. When it encounters an error, Enterprise SSO logs either an Error or a Warning message with further details about the problem. Informational messages are also logged.

The amount of information logged to the event log is controlled by audit levels. There are two audit level settings: the "positive" audit level, which controls audits of operations that succeed, and the "negative" audit level, which controls audits of operations that fail.

For troubleshooting, it is best to turn both audit levels to high (level 3) using

ssoconfig -auditlevel 3 3

ssoconfig.exe and the other command line tools are installed in the default install location:

\Program Files\Common Files\Enterprise Single Sign-On

If your problem is reproducible, set both audit levels to high, clear the event log, wait for 1 minute or restart the Enterprise SSO service (to make sure the Enterprise SSO service picks up the new audit levels), and try the scenario again. Then look in the event log.

Restarting the ENTSSO service is a good way to determine whether the configuration is correct:

1. From the command prompt, run net stop ENTSSO
2. Clear the Application event log from the Event Viewer snap-in. When you clear the log, it is recommended that you save the existing data in the Application event log because it might contain other useful information.
3. From the command prompt, run net start ENTSSO
4. Check the Application event log.

Note that there may be dependent services that are also stopped when Enterprise SSO is stopped.
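The restart-and-capture loop above can be scripted so that the saved log, the audit levels and the dependent services are handled consistently every time. The script below is an added example for this article, not code from the original paper or from Enterprise SSO. It assumes an elevated Windows PowerShell 5.1 prompt on the SSO server, the default install path under Common Files, and that Enterprise SSO writes to the Application log under the event source name ENTSSO.

```powershell
# Added example (not from the original paper): raise both audit levels, restart ENTSSO
# with its dependents, save and clear the Application log, and after the repro pull every
# ENTSSO event in time order.
# Assumptions: elevated Windows PowerShell 5.1, default install path, event source "ENTSSO".
$ssoDir = Join-Path $env:CommonProgramFiles 'Enterprise Single Sign-On'
$backup = Join-Path $env:TEMP ('Application-{0:yyyyMMdd-HHmmss}.evtx' -f (Get-Date))

# Both audit levels to high (3) so that successes and failures are both recorded.
& (Join-Path $ssoDir 'ssoconfig.exe') -auditlevel 3 3

# Stopping ENTSSO also stops anything that depends on it; record those so they can be restarted.
$dependents = @((Get-Service -Name ENTSSO).DependentServices | Where-Object Status -eq 'Running')
if ($dependents.Count -gt 0) { Write-Output ('Also stopping dependent services: ' + ($dependents.Name -join ', ')) }
Stop-Service -Name ENTSSO -Force

# Save the existing Application log before clearing it; it may contain other useful data.
wevtutil export-log Application $backup
Write-Output "Saved Application log to $backup"
Clear-EventLog -LogName Application

# Restart ENTSSO (which picks up the new audit levels) and then its dependents.
Start-Service -Name ENTSSO
$dependents | ForEach-Object { Start-Service -Name $_.Name }

Read-Host 'Reproduce the failing scenario now, then press Enter to read the log'

# Every ENTSSO event since the restart, oldest first, with messages flattened to one line.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ENTSSO' } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } } -Wrap
```

Remember to set the audit levels back down after troubleshooting; at level 3 the positive audit records every successful credential lookup, which is noisy and grows the Application log quickly on a busy SSO server.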
11.1.2 Access Denied response
When "access denied" is returned to a caller by Enterprise SSO, it always logs a message in the Application Event Log. There are also some cases where "access denied" may be returned to the caller before the call reaches Enterprise SSO, in which case there will not be an event log message.
The event log message logged by Enterprise SSO gives the Affiliate Application name if it is available. That name can be used to check the SSO access account names for the Affiliate Application. To do so, run ssomanage -displayapp <application name>

The SSO system access accounts can also be viewed by running ssomanage -displaydb

The SSO service must be running for these commands to succeed.

By default, the SSO Configuration Wizard creates the following local group accounts:

SSO Administrator = "SSO Administrators"
SSO Affiliate Administrator = "SSO Affiliate Administrators"

It is recommended that you change these groups to domain groups. This can be achieved by running ssomanage -updatedb <globalinfo.xml> and passing in the right group names.

In BizTalk Server 2004, SSO Config Store applications are used to securely store properties for send and receive handlers. These SSO Config Store applications are created by the Host Configuration Wizard. For these SSO Config Store applications, the SSO accounts are set as follows:

Application Administrators = "BizTalk Server Administrators"
Application Users = "BizTalk Application Users" or "BizTalk Isolated Host Users"

You can list all the SSO applications, including SSO Config Store applications. To do so, run ssomanage -listapps all
Check the following

BizTalk Server Adapter Redeem Ticket: The service account of the BizTalk Server Adapter that redeems the ticket must belong at a minimum to the Application Administrators group for the Affiliate Application.

Redeem Ticket Validation: There must be a trusted subsystem in the end-to-end process when using BizTalk Adapters with Enterprise SSO. Only trusted Hosts should be used in BizTalk Server when working with Enterprise SSO. When creating a new message in an Orchestration, ensure that the SSOTicket and OriginatorSID context properties are copied over, so that the Send Adapter can redeem the ticket.

IssueTicket in BizTalk Adapter: When an SSO Ticket is being issued, ensure that the BizTalk Server Web Service Adapter or HTTP Adapter is configured to use only Windows Integrated Security, and that it has the privilege to impersonate the end user while making the request to ENTSSO.

Host Integration Server: Ensure that the Host Integration Server component that calls Enterprise SSO to obtain the host credentials is configured to use Windows Integrated Security and has impersonation privileges. For example, the Transaction Integrator .NET application on a Web server should be configured to use Windows Integrated Security. Anonymous access must be disabled.

Password Synchronization Adapter Service Account: Check that the service account for the PS Adapter belongs to the appUserAccount specified for the PS Adapter when it was created in ENTSSO.
11.1.3 Enable MSDTC
Enterprise SSO uses MSDTC for distributed transactions. In multi-computer configurations, ensure that MSDTC is enabled on the SSO Servers, the Master Secret Server, and the SQL Server computer (which holds the SSO Credential Database). To do so, refer to the procedure at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/troubleshooting/htm/ebiz_ops_bas_admin_khfe.asp.
11.1.4 Sample XML references
In Host Integration Server 2004, Enterprise SSO ships various sample XML files located under \Program Files\Common Files\Enterprise Single Sign-On\SDK\Samples\Manage\. Use these as references to create Affiliate Applications, User Mappings, and Password Synchronization Adapters for the different types of Affiliate Applications.

In a BizTalk Server 2004 installation, a subset of these samples is located in the BizTalk Server SDK install directory (<root install>\SDK\samples\SSO\manage).

Global Updates in SSO System
GlobalInfo.xml: Sample for making global updates in Enterprise SSO using ssomanage -updatedb <globalinfo.xml>.

Note: If you change the SSO Administrator account, you must disable the SSO System before performing this operation. Once the change is made, you can enable the SSO System again.

Single Sign-On Affiliate Applications
WISSO_Individual_AffApp.xml: Windows Initiated SSO for creating a one-to-one mapping. This is typically used in Host Integration Server scenarios.

WISSO_Individual_AffApp_WithTickets.xml: Windows Initiated SSO for creating a one-to-one mapping with ticketing enabled. This is typically used in BizTalk Server scenarios.

WISSO_Group_AffApp.xml: Windows Initiated SSO for creating a many-to-one mapping. This is typically used in Host Integration Server scenarios.

WISSO_Group_AffApp_WithTickets.xml: Windows Initiated SSO for creating a many-to-one mapping with ticketing enabled. This is typically used in BizTalk Server scenarios.
HISSO_Individual_AffApp.xml: Host Initiated SSO for creating a one-to-one mapping. This is typically used in Host Integration Server Transaction Integrator HIP scenarios.

HISSO_HostGroup_AffApp.xml: Host Initiated SSO for creating a many-to-one mapping. This is typically used in Host Integration Server Transaction Integrator HIP scenarios.

WISSO_HISSO_Individual_AffApp.xml: Windows Initiated and Host Initiated SSO for creating a one-to-one mapping. This is typically used with Host Integration Server when both scenarios are required in the same Affiliate Application.

Single Sign-On User Mappings
UserMapping.xml: To create multiple mappings for one or more Affiliate Applications for Windows Initiated or Host Initiated scenarios.

UserMapping_HostGroup.xml: To create a many-to-one mapping for Host Initiated SSO.

Config Store Affiliate Application
ConfigStore_AffApp.xml: To create a Configuration Store type Affiliate Application to store and retrieve BizTalk configuration data.

Sample XML for Password Synchronization Adapters
PwdSync_PSA1_Main_BiDirectional.xml: To create a PS Adapter that supports Windows to non-Windows and non-Windows to Windows Password Synchronization. It uses the property file located at PwdSync\Properties_PSA1.xml.

PwdSync_PSA2_Main_WindowstoNonWindows_FullSync.xml: To create a PS Adapter that supports Windows to non-Windows Password Synchronization. It uses the property file located at PwdSync\Properties_PSA2.xml.

PwdSync_PSA3_Main_NonWindowsPartialSync.xml: To create a PS Adapter that supports non-Windows to Windows partial Password Synchronization. It uses the property file located at PwdSync\Properties_PSA3.xml.

PwdSync_PSA4_Main_NonWindowsFullSync.xml: To create a PS Adapter that supports non-Windows to Windows full Password Synchronization. It uses the property file located at PwdSync\Properties_PSA4.xml.

PwdSync_PSGroupAdapter1.xml: To create a PS Adapter that supports non-Windows to Windows full Password Synchronization. It uses the property file located at PwdSync\Properties_PSA4.xml.

PwdSync_Properties_GroupAdapter1.xml: To create a group PS Adapter that can be associated with multiple Password Synchronization Adapters.

The following XSD files are also available to validate the XML files:
AffiliateApplication.xsd
UserMapping.xsd
GlobalInfo.xsd
PwdSync\PSAdapter_All.xsd
11.1.5 Generate trace information
In addition, trace information can be generated and sent to Microsoft Product Support Services. To do so, use the trace.cmd utility available in the BizTalk Server 2004 installation. For the Enterprise SSO that ships with Host Integration Server 2004, trace.cmd is available in the installation directory (\Program Files\Common Files\Enterprise Single Sign-On\).

Using trace.cmd requires the Windows Event Tracing tools (tracelog.exe). You can obtain these from the Platform SDK.

Steps
Using the command prompt, go to the \Program Files\Common Files\Enterprise Single Sign-On directory and perform the following steps (ensure that tracelog.exe is in your path):

1. trace -start -high
2. Reproduce the failure scenario
3. trace -stop
4. Send the ESSO.bin generated in the same directory to Microsoft Product Support Services.

To obtain tracelog.exe, follow these steps:

1. To download the Tracelog.exe file, visit the Microsoft Platform SDK download Web site at http://www.microsoft.com/msdownload/platformsdk/sdkupdate/.
2. On the Downloads menu of the Web site, click Install.
3. On the SDK Update Catalog page, select only the Build environment sub-feature under Core SDK.
4. Scroll to the top of the page, and then click Start Installation.
5. Click Continue; the Platform SDK Installation Wizard - Web Page Dialog page will appear.
6. On the Platform SDK Installation Wizard Web Page Dialog page, click Accept to accept the Microsoft End User License Agreement.
7. On the Confirm Installation Selections page, click Continue twice. The Installation Status page will appear.
8. Click Install Now, and then click OK to complete the installation.
9. Locate the Drive:\Platform SDK Installation Folder\bin folder and copy the Tracelog.exe file to the Enterprise SSO install location where trace.cmd is located. In the case of BizTalk Server 2004, this is the root directory of the BizTalk Server install location.
11.2 Known Issues

11.2.1 XP Service Pack 2 issues
Windows XP SP2 tightened the default RPC security on the system, which causes Enterprise SSO to fail. A registry key needs to be set to allow RPC connections over TCP/IP to complete. Refer to http://support.microsoft.com/default.aspx?scid=kb;en-us;841893 for details.

11.2.2 Clustering issues

Incorrect Cluster Name
One common clustering issue is that the correct Cluster Network Name is not being used as the Master Secret Server name. A cluster may in fact have more than one Cluster Network Name. Check that the clustered Enterprise SSO Service is associated with the correct Cluster Network Name and that this Cluster Network Name is the Master Secret Server name recorded in the SSO Credential Database.

MSDTC error during clustering
During clustering of the Enterprise SSO service, if runtime errors appear related to the Distributed Transaction Coordinator (DTC), check whether DTC has been clustered. If DTC is already available as a Cluster Resource, then DTC is detecting an internal inconsistency because it was not configured to run on a cluster, and therefore it is unable to start. To resolve this error condition, configure DTC to run on a cluster with comclust -a on both machines and then restart DTC.