BizTalk Server 2010: Enterprise SSO Survival Guide


Introduction

Enterprise Single Sign-On (ESSO) is an important component of BizTalk Server. ESSO is responsible for securely storing critical information, such as secure configuration properties for the BizTalk adapters. ESSO is present on each computer where the BizTalk runtime is installed. ENTSSO is typically installed to C:\Program Files\Common Files\Enterprise Single Sign-On. This article provides the necessary information on ESSO and on how to manage and troubleshoot it.

Managing Enterprise Single Sign-On

You can manage the ESSO using two command line tools:
  • SSOManage
  • SSOConfig

These tools can be found in the directory C:\Program Files\Common Files\Enterprise Single Sign-On.

SSOConfig

SSOConfig command-line commands:

 Command  Description
 -setDB  set SQL Server and SSO database names
 -showDB  show the SQL Server and SSO database names
 -createDB  create SSO database
 -upgradeDB  upgrade SSO database
 -generateSecret  generate new SSO master secret
 -backupSecret  backup current SSO master secret
 -restoreSecret  restore SSO master secret
 -auditLevel  set SSO server audit level (see below)
 -setSSL  set SSL encryption
 -replayFiles  set directory for replay files
 -syncAge  set maximum password age (for password sync)
 -remoteLookup  allow remote lookup of credentials
 -discover  discover SSO servers
 -status  display SSO server status
 -allowPS  allow password sync (from PCNS or MIIS)
 -reportFilterErrors  report password filter errors (at runtime)
 -scp  Service Connection Points (SCP)

Audit Level

There are two audit level settings – the “positive” audit level, which controls audits of things that succeed, and the “negative” audit level, which controls audits of things that fail. The possible values for the audit levels are:

  • 0 = off
  • 1 = low
  • 2 = medium
  • 3 = high

Examples:

ssoconfig -auditlevel
Reports the current audit level

ssoconfig -auditlevel 0 3
Does not report successes; reports high/verbose for failures

ssoconfig -auditlevel 1 1
Reports low for both successes and failures

SSOManage

SSOManage command-line commands:

Configuration functions

 Command  Description
 -server  set SSO server name (for current user)
 -serverall  set SSO server name (for all users)
 -showserver  show the SSO server name(s)

Administration functions

 Command Description
 -updatedb  update SSO database
 -enablesso  enable SSO
 -disablesso  disable SSO
 -tickets  control SSO ticket behavior
 -enable  enable SSO features
 -disable  disable SSO features
 -displaydb  display current SSO database settings

Application functions

 Command Description
 -listapps  list existing applications
 -displayapp  display application information
 -createapps  create new applications
 -deleteapp  delete an existing application
 -updateapps  update existing applications
 -enableapp  enable application
 -disableapp  disable application
 -purgecache  purge the credential cache for an application

Mapping functions

 Command  Description
 -listmappings  list mappings for a user
 -createmappings  create mappings for users
 -deletemappings  delete mappings for users
 -enablemapping  enable a single mapping for a user
 -disablemapping  disable a single mapping for a user
 -deletemapping  delete a single mapping for a user
 -setcredentials  set external credentials for a user

Troubleshooting

Two resources can aid you: a document on troubleshooting BizTalk Server 2010 Setup, and the MSDN page Troubleshooting Enterprise Single Sign-On. For troubleshooting it is best to set both audit levels to high: ssoconfig -auditlevel 3 3.

In case your problem is reproducible, set both the audit levels to high, clear the event log, wait for 1 minute or restart the ENTSSO service (to make sure the ENTSSO service picks up the new audit levels), and try the repro scenario. Take a look in the event log after the reproduction of the problem.
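
The reproduction procedure above as a PowerShell script; this is an added example, not part of the original article or of Microsoft's tooling. It waits one minute rather than restarting the service, and it filters events by start time instead of clearing the event log, so existing log entries are preserved. Assumptions: the default install path given in this article, ENTSSO events written to the Application log under the provider name ENTSSO, and hypothetical parameter names and output file name.

```powershell
# Added example: capture ENTSSO audit events for one reproduction run.
# Run from an elevated 64-bit prompt as an SSO administrator.
[CmdletBinding()]
param(
    # Levels to put back afterwards (hypothetical parameter names).
    # Run "ssoconfig -auditlevel" first to read the current values.
    [Parameter(Mandatory = $true)][ValidateRange(0, 3)][int]$RestorePositive,
    [Parameter(Mandatory = $true)][ValidateRange(0, 3)][int]$RestoreNegative,
    [string]$OutFile = '.\entsso-audit-events.csv'   # hypothetical file name
)

# Default install location named in the article.
$ssoconfig = Join-Path $env:CommonProgramFiles 'Enterprise Single Sign-On\ssoconfig.exe'
if (-not (Test-Path $ssoconfig)) { throw "ssoconfig.exe not found at $ssoconfig" }

Write-Host 'Audit level before the change:'
& $ssoconfig -auditlevel

# Positive (successes) = 3, negative (failures) = 3.
& $ssoconfig -auditlevel 3 3
# Assumption: the tool returns a non-zero exit code when it fails.
if ($LASTEXITCODE -ne 0) { throw "ssoconfig -auditlevel 3 3 failed ($LASTEXITCODE)" }

try {
    # Give the ENTSSO service a minute to pick up the new audit levels.
    Start-Sleep -Seconds 60
    $start = Get-Date
    Read-Host 'Reproduce the problem now, then press Enter' | Out-Null

    # Assumption: ENTSSO logs to the Application log as provider 'ENTSSO'.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'ENTSSO'; StartTime = $start
    } -ErrorAction SilentlyContinue)

    if ($events.Count -gt 0) {
        $events | Sort-Object TimeCreated |
            Select-Object TimeCreated, Id, LevelDisplayName, Message |
            Export-Csv -Path $OutFile -NoTypeInformation
    }
    Write-Host "$($events.Count) ENTSSO event(s) since $start; output file: $OutFile"
}
finally {
    # Return to the previous levels even if the run is interrupted.
    & $ssoconfig -auditlevel $RestorePositive $RestoreNegative
}
```

The exported events can contain account and application names, so store the file with the same access restrictions as the event log itself.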

See Also

Read suggested related topics:

Another important place to find a huge amount of BizTalk related articles is the TechNet Wiki itself. The best entry point is BizTalk Server Resources on the TechNet Wiki.
Comments
  • I've been looking for a simple guide like this, Thank you!

  • The Command Line options for these are reversed. Try "SSOManage -showDB", then try "SSOConfig -showDB".

    > SSOManage -?

    > SSOConfig -?

    This was confusing the first several times I found this site, but I only just now verified why I was confused.

  • BizTron, I've reversed the layout. The options should now align with the correct executable. Thanks!

  • Nice guide!
