How to cluster the Enterprise Single Sign-On (SSO) service on the master secret server in BizTalk Server 2004 (884178)



The information in this article applies to:

  • Microsoft BizTalk Server 2004 Developer Edition
  • Microsoft BizTalk Server 2004 Enterprise Edition
  • Microsoft BizTalk Server 2004 Partner Edition
  • Microsoft BizTalk Server 2004 Standard Edition

SUMMARY

The Microsoft BizTalk Server 2004 Application service maintains a hard-coded dependency upon the Enterprise Single Sign-On (SSO) service that is installed with BizTalk Server 2004. The Enterprise SSO service must be able to communicate with the master secret server to start. We recommend that you cluster the Enterprise SSO service on the master secret server to provide fault tolerance for the master secret server.

INTRODUCTION

This article describes the steps that you must follow to cluster the Enterprise SSO service on the master secret server in BizTalk Server 2004.

Before you configure SSO in a cluster environment, we recommend that you understand how clustering works. For more information, visit the following Microsoft Web site:

Follow the steps in this article to cluster the Enterprise SSO service on the master secret server. You must be an SSO administrator to perform this procedure.

Caution You cannot install the master secret server on a Network Load Balancing (NLB) cluster.


Cluster the master secret server

  1. Create domain groups named SSO Administrators and SSO Affiliate Administrators. To create a clustered instance of the Enterprise SSO service, both groups must be domain groups, not local groups on a cluster node.
  2. Create or designate a Domain account. The Enterprise SSO service on each node will be configured to log on as this Domain account. This account must have the Log on as a service right on each node in the cluster. This account must also be granted Full Control access to the cluster. To grant Full Control access to this account, follow these steps:
    1. Start the Cluster Administrator. To do this, click Start, point to Programs, point to Administrative Tools, and then click Cluster Administrator.
    2. Select the cluster.
    3. On the File menu, click Properties.
    4. On the Security tab, grant the Domain account Full Control access to the cluster.
  3. Add the account that you are using to log on during the configuration process to the domain SSO Administrators group.
  4. Perform a custom installation of BizTalk Server to install the master secret server on the first node (active) of the cluster. For more information about how to perform a custom installation of BizTalk Server, see the BizTalk Server Installation Guide that is located at the following Microsoft Web site:

    Note The master secret server must be configured on a cluster that is separate from the computer or computers that run BizTalk Server. Do not cluster the master secret server on the same computer or computers that BizTalk Server is running on. If you create a clustered instance of the master secret server on the same computer that BizTalk Server is running on, BizTalk Server will not function correctly when the clustered instance of the master secret server is moved to a different node.
  5. Set the following options in the BizTalk Server Configuration Wizard:
    Dialog box: Configuration Questions
    Do this: Click Yes in the Will this Single Sign-On server (SSO) hold the master secret key? list, and then click Next. For more information, see the following Microsoft Developer Network (MSDN) Web site:

    Dialog box: Windows Accounts
    Do this: Specify the service account credentials for the SSO service that you configured in step 2. Make sure that this account is a member of the domain SSO Administrators group.

    Dialog box: Database Configurations
    Do this: Specify the location of the SQL Server and the Credential database (SSODB).
  6. Back up the master secret on the active node. For more information about how to back up the master secret, see the following MSDN Web site:
  7. At a command prompt, type net stop entsso to stop the SSO service.
  8. Perform a custom installation to install the master secret server on the second node (passive) of the cluster. Configure the SSO server on the second node of the cluster by using the BizTalk Configuration Wizard. Because this is not the initial installation of the master secret server, in the Configuration Questions dialog box in the BizTalk Configuration Wizard, click No in the Is this the master secret server? list. Then, click Next.
  9. Create a new cluster group in the Cluster Administrator that will contain the clustered Enterprise SSO service. Add an IP Address resource and a Network Name resource to this cluster group. For a valid IP address to use for the new IP Address resource, contact your network administrator. Use a unique network name for the Network Name resource. For example, name the Network Name resource SSOCLUSTER.
  10. At a command prompt, type net start entsso to ensure that the SSO service is running.
  11. After you install and configure SSO on both the active and the passive cluster nodes, change the master secret server name in the credential database to the cluster name. The cluster name is the Network Name resource that you have created in the cluster group that will contain the clustered Enterprise SSO service. For example, the name may be SSOCLUSTER. To do this, follow these steps:
    1. Paste the following code in a text editor:
      <sso>
        <globalInfo>
          <secretServer>SSOCLUSTER</secretServer>
        </globalInfo>
      </sso>
    2. Save the file as an .xml file. For example, save the file as SSO CLUSTER.xml.
    3. At a command prompt, change to the Enterprise SSO installation folder. By default, the installation folder is Drive:\Program Files\Common Files\Enterprise Single Sign-On.
    4. Type ssomanage -updatedb XMLFile to update the master secret server name in the database.

      Note Replace XMLFile with the name of the .xml file that you saved in step 2 of this procedure.
  12. If you receive runtime error messages at this point, ignore them for now. They occur because the Microsoft Distributed Transaction Coordinator (MSDTC) was not configured to run on a cluster: MSDTC detects an internal inconsistency and cannot start. To resolve these error messages, configure MSDTC to run on a cluster. To do this, follow these steps:
    1. On the active cluster node, type comclust -a at a command prompt.
    2. In the Services console, right-click Distributed Transaction Coordinator, and then click Restart.
    3. On the inactive cluster node, type comclust -a at a command prompt.
    4. In the Services console, right-click Distributed Transaction Coordinator, and then click Restart.
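The procedure above depends on a handful of constraints that are easy to get wrong and that only surface at failover time: the SSO groups and the service account must be domain principals, the master secret nodes must not also run BizTalk Server, the secretServer value written in step 11 must be the cluster Network Name resource rather than a physical node name, and the master secret must be backed up before the group is moved. The following Python script is an added example (not part of KB 884178 or of BizTalk Server) that checks a planned configuration against those rules and generates the step 11 XML file; every name in it (SSOCLUSTER, SSONODE1, SSONODE2, BTS01, CONTOSO\...) is a constructed placeholder.

```python
"""Pre-flight checks for clustering the master secret server (added example,
not part of KB 884178). It encodes the constraints the procedure states and
writes the ssomanage -updatedb XML for step 11. All names (SSOCLUSTER,
SSONODE1, BTS01, CONTOSO\\...) are constructed placeholders."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Account scopes that denote local rather than domain principals.
LOCAL_SCOPES = {".", "BUILTIN", "NT AUTHORITY"}


@dataclass
class ClusterPlan:
    network_name: str         # Network Name resource of the SSO cluster group
    nodes: List[str]          # physical nodes that will host the master secret server
    biztalk_hosts: List[str]  # computers running BizTalk Server
    sso_admin_group: str      # DOMAIN\SSO Administrators
    sso_affiliate_group: str  # DOMAIN\SSO Affiliate Administrators
    service_account: str      # DOMAIN\account that the entsso service logs on as
    backup_taken: bool        # ssoconfig -backupsecret already run on the active node


def _is_domain_principal(name: str, nodes: List[str]) -> bool:
    """True for DOMAIN\\name; False for local principals (.\\, BUILTIN\\, NODE\\)."""
    if "\\" not in name:
        return False
    scope = name.split("\\", 1)[0].upper()
    return scope not in LOCAL_SCOPES and scope not in {n.upper() for n in nodes}


def check_plan(plan: ClusterPlan) -> List[str]:
    """Return a list of violations; an empty list means the plan is consistent."""
    problems: List[str] = []
    nodes = [n.upper() for n in plan.nodes]
    bts = [b.upper() for b in plan.biztalk_hosts]
    # Step 1: both SSO groups must be domain groups.
    for label, group in (("SSO Administrators", plan.sso_admin_group),
                         ("SSO Affiliate Administrators", plan.sso_affiliate_group)):
        if not _is_domain_principal(group, plan.nodes):
            problems.append(f"{label} group {group!r} is not a domain group")
    # Step 2: the entsso service account must be a domain account.
    if not _is_domain_principal(plan.service_account, plan.nodes):
        problems.append(f"service account {plan.service_account!r} is not a domain account")
    # Step 4 note: master secret nodes must not also run BizTalk Server.
    for shared in sorted(set(nodes) & set(bts)):
        problems.append(f"node {shared} runs BizTalk Server; the master secret server "
                        "must be on a separate cluster")
    # Steps 9 and 11: secretServer must be the cluster network name, not a computer
    # name, and the Network Name resource must be a valid NetBIOS name (<= 15 chars).
    nn = plan.network_name.upper()
    if nn in nodes or nn in bts:
        problems.append(f"network name {plan.network_name!r} collides with a physical computer name")
    if not plan.network_name or len(plan.network_name) > 15 or " " in plan.network_name:
        problems.append(f"network name {plan.network_name!r} is not a valid NetBIOS name")
    # Step 6 must happen before the group is moved and the secret restored.
    if not plan.backup_taken:
        problems.append("master secret has not been backed up (ssoconfig -backupsecret)")
    return problems


def build_updatedb_xml(network_name: str) -> str:
    """Produce the step 11 XML with the cluster network name as secretServer."""
    root = ET.Element("sso")
    ET.SubElement(ET.SubElement(root, "globalInfo"), "secretServer").text = network_name
    return ET.tostring(root, encoding="unicode")


def secret_server_from_xml(xml_text: str) -> str:
    """Read back the secretServer element (the value ssomanage -updatedb will apply)."""
    return ET.fromstring(xml_text).findtext("globalInfo/secretServer")


# Constructed plans: one that follows the article, one that breaks several rules.
GOOD_PLAN = ClusterPlan("SSOCLUSTER", ["SSONODE1", "SSONODE2"], ["BTS01"],
                        "CONTOSO\\SSO Administrators", "CONTOSO\\SSO Affiliate Administrators",
                        "CONTOSO\\svc-entsso", backup_taken=True)
BAD_PLAN = ClusterPlan("SSONODE1", ["SSONODE1", "BTS01"], ["BTS01"],
                       "SSONODE1\\SSO Administrators", "CONTOSO\\SSO Affiliate Administrators",
                       ".\\entsso", backup_taken=False)

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_plan(plan) or "ok")
    print(build_updatedb_xml(GOOD_PLAN.network_name))
```

Run it before starting step 4; a non-empty list from check_plan is a reason to stop, because each item corresponds to a condition the article says will break the clustered master secret server or the BizTalk Servers that depend on it. The XML that build_updatedb_xml writes is the same document shown in step 11, with the cluster network name substituted.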

Configure the service and resource parameters for the cluster

  1. Start Cluster Administrator.
  2. Click the cluster group that you created for the clustered Enterprise SSO service.
  3. On the File menu, point to New, and then click Resource.
  4. In the New Resource window, follow these steps:
    1. In the Name box, type the name of the SSO resource. For example, ENTSSO.
    2. In the Resource type list, click Generic Service.
    3. Click Next.
  5. In the Possible Owners dialog box, include each cluster node as a possible owner of the ENTSSO resource.
  6. In the Dependencies dialog box, add a dependency to the Name resource that you created for this group, and then click Next.
  7. In the Generic Service Parameters dialog box, type entsso in the Service name box, leave Start parameters blank, and click to select the Use Network Name for computer name check box. Click Next, and then click Finish in the Registry Replication dialog box.

    Note If you do not click to select the Use Network Name for computer name check box, SSO client computers will generate an error similar to the following when they try to contact this clustered instance of the Single Sign-On Service:
    Failed to retrieve master secrets. Verify that the master secret server name is correct and that it is available. Secret Server Name: ENTSSO Error Code: 0x800706D9, There are no more endpoints available from the endpoint mapper.
  8. After you create the ENTSSO resource, right-click ENTSSO, and then click Properties.
  9. In the Cluster Properties dialog box, click the Security tab, and then verify that the user under which the cluster resource is running has sufficient user rights to access the cluster.
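The error text quoted in the note under step 7 carries two useful fields: the master secret server name the client resolved and the HRESULT it got back. The following Python helper is an added example (not part of KB 884178 or of BizTalk Server) that extracts both from a message line and reports what to check: a name that does not match the cluster Network Name resource points at the secretServer value from step 11, and error 0x800706D9 (RPC endpoint mapper has no endpoint) points at the Use Network Name for computer name setting of the Generic Service resource. The sample lines are constructed from the quoted message; SSOCLUSTER is the example network name used earlier in the article.

```python
"""Triage helper for the SSO client error quoted in the note under step 7
(added example, not from KB 884178). It parses the message text, pulls out
the master secret server name and error code, and reports what to check.
The sample messages below are constructed from the quoted text."""
import re
from typing import Dict, List, Optional

# Fields embedded in the SSO client error text.
ERROR_RE = re.compile(
    r"Secret Server Name:\s*(?P<server>\S+)\s+Error Code:\s*(?P<code>0x[0-9A-Fa-f]{8})")

# HRESULT 0x800706D9 wraps Win32 error 1753 (EPT_S_NOT_REGISTERED):
# "There are no more endpoints available from the endpoint mapper."
EPT_S_NOT_REGISTERED = 0x800706D9


def triage(message: str, expected_network_name: str) -> Optional[Dict]:
    """Return parsed fields and findings, or None if the line is not this error."""
    m = ERROR_RE.search(message)
    if m is None:
        return None
    server, code = m.group("server"), int(m.group("code"), 16)
    findings: List[str] = []
    # The name the client resolved should be the cluster Network Name resource.
    if server.upper() != expected_network_name.upper():
        findings.append(
            f"client resolved master secret server {server!r}, not the cluster network "
            f"name {expected_network_name!r}; check the secretServer value applied in step 11")
    # No endpoint registered under that name: the service is not answering as the
    # network name, which is what the Use Network Name for computer name option fixes.
    if code == EPT_S_NOT_REGISTERED:
        findings.append(
            "no RPC endpoint registered for ENTSSO under that name; confirm the Generic "
            "Service resource has Use Network Name for computer name selected and is online")
    return {"server": server, "code": code, "findings": findings}


# Constructed sample lines; the first is the message quoted in the article.
SAMPLE_ERRORS = [
    "Failed to retrieve master secrets. Verify that the master secret server name is correct "
    "and that it is available. Secret Server Name: ENTSSO Error Code: 0x800706D9, "
    "There are no more endpoints available from the endpoint mapper.",
    "Failed to retrieve master secrets. Verify that the master secret server name is correct "
    "and that it is available. Secret Server Name: SSOCLUSTER Error Code: 0x800706D9, "
    "There are no more endpoints available from the endpoint mapper.",
    "Failed to retrieve master secrets. Verify that the master secret server name is correct "
    "and that it is available. Secret Server Name: SSOCLUSTER Error Code: 0x80070005, "
    "Access is denied.",
    "The Enterprise Single Sign-On service started successfully.",
]

if __name__ == "__main__":
    for line in SAMPLE_ERRORS:
        print(triage(line, "SSOCLUSTER"))
```

Feed it the lines that SSO clients log and the network name you gave the Network Name resource; a result with an empty findings list means the name and the RPC registration are consistent and the failure lies elsewhere (the third sample, an access-denied code, is reported with no findings for that reason).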

Restore the master secret on the second node

  1. In Cluster Administrator, right-click the cluster group that includes the master secret server cluster, and then click Move group. This step moves the master secret server resources from the first node to the second node.
  2. At a command prompt, change to the Enterprise SSO installation folder. By default, the installation folder is Drive:\Program Files\Common Files\Enterprise Single Sign-On.
  3. Type ssoconfig -restoresecret RestoreFile.

    Note Replace RestoreFile with the path of and the name of the backup file that contains the master secret.

Modification Type: Major
Last Reviewed: 8/9/2006
Keywords: kbHOWTOmaster kbBTSSso kbhowto KB884178 kbAudDeveloper