Clustered Enterprise Single Sign-On (ENTSSO) Setup
When you want to configure BizTalk Server on multiple NLB (network load balancing) nodes, you will have to install / configure the SSODB (Enterprise Single Sign-On – ENTSSO) service on a clustered SQL Server instance.
For this document, SQL Server runs clustered on a 2 node cluster – SERVERNODE1 and SERVERNODE2.
This document describes a real deployment, with the domain names made generic. For example, I use the domain name, a slash, the domain abbreviation and then the BTS Group name, exactly as BTS ConfigFramework would create the group name when performing a default stand-alone installation (i.e. the domain is HAMILTON, so I created the group HAMILTON/HAM BizTalk Server Administrators). I followed this convention with all of the groups. Below, I simply call the domain DOMAIN, abbreviate it as DOM, and then give the group name.
Finally, you do not need to know how to install SQL Server on a clustered server, but you will need to know the VIRTUALMACHINENAME and VIRTUALINSTANCENAME of the SQL Server we're deploying to.
- If they do not already exist, create two domain level groups for DOM SSO Administrators and DOM SSO Affiliate Administrators.
- Grant our domain DOMAIN\BtsService account the Act as part of the operating system right on each of the cluster nodes (SERVERNODE1 and SERVERNODE2). See the first item under NOTES below.
- Add the DOMAIN\btsservice account to the DOM SSO Administrators group.
- Ensure that the service account has full control access to the cluster.
- To ensure this, start the Cluster Administrator.
- Select the cluster (on the left side, click the cluster – SQLCLUSTERNAME in this case).
- Select File > Properties.
- On the Security tab, grant the DOM/BtsService domain account Full Control access to the cluster.
- Ensure that our cluster has been configured before we install the ENTSSO.
- Cluster resources are usually created by the network administrator(s).
- We had 2 cluster resources created:
- IP Resource (192.168.0.1)
- Name Resource (VIRTUALSSO)
- We created one cluster group, and this group name must match the Name Resource – or our ENTSSO will fail. We created a group called VIRTUALSSO.
- During the creation of the Cluster Group (VIRTUALSSO) we include our Resource Name and IP Resource as dependencies of this new Group.
- We are now ready to run the BTS installation.
- From the primary / active node of the cluster (SERVERNODE1 was primary when we did this).
- Run the Host Integration Server 2004 installation (see the second item under NOTES below).
- Select a custom installation.
- Ensure that ONLY SSO and SSO Enterprise Manager are selected for installation.
Once the installation is complete, execute the ConfigFrameWork to set up our environment.
- Ensure that Yes is selected for "Will this Single Sign-On server (SSO) hold the master secret key?" and click Next.
- For the Windows Accounts, use the DOMAIN\BtsService account created earlier.
- For the Database Configuration, point the setup to VIRTUALMACHINE\VIRTUALINSTANCENAME.
Once this is complete, back up the master secret on the active node.
- Change to the C:\Program Files\Common Files\Enterprise Single Sign-On folder.
- Type ssoconfig -generatesecret followed by the backup file name. We named the file SSOINITDDMMMYY, where DD is the day, MMM is the month (i.e. JAN, FEB, MAR, etc.) and YY is the 2-digit year. Our first file may have been SSOINIT23APR05.BAK.
Now switch to the secondary node (SERVERNODE2) and execute the configframework.exe on this server.
- Ensure that No is selected for "Will this Single Sign-On server (SSO) hold the master secret key?" and click Next.
- For the Windows Accounts, use the DOMAIN\BtsService account created earlier.
- For the Database Configuration, point the setup to VIRTUALMACHINE\VIRTUALINSTANCENAME.
Now switch back to the primary node (SERVERNODE1) and change to the ENTSSO folder (C:\Program Files\Common Files\Enterprise Single Sign-On).
Create (or copy/paste) the following into a text file and save it in this folder (we named the file ssodb.xml).
<sso>
    <globalInfo>
        <secretServer>VIRTUALSSO</secretServer>
    </globalInfo>
</sso>
Once this file is saved, ensure that the ENTSSO service is running. Simply type net start entsso at the command prompt and it will start if it is not already running.
We now must configure ENTSSO to reference our new Secret Server name. To do this, while in this folder, type ssomanage -updatedb followed by the name of the file you just created (ssodb.xml in our case).
If the command is successful, you will receive a response pretty quickly showing the new server name.
You could receive a runtime error regarding MSDTC – but we configured this prior to running this setup so we did not experience the error.
If you experience an error referencing the RPC server, or "no more endpoints available from the endpoint mapper", then something in the Cluster Group configuration set up for this service is invalid or incorrect. If you encounter this, review the Cluster Group configuration and ensure that 1) your Cluster Group name is the same as the Resource Name; 2) if the Cluster Resources / Group are correct, try simply restarting ENTSSO from the Services console (Start > Programs > Administrative Tools > Services > Enterprise Single Sign-On).
The final stage is to configure the service and resource parameters for the cluster.
- Start the Cluster Administrator
- Click on our VIRTUALSSO cluster group
- From the File menu select New > Resource
- In the New Resource dialog enter:
- ENTSSO for the Name of the resource
- Select Generic Service for the resource type
- Click Next
- In the Possible Owners dialog, ensure that our two nodes appear as owners of the resource
- In the Dependencies dialog, select our VIRTUALSSO Name Resource and click Next.
- In the Generic Service Parameters dialog, type entsso for the service name, leave Start Parameters blank, and click (enable) Use Network Name for Computer name, then click Next.
- At the Registry Replication dialog, simply click Finish.
Be sure to bring our Cluster Group (and its resources) online.
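The same resource configuration can be scripted with the cluster.exe command line instead of clicking through Cluster Administrator. This is an added example, not part of the original document: it assumes cluster.exe (the Windows Server 2003-era cluster CLI) is on the PATH, that you run it on an active node as a cluster administrator, and that the cluster, group, node and resource names match the ones used in this document.

```powershell
# Added example: create the ENTSSO Generic Service resource in the VIRTUALSSO
# group with cluster.exe, mirroring the Cluster Administrator steps, then verify.
# Assumed names (adjust to your environment): SQLCLUSTERNAME, VIRTUALSSO,
# SERVERNODE1 and SERVERNODE2.
$cluster  = 'SQLCLUSTERNAME'
$group    = 'VIRTUALSSO'
$nameRes  = 'VIRTUALSSO'          # the Name Resource the service depends on
$resource = 'ENTSSO'
$nodes    = @('SERVERNODE1', 'SERVERNODE2')

function Invoke-Cluster {
    # Runs one cluster.exe command and stops on the first failure, so a
    # half-configured resource is never brought online by accident.
    param([string[]]$CmdArgs)
    & cluster.exe $cluster @CmdArgs
    if ($LASTEXITCODE -ne 0) {
        throw "cluster.exe $($CmdArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. New Resource dialog: name ENTSSO, type Generic Service, in group VIRTUALSSO
Invoke-Cluster @('resource', $resource, '/create', "/group:$group", '/type:Generic Service')

# 2. Possible Owners dialog: both cluster nodes may own the resource
foreach ($node in $nodes) { Invoke-Cluster @('resource', $resource, "/addowner:$node") }

# 3. Dependencies dialog: the service depends on the VIRTUALSSO Name Resource
Invoke-Cluster @('resource', $resource, "/adddep:$nameRes")

# 4. Generic Service Parameters dialog: service name entsso, Start Parameters
#    left unset, and "Use Network Name for computer name" enabled so the
#    service reports VIRTUALSSO as its computer name on whichever node owns it
Invoke-Cluster @('resource', $resource, '/priv', 'ServiceName=entsso')
Invoke-Cluster @('resource', $resource, '/priv', 'UseNetworkName=1')

# 5. Bring the whole group (IP, name and service) online
Invoke-Cluster @('group', $group, '/online')

# Verify what the cluster actually recorded: private properties and state
Invoke-Cluster @('resource', $resource, '/priv')
Invoke-Cluster @('resource', $resource, '/status')
```

If the final status is not Online, check the same two things listed under the RPC / endpoint-mapper error above: the group name must equal the Name Resource, and the ENTSSO resource must depend on that Name Resource.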
Now we’re ready to begin the BizTalk Server deployments.
NOTES
- We created a DOMAIN level account named BtsService (the name is not case-sensitive. I spell it that way to emphasize there are two ‘s’ characters in the name). For each server that this account will need access to, we must grant it the Act as part of the operating system right. To do this (and this must be done on each server / host computer that BizTalk communicates with), follow these steps:
- At the server select Start > Run, type in gpedit.msc and press Enter.
- Expand Computer Configuration > Windows Settings > Security Settings > Local Policies and click on User Rights Assignment.
- On the right side locate Act as part of the operating system and double-click here (or right-click and select Properties).
- Click the Add User or Group option and add AUBURN/BtsService.
- Click OK and OK again, to close out.
- Now close the Group Policy MMC console.
- Host Integration Server installs a newer version of the Enterprise Single Sign-On service, so we use HIS to setup our clustered SSODB and related service. Otherwise the HIS remote servers will fail indicating that the database is an older version and must be upgraded before proceeding. To get around this issue, simply install ENTSSO from the HIS 04 CD.
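Because "Act as part of the operating system" (SeTcbPrivilege) is one of the most powerful rights a Windows account can hold, it is worth verifying on every server that only the BizTalk service account received it in the steps of the first note. The following audit script is an added example, not part of the original document; it assumes PowerShell and an elevated prompt on the server being checked, and that DOMAIN\BtsService is the expected account name.

```powershell
# Added example: export the local User Rights policy with secedit and report
# who holds SeTcbPrivilege ("Act as part of the operating system").
# Assumption: DOMAIN\BtsService is the only account that should hold it.
$expected = @('DOMAIN\BtsService')

function Get-TcbHolders {
    # Returns the accounts listed for SeTcbPrivilege, resolving raw SIDs
    # (which secedit writes with a leading '*') to DOMAIN\name where possible.
    $cfg = Join-Path $env:TEMP 'userrights-audit.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
    # secedit writes the INF as Unicode; the right appears under [Privilege Rights]
    $line = Get-Content -Path $cfg -Encoding Unicode |
        Where-Object { $_ -match '^\s*SeTcbPrivilege\s*=' } | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }            # right is granted to nobody
    $values = ($line -split '=', 2)[1].Split(',')
    foreach ($raw in $values) {
        $entry = $raw.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }                # orphaned SID: report it as-is
        } else {
            $entry
        }
    }
}

$holders = @(Get-TcbHolders)
Write-Host "SeTcbPrivilege on $env:COMPUTERNAME is held by: $($holders -join ', ')"

# The service account must be present (or SSO on this node fails) and nothing
# else should be, since this right allows impersonating any user.
$missing = $expected | Where-Object { $holders -notcontains $_ }
$extra   = $holders  | Where-Object { $expected -notcontains $_ }
if ($missing) { Write-Warning "Not granted the right: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Unexpected holders of this right: $($extra -join ', ')" }
if (-not $missing -and -not $extra) { Write-Host 'SeTcbPrivilege assignment matches expectations.' }
```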