This article describes the steps that you must follow to
cluster the Enterprise SSO service on the master secret server in BizTalk
Server 2004.
Before you configure SSO in a cluster environment, we
recommend that you understand how clustering works. For more information, visit
the following Microsoft Web site:
Follow the steps in this article to cluster the Enterprise SSO
service on the master secret server. You must be an SSO administrator to
perform this procedure.
Caution You cannot install the master secret server on a Network Load
Balancing (NLB) cluster.
Cluster the master secret server
- Create the SSO Administrators and SSO Affiliate Administrators groups as Domain groups. A clustered instance of the Enterprise SSO service requires Domain groups; local groups on the cluster nodes cannot be used.
- Create or designate a Domain account. The Enterprise SSO
service on each node will be configured to log on as this Domain account. This
account must have the Log on as a service right on each node in the cluster. This account must also be
granted Full Control access to the cluster. To grant Full Control access to
this account, follow these steps:
- Start the Cluster Administrator. To do this, click
Start, point to Programs, point to
Administrative Tools, and then click Cluster
Administrator.
- Select the cluster.
- On the File menu, click
Properties.
- On the Security tab, grant the Domain
account Full Control access to the cluster.
- Add the account that you are using to log on during the
configuration process to the domain SSO Administrators group.
- Perform a custom installation of BizTalk Server to install
the master secret server on the first node (active) of the cluster. For more
information about how to perform a custom installation of BizTalk Server, see
the BizTalk Server Installation Guide that is located at the following
Microsoft Web site:
Note The master secret server must be clustered on a cluster that is separate from the computer or computers that run BizTalk Server. If you create a clustered instance of the master secret server on the same computer that BizTalk Server runs on, BizTalk Server will not function correctly when the clustered instance of the master secret server is moved to a different node.
- Set the following options in the BizTalk Server
Configuration Wizard:
Dialog box | Do this
---|---
Configuration Questions | Click Yes in the Will this Single Sign-On server (SSO) hold the master secret key? list, and then click Next. For more information, see the following Microsoft Developer Network (MSDN) Web site:
Windows Accounts | Specify the service account credentials for the SSO service that you configured in step 2. Make sure that this account is a member of the Domain SSO Administrators group.
Database Configurations | Specify the location of the SQL Server and Credential database (SSODB).
- Back up the master secret on the active node. The backup file is protected by the password that you supply when you create it, and you need both the file and that password to restore the secret on the second node, so store them where only SSO administrators can read them. For more information about how to back up the master secret, see the following MSDN Web site:
- At a command prompt, type net stop
entsso to stop the SSO service.
- Perform a custom installation to install the master secret
server on the second node (passive) of the cluster. Configure the SSO server on
the second node of the cluster by using the BizTalk Configuration Wizard.
Because this is not the initial installation of the master secret server, in
the Configuration Questions dialog box in the BizTalk
Configuration Wizard, click No in the Is this the
master secret server? list. Then, click
Next.
- Create a new cluster group in the Cluster Administrator
that will contain the clustered Enterprise SSO service. Add an IP Address resource and a Network Name resource to this cluster group. For a valid IP address to use for
the new IP Address resource, contact your network administrator. Use a unique
network name for the Network Name resource. For example, name the Network Name
resource SSOCLUSTER.
- At a command prompt, type net start
entsso to ensure that the SSO service is running.
- After you install and configure SSO on both the active and
the passive cluster nodes, change the master secret server name in the
credential database to the cluster name. The cluster name is the Network Name
resource that you have created in the cluster group that will contain the
clustered Enterprise SSO service. For example, the name may be SSOCLUSTER. To
do this, follow these steps:
- Paste the following code in a text editor:
<sso>
<globalInfo>
<secretServer>SSOCLUSTER</secretServer>
</globalInfo>
</sso>
- Save the file as an .xml file. For example, save the file as SSOCLUSTER.xml.
- At a command prompt, change to the Enterprise SSO
installation folder. By default, the installation folder is
Drive:\Program Files\Common Files\Enterprise Single
Sign-On.
- Type ssomanage -updatedb
XMLFile to update the master secret
server name in the database.
Note Replace XMLFile with the name of the .xml file that you saved in the previous sub-step.
- If you receive runtime error messages, ignore them for now. They occur because the Microsoft Distributed Transaction Coordinator (MSDTC) detects an internal inconsistency: MSDTC was not configured to run on a cluster, and therefore it cannot start. To resolve these error messages, configure MSDTC to run on the cluster. To do this, follow these steps:
- On the active cluster node, type comclust
-a at a command prompt.
- In the Services console, right-click
Distributed Transaction Coordinator, and then click
Restart.
- On the inactive cluster node, type comclust
-a at a command prompt.
- In the Services console, right-click
Distributed Transaction Coordinator, and then click
Restart.
Configure the service and resource parameters for the cluster
- Start Cluster Administrator.
- Click the cluster group that you created for the clustered
Enterprise SSO service.
- On the File menu, point to
New, and then click Resource.
- In the New Resource window, follow these
steps:
- In the Name box, type the name of the
SSO resource. For example, ENTSSO.
- In the Resource type list, click
Generic Service.
- Click Next.
- In the Possible Owners dialog box,
include each cluster node as a possible owner of the ENTSSO
resource.
- In the Dependencies dialog box, add a
dependency to the Name resource that you created for this group, and then click
Next.
- In the Generic Service Parameters dialog
box, type entsso for the Service name,
leave Start parameters blank, click to select the Use
Network Name for computer name check box, click Next,
and then click Finish in the Registry
Replication dialog box.
Note If you do not click to select the Use Network Name for computer name check box, SSO client computers will generate an error similar to the following when they try to contact this clustered instance of the Single Sign-On service:
Failed to retrieve master secrets. Verify that the master secret server name is correct and that it is available. Secret Server Name: ENTSSO Error Code: 0x800706D9, There are no more endpoints available from the endpoint mapper.
- After you create the ENTSSO resource, right-click
ENTSSO, and then click Properties.
- In the Cluster Properties dialog box, click the Security tab, and then verify that the Domain account that the clustered Enterprise SSO service runs as (the account from step 2) has Full Control access to the cluster.
Restore the master secret on the second node
- In Cluster Administrator, right-click the cluster group
that includes the master secret server cluster, and then click Move
group. This step moves the master secret server resources from the
first node to the second node.
- At a command prompt, change to the Enterprise SSO
installation folder. By default, the installation folder is
Drive:\Program Files\Common Files\Enterprise Single
Sign-On.
- Type ssoconfig -restoresecret
RestoreFile.
Note Replace RestoreFile with the path of
and the name of the backup file that contains the master secret.
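The command-prompt and Cluster Administrator steps above (updating the master secret server name in SSODB, running comclust, creating the ENTSSO Generic Service resource, and moving the group before restoring the secret) can be scripted. The batch file below is an added example and is not code from this article or from Microsoft; the group name "SSO Group", the Network Name SSOCLUSTER, the resource name ENTSSO, the node names and the backup path are assumed placeholders, while the cluster.exe (Windows Server 2003), ssomanage and ssoconfig switches are the documented ones. Each phase must still be run on the node that the article names for that step.

```batch
@echo off
setlocal
rem sso-cluster.cmd - scripted equivalents of the command-prompt and Cluster
rem Administrator steps in this article. Added example, not Microsoft's code.
rem Assumed placeholders: group "SSO Group", Network Name SSOCLUSTER, resource
rem ENTSSO, the node names and the backup path. The cluster.exe (Windows
rem Server 2003), ssomanage and ssoconfig switches are the documented ones.
rem
rem Run each phase on the node the article names for that step:
rem   sso-cluster.cmd updatedb                 repoint SSODB at the cluster name
rem   sso-cluster.cmd msdtc                    comclust -a on this node
rem   sso-cluster.cmd resource NODE1 NODE2     create the ENTSSO resource
rem   sso-cluster.cmd restore NODE2 D:\Secure\ssobackup.bak   restore on node 2

set "SSOGROUP=SSO Group"
set "SSONAME=SSOCLUSTER"
set "SSORES=ENTSSO"
set "SSODIR=%CommonProgramFiles%\Enterprise Single Sign-On"

if /i "%~1"=="updatedb" goto updatedb
if /i "%~1"=="msdtc"    goto msdtc
if /i "%~1"=="resource" if not "%~3"=="" goto resource
if /i "%~1"=="restore"  if not "%~3"=="" goto restore
echo usage: %~nx0 updatedb ^| msdtc ^| resource NODE1 NODE2 ^| restore NODE BACKUPFILE
exit /b 1

:updatedb
rem Write the XML from the article (angle brackets must be ^-escaped in cmd)
rem and pass it to ssomanage -updatedb from the Enterprise SSO folder.
set "XMLFILE=%TEMP%\SSOCLUSTER.xml"
(
  echo ^<sso^>
  echo   ^<globalInfo^>
  echo     ^<secretServer^>%SSONAME%^</secretServer^>
  echo   ^</globalInfo^>
  echo ^</sso^>
) > "%XMLFILE%"
pushd "%SSODIR%" || exit /b 1
ssomanage -updatedb "%XMLFILE%"
set "RC=%ERRORLEVEL%"
popd
del "%XMLFILE%"
exit /b %RC%

:msdtc
rem Register MSDTC with the cluster on this node, then restart the service
rem (the article's comclust -a followed by Restart in the Services console).
comclust -a
net stop msdtc
net start msdtc
exit /b %ERRORLEVEL%

:resource
rem Generic Service resource for entsso in the SSO group, owned by both nodes,
rem dependent on the Network Name, with "Use Network Name for computer name".
rem Assumes the group, IP Address and Network Name resources already exist.
cluster res "%SSORES%" /create /group:"%SSOGROUP%" /type:"Generic Service"
cluster res "%SSORES%" /priv ServiceName=entsso
cluster res "%SSORES%" /priv UseNetworkName=1
cluster res "%SSORES%" /addowner:%~2
cluster res "%SSORES%" /addowner:%~3
cluster res "%SSORES%" /adddep:"%SSONAME%"
cluster res "%SSORES%" /online
rem Check the property the article's note warns about: without UseNetworkName
rem the service does not answer under the cluster name and clients fail with
rem 0x800706D9 (no more endpoints available from the endpoint mapper).
cluster res "%SSORES%" /priv | findstr /i /r /c:"UseNetworkName.*1" >nul
if errorlevel 1 (
  echo ERROR: UseNetworkName is not set on %SSORES%; SSO clients will not reach %SSONAME%
  exit /b 1
)
cluster group "%SSOGROUP%" /status
exit /b 0

:restore
rem Move the SSO group to the named node, confirm that node owns the group,
rem then restore the master secret there. ssoconfig prompts for the password
rem that was supplied at backup time; it is never passed on the command line.
cluster group "%SSOGROUP%" /moveto:%~2
cluster group "%SSOGROUP%" /status | findstr /i "%~2" >nul || (
  echo ERROR: group "%SSOGROUP%" is not online on %~2
  exit /b 1
)
pushd "%SSODIR%" || exit /b 1
ssoconfig -restoresecret "%~3"
set "RC=%ERRORLEVEL%"
popd
exit /b %RC%
```

The resource phase creates only the Generic Service resource because the article has you create the group, IP Address and Network Name resources earlier; the UseNetworkName check after /online is the scripted form of the note about the 0x800706D9 error. The restore phase refuses to run ssoconfig -restoresecret unless cluster.exe reports the group on the node you named, so the secret is restored on the node that actually owns the clustered service.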