There are seven main activities that we need to do:
- Create the SSO service account -- This is the account that the service will run under.
- Create the SSO groups -- These groups are used to control who has the ability to administer SSO (export the master key) and who has the ability to manage it (add/remove application definitions.)
- Configure the SSO Service - Set SSO to start and get it to use the service account.
- Configure SQL Server - Authorize the SSO service account to SQL server.
- Manage SSO - Setup SSO in MOSS including the groups and the database.
- Manage the encryption key -- Create the encryption key that will be used for protecting the username and password information on the system.
- Manage settings for enterprise application definitions -- Define what initial applications SSO will be setup to manage passwords for.
Create the SSO Service Account
In the following steps I'm going to add the user to the Domain Admins group in order to get the local administrator privileges requirement met. If you are working on a production installation, I'd recommend creating a group for SharePoint Farm Administrators and add that group to the local administrators group of each of the front end web servers -- as well as the index server. If you do this, use your farm administrators group rather Domain Admins in the steps below.
Let's get started.
- From the Start Menu click Administrative Tools-Active Directory Users and Computers
- In the left hand pane on the Users folder right click and select New-User from the menu that appears. If your organization places service accounts in a different organizational unit (OU) you can certainly add this account to that location.
- Enter the First Name (SharePoint SSO), Last Name (Service), and User logon name (SharePointSSOSvc) fields and click the Next button. You can name the account anything you want, however, these values make it clear what the account is used for.
- Enter the a password into the Password and Confirm password fields. Uncheck the User must change password at next logon checkbox. Check the User cannot change password and Password never expires checkboxes. Click the Next button. This sets the account up to be a service account.
- Click the Finish button.
- On the user that was just created, right click and select Properties.
- Click the Member Of tab.
- Click the Add button
- Enter the group name Domain Admins and click Check Names then click OK. As mentioned above, if you're using another group to provide local administrator access to the farm servers, use that group here.
- Click the OK button.
Create the SSO GroupsThere are two important groups for SSO. The first group is the administrative group which includes those users capable of administering SSO. This includes the ability to backup and restore the encryption key -- because of this they can effectively decrypt all user credentials in the SSO database and thus membership to this group should be severely limited. The second group, a managers group, is used to manage the application profiles in the SSO system. This group doesn't directly have access to passwords but could inadvertently delete all of the stored passwords. In the following steps we'll create both groups and add the SSO service account we created above into the administrators group.
- In Active Directory Users and Computers (still open from the last set of steps) from the left pane right-click Users and select New-Group. As before if your organization requires that groups be placed in a different OU, select that OU to create group in.
- Enter the Group Name (SharePoint SSO Administrators) and click the OK button.
- Left click the new group, and then right click the new group and select Properties.
- Click the Members tab.
- Click the Add button.
- Enter SharePointSSOSvc, click the Check Names button, and click the OK button.
- Click the OK button.
- In the left pane, right click Users and select New-Group. As before, if your organization requires a different location, use that location.
- Enter the Group Name (SharePoint SSO Managers) and click the OK button.
- Close Active Directory Users and Computers, we're done with it.
Configure the SSO ServiceBy default the SSO service in SharePoint doesn't start. In this activity we're going to enable the SSO service. On each server in the farm and then once completed we're going to change the account used for SSO in SharePoint Central Administration.
Let's start by setting the service to start automatically and manually starting it.
- On the Start menu click Administrative Tools-Services
- In the Services application in the right hand pane scroll down to the Microsoft Single Sign-on Service, right click and click Properties.
- Change the Startup type from Manual to Automatic.
- Click the Start button.
- Click the OK button.
- Close the Services application. We're done with it.
- Repeat steps 1-5 on each server in the SharePoint farm.
- On the Start menu click Administrative Tools-SharePoint 3.0 Central Administration