
SharePoint 2007 Single Sign-On Setup

Posted by dwollerman

I went through and ran through setting up SSO for a test environment to see what all the hype was about. I can't believe that the administration accounts are that confusing to set up. Here are the steps that I took to get the SSO configured and the database created.

  1. Create a domain service account (ex: Demo\sa-ssoadmin)
    • DO NOT ADD THE ACCOUNT TO ANY DOMAIN GROUPS YET
  2. OPTIONAL: Create a domain security group with "Group Scope" set to "Global" and "Group Type" set to "Security". Do not select the "Distribution" or "Domain Local" options. (ex: SSO Administrators)
    • Add the Demo\sa-ssoadmin service account
    • OPTIONAL: add other domain accounts for users who will be administering the SSO Application Definition files.
  3. Add the domain security group (SSO Administrators) to the local Administrators group on all SharePoint WFE servers.
  4. Log into the WFE server that is running the "Central Administration" web site.
  5. Start the "Microsoft Single Sign-on Service" in the Windows Services MMC.
    • Set the startup type to "Automatic"
    • Run the service under the domain service account (ex: Demo\sa-ssoadmin)
    • Start the service
  6. If there are additional WFE servers or servers running Excel Services, start the Microsoft SSO service on those servers now. If Business Data Catalog search is used, also start the SSO service on the index server.
    • NOTE: the first server that the service is started on becomes the encryption key server
  7. In SQL Server, make sure that the domain service account (Demo\sa-ssoadmin) running the Microsoft SSO service has the following server roles assigned
    • dbcreator
    • securityadmin
  8. Remote into the "Encryption Key Server" (this should be the first server the SSO service was started on) and fire up SharePoint Central Administration
    • Make sure you are logged into Central Administration with a SharePoint administration account
  9. Navigate to "Central Administration -> Site Settings -> Permissions" and add one of the following with "Read" permissions
    • IF USING A GROUP: the domain security group (SSO Administrators)
    • IF USING A USER: the domain service account used to run the service.
  10. Also add the domain service account used to run the service to the Farm Administrators group
  11. Navigate to "Central Administration -> Operations -> Service Accounts" and double check the "Single Sign-on Service" credentials. If they are not set to the domain account (Demo\sa-ssoadmin), set them here as well.
  12. Navigate to "Central Administration -> Operations -> Manage Single Sign-On -> Manage Server Settings" to set up SSO for SharePoint
    • Single Sign-On Administrator Account: GROUP: Demo\SSO Administrators or USER: Demo\sa-ssoadmin
    • Enterprise Application Definition Administrator Account: GROUP: Demo\SSO Administrators or USER: Demo\sa-ssoadmin
    • Database Server Name (use the netbios\instance naming convention)
    • Database Name
    • Timeout settings (I used the defaults)
    • OK
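The steps above are all done by hand in the Services MMC, the local group editor and SQL Server Management Studio, which makes it easy to miss a server or leave the service account with more than it needs. The script below is an added verification example, not part of the original post, that checks steps 3, 5, 6 and 7 from one admin workstation. It assumes the SSO service's short name is "ssosrv" (confirm with Get-Service on a WFE), a domain called DEMO, the service account DEMO\sa-ssoadmin, the group DEMO\SSO Administrators, the server names WFE01, WFE02 and INDEX01, and the SQL instance SQL01\SP; all of these are placeholders standing in for the post's example values.

```powershell
# Added verification script (not from the original post). All names below are
# assumed placeholders: adjust them to the farm being checked.
$ServiceName    = 'ssosrv'                   # assumed short name of "Microsoft Single Sign-on Service"
$ServiceAccount = 'DEMO\sa-ssoadmin'         # step 1 / step 5 service account
$AdminGroup     = 'DEMO\SSO Administrators'  # step 2 group
$SqlInstance    = 'SQL01\SP'                 # netbios\instance, as in step 12
$Servers        = 'WFE01', 'WFE02', 'INDEX01' # WFEs, Excel Services and index server (steps 5-6)

# Steps 3, 5 and 6: on every server, report the service state, start mode and logon
# account, and whether the SSO admin group sits in the local Administrators group.
$results = Invoke-Command -ComputerName $Servers -ArgumentList $ServiceName, $ServiceAccount, $AdminGroup -ScriptBlock {
    param($svcName, $svcAccount, $group)
    $svc = Get-WmiObject Win32_Service -Filter "Name='$svcName'"
    # "net localgroup" prints one member per line; trim so the -contains test is exact.
    $localAdmins = (net localgroup Administrators 2>$null) | ForEach-Object { $_.Trim() }
    New-Object PSObject -Property @{
        Server            = $env:COMPUTERNAME
        ServiceFound      = [bool]$svc
        State             = $svc.State
        StartMode         = $svc.StartMode
        RunsAs            = $svc.StartName
        AccountOk         = ($svc.StartName -eq $svcAccount)
        GroupIsLocalAdmin = ($localAdmins -contains $group)
    }
}
$results | Select-Object Server, ServiceFound, State, StartMode, RunsAs, AccountOk, GroupIsLocalAdmin |
    Format-Table -AutoSize

# Step 7: list the fixed server roles held by the service account and compare them with
# the two the post calls for. Anything extra is worth a second look.
$query = @"
SELECT r.name AS role_name
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = @login
"@
$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlInstance;Integrated Security=SSPI;"
$cmd  = $conn.CreateCommand()
$cmd.CommandText = $query
[void]$cmd.Parameters.AddWithValue('@login', $ServiceAccount)
$conn.Open()
$reader = $cmd.ExecuteReader()
$roles = @()
while ($reader.Read()) { $roles += $reader['role_name'] }
$reader.Close()
$conn.Close()

$required = 'dbcreator', 'securityadmin'
$missing  = $required | Where-Object { $roles -notcontains $_ }
$extra    = $roles    | Where-Object { $required -notcontains $_ }
"SQL server roles for ${ServiceAccount}: $($roles -join ', ')"
if ($missing) { "MISSING roles: $($missing -join ', ')" }
if ($extra)   { "Roles beyond dbcreator/securityadmin: $($extra -join ', ')" }
```

Run it from an account that can use PowerShell remoting on the farm servers and log into the SQL instance with Windows authentication. A server that shows ServiceFound false or a different RunsAs value is the one step 11 will complain about; a server where the service is already Running before you meant to start it is the one that has become the encryption key server, which is the detail step 6 warns about.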

Once this runs through there should be a database created and one should be able to start configuring the encryption keys and other settings related to SSO for SharePoint. I found a few sites that spell this out, but there was a lot of fluff around it; hopefully I dumbed it down enough to get things rolling. I will be posting more information in the future regarding the configuration of SSO now that the setup has succeeded.