SharePoint Blogs / SharePoint University
SharePoint Blogs and SharePoint University - all in one place!

SharePoint 2007 Single Sign-On Setup
I ran through setting up SSO in a test environment to see what all the hype was about. I can't believe that the administration accounts are that confusing to set up. Here are the steps that I took to get SSO configured and the database created.
  1. Create a domain service account (ex: Demo\sa-ssoadmin)
    • DO NOT ADD ACCOUNT TO ANY DOMAIN GROUPS YET
  2. OPTIONAL: Create a domain security group with "Group Scope" as "Global" and with "Group Type" as "Security". Do not select "Distribution" or "Local Domain" options. (ex: SSO Administrators)
    • Add in the demo\sa-ssoadmin service account
    • OPTIONAL: add in other domain accounts for users who will be administrating the SSO Application Definition files. 
  3. Add the domain security group (SSO Administrators) to the local administrators group on all SharePoint WFE servers.
  4. Log into the WFE server that is running the "Central Administration" web site.
  5. Start the "Microsoft Single Sign-on Service" in the Windows Services MMC.
    • Set to "Automatic"
    • Run the service under a domain service account (ex: Demo\sa-ssoadmin)
    • Start the service
  6. If there are more WFE servers, plus servers running Excel Services, start the Microsoft SSO service on those servers now. If Business Data Catalog search is used, also start the SSO service on the index server.
    • NOTE: the first server that the service is started on becomes the encryption key server
  7. In SQL, make sure that the domain service account (Demo\sa-ssoadmin) running the Microsoft SSO service has the following roles assigned on SQL Server
    • dbcreator
    • securityadmin 
  8. Remote into the "Encryption Key Server" (this should be the first server on which SSO was started) and fire up SharePoint Central Administration
    • Make sure you are logged into Central Administration with a SharePoint Administration account
  9. Navigate to "Central Administration -> Site Settings -> Permissions" and add one of the following with "Read" permissions
    • IF USING GROUP: domain security group (SSO Administrators)
    • IF USING USER: domain service account used to run the service.
  10. Also add the domain service account used to run the service to the Farm's administrators group
  11. Navigate to "Central Administration -> Operations -> Service Accounts" and double check the "Single Sign-on Service" credentials. If not set to the domain account (demo\sa-ssoadmin) then set it up here as well.
  12. Navigate to "Central Administration -> Operations -> Manage Single Sign-On -> Manage Server Settings" to set up SSO for SharePoint
    • Single Sign-On Administrator Account: GROUP: Demo\SSO Administrators or USER: Demo\sa-ssoadmin
    • Enterprise Application Definition Administrator Account: GROUP: Demo\SSO Administrators or USER: Demo\sa-ssoadmin
    • Database Server Name (use netbios\instance naming convention)
    • Database Name
    • Timeout settings (I used Default)
    • Ok

Once this runs through, there should be a database created, and one should be able to start configuring the encryption keys and other settings related to SSO for SharePoint. I found a few sites that spell this out, but there was a lot of fluff around it; hopefully I dumbed it down enough to get things rolling. Now that the setup has succeeded, I will be posting more information on the configuration of SSO in the future.


Posted 06-25-2007 8:49 AM by dwollerman
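
The preconditions from steps 3, 5 and 7, as an added example that is not part of the original post: a read-only Windows PowerShell check to run on a WFE before opening "Manage Server Settings" in step 12. The account and group names follow the post's examples; `SQLHOST\INSTANCE` is a placeholder, and the script assumes the user running it can log in to that SQL instance.

```powershell
# Added example: read-only preflight check for steps 3, 5 and 7.
# Values below mirror the post's examples; $SqlInstance is a placeholder.
$SvcDisplayName = 'Microsoft Single Sign-on Service'
$SvcAccount     = 'Demo\sa-ssoadmin'
$AdminGroup     = 'Demo\SSO Administrators'
$SqlInstance    = 'SQLHOST\INSTANCE'    # netbios\instance, as in step 12

function Report([string]$Check, [bool]$Ok) {
    New-Object PSObject -Property @{ Check = $Check; Passed = $Ok }
}

# Step 5: service exists, starts automatically, runs as the domain account.
# StartName may be stored in UPN form; adjust $SvcAccount if so.
$svc = Get-WmiObject Win32_Service -Filter "DisplayName='$SvcDisplayName'"
if (-not $svc) {
    Report 'SSO service installed' $false
} else {
    Report 'Service start mode is Automatic' ($svc.StartMode -eq 'Auto')
    Report 'Service is running'              ($svc.State -eq 'Running')
    Report "Service runs as $SvcAccount"     ($svc.StartName -eq $SvcAccount)
}

# Step 3: the SSO group is in the local Administrators group.
# 'Administrators' is the English name; localized systems differ.
$members = net localgroup Administrators | ForEach-Object { $_.Trim() }
Report "$AdminGroup in local Administrators" ($members -contains $AdminGroup)

# Step 7: the service account holds both SQL Server roles.
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlInstance;Integrated Security=SSPI"
try {
    $conn.Open()
    foreach ($role in 'dbcreator', 'securityadmin') {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT IS_SRVROLEMEMBER(@role, @login)'
        [void]$cmd.Parameters.AddWithValue('@role', $role)
        [void]$cmd.Parameters.AddWithValue('@login', $SvcAccount)
        # NULL (login unknown or not visible to the caller) counts as a failure.
        $v = $cmd.ExecuteScalar()
        Report "SQL role $role" ($v -is [int] -and $v -eq 1)
    }
} catch {
    Report "SQL connection to $SqlInstance" $false
} finally {
    $conn.Close()
}
```

Each line of output is one check with a `Passed` flag; nothing on the server or in SQL is modified.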

Comments


Bpk wrote re: SharePoint 2007 Single Sign-On Setup
on 06-27-2007 12:21 AM

Can you be more clear with the explanation? Please give the steps in detail, as we are facing a bit of difficulty trying to make out what to do.

Raghavaa wrote re: SharePoint 2007 Single Sign-On Setup
on 06-27-2007 8:14 AM

Can you please elaborate or explain clearly, because I am unable to understand.

dwollerman wrote re: SharePoint 2007 Single Sign-On Setup
on 06-27-2007 11:43 AM

This is about as clear as I can get. What type of details do you need? I found it very difficult to get this going. Keep in mind this only starts the SSO storage mechanism; you would still need to implement an SSO-based authentication provider for the sites. That I don't have information on yet.

Ifran wrote re: SharePoint 2007 Single Sign-On Setup
on 06-28-2007 2:41 AM

Let's say I have a SharePoint site running "Site A" on Server A and a web site "Site B" hosted by a third-party company in Ohio. Can I implement single sign-on for the two sites?

Ifran wrote re: SharePoint 2007 Single Sign-On Setup
on 06-28-2007 3:14 AM

Addition to the above question.

Site A is a SharePoint site and Site B is an ASP.NET application or ASP web site.

We want SharePoint to be the hosting site for Site B also (I mean same frontend, maybe through a web part or something).

Do I have to rely on SAML, or will the SSO of SharePoint do the job?

dwollerman wrote re: SharePoint 2007 Single Sign-On Setup
on 06-28-2007 7:29 AM

From what I understand about it, if you want to use SSO in a web part, you will have to develop that web part to identify the user and compare them against an SSO store to gather their credentials for the other application you are having them access, then the web part will have to impersonate those new credentials to be able to access that application.

Also, MOSS 2007 EE has an authentication provider called "Web SSO". This provider can be used to allow SharePoint authentication through an SSO store if you already are utilizing one, but I believe Kerberos authentication will need to be used for that web application to allow for the delegation of user credentials. I am not sure of the details on how to set up Web SSO authentication; that was going to be my next step with this posting.

Amit wrote re: SharePoint 2007 Single Sign-On Setup
on 06-29-2007 11:19 AM

I followed your instructions, but an error occurs: "You do no have enough permission". Please guide.

dwollerman wrote re: SharePoint 2007 Single Sign-On Setup
on 06-30-2007 2:28 PM

I will have to look through it again. I was able to get the SSO store connected up using these instructions. I will repost my findings

snehal parkar wrote re: SharePoint 2007 Single Sign-On Setup
on 07-02-2007 5:06 AM

I have set up all the SSO settings and all the encryption key settings and started the service. Now I have provided a link to SharePoint site A on SharePoint site B. When I clicked on the link, it asked me for the pop-up again. Why so? The whole SSO database is configured, so how come it still asks for the pop-up?

dwollerman wrote re: SharePoint 2007 Single Sign-On Setup
on 07-02-2007 8:22 AM

Configuring SSO in SharePoint Central Administration does not automatically set up all of SharePoint for SSO capability. It just creates an SSO store and provides a service to SharePoint.

If you want to have SSO through a web part, you will need to develop a web part that queries the store for the currently logged-in user's application credentials and impersonates those credentials to the other application.

If you want SharePoint to use SSO for an authentication mechanism, then you have to either use the Web SSO authentication provider as part of MOSS EE or create a custom provider for MOSS SE or WSS. Then configure it to use an existing SSO store. Think of SSO the same way you think of Forms based authentication in MOSS.


Michel wrote re: SharePoint 2007 Single Sign-On Setup
on 08-01-2007 3:23 AM

Could you explain step 10 a little more?

I did the steps, but with the last step I click OK and then get a message:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

dwollerman wrote re: SharePoint 2007 Single Sign-On Setup
on 08-01-2007 7:03 AM

Step 10 has you putting the service account the SSO service is running as into the SharePoint Central Administration Farm Administrators group. In this case it would be the Demo\sa-ssoadmin account. You have to run the service as a domain account, running the account as anonymous or logging into central admin as anonymous is not recommended.

Dilip wrote re: SharePoint 2007 Single Sign-On Setup
on 08-07-2007 11:14 AM

I had to add the sa-ssoadmin account as a site collection administrator and I had to log on as the sa-ssoadmin account to the server when setting up the SSO for it to work. I was getting the "You do no have enough permission" error without the two steps above.

Collin wrote re: SharePoint 2007 Single Sign-On Setup
on 08-09-2007 11:22 AM

I had the same issue Dilip had; however, logging into the server as the domain admin account resolved the issue without having to add it as a site collection administrator.

Ifran wrote re: SharePoint 2007 Single Sign-On Setup
on 08-23-2007 4:04 PM

I was able to successfully create the single sign-on account and the database also.

I want to create a link on the page that uses the SSO to sign on. Do I have to create a web part? Please advise.

dwollerman wrote re: SharePoint 2007 Single Sign-On Setup
on 08-23-2007 9:51 PM

If there is a control or a web part that is rendering data from another source, or a web part that is connecting to another system for interactions and integration with SharePoint, there needs to be code written into the control or web part that will tell it to go grab the user's SSO credentials.

MOSS 2007 Enterprise comes with a Web SSO provider so you don't have to use Windows authentication. You can have them log into SharePoint with their SSO credentials, then that session should be able to pass through to the web parts automatically.

chandrika wrote re: SharePoint 2007 Single Sign-On Setup
on 08-27-2007 3:00 AM

How can I access an ASP.NET application from a SharePoint site using the SSO service?

dwollerman wrote re: SharePoint 2007 Single Sign-On Setup
on 08-27-2007 7:29 AM

The short answer... a link.

This is because SSO is not managed by SharePoint. The ASP.NET application you are referencing needs to consume SSO for its credential store. Basically the "cookie" or current logged in user will be used to authenticate against the SSO store to allow the user into the ASP.NET application.

Posts (c) their respective authors. Everything else (c) 2009 SharePoint Experts, Inc.