Configure Sharepoint (MOSS) Single Sign-On


So I decided to use SSO for authentication with the BDC, and obviously to learn what SSO was all about. Accept from the start that configuring the SSO service accounts, and the requirements they must meet for use in SSO, is confusing and very specific; check here for the full guide and requirements. Also check out these links for step-by-step guides on configuring SSO.

  1. http://www.thorprojects.com/blog/archive/2008/08/02/moss-single-sign-on-setup-step-by-step.aspx
  2. http://www.sharepointblogs.com/michael/archive/2007/07.aspx
  3. http://www.sharepointblogs.com/llowevad/archive/2007/06/25/sharepoint-2007-single-sign-on-setup.aspx

The first step is to create two domain security groups (SSOADMINS and SSOMANAGERS), with Group Scope set to Global and Group Type set to Security.

Create a domain user account (SSOADMIN) and make it a member of the SSOADMINS group; also make SSOADMIN a member of the local Administrators group on the encryption key server (the SSO service server, see below). Also add any other user accounts that will manage the Sharepoint SSO service settings to the SSOADMINS group.

Add the user accounts that will manage Single Sign-On Enterprise Application Definition settings as members of the SSOMANAGERS group.

Ensure that the SSOADMIN user is a member of the local Administrators group on each WFE server.

Create a login for the SSOADMIN user on the Sharepoint SQL Server machine and assign it to the dbcreator and securityadmin server roles.

After making changes to domain accounts and groups, it is a good idea to log off and back on to (or restart) your MOSS server so that the new group memberships take effect. It may also be worthwhile to log in to your MOSS server as the SSOADMIN user while configuring the SSO server settings. Last time I configured SSO I kept getting the “You do not have sufficient rights to perform this operation” error message, which I solved by logging in as the SSOADMIN user to make those changes.

Configure the Microsoft Single Sign-On Service (in the Services snap-in) to start automatically, using the SSOADMIN user account for its logon details. This must be done on each WFE server and also on the Indexing server.

* Note: Do not start the SSO service on any server yet; the first server on which the SSO service is started becomes the encryption key server.
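The account and service preparation above is easy to get subtly wrong (wrong group scope, a missing local Administrators membership on one WFE, the service accidentally started on the wrong box), and the symptom is usually the vague "insufficient rights" error described later. The following PowerShell script is an added example, not from the original post, that checks each prerequisite before you open Central Admin. It assumes the ActiveDirectory module (RSAT) and the sqlps module (for Invoke-Sqlcmd) are available on the machine you run it from, and the domain, server and SQL instance names are placeholders you must replace.

```powershell
# Added verification script for the SSO account prerequisites (not part of the
# original post). Replace the placeholder names below with your own values.
$domain          = 'CONTOSO'                      # placeholder NetBIOS domain name
$ssoAdminUser    = 'SSOADMIN'
$ssoAdminGroup   = 'SSOADMINS'
$ssoManagerGroup = 'SSOMANAGERS'
$ssoServers      = 'WFE1', 'WFE2', 'INDEX1'       # placeholder WFE and index server names
$sqlInstance     = 'SQL1'                         # placeholder SharePoint SQL Server instance
$ssoServiceName  = 'Microsoft Single Sign-On Service'

Import-Module ActiveDirectory
$findings = @()

# 1. Both groups must exist with Group Scope = Global and Group Type = Security.
foreach ($groupName in $ssoAdminGroup, $ssoManagerGroup) {
    $grp = Get-ADGroup -Identity $groupName -ErrorAction Stop
    if ($grp.GroupScope -ne 'Global' -or $grp.GroupCategory -ne 'Security') {
        $findings += "$groupName is $($grp.GroupScope)/$($grp.GroupCategory); expected Global/Security"
    }
}

# 2. SSOADMIN must be a member of SSOADMINS (nested membership counts).
$adminMembers = Get-ADGroupMember -Identity $ssoAdminGroup -Recursive |
    Select-Object -ExpandProperty SamAccountName
if ($adminMembers -notcontains $ssoAdminUser) {
    $findings += "$ssoAdminUser is not a member of $ssoAdminGroup"
}

# 3. On every WFE and the index server: SSOADMIN in local Administrators, and the
#    SSO service set to Automatic, running as SSOADMIN, but not yet started
#    (the first server to start it becomes the encryption key server).
foreach ($server in $ssoServers) {
    $localAdmins = @(([ADSI]"WinNT://$server/Administrators,group").psbase.Invoke('Members')) |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
    if ($localAdmins -notcontains $ssoAdminUser) {
        $findings += "${server}: $ssoAdminUser is not in the local Administrators group"
    }

    $svc = Get-WmiObject -Class Win32_Service -ComputerName $server `
        -Filter "DisplayName='$ssoServiceName'"
    if (-not $svc) {
        $findings += "${server}: '$ssoServiceName' service not found"
        continue
    }
    if ($svc.StartMode -ne 'Auto') {
        $findings += "${server}: SSO service start mode is $($svc.StartMode); expected Auto"
    }
    if ($svc.StartName -ne "$domain\$ssoAdminUser") {
        $findings += "${server}: SSO service logs on as '$($svc.StartName)'; expected $domain\$ssoAdminUser"
    }
    if ($svc.State -ne 'Stopped') {
        $findings += "${server}: SSO service is already $($svc.State); it should stay stopped until you pick the key server"
    }
}

# 4. SQL Server login must exist and hold the dbcreator and securityadmin server roles.
#    IS_SRVROLEMEMBER returns NULL when the login does not exist at all.
$roleQuery = @"
SELECT IS_SRVROLEMEMBER('dbcreator',     '$domain\$ssoAdminUser') AS dbcreator,
       IS_SRVROLEMEMBER('securityadmin', '$domain\$ssoAdminUser') AS securityadmin
"@
$roles = Invoke-Sqlcmd -ServerInstance $sqlInstance -Query $roleQuery
foreach ($role in 'dbcreator', 'securityadmin') {
    if ($roles.$role -ne 1) {
        $findings += "SQL ${sqlInstance}: $domain\$ssoAdminUser is missing the $role server role (or has no login)"
    }
}

# Report: an empty list means every prerequisite from the post is in place.
if ($findings.Count -eq 0) {
    Write-Host 'All SSO prerequisites look correct.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run the script from an account that can read the domain groups, enumerate local groups on the farm servers and query the SQL instance; each warning maps directly to one of the numbered steps, so you can fix the offending item rather than guessing which permission the "insufficient rights" message is complaining about.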

On the machine you have decided will be the encryption key server, start the SSO service. On this machine, log in to Sharepoint Central Admin.

Add the SSOADMIN user to the farm administrators group.

In Site Settings -> Permissions, add the SSOADMINS and SSOMANAGERS groups and give them Read permissions.

In Operations -> Service Accounts, select the Single Sign-On service and set the credentials to the SSOADMIN user account.

In Operations -> Manage Settings for Single Sign-On, select Manage Server Settings:

Set the Single Sign-On Administrator Account to the SSOADMINS group.

Set the Enterprise Application Definition Administrator Account to the SSOMANAGERS group.

Leave the remaining options as default and click OK.

If you see an error message to the effect that you do not have enough permissions or rights, or that access is denied, check that you have configured the logins on SQL Server and made SSOADMIN a local Administrator; failing that, log in as SSOADMIN while you make these changes.

In Operations -> Manage Settings for Single Sign-On, select Manage Encryption Key:

Click Create Encryption Key. Once this has finished, you will probably want to back the key up.

At this point you are ready to start creating Enterprise Application Definitions and setting credentials for those EADs.

Published by

Phil Harding

SharePoint Consultant, Developer, Father, Husband and Climber.
