As you learned in a previous blog post, Single Sign-On (SSO) enables SharePoint users to authenticate only once when they access applications through SharePoint sites. In this post I will review the steps necessary to configure SSO in your SharePoint farm. Before we proceed with the configuration, the following conditions must be met:
- Your server must belong to an Active Directory domain.
- Your server must be connected to a domain controller.
- You must use a domain user account (not a group account).
- You must use a SharePoint server farm account.
- You must be a member of the local Administrators group on the encryption-key server (which is the first server where we will start SSOSrv).
- You must be a member of the Security Administrators role and db_creator role on the computer running SQL Server.
- You must belong to the single sign-on administrators group.
Setting Up and Starting the Single Sign-On Service
- Go to the Start menu and select All Programs –> Administrative Tools –> Computer Management.
- Expand Services and Applications.
- Click Services.
- Locate Microsoft Single Sign-On Service and right-click it.
- Select Properties.
- On the General tab of the properties window, click the Startup Type drop down menu and select Automatic.
- On the same tab, under Service status, click the Start button.
- Click OK to close the properties window.
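The prerequisite checks and the service start-up above, as an added PowerShell example that is not part of the original post. It assumes the service name ssosrv (the SSOSrv service named earlier), placeholder server names, and WinRM remoting enabled on the farm servers.

```powershell
# Added example: verify the prerequisites on each farm server, then set the
# Microsoft Single Sign-On Service (ssosrv) to Automatic and start it.
$farmServers = @('SPWEB01', 'SPAPP01')   # placeholder names, replace with your own

$checkAndStart = {
    # The server must be joined to an Active Directory domain.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        throw "$env:COMPUTERNAME is not joined to an Active Directory domain"
    }

    # Configuration must run under a domain user account, not a local account.
    if ($env:USERDOMAIN -eq $env:COMPUTERNAME) {
        throw "Run as a domain user; $env:USERNAME is a local account on $env:COMPUTERNAME"
    }

    # Membership in the local Administrators group is required on the key server.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw "$($identity.Name) is not a member of the local Administrators group"
    }

    # Startup type Automatic (WMI reports it as 'Auto'), then start if needed.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='ssosrv'"
    if ($null -eq $svc) { throw "ssosrv service not found on $env:COMPUTERNAME" }
    if ($svc.StartMode -ne 'Auto') {
        Set-Service -Name 'ssosrv' -StartupType Automatic
    }
    if ($svc.State -ne 'Running') {
        Start-Service -Name 'ssosrv'
    }

    # Report the resulting state for this server.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='ssosrv'"
    New-Object PSObject -Property @{
        Server    = $env:COMPUTERNAME
        StartMode = $svc.StartMode
        State     = $svc.State
    }
}

Invoke-Command -ComputerName $farmServers -ScriptBlock $checkAndStart |
    Format-Table Server, StartMode, State -AutoSize
```

Any server that fails a prerequisite throws an error naming the missing condition instead of starting the service.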
Configuring the Single Sign-On Service
The service must be started on each server in your server farm. Once the service is running, configure the SSO settings in Central Administration.
- Open the Central Administration web application.
- Navigate to the Operations page.
- In the Security Configuration section, click Manage Settings for Single Sign-On.
- On the Manage Server Settings page, click the Manage Server Settings link.
- Enter the Single Sign-On administrator account name using the domain\username format. Note: The group or user specified here must meet all of the following criteria:
- A Windows global group or individual user account – cannot be a domain local group account or a distribution list.
- If a user is specified, the user must be the same account as the SSO service account and the configuration account for SSO.
- If a group is specified, the SSO service account must be a member of that group and the configuration account for SSO must be a member of that group.
- They must be a member of the Farm Administrators group on Central Administration.
- Enter the Enterprise Application Definition Administrator Account. (This user or group must be a member of the SharePoint Readers group on Central Administration.)
- In the Database Settings Section, enter the NetBIOS name of the single sign-on database server.
- Enter the Database Name.
- Enter the Time Out settings. The default value is 2 minutes.
- Enter the Delete Audit Log Records Older than value. The default value is 10.
- Click OK.
Creating an Encryption Key
- Navigate to the Manage Settings for Single Sign-On page.
- In the Server Settings section, click the Manage Encryption Key link.
- Click Create Encryption Key.
- Check the New Encryption Key checkbox.
- Click OK.
Backing Up the Encryption Key
- Navigate to the Manage Settings for Single Sign-On page.
- In the Server Settings section, click the Manage Encryption Key link.
- Navigate to the location where you want to back up the encryption key. This must be a removable storage device.
- Click Back Up.
Restoring the Encryption Key
- Navigate to the Manage Settings for Single Sign-On page.
- In the Server Settings section, click the Manage Encryption Key link.
- Navigate to the location where you placed the backup encryption key. This must be a removable storage device.
- Click Restore.
Note: You should always back up the encryption key when you back up the database. In Part 2 I will explain how to configure account information for an Enterprise Application Definition.