Microsoft Office SharePoint Portal Server 2003

Creating the Encryption Key

The encryption key is used as part of the encryption process for credentials used with single sign-on. The key is required to decrypt the encrypted credentials stored in the single sign-on database.

The first time you configure single sign-on and enterprise application definitions on the Manage Server Settings for Single Sign-On page, the encryption key is created automatically.

You can regenerate the key if the previous credentials are compromised or if you have a policy to change the key after a certain number of days.

When you create an encryption key, you can choose to re-encrypt the existing credentials with the new key. When you re-encrypt the Microsoft Single Sign-On service (SSOSrv) credential store, events are logged in the Microsoft Windows Server 2003 application event log. Once re-encryption is initiated, you can monitor the application event log to verify that the credential store has been re-encrypted. Event ID 1032 is recorded in the application event log when re-encryption is started. Event ID 1033 is recorded in the application event log when re-encryption has ended. If there are any failures during re-encryption, an event is recorded in the log.

If the job server is restarted or SSOSrv is stopped on the job server during the re-encryption process, you should look in the event log for errors. If the event log reports an error, you must restart the re-encryption process from the Manage Encryption Key page.
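The monitoring described above can be scripted. The following is an added example, not part of the original documentation: run locally on the job server, it reads the Application event log, finds the most recent re-encryption start event (1032), looks for the matching end event (1033), and reports any Error entries logged in between, which is the condition under which the page says re-encryption must be restarted. The `-Source` parameter is an assumption; confirm the actual source name of the SSOSrv events in Event Viewer before filtering on it.

```powershell
# Added example (not SharePoint's own code). Requires Get-EventLog (PowerShell 1.0+).
function Test-SsoReencryption {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # job server; the page says manage the key locally
        [string]$Source = $null,                     # ASSUMED: set to the SSOSrv event source once confirmed
        [int]$StartId = 1032,                        # re-encryption started (from the page)
        [int]$EndId   = 1033,                        # re-encryption ended (from the page)
        [int]$Newest  = 2000                         # how far back to read
    )
    $query = @{ LogName = 'Application'; ComputerName = $ComputerName; Newest = $Newest }
    if ($Source) { $query.Source = $Source }

    # Get-EventLog returns newest first; sort ascending to walk the timeline.
    $events = Get-EventLog @query | Sort-Object TimeGenerated

    $start = $events | Where-Object { $_.EventID -eq $StartId } | Select-Object -Last 1
    if (-not $start) {
        return New-Object PSObject -Property @{ Status = 'NotStarted'; Started = $null; Ended = $null; Errors = @() }
    }

    # Everything from the latest start onward; the end event is the first 1033 after it.
    $after = $events | Where-Object { $_.TimeGenerated -ge $start.TimeGenerated }
    $end   = $after  | Where-Object { $_.EventID -eq $EndId } | Select-Object -First 1

    # Window to inspect for failures: start..end, or start..now if still running.
    $window = if ($end) { $after | Where-Object { $_.TimeGenerated -le $end.TimeGenerated } } else { $after }
    $errors = @($window | Where-Object { $_.EntryType -eq 'Error' })

    $status = if ($errors.Count -gt 0) { 'Failed' } elseif ($end) { 'Completed' } else { 'InProgress' }
    New-Object PSObject -Property @{
        Status  = $status
        Started = $start.TimeGenerated
        Ended   = $(if ($end) { $end.TimeGenerated } else { $null })
        Errors  = $errors | Select-Object TimeGenerated, Source, EventID, Message
    }
}

# Usage on the job server:
Test-SsoReencryption | Format-List
```

A `Failed` result means an error was logged during the run and the re-encryption should be restarted from the Manage Encryption Key page; `InProgress` with no errors after a service restart is worth re-checking once the job has had time to finish.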

To re-encrypt the existing credentials, the RunAs user of the single sign-on service must be a member of the SQL Server 2000 server administrator role on the computer running SQL Server 2000.

Note  During the re-encryption process, Write operations such as updating credentials and changing application definitions are not allowed. Read operations such as retrieving credentials continue to work as normal.

Recommendation  It is recommended that you change or restore the encryption key during non-peak periods.

Important  You cannot manage the encryption key remotely. To manage the encryption key, go to the computer running as the job server and specify these settings locally.

Create the encryption key

  1. Do one of the following:
  2. On the Manage Settings for Single Sign-On for server_name page, in the Server Settings section, click Manage encryption key.
  3. On the Manage Encryption Key page, in the Encryption Key Creation section, click Create Encryption Key.
  4. On the Create Encryption Key page, to re-encrypt the credentials for the single sign-on database, select the Re-encrypt all credentials by using the new encryption key check box, and then click OK.

    Important  This is a long-running operation. If you do not re-encrypt the existing credentials with the new encryption key, users must retype their credentials and administrators for application definitions must retype group credentials.

  5. Click OK.

After the key is created, you should back it up. For information about backing up the encryption key, see Backing Up the Encryption Key.

©2003 Microsoft Corporation. All rights reserved.