Specifying Settings for Single Sign-On and Application Definitions
Before you can use single sign-on with enterprise application definitions, you must perform pre-configuration steps, configure the service, and supply the necessary information.
Overview of Single Sign-On Configuration Steps
Use the following steps to configure single sign-on:
- Perform the pre-configuration steps. See "Perform pre-configuration steps" later in this document.
- Enable the single sign-on service on the job server. For more information, see Enabling Single Sign-On.
- Configure the single sign-on service by using the single sign-on administration pages. See "Specify settings for single sign-on and application definitions" later in this document.
- Enable the single sign-on service on each front-end Web server. For more information, see Enabling Single Sign-On.
Perform pre-configuration steps
Before configuring single sign-on, you must set up the following:
- Configuration account Select the Windows account that will be used to configure single sign-on. When setting up single sign-on, you use this account to log on to the job server. This account must meet the following requirements:
- Be a member of the local Administrators group on the job server.
- Be a member of the local Administrators group on the computer running Microsoft SQL Server that stores the single sign-on database.
- Be the single sign-on administrator account, or a member of the group that is the single sign-on administrator account.
- Single sign-on administrator account Determine the Windows Global group or user account that will be used as the administrative account.
- The single sign-on service “run-as” account must be this user or a member of this group.
- This user or members of this group have full access to the single sign-on administration pages and can make configuration and application definition changes.
- This group or user account is entered in the Account name box in the Single Sign-On Settings section on the Manage Server Settings for Single Sign-On page.
- Single sign-on service account Select the user account that will run the single sign-on service:
- The single sign-on service account must be the same as the single sign-on administrator account or a member of the group account that is the single sign-on administrator account.
- The account must be a member of the local group STS_WPG on all servers running Microsoft Office SharePoint Portal Server 2003 in the server farm.
To make the user a member of STS_WPG
- On the taskbar, click Start, point to Administrative Tools, and then click Computer Management.
- In the console tree, under the System Tools node, expand the Local Users and Groups node.
- Click Groups.
- Double-click STS_WPG.
- In the STS_WPG Properties dialog box, click Add.
- Add the user.
- The account must be a member of the local group SPS_WPG on all servers running SharePoint Portal Server in the server farm.
To make the user a member of SPS_WPG
- On the taskbar, click Start, point to Administrative Tools, and then click Computer Management.
- In the console tree, under the System Tools node, expand the Local Users and Groups node.
- Click Groups.
- Double-click SPS_WPG.
- In the SPS_WPG Properties dialog box, click Add.
- Add the user.
- The account must be a member of the public database role on the SharePoint Portal Server configuration database.
Note On a single server deployment, if the single sign-on service runs under an account that is a member of the local Administrators group, you do not need to ensure that the user has the public right on the configuration database. However, for security reasons it is recommended that you do not run the service under an account that is a member of the local Administrators group.
To assign rights on the configuration database
- On the SQL Server computer, open SQL Server Enterprise Manager.
- Expand the Microsoft SQL Servers node.
- Expand the SQL Server Group node.
- Expand the (local) (Windows NT) node.
- Expand the Security node.
- Click Logins, and then do one of the following:
- If the logon name does not exist, right-click Logins, click New Login, and then in the Name box, type the account for the user in the format DOMAIN\user_name.
- If the logon name already exists, right-click the logon name, and then click Properties.
- Click the Database Access tab.
- In the Specify which databases can be accessed by this login section, select the check box for the configuration database.
- In the Database roles for database_name section, select the public check box.
- Click OK.
- Close SQL Server Enterprise Manager.
- The account must be a member of the Server Administrators server role on the Microsoft SQL Server instance where the single sign-on database is located.
Note On a single server deployment, if the single sign-on service runs under an account that is a member of the local Administrators group, you do not need to ensure that the user is a member of Server Administrators server role on the Microsoft SQL Server instance where the single sign-on database is located. However, for security reasons it is recommended that you do not run the service under an account that is a member of the local Administrators group.
To make the user a member of the Server Administrators server role
- On the SQL Server computer, open SQL Server Enterprise Manager.
- Expand the Microsoft SQL Servers node.
- Expand the SQL Server Group node.
- Expand the (local) (Windows NT) node.
- Expand the Security node.
- Click Logins, and then do one of the following:
- If the logon name does not exist, right-click Logins, click New Login, and then in the Name box, type the account for the user in the format DOMAIN\user_name.
- If the logon name already exists, right-click the logon name, and then click Properties.
- Click the Server Roles tab.
- Select the Server Administrators check box.
- Click OK.
- Close SQL Server Enterprise Manager.
- Enterprise application manager account Determine the Windows Global group or account that will be used to give access to application definitions.
- This account or members of this group have rights to create, modify or delete application definitions from the single sign-on administration pages.
- This account or members of this group do not have rights to configure single sign-on. Only members of the single sign-on administrator account can configure single sign-on.
- Rights that this user or members of this group have are automatically contained in the single sign-on administrator account.
- This account or group is entered in the Account name box in the Enterprise Application Definition Settings section on the Manage Server Settings for Single Sign-On page.
Notes
- If you change the job server to another server, you must reconfigure single sign-on. After changing the job server, you must delete the entire registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ssosrv\Config on the old job server.
- If you reconfigure single sign-on and you want to change the account that you specified for managing the single sign-on service (the single sign-on administrator account), the user who reconfigures the single sign-on service and the single sign-on “run-as” user must be a member of both the current account that manages the service and the new account that you want to specify.
Important You cannot configure single sign-on or manage the encryption key remotely. To configure single sign-on or manage the encryption key, go to the computer running as the job server and specify the settings locally.
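As an added example that is not part of the original documentation, the following Windows PowerShell script audits the account the single sign-on service runs as against the local group and SQL Server role requirements listed in this section, and flags the discouraged case of running the service as a local Administrator. It assumes the service is registered under the name SSOSrv (as the page names it), that it is run locally on the job server, and takes the SQL Server instance name as a placeholder parameter; the public role check on the configuration database is not covered.

```powershell
# Added example: audit the single sign-on "run-as" account against the
# pre-configuration requirements. Assumes the service name is SSOSrv and
# that $SqlInstance (placeholder) is the instance holding the SSO database.
param(
    [string]$ServiceName = 'SSOSrv',        # Microsoft Single Sign-on service
    [string]$SqlInstance = 'SQLSERVER01'    # placeholder: SSO database instance
)

$findings = @()

# 1. Which account does the single sign-on service run as?
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName is not installed on this computer." }
$runAs = $svc.StartName   # expected in DOMAIN\user form (local accounts appear as .\user)
"Service '$ServiceName' runs as $runAs (state: $($svc.State))"

# Direct members of a local group, via the ADSI WinNT provider, as DOMAIN\name.
# Nested group membership is not expanded.
function Get-LocalGroupMembers([string]$GroupName) {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    @($group.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# 2. Required: member of STS_WPG and SPS_WPG on every server in the farm.
foreach ($g in 'STS_WPG', 'SPS_WPG') {
    if ((Get-LocalGroupMembers $g) -notcontains $runAs) {
        $findings += "MISSING: $runAs is not a direct member of local group $g"
    }
}

# 3. Recommended against: running the service under a local Administrators member.
if ((Get-LocalGroupMembers 'Administrators') -contains $runAs) {
    $findings += "WARNING: $runAs is in local Administrators; use a less privileged service account"
}

# 4. Required: Server Administrators (sysadmin) role on the SSO database instance.
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlInstance;Integrated Security=SSPI")
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin', @login)"   # 1 = member, 0 = not, NULL = unknown login
$cmd.Parameters.AddWithValue('@login', $runAs) | Out-Null
$isSysadmin = $cmd.ExecuteScalar()
$conn.Close()
if ($isSysadmin -ne 1) { $findings += "MISSING: $runAs lacks the sysadmin role on $SqlInstance" }

# 5. The SSO configuration key named in the Notes; it must be deleted on a retired job server.
"Configuration key present: $(Test-Path 'HKLM:\SOFTWARE\Microsoft\ssosrv\Config')"

if ($findings) { $findings } else { 'All checked requirements are satisfied.' }
```

Run it on the job server as the configuration account so the Integrated Security connection to SQL Server and the local group lookups both succeed.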
Specify settings for single sign-on and application definitions
Before you can specify the settings for single sign-on and application definitions, Microsoft Single Sign-on service (SSOSrv) must be running. For more information, see Enabling Single Sign-On.
You must be logged on as the configuration account on the job server before running these steps.
- On the SharePoint Portal Server Central Administration for server_name page, in the Component Configuration section, click Manage settings for single sign-on.
– or –
Click Start, point to All Programs, point to SharePoint Portal Server, and then click SharePoint Portal Server Single Sign-On Administration.
- On the Manage Settings for Single Sign-On for server_name page, in the Server Settings section, click Manage server settings.
- On the Manage Server Settings for Single Sign-On page, in the Single Sign-On Settings section, in the Account name box, type the name of the single sign-on administrator account that can set up and manage the single sign-on service.
- In the Enterprise Application Definition Settings section, in the Account name box, type the name of the enterprise application manager account that can set up and manage application definitions.
- In the Database Settings section, do the following:
- In the Server name box, type the name of the database server on which you want to store the settings and account information for single sign-on.
- In the Database name box, type the name of the single sign-on database. If the database does not exist, it is created.
- In the Time Out Settings section, do the following:
- In the Ticket time out (in minutes) box, type the number of minutes to wait before allowing a ticket, or access token, to time out.
- In the Delete audit log records older than (in days) box, type the number of days to hold records in the audit log before deleting.
Note Audit log records older than the number of days you specify are deleted. Because the log contains a record of any illicit operations or logon attempts, it is recommended that you maintain backup copies of the logs. The logs reside in the single sign-on database and are automatically backed up when you back up this database.
- Click OK.
- If a message box appears stating that you have reconfigured single sign-on, click OK.