How to Cluster the Master Secret Server
We recommended that you follow the instructions in this section to cluster the Enterprise Single Sign-On (SSO) service on the master secret server successfully.
When you cluster the master secret server, the Single Sign-On servers communicate with the active clustered instance of the master secret server. Similarly, the active clustered instance of the master secret server communicates with the SSO database.
You must be an SSO administrator to perform this procedure.
Caution
You cannot install the master secret server on a Network Load Balancing (NLB) cluster.
To install and configure Enterprise SSO on the cluster nodes
Install BizTalk Server on each cluster node. In Component Installation, select Enterprise Single Sign-On Administration Module and Enterprise Single Sign-On Master Secret Server. After installation has completed successfully, do not run the BizTalk Server Configuration.
Create SSO Administrators and SSO Affiliate Administrators domain groups. To create a clustered instance of the Enterprise SSO service, you must create these groups as domain groups.
Create or designate a domain account that is a member of the SSO Administrators domain group. The Enterprise SSO service on each node is configured to log on as this domain account. This account must have the Log on as a service right on each node in the cluster.
Add the account that you are using to log on during the configuration process to the domain SSO Administrators group.
Important
Configuration of the Enterprise SSO service fails if steps 3 and 4 are not completed.
Start the BizTalk Server Configuration.
Select Custom Configuration option and enter the Database server name, User name, and Password values. Select Configure to continue.
Note
Since you are only be configuring the Enterprise SSO service at this time, you can just enter the domain account that you created earlier here.
Select the Enterprise SSO option from the left pane and set the following options for the Enterprise SSO feature:
Select the Enable Enterprise Single Sign-On on this computer check box.
Select Create a new SSO system.
Enter the Data stores for Server Name and Database Name values.
Verify that the domain account that you created earlier is the account that is associated with the Enterprise SSO service.
Enter the domain SSO Administrators group that you created earlier as the group associated with the SSO Administrator(s) role.
Enter the domain SSO Affiliate Administrators group that you created earlier as the group associated with the SSO Affiliate Administrator(s) role.
Select the Enterprise SSO Secret Backup option from the left pane and provide the appropriate parameters for backing up the Enterprise SSO secret. By default, the Enterprise SSO secret is backed up to <drive>:\Program Files\Common Files\Enterprise Single Sign-On\SSOxxxx.bak.
Click the Apply Configuration and review the Summary.
Click Next to apply the configuration.
Click Finish to close the Configuration wizard.
Close the BizTalk Server configuration.
Log on to the passive cluster node and start the BizTalk Server Configuration.
Choose the Custom Configuration option and enter the same values for the Database server name, User name, and Password that you entered when configuring the first cluster node. After entering these values, click Configure to continue.
Select the Enterprise SSO option from the left pane and set the following options for the Enterprise SSO feature:
Select the Enable Enterprise Single Sign-On on this computer option.
Select Join an existing SSO system.
Enter the same values for the SSO Database Server Name and Database Name that you entered when configuring the first cluster node.
Enter the same value for the domain account that you entered when configuring the first cluster node.
Select Apply Configuration to display the Summary.
Select Next to apply the configuration.
Select Finish to close the Configuration wizard.
Close the BizTalk Server Configuration.
To update the master secret server name in the SSO database
Type the following commands from a command prompt on the active cluster node to stop and restart the Enterprise SSO service:
net stop entssoand
net start entssoChange the master secret server name in the SSO database to the SSO network name configured within the cluster by following these steps:
Note
Specify the network name resource that you have created in the same cluster role that will contain the clustered SSO resource. For example, the name may be SSONETWORKNAME.
Paste the following code in a text editor:
<sso> <globalInfo> <secretServer>SSONETWORKNAME</secretServer> </globalInfo> </sso>Note
Replace SSONETWORKNAME with the actual network name that is created in the cluster role for SSO.
Save the file as an .xml file. For example, save the file as SSOCLUSTER.xml.
At a command prompt, change to the Enterprise SSO installation folder. By default, the installation folder is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
Type the following command at the command prompt to update the master secret server name in the database:
ssomanage -updatedb XMLFileNote
XMLFile is a placeholder for the name of the .xml file that you saved earlier.
To create the clustered Enterprise SSO resource
If the cluster is not configured with a clustered Distributed Transaction Coordinator (MSDTC) resource then follow the steps in the "Improving Fault Tolerance in BizTalk Server by Using a Windows Server Cluster" white paper at https://go.microsoft.com/fwlink/?LinkId=69207 to create a clustered MSDTC resource.
Click Start, Programs, Administrative Tools, and then Failover Cluster Management to start the Failover Cluster Management program.
In the left hand pane, right-click Failover Cluster Management and click Manage a Cluster.
On the Select a cluster to manage dialog box, enter the cluster to be managed and click OK.
In the left hand pane click to select a clustered service or application that contains an IP Address and Network Name resource. Follow the steps in How to Create a Cluster Group with a Disk, IP Address, and Name Resource to create a group with an IP Address and Network Name resource if one does not already exist.
Note
A clustered Enterprise SSO service does not explicitly require the use of a clustered Physical Disk resource in the same group.
Right-click the clustered service or application, point to Add a resource, and click Generic Service to display the New Resource Wizard dialog.
Important
In the Generic Service Parameters dialog box, if you do not click to select the Use Network Name for computer name check box, SSO client computers will generate an error similar to the following when they try to contact this clustered instance of the Enterprise SSO service:
Failed to retrieve master secrets.
Verify that the master secret server name is correct and that it is available. Secret Server Name: ENTSSO Error Code: 0x800706D9, there are no more endpoints available from the endpoint mapper.
On the Select Service page of the New Resource Wizard, click to select Enterprise Single Sign-On Service and click Next.
On the Confirmation page click Next.
On the Summary page click Finish. A clustered instance of the Enterprise Single Sign-On Service will appear under Other Resources in the center pane of the Failover Cluster Management interface.
Right-click the clustered instance of the Enterprise Single Sign-On Service and select Properties to display the Enterprise Single Sign-On Service Properties dialog box.
Click the Dependencies tab of the properties dialog box and click Insert.
Click the drop down box under Resource, select the Name: resource and click OK.
To restore the master secret on the second cluster node
In Failover Cluster Management, right click the clustered service or application that contains the clustered Enterprise Single Sign-On service and then click Bring this service or application online to start all of the resources in the clustered service or application.
Right-click the clustered service or application, point to Move this service or application to another node, and click the second node. This step moves the clustered service or application that contains the clustered Enterprise Single Sign-On service from the first node to the second node.
Right-click the clustered Enterprise Single Sign-On service and click Take this service or application offline, then right-click the clustered instance of the Enterprise SSO service and click Bring this service or application online.
Note
If this step is not completed the attempt to restore the master secret may not succeed.
Copy the master secret backup file from the first node to the \Enterprise Single Sign-On installation folder on the second node. By default, the installation folder is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
Log on to the second node and at a command prompt, change to the Enterprise SSO installation folder.
Type the following command from the command prompt to restore the master secret to the second node:
ssoconfig -restoresecret RestoreFileNote
Replace RestoreFile with the path of and the name of the backup file that contains the master secret.
The master secret is stored in the registry at the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ENTSSO\SSOSS
Move the clustered service or application that contains the clustered Enterprise Single Sign-On service from this cluster node to other cluster node to ensure failover functionality. Then move the cluster group back to verify fail-back functionality.
See Also
How to Create a Cluster Group with a Disk, IP Address, and Name Resource
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for