It is strongly recommended that you follow the instructions in this section to cluster the Enterprise Single Sign-On (SSO) service on the master secret server successfully.
Before you start configuring SSO in a cluster environment, it is recommended that you understand how clustering works. For more information, see "Clustering Services in Windows Server 2003" available at http://go.microsoft.com/fwlink/?LinkId=18373.
The following figure shows the SSO system with a clustered master secret server.
When you cluster the master secret server, the Single Sign-On Servers communicate to the active clustered instance of the master secret server. Similarly, the active clustered instance communicates with the Credential database.
You must be an SSO administrator to perform this procedure.
Caution: You cannot install the master secret server on a Network Load Balancing (NLB) cluster.
To cluster the master secret server
- Perform a custom installation of BizTalk Server to install the master secret server on the first node (active) of the cluster. For example, you can install it on computer Master Secret Server 1. For more information, see the BizTalk Server Installation Guide located at http://go.microsoft.com/fwlink/?linkid=22120.
- On the Configuration Wizard, do the following:
| Use this | To do this |
| --- | --- |
| Configuration Questions page | In the Will this Single Sign-On server (SSO) hold the master secret key? drop-down list, select Yes, and then click Next. For more information, see Using the Configuration Wizard. |
| Windows Accounts page | Specify the service account credentials for the SSO service. This account must be a member of the SSO Administrators group. |
| Database Configurations page | Specify the location of the SQL Server and the Credential database (SSODB). |
- Back up the master secret on the active node. For more information about backing up the master secret, see Backing Up the Master Secret.
- Perform a custom installation to install the master secret server on the second node (passive) of the cluster (Master Secret Server 2). Configure the SSO Server on the second node of the cluster using the BizTalk Configuration Wizard. However, because this is not the initial installation of the master secret server, in the Configuration Wizard, on the Configuration Questions page, in the Is this the master secret server? drop-down list, select No, and then click Next.
- From the command line, type net stop entsso to stop the SSO service.
- After you install and configure SSO on both the active and passive cluster nodes and stop the SSO service, change the master secret server name in the credential database to the cluster name (for example SSO CLUSTER). In other words, change the name of the master secret server from Master Secret Server 1 to SSO CLUSTER.
- Open the text editor of your choice. Cut and paste the following text into an .xml file (for example: SSO CLUSTER.xml) and save the file:

```xml
<sso>
  <globalInfo>
    <secretServer>SSO_CLUSTER</secretServer>
  </globalInfo>
</sso>
```
- At the command line prompt, navigate to the Enterprise Single Sign-On installation directory. The default installation directory is <drive>:\Program Files\Common Files\Enterprise Single Sign-On. Type ssomanage -updatedb <name of the .xml file in the previous step> to update the master secret server name in the database.
- If runtime errors appear, ignore them for now. The Microsoft Distributed Transaction Coordinator (DTC) is detecting an internal inconsistency: DTC was not configured to run on a cluster, and therefore it is unable to start. To resolve this error condition, configure the DTC to run on a cluster:
  - On Master Secret Server 1, at the command line prompt, type comclust -a.
  - From the Services console, right-click Distributed Transaction Coordinator, and then click Restart.
  - On Master Secret Server 2, at the command line prompt, type comclust -a.
  - From the Services console, right-click Distributed Transaction Coordinator, and then click Restart.
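The rename-to-cluster-name and DTC steps above, collected into one script. This is an added example, not part of the BizTalk documentation; it assumes it is run as an SSO administrator on the active node, that PowerShell remoting reaches both nodes, that the node and cluster names are placeholders for your environment, and that ssomanage -displaydb (not mentioned on this page) is available to read back the stored name.

```powershell
# Added example (not from the BizTalk documentation). Placeholders:
# $ClusterName and $Nodes must be replaced with your own cluster and node names.
param(
    [string]$ClusterName = 'SSO_CLUSTER',                 # placeholder cluster name
    [string[]]$Nodes     = @('MSSERVER1', 'MSSERVER2'),   # placeholder node names
    [string]$SsoDir      = "$env:CommonProgramFiles\Enterprise Single Sign-On"
)

$ErrorActionPreference = 'Stop'

# Step: stop the SSO service (equivalent of "net stop entsso").
Stop-Service -Name entsso -Force

# Step: write the ssomanage update file with the cluster name in <secretServer>.
# The name is XML-escaped so an unusual cluster name cannot break the document.
$xmlPath = Join-Path $env:TEMP "$ClusterName.xml"
$escaped = [System.Security.SecurityElement]::Escape($ClusterName)
$updateXml = @"
<sso>
  <globalInfo>
    <secretServer>$escaped</secretServer>
  </globalInfo>
</sso>
"@
Set-Content -Path $xmlPath -Value $updateXml -Encoding ASCII

# Step: point the credential database at the cluster name and fail loudly
# if ssomanage reports an error (it returns a non-zero exit code).
$ssomanage = Join-Path $SsoDir 'ssomanage.exe'
& $ssomanage -updatedb $xmlPath
if ($LASTEXITCODE -ne 0) { throw "ssomanage -updatedb failed with exit code $LASTEXITCODE" }

# Step: configure DTC for the cluster on every node (comclust -a) and
# restart the Distributed Transaction Coordinator service there.
foreach ($node in $Nodes) {
    Invoke-Command -ComputerName $node -ScriptBlock {
        & comclust.exe -a
        if ($LASTEXITCODE -ne 0) { throw "comclust -a failed on $env:COMPUTERNAME ($LASTEXITCODE)" }
        Restart-Service -Name MSDTC -Force
    }
}

# Check (assumed flag, not on this page): display the database settings so the
# administrator can confirm the master secret server name now reads $ClusterName.
& $ssomanage -displaydb
```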
To configure the service and resource parameters for the cluster
- Open Cluster Administrator, and then click the cluster group that has the master secret server cluster.
- On the File menu, point to New, and then click Resource.
- On the New Resource window, do the following, and then click Next:
| Use this | To do this |
| --- | --- |
| Name | Type the name of the SSO resource. For example, ENTSSO. |
| Resource type | From the drop-down list, select Generic Service. |
- On the Possible Owners window, include each cluster node as a possible owner of the ENTSSO resource.
- After you create the ENTSSO resource, right-click ENTSSO, and click Properties.
- In the Cluster Properties dialog box, click the Security tab, and verify that the user under which the application is running has sufficient user rights (not a local administrator) to access the cluster.
To restore the master secret on the second node
- Open Cluster Administrator, right-click the cluster group that has the master secret server cluster, and then click Move Group. This moves the master secret server resources from the first node to the second node.
- On the Start menu, click Run, and then type cmd.
- At the command line prompt, navigate to the Enterprise Single Sign-On installation directory. The default installation directory is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
- Type ssoconfig -restoresecret <restore file>, where <restore file> is the path and name of the backup file that contains the master secret.
See Also
Enterprise Single Sign-On System
Master Secret Server
Removing Enterprise Single Sign-On Dependencies
SSO (BizTalk Server Samples Folder)
Installing Enterprise Single Sign-On
To download updated BizTalk Server 2004 Help from www.microsoft.com, go to
http://go.microsoft.com/fwlink/?linkid=20616.
Copyright © 2004 Microsoft Corporation.
All rights reserved.