How to Change the Master Secret Server
After you set up the master secret server and configure the SSO database, you can change the master secret server if the original master secret server fails and cannot be recovered. To change the master secret server, you need to promote an SSO server to become the master secret server.
To change the Master Secret Server using the MMC Snap-in
On the Start menu, click All Programs, click Microsoft Enterprise Single Sign-On, and then click SSO Administration.
In the scope pane, right click System, and then click Properties. The Master secret server is displayed on the General tab of the System Properties dialog box.
Click Change to select a new Master secret server.
Important
When using the MMC Snap-in to change the Master Secret Server, the operation must be performed on the Master Secret Server. It is not possible to change the Master Secret Server using the MMC Snap-in from a computer that is not the Master Secret Server.
Logon to the new Master secret server to restore the Master secret to the registry of the new Master secret server.
On the Start menu, click Run, and then type cmd.
At the command line prompt, go to the Enterprise Single Sign-On installation directory. The default installation directory is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
Restart the new Master Secret Server.
Type ssoconfig –restoreSecret <restore file>, where <restore file> is the path and name of the file where the master secret is stored.
The master secret is stored in the registry at the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ENTSSO\SSOSS
Note
On a system that supports User Account Control (UAC), you may need to run the tool with Administrative privileges.
To promote a Single Sign-On Server to master secret server using the command line
Create an XML file that includes the name of the SSO server you want to promote to master secret server. For example,
<sso> <globalInfo> <secretServer>SSO Server name</secretServer> </globalInfo> </sso>Important
To change the Master Secret Server from a computer that is not the Master Secret Server make sure that the specified XML file contains only the Master Secret Server name. Specifically, it should not contain the SSO Administrators XML tag or the ssomanage -updatedb operation will fail.
On the Start menu, click Run, and then type cmd.
At the command line prompt, go to the Enterprise Single Sign-On installation directory. The default installation directory is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
Type ssomanage –updatedb <update file>, where <update file> is the name of the XML file you create in step 1.
Note
On a system that supports User Account Control (UAC), you may need to run the tool with Administrative privileges.
Restart the Master Secret Server.
Type ssoconfig –restoresecret <restore file>, where <restore file> is the path and name of the file where the master secret is stored.
The master secret is stored in the registry at the following location:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftENTSSOSSOSS
Note
On a system that supports User Account Control (UAC), you may need to run the tool with Administrative privileges.
See Also
Master Secret Server
How to Cluster the Master Secret Server
How to Update the SSO Database
Using SSO
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for