Deployment Process
For the most recent version of Microsoft Host Integration Server documentation, see http://msdn.microsoft.com/library/gg241192.aspx.
The following steps give a high-level overview of secure deployment of Enterprise Single Sign-On (SSO). For detailed procedures on the actions to take in SQL Server, see the SQL Server documentation.
- On the SQL Server domain controller, use the New Trust Wizard to create a trust with the following properties:
  - Name: ORCH.com
  - Direction: Two-way
  - Sides: This domain only
  - Outgoing Trust Authentication Level - Local Domain: Selective authentication
  - Password: Choose a password
  - Confirm Outgoing Trust: Yes
  - Confirm Incoming Trust: No
- On the ORCH.com domain controller, use the New Trust Wizard to create a trust with the following properties:
  - Name: SQL.com
  - Direction: Two-way
  - Sides: This domain only
  - Outgoing Trust Authentication Level - Local Domain: Selective authentication
  - Password: Must be the same as the password chosen for the ORCH.com trust
  - Confirm Outgoing Trust: Yes
  - Confirm Incoming Trust: No
- On the ORCH.com domain controller, set the domain-wide trust for Incoming from SQL.COM.
- On the SQL.com domain controller, set the domain-wide trust for Outgoing from ORCH.COM.
- On the ORCH.com domain controller, raise the domain functional level to Windows Server 2003.
- In the ORCH domain, create the following new users:
  - ORCH\SSOSvcUser
  - ORCH\TestAppUser
  - ORCH\AffAppUser
- Grant the Act as part of the operating system privilege to SSOSvcUser and TestAppUser.
- Grant the Allowed to Authenticate permission to ORCH\TestAdmin.
- Add ORCH\SSOSvcUser to SQL2 in the SQL domain. This step requires using Advanced View in the Active Directory Microsoft Management Console (MMC).
- On the SQL2 computer, create the following two new logons:
  - ORCH\TestAdmin
  - ORCH\SSOSvcUser
- On the SQL2 domain, create two domain global groups:
  - ORCH\SSOAdminGroup
  - ORCH\SSOAffAdminGroup
- Grant the Allowed to Authenticate permission to the ORCH\SSOAdminGroup group.
- On the SQL2 database, create the following new logon:
  - ORCH\SSOAdminGroup
- Install the master secret server as follows:
  - Log on to NTS5 using ORCH\TestAdmin.
  - Install Enterprise SSO, using SQL2 as the master secret server.
- Log on to HIS1 using ORCH\TestAdmin, and install Enterprise Single Sign-On. Configure ESSO as an SSO join on HIS2, using database server name SQL2.
- Install the Enterprise Single Sign-On Admin utility on HIS3 using ORCH\TestAdmin.
- Add the following users to the following groups:
  - Add ORCH\TestAppUser to ORCH\SSOAdminGroup
  - Add ORCH\AffAppUser to ORCH\TestAffUserGroup
- Install SQL Server 2000a Enterprise on HIS3, and add logon ORCH\AffAppUser.
- On the HIS1 machine, open a command prompt and use the following commands to set constrained delegation and protocol transition:
  - setspn -A MSSQLSvc/HIS3.ORCH.com:1433 ORCH\SSOSvcUser
  - setspn -A MSSQLSvc/HIS3.ORCH.com:1433 ORCH\TestAppUser
- On the ORCH\SSOSvcUser and ORCH\TestAppUser property pages, set the proper delegation for both user accounts by selecting the following options:
  - Trust this user for delegation to specified services only
  - Use any authentication protocol
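As an added check (not part of the Host Integration Server documentation), the following PowerShell script verifies what the setspn and property-page steps above are meant to produce: the MSSQLSvc SPN held by a single principal, constrained delegation with protocol transition on SSOSvcUser and TestAppUser, and no other account in the domain carrying protocol transition. It assumes the ActiveDirectory module is available, that it runs as ORCH\TestAdmin against ORCH.com, and that the delegation target is the SPN registered by the setspn commands.

```powershell
# Added verification script; it is not part of the Microsoft documentation above.
# Assumptions: ActiveDirectory module present, run as ORCH\TestAdmin in ORCH.com,
# and the delegation target is the MSSQLSvc SPN on HIS3 from the setspn step.
Import-Module ActiveDirectory

$Spn      = 'MSSQLSvc/HIS3.ORCH.com:1433'
$Accounts = @('SSOSvcUser', 'TestAppUser')
# userAccountControl bit set by "Use any authentication protocol" (protocol transition)
$TrustedToAuthForDelegation = 0x1000000

# 1. An SPN must map to exactly one principal. If two accounts carry the same SPN
#    the KDC cannot issue a service ticket for it, clients fall back to NTLM or
#    fail, and delegation stops working without an obvious error.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)
if ($holders.Count -ne 1) {
    Write-Warning ("SPN {0} is registered on {1} objects: {2}" -f
        $Spn, $holders.Count, ($holders.sAMAccountName -join ', '))
}

# 2. Confirm constrained delegation (msDS-AllowedToDelegateTo lists the target) and
#    protocol transition on the accounts the procedure names. The property page may
#    also add the short-name form of the SPN; the FQDN form is what is checked here.
foreach ($name in $Accounts) {
    $u = Get-ADUser -Identity $name -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
    $targets = @($u.'msDS-AllowedToDelegateTo')
    $pt = ($u.userAccountControl -band $TrustedToAuthForDelegation) -ne 0
    [pscustomobject]@{
        Account            = $u.SamAccountName
        DelegatesTo        = ($targets -join '; ')
        ProtocolTransition = $pt
        Ok                 = ($targets -contains $Spn) -and $pt
    }
}

# 3. Protocol transition lets an account obtain tickets as any user to its
#    delegation targets, so audit that no other account in the domain has it.
$ldap = "(userAccountControl:1.2.840.113556.1.4.803:=$TrustedToAuthForDelegation)"
Get-ADUser -LDAPFilter $ldap |
    Where-Object { $Accounts -notcontains $_.SamAccountName } |
    ForEach-Object { Write-Warning "Unexpected protocol-transition account: $($_.SamAccountName)" }
```

A row with Ok = False for either account means the property-page step did not take effect; a warning from the first check means the SPN was registered on more than one account and must be removed from all but the intended one.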
- Using ORCH\TestAdmin on the HIS1 computer, perform the following:
  - Add ORCH\TestAppUser to the Remote Desktop Users group.
  - Grant the Impersonate a client after authentication privilege to ORCH\SSOSvcUser.
  - Grant the Impersonate a client after authentication privilege to ORCH\TestAppUser.
- Verify your deployment by logging on to HIS1 using ORCH\TestAppUser and running the LogonExternalUser test with the following application configuration:
<SSO>
  <application name="TestApp">
    <description>An SSO Test Affiliate Application</description>
    <contact>AffAppUser@ESSOV2.EBiz.Com</contact>
    <appUserAccount>ORCH\TestAffAdminGroup</appUserAccount>
    <appAdminAccount>ORCH\TestAffUserGroup</appAdminAccount>
    <field ordinal="0" label="User ID" masked="no" />
    <field ordinal="1" label="Password" masked="yes" />
    <flags groupApp="no" configStoreApp="no" allowTickets="no" validateTickets="yes"
           allowLocalGroups="yes" ticketTimeout="yes" adminGroupSame="no" enableApp="yes"
           hostInitiatedSSO="yes" validatePassword="yes" />
  </application>
</SSO>