GAPTHEGURU

Geek with special skills

BIZTALK: How to Cluster the Master Secret Server

Over the last few weeks I have been setting up a new BizTalk environment with the BizTalk databases on a MS SQL 2008 R2 SP1 failover cluster. In my last post I showed how to cluster MSMQ and MSDTC, and here is my way to cluster the Master Secret Server. When you cluster the master secret server, the Single Sign-On servers communicate with the active clustered instance of the master secret server. Similarly, the active clustered instance of the master secret server communicates with the SSO database.

To install and configure Enterprise SSO on the cluster nodes (Windows Server 2008)

  1. Install BizTalk Server 2010 on each cluster node. In the Component Installation dialog box of the Microsoft BizTalk Server Installation Wizard, select to install the Enterprise Single Sign-On Administration Module and Enterprise Single Sign-On Master Secret Server components. After installation has completed successfully you have the option to run the BizTalk Server 2010 Configuration program but do not do so at this time.
  2. Create domain groups with the names SSO Administrators and SSO Affiliate Administrators. To create a clustered instance of the Enterprise SSO service, you must create the SSO Administrators and SSO Affiliate Administrators groups as domain groups.
  3. Create or designate a domain account that is a member of the SSO Administrators domain group. The Enterprise SSO service on each node will be configured to log on as this domain account. This account must have the Log on as a service right on each node in the cluster.
  4. Add the account that you are using to log on during the configuration process to the domain SSO Administrators group.
  5. Start the BizTalk Server 2010 Configuration program. Click Start, point to Programs, point to Microsoft BizTalk Server 2010, and then click BizTalk Server Configuration to display the Microsoft BizTalk Server 2010 Configuration dialog box.
  6. Choose the Custom Configuration option and enter the appropriate values for the Database server name, User name and Password fields. After entering these values click the Configure button to continue.
  7. Select the Enterprise SSO option from the left pane of the Microsoft BizTalk Server 2010 Configuration dialog box and set the following options for the Enterprise SSO feature:
    1. Select the check box next to Enable Enterprise Single Sign-On on this computer.
    2. Click the option to Create a new SSO system.
    3. Enter the appropriate values under Data stores for Server Name and Database Name.
    4. Verify that the domain account that you created earlier is the account that is associated with the Enterprise SSO service.
    5. Specify the domain SSO Administrators group that you created earlier as the group associated with the SSO Administrator(s) role.
    6. Specify the domain SSO Affiliate Administrators group that you created earlier as the group associated with the SSO Affiliate Administrator(s) role.
  8. Select the Enterprise SSO Secret Backup option from the left pane of the Microsoft BizTalk Server 2010 Configuration dialog box and provide the appropriate parameters for backing up the Enterprise SSO secret. By default the Enterprise SSO secret is backed up to <drive>:\Program Files\Common Files\Enterprise Single Sign-On\SSOxxxx.bak.
  9. Click the Apply Configuration option to display the Microsoft BizTalk Server 2010 Configuration Wizard Summary dialog box.
  10. Click Next to apply the configuration.
  11. Click Finish to close the Microsoft BizTalk Server 2010 Configuration Wizard.
  12. Close the Microsoft BizTalk Server 2010 Configuration program.
  13. Log on to the passive cluster node and start the BizTalk Server 2010 Configuration program.
  14. Choose the Custom Configuration option and enter the same values for the Database server name, User name, and Password fields that you entered when configuring the first cluster node. After entering these values click the Configure button to continue.
  15. Select the Enterprise SSO option from the left pane of the Microsoft BizTalk Server 2010 Configuration dialog box and set the following options for the Enterprise SSO feature:
    1. Check the box next to Enable Enterprise Single Sign-On on this computer.
    2. Click the option to Join an existing SSO system.
    3. Enter the same values for the SSO Database Server Name and Database Name that you entered when configuring the first cluster node.
    4. Enter the same value for the domain account that you entered when configuring the first cluster node.
  16. Click the Apply Configuration option to display the Microsoft BizTalk Server 2010 Configuration Wizard Summary dialog box.
  17. Click Next to apply the configuration.
  18. Click Finish to close the Microsoft BizTalk Server 2010 Configuration Wizard.
  19. Close the Microsoft BizTalk Server 2010 Configuration program.

To update the master secret server name in the SSO database

  1. Type the following commands from a command prompt on the active cluster node to stop and restart the Enterprise SSO service:

     net stop entsso
     net start entsso

  2. Change the master secret server name in the SSO database to the cluster name by following these steps:
Note
The cluster name is the name defined for the network name resource that you have created in the cluster group / clustered service or application that will contain the clustered Enterprise SSO service. For example, the name may be BIZTALKCLUSTER.
    1. Paste the following code in a text editor:

       <sso>
         <globalInfo>
           <secretServer>BIZTALKCLUSTER</secretServer>
         </globalInfo>
       </sso>

Note
BIZTALKCLUSTER is a placeholder for the actual network name resource that is created in the cluster group / clustered service or application.
    2. Save the file as an .xml file. For example, save the file as SSOCLUSTER.xml.
    3. At a command prompt, change to the Enterprise SSO installation folder. By default, the installation folder is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
    4. Type the following command at the command prompt to update the master secret server name in the database:

       ssomanage -updatedb XMLFile

Note
XMLFile is a placeholder for the name of the .xml file that you saved earlier.
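The master secret server name stored in the SSO database is what every SSO server uses to locate the secret, so it must point at the cluster network name and never at an individual node. The script below is an added example, not part of the original post: it performs the restart, writes the update file with an XML writer (so the name cannot produce a malformed document), runs ssomanage -updatedb and fails on a non-zero exit code. It assumes it is run elevated on the active cluster node, that the network name resource is BIZTALKCLUSTER (a placeholder, as in the post) and that Enterprise SSO is installed in its default folder; ssomanage -showdb is an existing switch not shown in the post, used here only to display the database the local service points at.

```powershell
# Added example (not from the original post). Assumptions: run elevated on the
# active cluster node; $ClusterNetworkName is a placeholder; default install folder.
param(
    [string]$ClusterNetworkName = 'BIZTALKCLUSTER',   # placeholder cluster network name
    [string]$SsoInstallDir = "$env:CommonProgramFiles\Enterprise Single Sign-On"
)

$ErrorActionPreference = 'Stop'

# 1. Stop and start the service, the same effect as 'net stop entsso' / 'net start entsso'.
Restart-Service -Name ENTSSO -Force
(Get-Service -Name ENTSSO).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# 2. Build the <sso><globalInfo><secretServer> document the post shows, using the
#    XML API rather than string concatenation so the output is always well formed.
$xmlPath = Join-Path $env:TEMP 'SSOCLUSTER.xml'
$doc = New-Object System.Xml.XmlDocument
$sso = $doc.AppendChild($doc.CreateElement('sso'))
$globalInfo = $sso.AppendChild($doc.CreateElement('globalInfo'))
$secretServer = $globalInfo.AppendChild($doc.CreateElement('secretServer'))
$secretServer.InnerText = $ClusterNetworkName
$doc.Save($xmlPath)

# 3. Apply the update with the tool the post uses and stop on failure rather than
#    leaving the database pointing at a single node.
$ssomanage = Join-Path $SsoInstallDir 'ssomanage.exe'
& $ssomanage -updatedb $xmlPath
if ($LASTEXITCODE -ne 0) { throw "ssomanage -updatedb failed with exit code $LASTEXITCODE" }

# 4. Display the SSO database this node is configured against, then remove the temp file.
& $ssomanage -showdb
Remove-Item -Path $xmlPath
```

Run it once on the active node after both nodes have been configured; the update file is written to the temp folder and deleted afterwards because it contains nothing secret, only the server name.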

To create the clustered Enterprise SSO resource (Windows Server 2008)

  1. If the cluster is not configured with a clustered Distributed Transaction Coordinator (MSDTC) resource, follow the steps in my last post.
  2. Click Start, Programs, Administrative Tools, and then Failover Cluster Management to start the Failover Cluster Management program.
  3. In the left-hand pane, right-click Failover Cluster Management and click Manage a Cluster.
  4. In the Select a cluster to manage dialog box, enter the cluster to be managed and click OK.
  5. In the left-hand pane, click to select a clustered service or application that contains an IP Address and a Network Name resource.
Note
A clustered Enterprise SSO service does not explicitly require the use of a clustered Physical Disk resource in the same group.
  6. Right-click the clustered service or application, point to Add a resource, and click Generic Service to display the New Resource Wizard dialog.
Important
In the Generic Service Parameters dialog box, if you do not select the Use Network Name for computer name check box, SSO client computers will generate an error similar to the following when they try to contact this clustered instance of the Enterprise SSO service:

Failed to retrieve master secrets.

Verify that the master secret server name is correct and that it is available. Secret Server Name: ENTSSO Error Code: 0x800706D9, there are no more endpoints available from the endpoint mapper.

  7. On the Select Service page of the New Resource Wizard, select Enterprise Single Sign-On Service and click Next.
  8. On the Confirmation page, click Next.
  9. On the Summary page, click Finish. A clustered instance of the Enterprise Single Sign-On Service will appear under Other Resources in the center pane of the Failover Cluster Management interface.
  10. Right-click the clustered instance of the Enterprise Single Sign-On Service and select Properties to display the Enterprise Single Sign-On Service Properties dialog box.
  11. Click the Dependencies tab of the properties dialog box and click Insert.
  12. Click the drop-down box under Resource, select the Name: resource and click OK.
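The same resource can be created from the FailoverClusters PowerShell module, which makes the two settings the post warns about (Use Network Name for computer name, and the dependency on the network name resource) explicit and checkable. The script below is an added example and not part of the original post. It assumes Windows Server 2008 R2 or later (the module is not available on Windows Server 2008 RTM, where cluster.exe is used instead), that it runs elevated on a cluster node, and that the clustered service or application is named BizTalk Group with a network name resource BIZTALKCLUSTER and an MSDTC resource MSDTC-BIZTALKCLUSTER; all three names are placeholders. It also adds the MSDTC dependency suggested in the comment on this post, so that after a failover MSDTC is online before the SSO service starts.

```powershell
# Added example (not from the original post). Assumptions: Windows Server 2008 R2 or
# later, elevated session on a cluster node, placeholder group and resource names.
Import-Module FailoverClusters
$ErrorActionPreference = 'Stop'

$GroupName    = 'BizTalk Group'          # placeholder clustered service or application
$NetworkName  = 'BIZTALKCLUSTER'         # placeholder network name resource
$MsdtcName    = 'MSDTC-BIZTALKCLUSTER'   # placeholder clustered MSDTC resource
$ResourceName = 'Enterprise Single Sign-On Service'

# Refuse to continue unless the group already holds the resources SSO will depend on.
$present = Get-ClusterGroup -Name $GroupName | Get-ClusterResource | Select-Object -ExpandProperty Name
foreach ($required in @($NetworkName, $MsdtcName)) {
    if ($present -notcontains $required) { throw "Resource '$required' not found in group '$GroupName'" }
}

# Generic Service resource wrapping ENTSSO (the service behind 'net stop entsso').
$res = Add-ClusterResource -Name $ResourceName -Group $GroupName -ResourceType 'Generic Service'
$res | Set-ClusterParameter -Name ServiceName -Value 'ENTSSO'
# UseNetworkName=1 is the 'Use Network Name for computer name' check box. Without it
# the service registers its RPC endpoint under the node name and clients fail with
# 0x800706D9 (no more endpoints available from the endpoint mapper).
$res | Set-ClusterParameter -Name UseNetworkName -Value 1

# Dependencies: the network name (step 12 above) and MSDTC (from the comment on the post).
Add-ClusterResourceDependency -Resource $ResourceName -Provider $NetworkName
Add-ClusterResourceDependency -Resource $ResourceName -Provider $MsdtcName

# Verify the private properties before bringing the resource online.
$params = $res | Get-ClusterParameter | Where-Object { @('ServiceName', 'UseNetworkName') -contains $_.Name }
foreach ($p in $params) { Write-Host ("{0} = {1}" -f $p.Name, $p.Value) }
if (($params | Where-Object { $_.Name -eq 'UseNetworkName' }).Value -ne 1) {
    throw 'UseNetworkName is not set; SSO clients would contact the node name instead of the cluster name'
}
Get-ClusterResourceDependency -Resource $ResourceName

Start-ClusterResource -Name $ResourceName
```

Get-ClusterResourceDependency prints the dependency expression so the two providers can be confirmed visually; the UseNetworkName check is the one that matters for client connectivity and is enforced with a throw.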

To restore the master secret on the second cluster node (Windows Server 2008)

  1. In Failover Cluster Management, right click the clustered service or application that contains the clustered Enterprise Single Sign-On service and then click Bring this service or application online to start all of the resources in the clustered service or application.
  2. Right-click the clustered service or application, point to Move this service or application to another node, and click the second node. This step moves the clustered service or application that contains the clustered Enterprise Single Sign-On service from the first node to the second node.
  3. Right-click the clustered Enterprise Single Sign-On service and click Take this service or application offline, then right-click the clustered instance of the Enterprise SSO service and click Bring this service or application online.
Note
If this step is not completed the attempt to restore the master secret may not succeed.
  4. Copy the master secret backup file from the first node to the Enterprise Single Sign-On installation folder on the second node. By default, the installation folder is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
  5. Log on to the second node and, at a command prompt, change to the Enterprise SSO installation folder.
  6. Type the following command at the command prompt to restore the master secret to the second node:

     ssoconfig -restoresecret RestoreFile

Note
Replace RestoreFile with the path and name of the backup file that contains the master secret.
  7. The master secret is stored in the registry at the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ENTSSO\SSOSS
  8. Move the clustered service or application that contains the clustered Enterprise Single Sign-On service from this cluster node to the other cluster node to ensure failover functionality. Then move the cluster group back to verify fail-back functionality.
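The backup file plus its password is the master secret, so while it is copied between nodes it should be readable only by administrators. The script below is an added example, not part of the original post: it copies the backup over the administrative share, tightens the file ACL, runs ssoconfig -restoresecret, confirms the registry key the post names exists, and then performs the failover and fail-back test from the last step, checking that the SSO resource is Online on each node. It assumes an elevated FailoverClusters session on the second node that already owns the group, a first node named BTSNODE1, a clustered service or application named BizTalk Group, and the default backup file name SSOxxxx.bak; these names are placeholders.

```powershell
# Added example (not from the original post). Assumptions: run elevated on the second
# node, which already owns the group; placeholder node, group and backup file names.
Import-Module FailoverClusters
$ErrorActionPreference = 'Stop'

$FirstNode    = 'BTSNODE1'        # placeholder name of the node that holds the backup
$SecondNode   = $env:COMPUTERNAME
$GroupName    = 'BizTalk Group'   # placeholder clustered service or application
$BackupName   = 'SSOxxxx.bak'     # placeholder, as in the post
$ResourceName = 'Enterprise Single Sign-On Service'
$SsoDir       = "$env:CommonProgramFiles\Enterprise Single Sign-On"
$RegPath      = 'HKLM:\SOFTWARE\Microsoft\ENTSSO\SSOSS'

# Steps 1-3 of the post: the group must be owned by this node before restoring.
$group = Get-ClusterGroup -Name $GroupName
if ($group.OwnerNode.Name -ne $SecondNode) { throw "Move '$GroupName' to $SecondNode before restoring" }

# Step 4: copy the backup over the admin share (C:\... becomes \\node\C$\...), then
# strip inherited permissions so only Administrators can read the file.
$src = "\\$FirstNode\" + $SsoDir.Replace(':', '$') + "\$BackupName"
$dst = Join-Path $SsoDir $BackupName
Copy-Item -Path $src -Destination $dst
$acl = Get-Acl -Path $dst
$acl.SetAccessRuleProtection($true, $false)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $dst -AclObject $acl

# Steps 5-6: run ssoconfig from the install folder; it prompts for the backup password.
Push-Location $SsoDir
& .\ssoconfig.exe -restoresecret $dst
$exit = $LASTEXITCODE
Pop-Location
if ($exit -ne 0) { throw "ssoconfig -restoresecret failed with exit code $exit" }

# Step 7: the restored secret lives under the registry key the post names.
if (-not (Test-Path -Path $RegPath)) { throw "Registry key $RegPath not present after restore" }

# Step 8: move the group to the other node and back, checking the SSO resource each time.
$other = (Get-ClusterNode | Where-Object { $_.Name -ne $SecondNode } | Select-Object -First 1).Name
foreach ($target in @($other, $SecondNode)) {
    Move-ClusterGroup -Name $GroupName -Node $target | Out-Null
    $state = (Get-ClusterResource -Name $ResourceName).State
    if ("$state" -ne 'Online') { throw "SSO resource is $state after moving to $target" }
    Write-Host "SSO resource Online on $target"
}
```

Once both nodes hold the secret, delete the copied backup from the second node or move it to the same protected location the first node's backup lives in; the registry key, not the file, is what the running service uses.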


03/12/2012 - Posted by | Biztalk, SQL Scripting, Sql Server, SSO, T-SQL | , , , ,

1 Comment »

  1. Another good blog post. Something else we have found is that we needed to make the clustered Enterprise SSO dependent on the clustered MSDTC as well (I guess your blog post doesn’t assume that both have been done). This ensures that in the case of a failover that MSDTC is started first so there are no problems starting the SSO Service.

    Keep up the great blogging 🙂

    Comment by Johann | 03/12/2012 | Reply

