Chapter 6: The Microsoft Single Sign-On Service


In the previous chapter, you created a basic web part that accessed a database using credentials retrieved from properties of the web part. Although this made for a simple design, it required users to type their credentials in clear text directly into the property pane. As we stated several times, this technique is unacceptable for a production environment. This is where the Microsoft Single Sign-On (SSO) service comes into play.

You should note right at the outset that configuring SSO is complicated and getting it to work correctly is tricky. The configuration steps require several cryptic hand edits to configuration files that impact code access security. The overall experience can be frustrating, but the rewards are worth the effort when you finally eliminate all the annoying secondary log-ins required by your enterprise applications.

Setting Up SSO

SSO is a combination of a Windows 2003 service, a SQL Server data store, and web-based administration tools that provide credential storage and retrieval services to your web parts. SSO is installed by default along with SharePoint Portal Server (SPS); however, the service is stopped and set to manual start-up. In order to begin working with SSO, you must configure and start the service.

Before the SSO service can be started, you must create a new global security group. This group will contain the account used to run the service as well as the accounts that are authorized to administer SSO. The group must meet several requirements:

  • Belong to the local administrators group on the job server.

  • Belong to the local administrators group on the server running the configuration database.

  • Belong to the STS_WPG and SPS_WPG groups, which run all of the pooled SharePoint components and resources, on every server in the farm where SPS is installed.

  • Have db_owner and public rights for the SharePoint Services configuration database.

  • Belong to the Server Administrators role for the SQL Server instance where the SSO database is located.

Once you have defined a security group with an account, you can configure the SSO service to run under the specified account. Additionally, you can add users to the security group so that they can define credentials in the data store. Designated users may then define sets of applications and credentials for enterprise applications.

To set up the SSO account and start the service, follow these steps:

  1. Log in to SPSController as the domain administrator.

  2. Select Start ➤ Administrative Tools ➤ Active Directory Users and Computers.

  3. In the Active Directory Users and Computers dialog, right-click the Users folder and select New Group from the pop-up menu.

  4. In the New Object dialog, type MSSSOAdmins in the Group Name box. Any member of this group will be allowed to administer the SSO service.

  5. Click OK.

  6. In the Active Directory Users and Computers dialog, right-click the Users folder and select New User from the pop-up menu.

  7. In the New Object dialog, type MSSSOService in the Full Name and User Logon Name boxes.

  8. Click Next.

  9. Type a password for the account.

  10. Uncheck the "User must change password at next logon" box.

  11. Check the "User cannot change password" box.

  12. Check the "Password never expires" box.

  13. Click Next.

  14. On the next screen, uncheck the "Create an Exchange mailbox" box.

  15. Click Next.

  16. On the next screen, click Finish.

  17. Right-click the MSSSOService object and select Properties from the pop-up menu.

  18. On the Member Of tab, click Add.

  19. Type in the account name sps\MSSSOAdmins and click the Check Names button.

  20. Once the account name is validated, click OK.

  21. Click OK again.

  22. Log in to SPSPortal as the domain administrator.

  23. Select Start ➤ Administrative Tools ➤ Computer Management.

  24. In the Computer Management dialog, expand the Local Users and Groups node and open the Groups folder.

  25. In the Groups folder, right-click Administrators and select Add to Group from the pop-up menu.

  26. In the Administrators Properties dialog, click Add.

  27. Type in the account name sps\MSSSOAdmins and click the Check Names button.

  28. Once the account name is validated, click OK.

  29. In the Administrators Properties dialog, click OK.

  30. In the Groups folder, right-click SPS_WPG and select Add to Group from the pop-up menu.

  31. In the SPS_WPG Properties dialog, click Add.

  32. Type in the account name sps\MSSSOAdmins and click the Check Names button.

  33. Once the account name is validated, click OK.

  34. In the SPS_WPG Properties dialog, click OK.

  35. In the Groups folder, right-click STS_WPG and select Add to Group from the pop-up menu.

  36. In the STS_WPG Properties dialog, click Add.

  37. Type in the account name sps\MSSSOAdmins and click the Check Names button.

  38. Once the account name is validated, click OK.

  39. In the STS_WPG Properties dialog, click OK.

    Note

    Because this book utilizes a single-server configuration, you do not have to add the MSSSOAdmins group to any other local groups. If you deploy a multiple-server configuration, be sure to add the group to the appropriate local groups on each server, following the requirements outlined earlier.

  40. Select All Programs ➤ Microsoft SQL Server ➤ Enterprise Manager.

  41. In the SQL Server Enterprise Manager, expand the tree and select Console Root ➤ Microsoft SQL Servers ➤ SQL Server Group ➤ (local) (Windows NT) ➤ Security ➤ Logins.

  42. Right-click the Logins node and select New Login from the pop-up menu.

  43. In the Name field, type sps\MSSSOAdmins.

  44. On the Database Access tab, check the box associated with the configuration database (e.g., SPS01_Config_db).

  45. In the list of database roles, check db_owner and public.

  46. On the Server Roles tab, check the Server Administrators box.

  47. Click OK.

  48. Select Start ➤ Administrative Tools ➤ Services.

  49. In the Services dialog, right-click the Microsoft Single Sign-On Service and select Properties from the pop-up menu.

  50. On the Log On tab, select the option This Account and type in sps\MSSSOService.

  51. Enter the password you set for this account.

  52. Click Apply.

  53. On the General tab, change the Startup Type to Automatic.

  54. Click Start to start the service.

Before you can access credentials using SSO, an application definition must be created for the credentials. Application definitions consist of a unique name for the application and the definition of the logon fields to accept. SSO is capable of managing a number of fields beyond user name and password. In fact, you can define any custom field for the service, such as domain or database name.

Accessing the administrative pages for SSO is done by selecting Start ➤ All Programs ➤ SharePoint Portal Server ➤ SharePoint Portal Server Single Sign-On Administration. When you first access the administration pages, only one option is available. You must complete the setup of the MSSSO service by clicking the Manage Server Settings link. The server settings require you to specify the accounts that will be used to manage the SSO service and define new applications. Until these settings are complete, you cannot define new applications. Figure 6-1 shows what the page should look like the first time you access it.

Figure 6-1: The Manage Server Settings page

To specify server settings, take these steps:

  1. Log on to SPSPortal as member of MSSSOAdmins.

  2. Select Start ➤ All Programs ➤ SharePoint Portal Server ➤ SharePoint Portal Server Single Sign-On Administration.

  3. On the Manage Settings for Single Sign-On page, click Manage Server Settings.

  4. On the Manage Server Settings page, type sps\MSSSOAdmins into the Account Name box for both the Single Sign-On Settings and Enterprise Application Definition Settings sections.

  5. Click OK.

Once the initial settings are entered, you may return to the Manage Settings for Single Sign-On page, where the additional hyperlinks will be available. Selecting Enterprise Application Definition Settings ➤ Manage Settings for Enterprise Application Definitions opens a page where you may define new applications. This page allows you to name the application, define the fields that should be managed, and determine whether the application will use a group or individual log-in. Figure 6-2 shows the available configuration options.

Figure 6-2: Defining an application

You should use a group log-in when you want a single set of credentials to be used by web parts regardless of what user is accessing the system. This design is often associated with read-only information where users do not normally need separate identification. An organization might use this, for example, to give employees access to public information regarding corporate performance. In this scenario, it is not important which employee is accessing the system because the read-only information will not change.

Where you are more concerned about access and permissions, you should use an individual log-in. Applications defined with an individual log-in will require that each end user have their own set of credentials. SSO is capable of prompting individuals for credentials the first time they use a web part; after this, the service automatically stores the credentials for future use.

To create an enterprise applications definition, follow these steps:

  1. Log on to SPSPortal as a member of MSSSOAdmins.

  2. Select Start ➤ All Programs ➤ SharePoint Portal Server ➤ SharePoint Portal Server Single Sign-On Administration.

  3. On the Manage Settings for Single Sign-On page, select Enterprise Application Definition Settings ➤ Manage Settings for Enterprise Application Definitions.

  4. On the Manage Enterprise Application Definitions page, click the New Item link.

  5. On the Create Enterprise Application Definition page, type My Application into the Display Name box.

  6. Type MyApp into the Application Name box.

  7. Type administrator@sps.local into the Contact E-mail Address box.

  8. Change the Account Type to Individual.

  9. Type User name into the Field 1: Display Name box.

  10. Type Password into the Field 2: Display Name box.

  11. Choose the Yes option for Mask under Field 2 to mask the password when it is entered.

  12. Click OK.

Although SSO is capable of prompting users for credentials, you can set them up ahead of time by using the administrative web pages. Because you will not know individual log-in information, this capability is clearly most useful when an application is defined to utilize a group log-in. Individual log-ins will generally prompt users for credentials when they first use the web part. We'll see how to utilize this capability in code later on.

Here is what you need to do to define log-in credentials:

  1. Log in to SPSPortal as a member of the MSSSOAdmins group.

  2. Select Start ➤ All Programs ➤ SharePoint Portal Server ➤ SharePoint Portal Server Single Sign-On Administration.

  3. On the Manage Settings for Single Sign-On page, select Enterprise Application Definition Settings ➤ Manage Account Information for Enterprise Application Definitions.

  4. In the User Account Name box, enter sps\administrator.

  5. Click OK.

  6. On the Account Information page, type sa into the User Name box.

  7. Type the sa password into the Password box for your SPSPortal installation of SQL Server.

  8. Click OK.
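The following web part shows how the MyApp definition created above (Field 1 = user name, Field 2 = password, Individual account type) is consumed from code, and how the first-use prompting described earlier fits in. It is an added example, not code from the book or from the SharePoint SDK. The SSO calls it relies on are assumptions to be verified against the SharePoint Portal Server 2003 SDK documentation: the Credentials.GetCredentials(uint, string, ref string[]) signature with flag value 1, the SingleSignonException.LastErrorCode property, the SSOReturnCodes.SSO_E_CREDS_NOT_FOUND constant, and SingleSignonLocator.GetCredentialEntryUrl(string). The server name SPSPortal comes from the chapter; the database name is a placeholder.

```csharp
// Added example (not from the book or the SharePoint SDK): a web part that reads the
// "MyApp" credentials from the SSO store instead of from clear-text web part properties.
// Assumed to match the SPS 2003 SDK and worth verifying there: the
// Credentials.GetCredentials(uint, string, ref string[]) signature with flag 1,
// SingleSignonException.LastErrorCode, SSOReturnCodes.SSO_E_CREDS_NOT_FOUND and
// SingleSignonLocator.GetCredentialEntryUrl(string).
using System;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;
using Microsoft.SharePoint.WebPartPages;
using Microsoft.SharePoint.Portal.SingleSignon;

namespace SsoExample
{
    public class MyAppWebPart : WebPart
    {
        // Must match the Application Name entered in the definition, not the Display Name.
        private const string AppName = "MyApp";

        // SPSPortal is the chapter's server; the database name is a placeholder (assumption).
        private const string DataSource = "SPSPortal";
        private const string DatabaseName = "YOUR_DATABASE";

        // Returns true with the credentials SSO holds for the current user. Returns false
        // after redirecting to the SSO logon form when this user has none yet (Individual
        // account type): the form stores what the user enters, so the next request succeeds.
        private bool TryGetCredentials(out string userName, out string password)
        {
            userName = null;
            password = null;
            string[] creds = null;
            try
            {
                Credentials.GetCredentials(1, AppName, ref creds);
            }
            catch (SingleSignonException ex)
            {
                if (ex.LastErrorCode == SSOReturnCodes.SSO_E_CREDS_NOT_FOUND)
                {
                    string entryUrl = SingleSignonLocator.GetCredentialEntryUrl(AppName);
                    HttpContext.Current.Response.Redirect(entryUrl, true);
                    return false;
                }
                // Any other SSO failure (service stopped, caller not allowed to use the
                // definition, ...) is a configuration problem; let the caller report it.
                throw;
            }
            // Field order follows the definition: Field 1 = user name, Field 2 = password.
            if (creds == null || creds.Length < 2)
            {
                return false;
            }
            userName = creds[0];
            password = creds[1];
            return true;
        }

        // Quotes a connection-string value so a ';' inside a stored password cannot end the
        // keyword early (.NET 1.1, which SPS 2003 targets, has no SqlConnectionStringBuilder).
        // SqlClient accepts a double-quoted value; if the value itself contains a double
        // quote, single quotes are used and embedded single quotes are doubled.
        private static string Quote(string value)
        {
            if (value.IndexOf('"') < 0)
            {
                return "\"" + value + "\"";
            }
            return "'" + value.Replace("'", "''") + "'";
        }

        protected override void RenderWebPart(HtmlTextWriter output)
        {
            string userName;
            string password;
            try
            {
                if (!TryGetCredentials(out userName, out password))
                {
                    return; // redirected to the logon form, or nothing usable is stored
                }
            }
            catch (SingleSignonException ex)
            {
                // Report the SSO error code only; never echo credential values to the page.
                output.Write("Single Sign-On error " + ex.LastErrorCode);
                return;
            }

            string connString = "Data Source=" + DataSource +
                ";Initial Catalog=" + DatabaseName +
                ";User ID=" + Quote(userName) +
                ";Password=" + Quote(password) + ";";

            using (SqlConnection conn = new SqlConnection(connString))
            {
                conn.Open();
                // Show which account the connection used, but not its password.
                output.Write("Connected to " + HttpUtility.HtmlEncode(conn.Database) +
                             " as " + HttpUtility.HtmlEncode(userName));
            }
        }
    }
}
```

Because MyApp was defined with the Individual account type, the sa credentials entered in the last procedure apply only to sps\administrator; every other user is redirected to the SSO logon form the first time the web part runs, exactly as the text describes. Neither the user name nor the password ever appears in the property pane or in the rendered page, which is the point of moving them out of web part properties; for a production database, a dedicated low-privilege SQL login rather than sa is the natural next step.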




Microsoft SharePoint[c] Building Office 2003 Solutions
ISBN: 1590593383
EAN: N/A
Year: 2006
Pages: 92
