MOSS MVP

I've moved my blog to http://blog.falchionconsulting.com! Please update your links. This blog is no longer in use; you can find all posts and comments at my new blog. I will no longer be posting to this site, and comments have been disabled.

Monday, April 20, 2009

Configuring SSO via STSADM

I can't actually take credit for this particular command; in fact, I've never configured SSO, so I personally don't know much about it. I got the code from Stef van Hooijdonk, who graciously provided the code he produced.

I made a few minor changes to Stef's code just to bring it in line with the rest of my code, but otherwise it's as it was provided to me. As such, I'm not really prepared to support this command, as I didn't personally create it, but it's really straightforward. One word of caution: the code uses a class which has been flagged as being meant for internal use only and not for use in custom code, specifically the Microsoft.SharePoint.Portal.SingleSignon.Configuration class. Here's the code:

#if MOSS
using System;
using System.Collections.Specialized;
using System.Text;
using Lapointe.SharePoint.STSADM.Commands.OperationHelpers;
using Lapointe.SharePoint.STSADM.Commands.SPValidators;
using Microsoft.SharePoint.Portal.SingleSignon;
using System.Diagnostics;

namespace Lapointe.SharePoint.STSADM.Commands.Security
{
    public class ConfigureSso : SPOperation
    {
        /// <summary>
        /// Initializes a new instance of the <see cref="ConfigureSso"/> class.
        /// </summary>
        public ConfigureSso()
        {
            // Parameter definitions: long name, short form, required, default value, validator.
            SPParamCollection parameters = new SPParamCollection();
            parameters.Add(new SPParam("adminaccount", "admin", true, string.Empty, new SPNonEmptyValidator()));
            parameters.Add(new SPParam("enterpriseapplicationaccount", "eaa", true, string.Empty, new SPNonEmptyValidator()));
            parameters.Add(new SPParam("sqlserver", "sql", true, string.Empty, new SPNonEmptyValidator()));
            parameters.Add(new SPParam("database", "db", true, string.Empty, new SPNonEmptyValidator()));
            parameters.Add(new SPParam("tickettimeout", "tick", false, "2", new SPIntRangeValidator(1, 60), "Please specify minutes between 1 and 60"));
            parameters.Add(new SPParam("auditlogs", "logs", false, "10", new SPIntRangeValidator(1, 90), "Please specify days between 1 and 90."));

            StringBuilder sb = new StringBuilder();
            sb.Append("\r\n\r\nConfigure the SSO Service in the Farm. \r\n\r\nParameters:");
            sb.Append("\r\n\t-admin <admin account or group that will administer the SSO Service>");
            sb.Append("\r\n\t-eaa <admin account or group that will administer the enterprise applications>");
            sb.Append("\r\n\t-sql <sql server for the SSO Database>");
            sb.Append("\r\n\t-db <database name for the SSO Storage>");
            sb.Append("\r\n\t[-tick] <minutes a sso ticket is valid, defaults to 2>");
            sb.Append("\r\n\t[-logs] <days to keep logs, defaults to 10>");

            Init(parameters, sb.ToString());
        }

        #region ISPStsadmCommand Members

        /// <summary>
        /// Gets the help message.
        /// </summary>
        /// <param name="command">The command.</param>
        /// <returns></returns>
        public override string GetHelpMessage(string command)
        {
            return HelpMessage;
        }

        /// <summary>
        /// Runs the specified command.
        /// </summary>
        /// <param name="command">The command.</param>
        /// <param name="keyValues">The key values.</param>
        /// <param name="output">The output.</param>
        /// <returns></returns>
        public override int Execute(string command, StringDictionary keyValues, out string output)
        {
            output = string.Empty;

            // Parameters are looked up by their long name, as registered in the constructor.
            string adminAccount = Params["adminaccount"].Value;
            string eaDefAccount = Params["enterpriseapplicationaccount"].Value;
            string sqlServer = Params["sqlserver"].Value;
            string database = Params["database"].Value;

            // Optional values have already passed the SPIntRangeValidator, so the parse cannot fail.
            uint ticketTimeout = 2;
            if (Params["tickettimeout"].UserTypedIn)
                ticketTimeout = uint.Parse(Params["tickettimeout"].Value);

            uint auditLogs = 10;
            if (Params["auditlogs"].UserTypedIn)
                auditLogs = uint.Parse(Params["auditlogs"].Value);

            Configure(adminAccount, eaDefAccount, sqlServer, database, ticketTimeout, auditLogs);

            return OUTPUT_SUCCESS;
        }

        #endregion

        /// <summary>
        /// Configures the SSO settings.
        /// </summary>
        /// <param name="adminAccount">The admin account.</param>
        /// <param name="eaDefAccount">The enterprise application definition admin account.</param>
        /// <param name="sqlServer">The SQL server.</param>
        /// <param name="database">The database.</param>
        /// <param name="ticketTimeout">The ticket timeout in minutes.</param>
        /// <param name="auditLogs">The number of days to keep audit logs.</param>
        private static void Configure(string adminAccount, string eaDefAccount, string sqlServer, string database, uint ticketTimeout, uint auditLogs)
        {
            try
            {
                Log("Connecting to {0}", sqlServer);
                // Internal-use API: Microsoft.SharePoint.Portal.SingleSignon.Configuration.
                Configuration.ConfigureSecretServer(
                    adminAccount,
                    eaDefAccount,
                    sqlServer,
                    database,
                    ticketTimeout,
                    auditLogs);
                Log("SSO configured successfully.");
            }
            catch (Exception exc)
            {
                // -2147023143 is the COM error raised when the SSO service endpoint is not reachable.
                if (exc.Message.Contains("-2147023143"))
                    Log("Error occurred in setting the SSO Server settings. Is the SSOService configured to run as a domain account?", EventLogEntryType.Error);
                throw;
            }

            Log("Generating MasterSecret..");
            Configuration.GenerateMasterSecret(false);
            Log("Master Secret Key set.");
        }

    }
}
#endif

The help for the command is shown below:

C:\>stsadm -help gl-configuresso

stsadm -o gl-configuresso


Configure the SSO Service in the Farm.

Parameters:
        -admin <admin account or group that will administer the SSO Service>
        -eaa <admin account or group that will administer the enterprise applications>
        -sql <sql server for the SSO Database>
        -db <database name for the SSO Storage>
        [-tick] <minutes a sso ticket is valid, defaults to 2>
        [-logs] <days to keep logs, defaults to 10>

The following table summarizes the command and its various parameters:

| Command Name | Availability | Build Date |
|---|---|---|
| gl-configuresso | MOSS 2007 | Released: 4/17/2009 |

| Parameter Name | Short Form | Required | Description | Example Usage |
|---|---|---|---|---|
| adminaccount | admin | Yes | Admin account or group that will administer the SSO service. | -adminaccount domain\spadmin, -admin domain\spadmin |
| enterpriseapplicationaccount | eaa | Yes | Admin account or group that will administer the enterprise application. | -enterpriseapplicationaccount domain\spadmin, -eaa domain\spadmin |
| sqlserver | sql | Yes | SQL Server name for the SSO database. | -sqlserver sql1, -sql sql1 |
| database | db | Yes | Database name for the SSO storage. | -database SSODB, -db SSODB |
| tickettimeout | tick | No | Minutes an SSO ticket is valid; defaults to 2. | -tickettimeout 2, -tick 2 |
| auditlogs | logs | No | Days to keep logs; defaults to 10. | -auditlogs 10, -logs 10 |

The following is an example of how to configure SSO:

stsadm -o gl-configuresso -adminaccount domain\spadmin -enterpriseapplicationaccount domain\spadmin -sqlserver sql1 -database ssodb -tickettimeout 2 -auditlogs 10
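As an added, stand-alone illustration (not code from the post, from Stef, or from the Lapointe STSADM library), the program below models what the command above does before it ever touches SSO: it parses the stsadm-style argument list, accepts long and short parameter names, enforces the required flags and the 1-60 / 1-90 integer ranges, and decodes the COM error code that the command's catch block tests for, so an operator can see what the number means rather than string-matching it. The Param/ParamSet types and their behaviour are assumptions that only mimic the SPParam conventions visible in the post; no SharePoint assembly is referenced, so it compiles with any C# compiler.

```csharp
// Added example, not from the original post. Param/ParamSet are hypothetical
// stand-ins for SPParam/SPParamCollection; only their observable conventions
// (long name, short form, required, default, integer range) are taken from the post.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public sealed class Param
{
    public string Name, Short, Default, Value;
    public bool Required, UserTypedIn;
    public int? Min, Max;   // inclusive integer range, both set or both null
}

public sealed class ParamSet
{
    private readonly List<Param> _params = new List<Param>();

    public ParamSet Add(string name, string shortForm, bool required, string def, int? min, int? max)
    {
        _params.Add(new Param { Name = name, Short = shortForm, Required = required,
                                Default = def, Value = def, Min = min, Max = max });
        return this;
    }

    // stsadm style: "-name value -name value ..."; long and short forms are both accepted.
    public void Parse(string[] args)
    {
        if (args.Length % 2 != 0)
            throw new ArgumentException("Every -parameter needs a value");
        for (int i = 0; i < args.Length; i += 2)
        {
            if (!args[i].StartsWith("-"))
                throw new ArgumentException("Expected a -parameter, got: " + args[i]);
            string key = args[i].Substring(1).ToLowerInvariant();
            Param p = this[key];
            if (p == null)
                throw new ArgumentException("Unknown parameter: " + args[i]);
            p.Value = args[i + 1];
            p.UserTypedIn = true;
        }
        Validate();
    }

    // Mirrors SPNonEmptyValidator and SPIntRangeValidator: bad input is rejected
    // before anything is handed to the SSO configuration API.
    private void Validate()
    {
        foreach (Param p in _params)
        {
            if (p.Required && string.IsNullOrEmpty(p.Value))
                throw new ArgumentException("Missing required parameter -" + p.Name);
            if (p.Min.HasValue)
            {
                int n;
                if (!int.TryParse(p.Value, out n) || n < p.Min.Value || n > p.Max.Value)
                    throw new ArgumentException(string.Format(
                        "-{0} must be an integer between {1} and {2}", p.Name, p.Min, p.Max));
            }
        }
    }

    public Param this[string name]
    {
        get { return _params.Find(x => x.Name == name || x.Short == name); }
    }
}

public static class ComError
{
    // Extracts a signed decimal HRESULT (e.g. -2147023143) from an exception message
    // and splits it into severity, facility and code. Facility 7 is FACILITY_WIN32,
    // so -2147023143 = 0x800706D9 carries Win32 error 1753 (EPT_S_NOT_REGISTERED,
    // "there are no more endpoints available from the endpoint mapper"): the RPC
    // endpoint of the Single Sign-on service is not registered, i.e. the service is
    // not running, which is the condition the command's catch block warns about.
    public static string Describe(string message)
    {
        Match m = Regex.Match(message, @"-?\d{9,10}");
        if (!m.Success) return "no HRESULT found in message";
        uint hr = unchecked((uint)int.Parse(m.Value));
        bool failed = (hr & 0x80000000u) != 0;
        uint facility = (hr >> 16) & 0x7FF;
        uint code = hr & 0xFFFF;
        string detail = facility == 7 ? "Win32 error " + code
                                      : "facility " + facility + ", code " + code;
        return string.Format("0x{0:X8} ({1}): {2}", hr, failed ? "failure" : "success", detail);
    }
}

public static class Demo
{
    public static void Main()
    {
        ParamSet ps = new ParamSet()
            .Add("adminaccount", "admin", true, "", null, null)
            .Add("enterpriseapplicationaccount", "eaa", true, "", null, null)
            .Add("sqlserver", "sql", true, "", null, null)
            .Add("database", "db", true, "", null, null)
            .Add("tickettimeout", "tick", false, "2", 1, 60)
            .Add("auditlogs", "logs", false, "10", 1, 90);

        // The usage line from the post, split the way stsadm receives it (constructed input).
        string[] argv = ("-adminaccount domain\\spadmin -enterpriseapplicationaccount domain\\spadmin "
                       + "-sqlserver sql1 -database ssodb -tickettimeout 2 -auditlogs 10").Split(' ');
        ps.Parse(argv);
        uint ticketTimeout = uint.Parse(ps["tickettimeout"].Value);
        uint auditLogs = uint.Parse(ps["auditlogs"].Value);
        Console.WriteLine("ticket timeout={0} min, audit logs={1} days", ticketTimeout, auditLogs);

        // A value outside 1..60 is rejected and never reaches ConfigureSecretServer.
        try { new ParamSet().Add("tickettimeout", "tick", false, "2", 1, 60).Parse(new[] { "-tick", "0" }); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }

        // The error code the command's catch block looks for, decoded structurally.
        Console.WriteLine(ComError.Describe(
            "A call to SPS Single Sign-on failed. The error code returned was '-2147023143'"));
    }
}
```

Decoding the HRESULT structurally is more robust than `exc.Message.Contains("-2147023143")`, which breaks if the message is localized or formatted differently; in the real command the same split could be applied to the exception's HRESULT property instead of its message text.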

2 comments:

Shoaib Ahmed said...

While running the command I got the following error.

"A call to SPS Single Sign-on failed. The error code returned was '-2146893788'

Any suggestions??

Gary Lapointe said...

Does it work if you do it through the browser?