EntSSO configuration in clustered environment

  • Question

  • Hi All

    I am trying to use SSO Applications to store credentials and use it on Send / Receive ports. It worked fine on the development machine which is a standalone box. But while moving it to a higher clustered environment, I am facing some issues. 

    BTS_Service is a BT service account which is added to both BTS_SSO_Admins and BTS_SSO_Affiliate_Admins

    BTS_SSO_Service is an SSO Service account which is running the ENTSSO service and it's also added to BTS_SSO_Admins and BTS_SSO_Affiliate_Admins

    1. Logged in using BTS_Service account
    2. Using SSO Administration - Created SSO Application as individual, allow tickets true.
    3. Using SSO Client Utility - Added credentials to the SSO Application 
    4. Now logged back in using the normal user credentials
    5. Ticketing component and pipeline is already deployed (tested in standalone - working fine)
    6. On a WCF Send port, used the Ticketing Send pipeline, and on credentials tab, selected the SSO Application created in Step 2. 
    7. While running, I get the error below:

    There was a failure executing the send pipeline: "BizTalk_Server_Project1.SendPipelineSSOTicketRetriver, XXX.Pipeline.SSOTicketRetriever, Version=1.0.0.0, Culture=neutral, PublicKeyToken=sf343fs3t34daf8" Source: "SSO Ticket Retriever" Send Port: "XXXRequestResponse_WCFCustom" URI: "http://XXXXXXXXXXXXXX/XXXXXXXXXXXXXXX" Reason: Access denied.

    I have referred to Richard Seroter's post.

    http://blogs.msdn.com/b/richardbpi/archive/2005/08/09/building-and-executing-a-biztalk-single-sign-on-scenario.aspx

    Another big difference I see is that on my development machine, I have Windows accounts set up in BizTalk configuration under the Enterprise SSO tab as below, while in the clustered environment where I am facing the issue, Windows accounts are not added.

    Could that be the issue?


    mayur macwan

    Thursday, May 8, 2014 10:24 AM

Answers

  • I see you are using SSO_Service_D as the SSO service account in production. Is this account a member of the domain SSO Administrators and SSO Affiliate Administrators Group?

    Regards.

    • Marked as answer by MacwanM Tuesday, May 20, 2014 9:52 AM
    Thursday, May 8, 2014 11:55 AM

All replies

  • Hi Mayur,

    Since you are working in a cluster environment, it might be that the SSO admin is configured in this clustered node. Also, check whether this cluster node contains the SSO admin group. If yes, add your credential into this group. Since the SSO access denied error is popping up, I believe you should first try to add your credential to the BizTalk SSO group (it might be present in a different cluster group).

    Thanks

    Thursday, May 8, 2014 10:53 AM
  • I have found a simple workaround to this with the help of a colleague. Will post the quick steps soon. But briefly, all it required was to create the application from the command line using ssomanage commands and the XML files with proper user account details. Will try to post the details soon.

    mayur macwan

    Tuesday, May 20, 2014 9:52 AM
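
For readers who land here: the general shape of an affiliate application definition that `ssomanage -createapps` accepts, matching the settings in the question (individual application, tickets allowed). This is an added example, not the poster's files or steps; the application name, contact address and account names are placeholders and assumptions.

```xml
<!--
  Added example. Everything marked PLACEHOLDER is an assumption.
  Run from an account that is in the SSO Administrators group:
    ssomanage -createapps SampleTicketApp.xml
    ssomanage -enableapp SampleTicketApp
-->
<sso>
  <application name="SampleTicketApp">
    <description>Credentials for the WCF send port (PLACEHOLDER)</description>
    <contact>biztalk-admins@example.com</contact>
    <!-- Domain account or group whose members use this application. -->
    <appUserAccount>DOMAIN\PLACEHOLDER_AppUsers</appUserAccount>
    <!-- Domain account or group that administers this application. -->
    <appAdminAccount>DOMAIN\PLACEHOLDER_AppAdmins</appAdminAccount>
    <!-- Credential fields; the password field is masked on entry. -->
    <field ordinal="0" label="User ID" masked="no" />
    <field ordinal="1" label="Password" masked="yes" />
    <!--
      groupApp="no"          individual application, as in step 2 of the question
      allowTickets="yes"     needed for the ticketing pipeline
      validateTickets="yes"  and timeoutTickets="yes" keep ticket checks on
      allowLocalAccounts="no" restricts the application to domain accounts
      enableApp="no"         created disabled, enabled explicitly afterwards
    -->
    <flags groupApp="no" configStoreApp="no" allowTickets="yes"
           validateTickets="yes" allowLocalAccounts="no" timeoutTickets="yes"
           adminAccountSame="no" enableApp="no" />
  </application>
</sso>
```

Keeping `appUserAccount` and `appAdminAccount` scoped to dedicated domain groups, rather than the global SSO Administrators group, limits who can read or change the stored credentials.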