ENTSSO Service Account Change

  • Question

  • Hello All,

    Whenever there is a change of account on ENTSSO, there is always a mess created.

    Meaning: suppose someone changes the account on ENTSSO; then, when I am trying to access a Send Port, Receive Location or also Host Instances while configuring them, I come across an error saying "Public Private key encryption failed", and I have to restore the secret key if I don't want to change the account back to the previous state.

    Why is it happening, and what are the cautions that need to be taken while changing the account on ENTSSO?


    Thank You !!

    Monday, July 11, 2016 6:00 AM

Answers

  • Hello,

    To change the ENTSSO service account:

    1. Back up the master secret. For more information, see How to Back Up the Master Secret.

    2. Stop Enterprise Single Sign-On Services.

    3. Change the service account.

    4. Restart SSO and ignore any event log errors about a corrupted secret.

    5. Restore the master secret. For more information, see How to Restore the Master Secret.

    Refer: https://msdn.microsoft.com/en-us/library/aa953861.aspx

    Service or Account | How to change user accounts | Required tasks after changing user accounts | How to change passwords | Required tasks after changing passwords
    Enterprise Single Sign-On Service on Master Secret Server | Follow the steps above | Restart the service | Change the password of the account using the Services console | Restart the service
    Enterprise Single Sign-On Service | Change the service account using the Services console | Restart the service | Change the password of the account using the Services console | Restart the service

    Refer: How to Change Service Accounts and Passwords

    For detailed steps, refer to: How to change the Enterprise Single Sign-On (SSO) service account that is configured to run on the master secret server in BizTalk Server. The article refers to BizTalk Server 2004, but it applies to all BizTalk Server versions released to date.

    You must only follow these steps on the Enterprise SSO server that contains the master secret. To determine the server that contains the master secret, follow these steps:
    1. Open a command prompt. To do this, click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, change to the Enterprise SSO installation folder, and then type ssomanage -displaydb.

      Note: By default, the installation folder for the Enterprise SSO service is Drive:\Program Files\Common Files\Enterprise Single Sign-On. In this folder name, Drive is the disk drive that contains the Enterprise Single Sign-On directory.
    To change the Enterprise SSO service account that is configured to run on the master secret server, follow these steps:
    1. Back up the master secret. To do this, follow these steps:
      1. Click Start, click Run, type cmd, and then click OK.
      2. At the command prompt, change to the Enterprise Single Sign-On installation directory.

        Note: By default, the installation directory is Drive:\Program Files\Common Files\Enterprise Single Sign-On.
      3. At the command prompt, type ssoconfig -backupsecret BackupFile.

        Note: BackupFile is the path and the name of the file where the master secret will be backed up. For example, A:\Ssobackup.bak.
      4. Provide a password to help protect this backup file. You will be prompted to confirm the password and to provide a password hint to help you remember this password.

        Important: You must save and store the backup file in a security-enhanced location.
    2. At the command prompt, type net stop entsso to stop the SSO service.
    3. In Control Panel, open Administrative Tools, and then double-click Services.
    4. Right-click the Enterprise Single Sign-On service, and then click Properties.
    5. On the Log On tab, change the account and the password to the values that you want, and then click OK.

      Note: This account must be a member of the SSO Administrators group. If it is not a member of the SSO Administrators group, add the account to the SSO Administrators group.
    6. Start the Enterprise SSO service.

      Note: After you start the Enterprise SSO service, you will receive an error message in the Application log on the master secret server that is similar to the following:

      The secret could not be loaded from the registry. The service account for the SSO service may have been changed or the secret may be corrupted. Restore the secret from a backup file.
      This error message will be resolved when you restore the master secret.
    7. Restore the master secret. To do this, follow these steps:
      1. Click Start, click Run, type cmd, and then click OK.
      2. At the command prompt, change to the Enterprise Single Sign-On installation directory.

        Note: By default, the installation directory is Drive:\Program Files\Common Files\Enterprise Single Sign-On.
      3. At the command prompt, type ssoconfig -restoresecret BackupFile.

        Note: BackupFile is the path and the name of the backup file.
      Note: After you restore the master secret, you receive a message in the Application log on the master secret server that is similar to the following:

      Recovered from failure to get master secrets. Secret Server Name: ServerName

      Note: ServerName is a placeholder for the name of the master secret server.


    Rachit Sikroria (Microsoft Azure MVP)

    Monday, July 11, 2016 6:07 AM
    Moderator

All replies

  • Hi

    Please follow the steps below. Special care has to be taken to change the ENTSSO password on the Master Secret Server (the machine where SSO was configured first in the BizTalk Group).

    Steps to be done on the Master Secret Server are as follows-

    1. Ensure that you have a backup of the master secret. For more information, see How to Back Up the Master Secret.

    2. Change the service account using the Services console.

    3. Restore the master secret. For more information, see How to Restore the Master Secret.

    Note that on the other servers in the Group that join the above Master Secret Server, you can change the password from the Services console normally, after the password has been changed on the ENTSSO Master Secret Server.

    Ref:

    https://msdn.microsoft.com/en-us/library/aa561505.aspx


    Thanks, Arindam



    Monday, July 11, 2016 6:09 AM
    Moderator
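    The procedure given in the two answers above (back up the master secret, stop ENTSSO, change the logon account, start it again, restore the secret, then confirm the "Recovered from failure to get master secrets" event), as an added PowerShell example that is not part of this thread and not Microsoft's own tooling. It assumes the default installation path, that the SSO Administrators group is named 'SSO Administrators' (the name is chosen when SSO is configured), and that ENTSSO writes to the Application log under the provider name 'ENTSSO'; the backup directory C:\SSOBackup is also an assumption. The script only displays the ssomanage -displaydb output and asks you to confirm that this machine is the master secret server; it does not parse it.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original thread): rotate the ENTSSO service account on the
  MASTER SECRET SERVER in the order the answers give, then verify the secret was restored.
  Assumptions not stated in the thread: group name 'SSO Administrators', Application-log
  provider name 'ENTSSO', backup path C:\SSOBackup. Run interactively: ssoconfig.exe prompts
  for the backup password, its confirmation and a hint on its own.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $NewAccount,                      # e.g. CONTOSO\svc-entsso (hypothetical)
    [Parameter(Mandatory)] [System.Security.SecureString] $NewPassword,
    [string] $BackupFile    = "C:\SSOBackup\Ssobackup-$(Get-Date -Format 'yyyyMMdd-HHmmss').bak",
    [string] $SsoHome       = "$env:CommonProgramFiles\Enterprise Single Sign-On",
    [string] $SsoAdminGroup = 'SSO Administrators'                    # assumption: default group name
)
$ErrorActionPreference = 'Stop'
$ssoconfig = Join-Path $SsoHome 'ssoconfig.exe'
$ssomanage = Join-Path $SsoHome 'ssomanage.exe'
$started   = Get-Date

function Test-SsoSecretRecovered {
    # True when the newest ENTSSO secret-related event since $Since is the "Recovered" one,
    # i.e. the restore superseded the "could not be loaded from the registry" error.
    param([datetime] $Since)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ENTSSO'; StartTime = $Since } `
                           -ErrorAction SilentlyContinue | Sort-Object TimeCreated
    $last = $events | Where-Object { $_.Message -match 'could not be loaded from the registry|Recovered from failure to get master secrets' } |
            Select-Object -Last 1
    return ($null -ne $last -and $last.Message -match 'Recovered from failure to get master secrets')
}

# 0. These steps are only valid on the master secret server; show it and make the operator confirm.
& $ssomanage -displaydb
if (-not $PSCmdlet.ShouldContinue("Is $env:COMPUTERNAME the master secret server shown above?", 'Confirm master secret server')) {
    throw 'Aborting: run this only on the master secret server.'
}

# 1. The new account must be in the SSO Administrators group. Direct local-group membership
#    is checked here; a domain group, or nested membership, must be verified in AD by hand.
$group = Get-LocalGroup -Name $SsoAdminGroup -ErrorAction SilentlyContinue
if ($group) {
    if ((Get-LocalGroupMember -Group $group).Name -notcontains $NewAccount) {
        Write-Warning "$NewAccount is not a direct member of '$SsoAdminGroup'; add it (or confirm nested membership) first."
    }
} else {
    Write-Warning "'$SsoAdminGroup' is not a local group; confirm $NewAccount is a member in AD before continuing."
}

# 2. Back up the master secret BEFORE touching the service. Without this file the secret is lost.
New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
& $ssoconfig -backupsecret $BackupFile                      # interactive password prompt
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) { throw 'Master secret backup failed; service left unchanged.' }

if ($PSCmdlet.ShouldProcess('ENTSSO', "Change logon account to $NewAccount")) {
    # 3. Stop the service (equivalent of: net stop entsso).
    Stop-Service -Name ENTSSO

    # 4. Change the logon account. Unlike the Services console, Win32_Service.Change does NOT
    #    grant 'Log on as a service'; grant that right to $NewAccount by policy beforehand.
    $svc   = Get-CimInstance -ClassName Win32_Service -Filter "Name='ENTSSO'"
    $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ StartName = $NewAccount; StartPassword = $plain }
    $plain = $null
    if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change returned $($r.ReturnValue); account not changed." }

    # 5. Start it. The "secret could not be loaded from the registry" event is expected here.
    Start-Service -Name ENTSSO

    # 6. Restore the master secret under the new account; this resolves the event from step 5.
    & $ssoconfig -restoresecret $BackupFile                  # interactive password prompt
    if ($LASTEXITCODE -ne 0) { throw 'Restore failed: ENTSSO is running without a usable master secret.' }
}

# 7. Verify: service runs as the new account and the log shows the recovery message.
$now = Get-CimInstance -ClassName Win32_Service -Filter "Name='ENTSSO'"
"ENTSSO state: $($now.State), logon account: $($now.StartName)"
if (Test-SsoSecretRecovered -Since $started) { 'Master secret recovered under the new account.' }
else { Write-Warning 'No "Recovered from failure to get master secrets" event yet; check the Application log before testing ports or host instances.' }
```

    Keep the backup file off the server (it is the master secret, password-protected only by what you typed), and run this on the master secret server only; on the other SSO servers in the group the account and password are changed from the Services console as the second answer describes.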
  • Hi,

    You can look at the following MSDN articles to get notes and consideration before changing the Service Credentials.

    https://msdn.microsoft.com/en-us/library/aa561505.aspx

    https://blogs.msdn.microsoft.com/luke/2005/11/30/updating-biztalk-server-services-and-accounts-after-a-password-change/

    Hope this helps!

    Please mark as answered if you are satisfied with the reply.

    • Proposed as answer by vikas.a.mehta Monday, July 11, 2016 8:10 AM
    Monday, July 11, 2016 8:09 AM