SharePoint and Single Sign-On Overview

One of the advantages of using SSO in SharePoint 2007 is that your users can have access to back-end data or external data from SharePoint without having to authenticate to the outside source. Users can view, create, and modify information on these sources based on the mapping between the user credentials to the external sources. SSO requires you use Windows credentials for user accounts in SharePoint. SSO invokes the SSO application programming interface (API) which has a Windows identity associated with it. SSO in SharePoint is provided by the single sign-on service called SSOSrv. To implement SSOSrv complete the following steps:

The SSO encryption-key server is the first server in which SSOSrv is enabled. This causes it to be assigned the encryption-key server role which generates and stores the encryption key used to encrypt and decrypt credentials that are stored in the SSO database. The encryption-key should be an application server such as the index server.
The SSOSrv must be installed on all web servers in the SharePoint server farm and on any computers that host Excel Services or Business Data Catalog search.

The SSO database is created when you configure SSO server settings in Central Administration and is hosted on the same database server that hosts the configuration database by default. The SSO environment is not backed up during normal server backups in because the SSO isn’t composed of data per se. Things to consider when backing up SSO:

To backup SSO you must backup both the encryption key and the SSO database.
You should backup the encryption key after you initially setup SSO and back it up again each time it is regenerated.
It is necessary to perform the backup function on the local machine containing the encryption key since this process cannot be performed over a remote link.
Only members of the SSO administration account have permissions to backup the encryption key.
The encrypting key can only be backed up onto removable storage such as an external USB device.

How you restore the SSO depends on a variety of circumstances. It isn’t always necessary to restore both the encryption key and the SSO database. You would want to restore the encryption key if you need to move a server role in your farm and that server is the encryption key server, or your might want to change the SSOSrv account’s security identifier (SID). In either case, when you restore the encryption key you will need to consider the following:

Disable SSOSrv on all servers in the farm.
Logon with an account that has SSO admin rights to the server in which you want to restore the key.
Configure SSO server farm-level settings in Central Administration.
Specify the existing SSO database.
Restore the encryption key.
Start the SSOSrv on all servers in the farm.

Sharee English (MCSD, MCAD, MCT) is the Director of Information Services at SeattlePro Enterprises, an IT training and consulting company. She started her career as a programmer, delving into Web technologies almost twenty years ago. Today she is a highly educated executive with background in software development, training, authoring, management, operations, administration and sales. Sharee holds a Master of Arts in Management (emphasis in Information Systems), a Bachelor of Science (B.S.) in Computer Science and a B.S. in Mathematics.