
SSO

3 replies

Thibaut Forgeot d'Arc
Does anyone have a solution for using SSO from aspx code (without
having to develop a web part or a C# or vb.NET component)?
Thanks


Thibaut Forgeot d'Arc
Hello Erol,
I'm on the French beta 2 TR.
Enabling SSO lets you use it; after that, you have to write code to make use of it.

"EROL MVP SPS" wrote in message
news:
> Hello Thibaut,
>
> Are you on the French or the English Beta 2 TR?
> Isn't the Enable a single-sign-on function enough?
> --
> Visit my site, I have redone it and expanded it considerably;
> see the SPS v 2.0 section and the one on Tech-Ed 2003.
>
> See you soon on the SharePoint newsgroups.
>
> Have a good end of the week.
>
> EROL
> MVP SharePoint Microsoft France.
> http://perso.wanadoo.fr/erolsps/
> http://www.laboratoire-microsoft.org/articles/teched_2003/
> =============================
> If we each have an object and we exchange them, we each have one object.
> If we each have an idea and we exchange them, we each have two ideas.
> Chinese proverb.
> ===================
>> Thibaut Forgeot d'Arc wrote:
>> Does anyone have a solution for using SSO from aspx code
>> (without having to develop a web part or a C# or vb.NET component)?
>> Thanks




EROL MVP SPS
Hello Thibaut,

You have to create a key, then enable SSO, but
I haven't enabled SSO on my Beta 2 TR FR server.
I'll look into it; there isn't much information on this subject
to date.
--
Have a good end of the week.

EROL
MVP SharePoint Microsoft France.
http://perso.wanadoo.fr/erolsps/
http://www.laboratoire-microsoft.org/articles/teched_2003/

EROL MVP SPS
Hello,

The beginning of an answer:
--------------------------------------------------
Some feedback from the product team about the error you list with SSO:

In order to configure SSO, you have to:

1) Change the run-as user for the SSO ('Microsoft Single Sign-on') service to
   run as a user who is a member of the sso admin group that you choose. If
   this user is not a member of the local admin group, then you have to make
   this user a member of the local STS_WPG group.
2) The user that configures SSO must be a local admin and must be a member
   of the sso admin group that you choose.
3) The sso admin group that you choose must be a global domain group (not a
   DL).

Please look over the user documentation (and readme) that was shipped with
both beta1 and beta2 on additional information on how to configure SSO.
----------------------------------------------------
About single sign-on
Single sign-on allows you to store and map account credentials. This
prevents users from having to sign on again when portal-based applications
retrieve information from business applications, such as third-party
enterprise resource planning and customer relations management (CRM)
systems.

By using single sign-on, you can centralize information from multiple
back-end applications through a single portal that uses application
definitions. By using application definitions, you can minimize and automate
the sign-on process to these applications in a more secure environment. In
addition, SharePoint Portal Server provides an easy interface for developers
to create and extend this feature.

To implement single sign on, you must complete the following tasks:

1. Configure the single sign-on service
2. Create an encryption key
3. Add a new application definition
4. Configure account credentials
------------------------------------------------------
Specifying Settings for Single Sign-On and Application Definitions
Before you can use single sign-on with application definitions, you must
specify an account, a database, and time out settings.

The user who runs the single sign-on service on the Web servers and the job
server must be a member of the local Administrators group on the computer
running Microsoft SQL Server where the configuration database for SharePoint
Portal Server "v2.0" Beta 2 is stored, or the user must have at least the
following rights on the configuration database:

a. 'db_owner'
b. 'public'

Note On a single server deployment, if the single sign-on service runs
under a user who is a member of the local Administrators group, you should
not do the previous step. However, for security reasons you may not want to
run the service under a local Administrators account.

If the job server is different from the computer running SQL Server where
the configuration database is stored, the user who configures single sign-on
must be a member of the local Administrators group on the computer running
SQL Server.

The user who configures single sign-on must have the following permissions
on the computer running SQL Server where the single sign-on database is
created. The single sign-on database is created under the identity of the
user who is configuring single sign-on, rather than a Runas user on the
server:

1. Give the single sign-on configuration user the following server roles:
   a. System Administrators
   b. Security Administrators
   c. Database Creators
2. Give the single sign-on configuration user 'public' access on the
   following databases:
   a. master
   b. msdb
3. Give the single sign-on configuration user 'db_owner' access on the
   following database:
   a. msdb

Note If the computer running SQL Server where the single sign-on database
is created is also the job server, then the previous steps are not
necessary.

Important You cannot configure single sign-on or manage the encryption key
remotely. To configure single sign-on or manage the encryption key, go to
the computer running as the job server and specify these settings locally.

Specify settings for single sign-on and application definitions
1. Before you can specify the settings for single sign-on and application
   definitions, the Microsoft Single Sign-on Service (MSSSO) must be running,
   and the logon account must be a member of the local Administrators group or
   a member of the STS_WPG local group. The account under which the service is
   running must also be a member of the account that you specify as the account
   for single sign-on when you configure single sign-on and application
   definitions later in this section. To ensure this, do the following:
   1. Click Start, point to Administrative Tools, and then click Services.
   2. On the Services management console, double-click Microsoft Single
      Sign-on Service, and then click the Log On tab.
   3. Ensure that This account is clicked and that the account entered is
      a member of the local Administrators group or a member of the STS_WPG
      local group, and that the account entered is a member of the account
      that you specify as the account for single sign-on when you configure
      single sign-on and application definitions later in this section.
   4. Click OK.
   5. Right-click Microsoft Single Sign-on Service, and then click
      Restart.
2. On the SharePoint Portal Server Central Administration for Server
   server_name page, in the Component Configuration section, click Configure
   the Single Sign-on component and manage enterprise application definitions
   for portals.
   -or-
   Click Start, point to All Programs, point to SharePoint Portal Server, and
   then click SharePoint Portal Server Single Sign-On Administration.
3. On the Manage Settings for Single Sign-On for Server server_name page,
   in the Server Settings section, click Manage server settings for Single
   Sign-on and enterprise application definitions.
4. On the Manage Server Settings for Single Sign-on and Enterprise
   Application Definition page, in the Single Sign-on Settings section, in the
   Account name for Single Sign-on box, type the name of the group or user
   account that can set up and manage the single sign-on service.
   a. Important The account can be a group account or an individual user
      account. It cannot be a local domain group or a distribution list.
   b. The format of the account is DOMAIN\group_name or DOMAIN\user_name.
5. In the Enterprise Application Definition Settings section, in the
   Account name for enterprise application definitions box, type the name of
   the group or user account that can set up and manage application
   definitions.
   a. Important The account can be a group account or an individual user
      account. It cannot be a local domain group or a distribution list.
   b. The format of the account is DOMAIN\group_name or DOMAIN\user_name.
6. In the Database Settings section, do the following:
   1. In the Server name box, type the name of the database server that
      stores the settings and account information for single sign-on.
   2. In the Database name box, type the name of the single sign-on
      database.
7. In the Time Out Settings section, do the following:
   1. In the Ticket time out box, type the number of minutes to wait
      before allowing a ticket to time out.
   2. In the Purge audit log records older than box, type the number of
      days to hold records in the audit log before deleting.
8. Click OK.
9. If a message box appears stating that you have reconfigured single
   sign-on, click OK.
----------------------------------------------------------------------------

Creating the Encryption Key
The encryption key is used as part of the encryption process for credentials
used with single sign-on. The key helps to decrypt the encrypted credentials
stored in the single sign-on database.

The first time you configure single sign-on and application definitions on
the Manage Server Settings for Single Sign-on and Enterprise Application
Definitions page, the encryption key is created automatically.

You can regenerate the key if the previous credentials are compromised or if
you have a policy to change the key after a certain number of days.

When you create an encryption key, you can choose to re-encrypt the existing
credentials with the new key. When you re-encrypt the Microsoft Single
Sign-on Service (SSOSrv) credential store, events are logged in the
Microsoft Windows Server 2003 application event log. Once re-encryption is
initiated, you can monitor the application event log to verify that the
credential store has been re-encrypted. Event ID 1032 is recorded in the
application event log when re-encryption is started. Event ID 1033 is
recorded in the application event log when re-encryption has ended. If there
are any failures during re-encryption, an event is recorded in the log.

If the job server is restarted or SSOSrv is stopped during the re-encryption
process, the re-encryption is preempted and finishes prematurely. Some
credentials might not be re-encrypted. During re-encryption, the single
sign-on feature can be used, but there is a possibility that a user's
credentials cannot be decrypted because the re-encryption process is not
complete.
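The monitoring the documentation describes, as an added example that is not part of the thread or of Microsoft's documentation: it pairs Event ID 1032 (started) and 1033 (ended) records into re-encryption runs and flags a run that was preempted (a second 1032 with no 1033 in between, the restart case above) or that ended with failures. The event source name SSOSrv, the tab-separated export format, and the failure event ID 1099 in the constructed sample are assumptions of this example.

```python
# Added example, not from the thread or from Microsoft's documentation: reconstruct
# the state of each SSOSrv credential-store re-encryption from Application event
# log records. Event IDs 1032 (started) and 1033 (ended) come from the text above;
# the event source name "SSOSrv", the tab-separated export format and the failure
# event (ID 1099 here) are assumptions for this example.
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

REENCRYPT_START = 1032   # re-encryption started (from the documentation above)
REENCRYPT_END = 1033     # re-encryption ended
SSO_SOURCE = "SSOSrv"    # assumed event source name; check it against your own log


@dataclass
class Event:
    time: datetime
    source: str
    event_id: int
    message: str = ""


@dataclass
class ReencryptRun:
    started: datetime
    ended: Optional[datetime] = None
    failures: List[Event] = field(default_factory=list)
    interrupted: bool = False   # a later start arrived before this run ended

    @property
    def complete(self) -> bool:
        return self.ended is not None and not self.failures


def parse_event(line: str) -> Event:
    # Constructed export format: "<ISO time>\t<source>\t<event id>\t<message>"
    time, source, event_id, message = line.split("\t", 3)
    return Event(datetime.fromisoformat(time), source, int(event_id), message)


def reencryption_runs(events: List[Event]) -> List[ReencryptRun]:
    """Pair 1032/1033 events into runs, in time order, ignoring other sources."""
    runs: List[ReencryptRun] = []
    current: Optional[ReencryptRun] = None
    for ev in sorted(events, key=lambda e: e.time):
        if ev.source != SSO_SOURCE:
            continue
        if ev.event_id == REENCRYPT_START:
            if current is not None:
                # A fresh start with no 1033 in between: the earlier run was
                # preempted (job server restart or SSOSrv stop) and never finished.
                current.interrupted = True
            current = ReencryptRun(started=ev.time)
            runs.append(current)
        elif ev.event_id == REENCRYPT_END:
            if current is not None:
                current.ended = ev.time
            current = None
        elif current is not None:
            # Assumption: any other SSOSrv event while a run is open reports a
            # credential that failed to re-encrypt.
            current.failures.append(ev)
    return runs


def report(runs: List[ReencryptRun]) -> List[str]:
    """One status line per run; anything but COMPLETE means some credentials
    may still be encrypted under the old key."""
    lines = []
    for run in runs:
        if run.ended is None:
            status = "INTERRUPTED" if run.interrupted else "OPEN (still running, or stopped without 1033)"
        elif run.failures:
            status = "ENDED WITH %d FAILURE(S)" % len(run.failures)
        else:
            status = "COMPLETE"
        lines.append("%s %s" % (run.started.isoformat(), status))
    return lines


# Constructed sample export: one clean run, one run cut short by a restart,
# and one run that ended with a failure. The MSSQLSERVER line is unrelated noise.
SAMPLE_LOG = [
    "2003-10-03T22:00:00\tSSOSrv\t1032\tRe-encryption of the credential store started",
    "2003-10-03T22:04:10\tSSOSrv\t1033\tRe-encryption of the credential store ended",
    "2003-10-04T01:00:00\tSSOSrv\t1032\tRe-encryption of the credential store started",
    "2003-10-04T01:01:45\tMSSQLSERVER\t17055\tSQL Server is starting",
    "2003-10-04T01:02:30\tSSOSrv\t1032\tRe-encryption of the credential store started",
    "2003-10-04T01:03:00\tSSOSrv\t1099\tFailed to re-encrypt credential for erp_app (constructed)",
    "2003-10-04T01:05:00\tSSOSrv\t1033\tRe-encryption of the credential store ended",
]

if __name__ == "__main__":
    for line in report(reencryption_runs([parse_event(l) for l in SAMPLE_LOG])):
        print(line)
```

Run it against an export of the Application log filtered to the SSO source; a run reported as anything other than COMPLETE is the case the documentation warns about, where some credentials may still be under the previous key and a second re-encryption (during a quiet period) is needed.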

Recommendation It is recommended that you change or restore the encryption
key during non-peak periods.

Important You cannot manage the encryption key remotely. To manage the
encryption key, go to the computer running as the job server and specify
these settings locally.

Create the encryption key
1. On the SharePoint Portal Server Central Administration for Server
   server_name page, in the Component Configuration section, click Configure
   the Single Sign-on component and manage enterprise application definitions
   for portals.
   -or-
   Click Start, point to All Programs, point to SharePoint Portal Server, and
   then click SharePoint Portal Server Single Sign-On Administration.
2. On the Manage Settings for Single Sign-On for Server server_name page,
   in the Server Settings section, click Manage encryption key.
3. On the Manage Encryption Key page, click Create New Encryption Key.
4. On the Create New Encryption Key page, to re-encrypt the credentials
   for the single sign-on database, select the Re-encrypt all credentials by
   using the new encryption key check box, and then click OK.
   Important This is a long-running operation. If you do not re-encrypt the
   existing credentials with the new encryption key, users must re-type their
   credentials and administrators for application definitions must re-type
   group credentials.
5. Click OK.
After the key is created, you should back it up. For information about
backing up the encryption key,

----------------------------------------------------------------------------


Backing Up the Encryption Key
After creating the base system key, you should back it up. You must back up
the key to a 3.5-inch floppy disk.

Security Recommendations for Storing the Backup Copy of the Base System Key
You should lock up the backup disk for the base system key in a safe place.

The base system key is the encryption key that is used as part of the
encryption process for each of the credentials. Because it is the key that
decrypts the encrypted credentials stored in the database, the backup copy
of the key should not be stored with the backup copy of the database. If a
user obtains a copy of both the database and the key, the user names and
passwords could be compromised.
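A toy model of the behaviour described in this section and in "Creating the Encryption Key" above, added here as an example and not SharePoint's own implementation: a credential store whose records are sealed under a versioned key held outside the store. It shows that a copy of the database alone yields nothing without the key, what a re-encryption stopped part-way leaves behind, and why credentials under a key that is no longer available must be re-typed. The cipher (HMAC-SHA256 in counter mode plus an HMAC tag), the record layout and the account names are all constructed for the example.

```python
# Added example, a toy model written for this page and not SharePoint's own
# implementation: a credential store whose records are sealed under a versioned
# key kept outside the store. The cipher below is HMAC-SHA256 in counter mode
# with an HMAC tag, chosen only because it needs no third-party library; it is
# illustrative, not a product cipher.
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; the tag binds the record to this key."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the record was altered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class CredentialStore:
    """records: account -> (key version, sealed blob). self.keys stands in for
    the base system key that is backed up away from the database."""

    def __init__(self, key: bytes):
        self.keys: Dict[int, bytes] = {1: key}
        self.current = 1
        self.records: Dict[str, Tuple[int, bytes]] = {}

    def put(self, account: str, secret: bytes) -> None:
        self.records[account] = (self.current, seal(self.keys[self.current], secret))

    def get(self, account: str) -> Optional[bytes]:
        version, blob = self.records[account]
        key = self.keys.get(version)
        return unseal(key, blob) if key is not None else None  # key gone: re-type needed

    def new_key(self, key: bytes, reencrypt: bool = True,
                stop_after: Optional[int] = None) -> int:
        """Create a new key and make it current. With reencrypt=True, re-seal
        every record under it; stop_after simulates SSOSrv being stopped
        mid-way. Returns the number of records re-encrypted."""
        old = self.current
        self.current += 1
        self.keys[self.current] = key
        done = 0
        if not reencrypt:
            return done
        for account, (version, blob) in list(self.records.items()):
            if stop_after is not None and done >= stop_after:
                break   # preempted: the remaining records stay on the old key
            if version == old:
                plain = unseal(self.keys[old], blob)
                if plain is None:
                    continue   # a damaged record is left as-is (a failure event)
                self.records[account] = (self.current, seal(key, plain))
                done += 1
        return done

    def pending(self) -> List[str]:
        """Accounts still sealed under a key other than the current one."""
        return sorted(a for a, (v, _) in self.records.items() if v != self.current)

    def retire_old_keys(self) -> None:
        """Drop every key but the current one (what losing the old key means)."""
        self.keys = {self.current: self.keys[self.current]}
```

The design point is the one the documentation makes: the store and the key are only dangerous together, so `pending()` after a key change is the list an administrator must clear (by finishing the re-encryption) before the old key is discarded, otherwise those accounts fall back to re-typing their credentials.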

Important You cannot manage the base system key remotely. To manage the
base system key, go to the computer running as the job server and specify
these settings locally.

Back up the base system key
1. On the SharePoint Portal Server Central Administration for Server
   server_name page, in the Component Configuration section, click Configure
   the Single Sign-on component and manage enterprise application definitions
   for portals.
   Alternatively, click Start, point to All Programs, point to SharePoint
   Portal Server, and then click SharePoint Portal Server Single Sign-On
   Administration.
2. On the Manage Settings for Single Sign-On for Server server_name page,
   in the Server Settings section, click Manage base system key.
3. Insert a 3.5-inch disk into a disk drive on the computer running as
   the job server.
4. On the Manage Base System Key page, in the Base System Key Backup
   section, in the Drive list, click the letter of the disk drive, and then
   click Back Up to back up the base system key.
5. In the completion message box that appears, click OK.
6. Remove the 3.5-inch disk from the disk drive.
----------------------------------------------------------------------------

Managing Account Information for an Application Definition
You can update or delete account information for a single application
definition, or you can remove an account from all application definitions.

Manage account information for an application definition
1. On the SharePoint Portal Server Central Administration for Server
   server_name page, in the Component Configuration section, click Configure
   the Single Sign-on component and manage enterprise application definitions
   for portals.
   Alternatively, click Start, point to All Programs, point to SharePoint
   Portal Server, and then click SharePoint Portal Server Single Sign-On
   Administration.
2. On the Manage Settings for Single Sign-On for Server server_name page,
   in the Application Settings section, click Manage account information for an
   enterprise application definition.
3. On the Manage Account Information for an Enterprise Application
   Definition page, in the Account Information section, do the following:
   1. In the Enterprise Application Definition list, select the name of
      the application definition.
   2. In the Account name or Group account name box, type the account name
      to modify.
      If you created the application definition to use an individual account,
      the Account name box is displayed. If you created the application
      definition to use a group account, the Group account name box is
      displayed.

--------------------------------------------------------------

Visit my site, I have redone it and expanded it considerably;
see the SPS v 2.0 section and the one on Tech-Ed 2003.

See you soon on the SharePoint newsgroups.

Have a good end of the week.

EROL
MVP SharePoint Microsoft France.
http://perso.wanadoo.fr/erolsps/
http://www.laboratoire-microsoft.org/articles/teched_2003/