BizTalk: Enterprise Single Sign-On Service

BizTalk: Enterprise Single Sign-On Service

Basic Terminology

Enterprise Single Sign-On Service: A service that communicates directly with the master secret. It is installed with a startup type of Automatic on every BizTalk Server computer in the Group.

Master secret: A registry key that is encrypted. When the Enterprise Single Sign-On (SSO) service is configured during a basic configuration, a backup of the master secret is automatically created in C:\Program Files\Common Files\Enterprise Single Sign-On, and is assigned a password. During a custom configuration, you are asked to specify a password and location for the backup file.

The master secret is only active on one server in the BizTalk group. This is considered the master secret server. The master secret is also responsible for all interaction with the Single Sign-On (SSO) database.

Single Sign-On database (SSODB): This is a database that stores everything related to SSO, including BizTalk artifacts such as receive locations and receive handlers, SSO configuration data such as affiliate applications and ticket timeout value, account information, and account mappings.

Common Issues

  • The password of the master secret password is unknown. There is not anything that can be done to restore the master secret without the password. If the password is unknown and you must restore the master secret, unconfiguring and reconfiguring BizTalk is the only option.
  • Do not change the Enterprise Single Sign-On (SSO) service account. If you must do it, follow the steps in KB article 884205.
  • The BizTalk service has a dependency on the Enterprise Single Sign-On (SSO) service. Sometimes, the SSO service takes a while to start and may appear to hang. This behavior causes the BizTalk Service to time out during startup. To avoid this timeout, change the service account type to Automatic (Delayed Start), as described in KB article 942284.
  • For specific steps on how to cluster the master secret, see How to Cluster the Master Secret Server.

    During this process, you must change the name of the master secret server to be the actual network name (also known as the virtual server name) by creating an XML file. For example, if the network name (also known as the virtual server name) is BizCluster01, then your XML file looks like the following.

    To confirm the network name, open Cluster Administrator, and then open the properties of the BizTalk network name resource. Within these properties, the actual network name is listed. Copy this value, and put it in the XML file.

    How to Create a Cluster Group with a Disk, IP Address, and Name Resource

  • The master secret can be moved from BizTalkServerA to BizTalkServerB or to a cluster. For specific steps on how to accomplish both tasks, see How to Move the Master Secret Server.


SSO logs errors and events to the Application event log. It also has different levels of error information. When you are troubleshooting an SSO issue, enable high auditing by using ssoconfig.exe:

  1. Open a command window, and then go to C:\Program Files\Common Files\Enterprise Single Sign-On.
  2. Type ssoconfig -auditlevel 3 3 and then press Enter.
  3. Reproduce the issue, and then check the Application event log for any errors.
  4. Type ssoconfig –auditlevel 0 1. This command returns the system to the default audit level. This prevents run-time performance from being affected, and avoids rapid database growth due to verbose audit.

For more information, including some known issues, see Troubleshooting Enterprise Single Sign-On.

Tips and Best Practices

  • Back up the master secret often. Know the location of the backup and the password. We strongly recommend that multiple BizTalk administrators know the location and password.
  • The SSO service can be repaired via Add/Remove Programs. This might require restoring the master secret.
  • SSO Administration can be used for common tasks, including backing up and restoring the master secret, changing the master secret to another server, adding users/groups to administer SSO, and getting the name of the master secret server.

See Also

Read suggested related topics:

Another important place to find a huge amount of BizTalk related articles is the TechNet Wiki itself. The best entry point is BizTalk Server Resources on the TechNet Wiki.
Leave a Comment
  • Please add 1 and 8 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Page 1 of 1 (3 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Page 1 of 1 (4 items)