Revision #24



Enterprise Single Sign-On (ESSO) is an important component of BizTalk Server. ESSO is responsible for securely storing critical information, such as the secure configuration properties of the BizTalk adapters. ESSO is present on each computer where the BizTalk runtime is installed. ENTSSO is typically installed to C:\Program Files\Common Files\Enterprise Single Sign-On. This article provides the information you need on ESSO and on how to manage and troubleshoot it.

Managing Enterprise Single Sign-On

You can manage the ESSO using two command line tools:
  • SSOManage
  • SSOConfig

These tools can be found in the directory C:\Program Files\Common Files\Enterprise Single Sign-On.


SSOConfig command-line commands:

 -setDB  set SQL Server and SSO database names
 -showDB  show the SQL Server and SSO database names
 -createDB  create SSO database
 -upgradeDB  upgrade SSO database
 -generateSecret  generate new SSO master secret
 -backupSecret  backup current SSO master secret
 restore SSO master secret
 -auditLevel  set SSO server audit level (see below)
 -setSSL  set SSL encryption
 -replayFiles  set directory for replay files
 -syncAge  set maximum password age (for password sync)
 allow remote lookup of credentials
 -discover  discover SSO servers
 -status  display SSO server status
 -allowPS  allow password sync (from PCNS or MIIS)
 -reportFilterErrors  report password filter errors (at runtime)
 -scp  Service Connection Points (SCP)


Audit Level

There are two audit level settings: the “positive” audit level, which controls audits of things that succeed, and the “negative” audit level, which controls audits of things that fail. As the examples below show, the positive level is given first on the command line and the negative level second. The possible values for the audit levels are:

  • 0 = off
  • 1 = low
  • 2 = medium
  • 3 = high

ssoconfig -auditlevel
Reports the current audit level

ssoconfig -auditlevel 0 3
Does not report successes; reports high/verbose for failures

ssoconfig -auditlevel 1 1
Reports low for both successes and failures


SSOManage command-line commands:

Configuration functions

 -server  set SSO server name (for current user)
 -serverall  set SSO server name (for all users)
 -showserver  show the SSO server name(s)


Administration functions

 Command Description
 -updatedb  update SSO database
 -enablesso  enable SSO
 -disablesso  disable SSO
 -tickets  control SSO ticket behavior
 -enable  enable SSO features
 -disable  disable SSO features
 -displaydb  display current SSO database settings

Application functions

 Command Description
 -listapps  list existing applications
 -displayapp  display application information
 -createapps  create new applications
 -deleteapp  delete an existing application
 -updateapps  update existing applications
 -enableapp  enable application
 -disableapp  disable application
 -purgecache  purge the credential cache for an application

Mapping functions

 -listmappings  list mappings for a user
 -createmappings  create mappings for users
 -deletemappings  delete mappings for users
 -enablemapping  enable a single mapping for a user
 -disablemapping  disable a single mapping for a user
 -deletemapping  delete a single mapping for a user
 -setcredentials  set external credentials for a user


There is a document that can aid you in troubleshooting BizTalk Server 2010 Setup, and an MSDN page, Troubleshooting Enterprise Single Sign-On. For troubleshooting it is best to turn both audit levels to high: ssoconfig -auditlevel 3 3.

In case your problem is reproducible, set both the audit levels to high, clear the event log, wait for 1 minute or restart the ENTSSO service (to make sure the ENTSSO service picks up the new audit levels), and try the repro scenario. Take a look in the event log after the reproduction of the problem.
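
The reproduction procedure above as a PowerShell script, added here as an example and not part of the original article. It filters the Application log by start time instead of clearing it, so earlier events are preserved, and it puts the previous audit levels back at the end; the event source match and the CSV output path are assumptions.

```powershell
# Added example. Values marked "assumption" are not taken from the page.
$ssoDir    = 'C:\Program Files\Common Files\Enterprise Single Sign-On'  # directory named on the page
$ssoconfig = Join-Path $ssoDir 'ssoconfig.exe'
if (-not (Test-Path $ssoconfig)) { throw "ssoconfig.exe not found in $ssoDir" }

# 1. Show the current audit levels and record what to put back afterwards.
& $ssoconfig -auditlevel
$restore = Read-Host 'Levels to restore afterwards as "<positive> <negative>", for example "0 1"'
if ($restore -notmatch '^[0-3] [0-3]$') { throw 'Expected two values between 0 and 3.' }
$positive, $negative = $restore -split ' '

try {
    # 2. Both audit levels to high, as the page recommends for troubleshooting.
    & $ssoconfig -auditlevel 3 3

    # 3. Give the ENTSSO service one minute to pick up the new levels
    #    (the page's alternative is to restart the service).
    Start-Sleep -Seconds 60
    $start = Get-Date

    # 4. Reproduce the problem while the script waits.
    Read-Host 'Reproduce the problem now, then press Enter' | Out-Null

    # 5. Collect events written since $start.
    #    Assumption: ENTSSO writes to the Application log under a source name containing "SSO".
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $start } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'SSO' } |
        Sort-Object TimeCreated

    if ($events) {
        $events | Format-List TimeCreated, ProviderName, Id, LevelDisplayName, Message
        # Keep a copy for later analysis; the output path is a placeholder.
        $events | Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message |
            Export-Csv -Path "$env:TEMP\entsso-repro-events.csv" -NoTypeInformation
    } else {
        Write-Warning 'No SSO events were logged during the reproduction window.'
    }
}
finally {
    # 6. Put the audit levels back to the values recorded in step 1.
    & $ssoconfig -auditlevel $positive $negative
}
```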

See Also

Another important place to find a huge amount of BizTalk related articles is the TechNet Wiki itself. The best entry point is BizTalk Server Resources on the TechNet Wiki.
