Deployment Process
The following steps give a high-level overview of secure deployment of Enterprise Single Sign-On. For detailed procedures on the actions to take in SQL Server, see your SQL Server documentation.
On the SQL Server domain controller, use the New Trust Wizard to create a trust with the following properties:
Name: ORCH.com
Direction: Two-way
Sides: This domain only
Outgoing Trust Authentication Level - Local Domain: Selective authentication
Password: Choose a password
Confirm Outgoing Trust: Yes
Confirm Incoming Trust: No
On the ORCH.com domain controller, use the New Trust Wizard to create a trust with the following properties:
Name: SQL.com
Direction: Two-way
Sides: This domain only
Outgoing Trust Authentication Level - Local Domain: Selective authentication
Password: Must be the same as password for ORCH.com
Confirm Outgoing Trust: Yes
Confirm Incoming Trust: No
On the ORCH.com domain controller, set the domain wide trust for Incoming from SQL.COM.
On the SQL.com domain controller, set the domain wide trust for Outgoing from ORCH.COM.
On the ORCH.com domain controller, raise the domain functional level to Windows Server 2008 SP2 or Windows Server 2008 R2.
In the ORCH domain, create the following new users:
ORCH\SSOSvcUser
ORCH\TestAppUser
ORCH\AffAppUser
Add Act as part of the operating system to SSOSvcUser and TestAppUser.
Add Allowed to Authenticate privilege to ORCH\TestAdmin.
Add ORCH\SSOSvcUser to SQL2 in the SQL domain. (This step requires using Advanced View in Active Directory MMC.)
On the SQL2 computer, create the following two new logins:
ORCH\TestAdmin
ORCH\SSOSvcUser
On the SQL2 domain, create two domain global groups:
ORCH\SSOAdminGroup
ORCH\SSOAffAdminGroup
Add Allowed to Authenticate privilege to the ORCH\SSOAdminGroup group.
On the SQL2 database, create the following new login:
- ORCH\SSOAdminGroup
Install the Master Secret Server as follows:
Log on to NTS5 using ORCH\TestAdmin.
Install ESSO, using SQL2 as the Master Secret Server.
Log onto HIS1 using ORCH\TestAdmin, and install Enterprise Single Sign-On. Configure ESSO as SSO join HIS2, using database server name SQL2.
Install the Enterprise Single Sign-On Admin utility on HIS3 using ORCH\TestAdmin.
Add the following users to the following groups:
Add ORCH\TestAppUser to ORCH\SSOAdminGroup
Add ORCH\AffAppUser to ORCH\TestAffUserGroup
Install SQL Server Enterprise Edition on HIS3, and add login ORCH\AffAppUser.
On the HIS1 computer, open a command prompt and use the following commands to set constrain delegation and protocol transition:
setspn -A MSSQLSvc/HIS3.ORCH.com:1433 ORCH\SSOSvcUser
setspn -A MSSQLSvc/HIS3.ORCH.com:1433 ORCH\TestAppUser
On the ORCH\SSOSvcUser and ORCH\TestAppUser property pages, set the proper delegation for both user accounts by selecting the following options:
Trust this user for delegation to specified services only
Use any authentication protocol
Using ORCH\TestAdmin on the HIS1 computer, perform the following:
Add ORCH\TestAppUser to Remote Desktop User Group
Grant Impersonate after authenticated privilege to ORCH\SSOSvcUser
Grant Impersonate after authenticated privilege to ORCH\TestAppUser
Verify your deployment by logging onto HIS1 using ORCH\TestAppUser and running the following application configuration:
Run LogonExternalUser Test.
<SSO> <application name="TestApp"> <description>An SSO Test Affiliate Application</description> <contact>AffAppUser@ESSOV2.EBiz.Com</contact> <appUserAccount>ORCH\TestAffAdminGroup</appUserAccount> <appAdminAccount>ORCH\TestAffUserGroup</appAdminAccount> <field ordinal="0" label="User ID" masked="no" /> <field ordinal="1" label="Password" masked="yes" /> <flags groupApp="no" configStoreApp="no" allowTickets="no" validateTickets="yes" allowLocalGroups="yes" ticketTimeout="yes" adminGroupSame="no" enableApp="yes" hostInitiatedSSO="yes" validatePassword="yes"/> </application> </SSO>
See Also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for