Deployment Process
The following steps give a high-level overview of secure deployment of Enterprise Single Sign-On (SSO). For detailed procedures on the actions to take in SQL Server, see the SQL Server documentation.
1. On the SQL Server domain controller, use the New Trust Wizard to create a trust with the following properties:
   - Name: ORCH.com
   - Direction: Two-way
   - Sides: This domain only
   - Outgoing Trust Authentication Level - Local Domain: Selective authentication
   - Password: Choose a password
   - Confirm Outgoing Trust: Yes
   - Confirm Incoming Trust: No
2. On the ORCH.com domain controller, use the New Trust Wizard to create a trust with the following properties:
   - Name: SQL.com
   - Direction: Two-way
   - Sides: This domain only
   - Outgoing Trust Authentication Level - Local Domain: Selective authentication
   - Password: Must be the same as the password chosen for the ORCH.com trust
   - Confirm Outgoing Trust: Yes
   - Confirm Incoming Trust: No
3. On the ORCH.com domain controller, set the domain-wide trust for Incoming from SQL.COM.
4. On the SQL.com domain controller, set the domain-wide trust for Outgoing from ORCH.COM.
5. On the ORCH.com domain controller, raise the domain functional level to Windows Server 2003.
6. In the ORCH domain, create the following new users:
   - ORCH\SSOSvcUser
   - ORCH\TestAppUser
   - ORCH\AffAppUser
7. Grant the Act as part of the operating system privilege to ORCH\SSOSvcUser and ORCH\TestAppUser.
8. Grant the Allowed to Authenticate privilege to ORCH\TestAdmin.
9. Add ORCH\SSOSvcUser to SQL2 in the SQL domain. This step requires the Advanced Features view in the Active Directory Microsoft Management Console (MMC) snap-in.
10. On the SQL2 computer, create the following two new logons:
    - ORCH\TestAdmin
    - ORCH\SSOSvcUser
11. On the SQL2 domain, create two domain global groups:
    - ORCH\SSOAdminGroup
    - ORCH\SSOAffAdminGroup
12. Grant the Allowed to Authenticate privilege to the ORCH\SSOAdminGroup group.
13. On the SQL2 database, create the following new logon:
    - ORCH\SSOAdminGroup
14. Install the master secret server as follows:
    - Log on to NTS5 using ORCH\TestAdmin.
    - Install Enterprise SSO, using SQL2 as the master secret server.
15. Log on to HIS1 using ORCH\TestAdmin, and install Enterprise Single Sign-On. Configure ESSO as SSO join HIS2, using database server name SQL2.
16. Install the Enterprise Single Sign-On Admin utility on HIS3 using ORCH\TestAdmin.
17. Add the following users to the following groups:
    - Add ORCH\TestAppUser to ORCH\SSOAdminGroup
    - Add ORCH\AffAppUser to ORCH\TestAffUserGroup
18. Install SQL Server 2000a Enterprise on HIS3, and add the logon ORCH\AffAppUser.
19. On the HIS1 machine, open a command prompt and use the following commands to register the service principal names (SPNs) needed for constrained delegation and protocol transition:

    ```cmd
    setspn -A MSSQLSvc/HIS3.ORCH.com:1433 ORCH\SSOSvcUser
    setspn -A MSSQLSvc/HIS3.ORCH.com:1433 ORCH\TestAppUser
    ```

20. On the ORCH\SSOSvcUser and ORCH\TestAppUser property pages, set the proper delegation for both user accounts by selecting the following options:
    - Trust this user for delegation to specified services only
    - Use any authentication protocol
21. Using ORCH\TestAdmin on the HIS1 computer, perform the following:
    - Add ORCH\TestAppUser to the Remote Desktop Users group.
    - Grant the Impersonate a client after authentication privilege to ORCH\SSOSvcUser.
    - Grant the Impersonate a client after authentication privilege to ORCH\TestAppUser.
22. Verify your deployment by logging on to HIS1 using ORCH\TestAppUser and running LogonExternalUser Test with the following affiliate application configuration:

    ```xml
    <SSO>
      <application name="TestApp">
        <description>An SSO Test Affiliate Application</description>
        <contact>AffAppUser@ESSOV2.EBiz.Com</contact>
        <appUserAccount>ORCH\TestAffAdminGroup</appUserAccount>
        <appAdminAccount>ORCH\TestAffUserGroup</appAdminAccount>
        <field ordinal="0" label="User ID" masked="no" />
        <field ordinal="1" label="Password" masked="yes" />
        <flags groupApp="no" configStoreApp="no" allowTickets="no" validateTickets="yes"
               allowLocalGroups="yes" ticketTimeout="yes" adminGroupSame="no" enableApp="yes"
               hostInitiatedSSO="yes" validatePassword="yes"/>
      </application>
    </SSO>
    ```
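The delegation and privilege settings above are the part of this deployment most often misconfigured and hardest to see from the GUI, so an administrator would want a repeatable check before running the LogonExternalUser test. The following PowerShell script is an added verification aid; it is not part of the original procedure or of the Enterprise SSO product. It assumes the RSAT ActiveDirectory module is installed, that it is run elevated on HIS1 (secedit needs that), and that the account names, domain name and SPN are exactly those used in the steps above. It reads the two delegating accounts from Active Directory and reports whether the SQL Server SPN is registered, whether "Use any authentication protocol" (the TRUSTED_TO_AUTH_FOR_DELEGATION bit) is set, whether the account was accidentally given unconstrained delegation instead, and which services are in msDS-AllowedToDelegateTo; it then resolves who holds SeTcbPrivilege (Act as part of the operating system) and SeImpersonatePrivilege (Impersonate a client after authentication) on the local machine.

```powershell
# Added verification script for the Enterprise SSO deployment above (not product code).
# Assumptions: RSAT ActiveDirectory module present, run elevated on HIS1, names as in the procedure.
Import-Module ActiveDirectory

$Domain      = 'ORCH.com'
$Accounts    = @('SSOSvcUser', 'TestAppUser')        # accounts configured for constrained delegation
$ExpectedSpn = 'MSSQLSvc/HIS3.ORCH.com:1433'          # SPN registered with setspn in step 19

# userAccountControl bits (documented Windows values):
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # set by "Use any authentication protocol" (protocol transition)
$TRUSTED_FOR_DELEGATION         = 0x80000     # "Trust this user for delegation to any service" - should NOT be set here

function Get-SsoDelegationState {
    foreach ($name in $Accounts) {
        $u = Get-ADUser -Identity $name -Server $Domain `
                -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', userAccountControl
        [pscustomobject]@{
            Account             = "ORCH\$name"
            HasSqlSpn           = [bool]($u.servicePrincipalName -contains $ExpectedSpn)
            ProtocolTransition  = (($u.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
            Unconstrained       = (($u.userAccountControl -band $TRUSTED_FOR_DELEGATION) -ne 0)
            AllowedToDelegateTo = ($u.'msDS-AllowedToDelegateTo' -join '; ')
        }
    }
}

function Get-LocalUserRight {
    # Exports the local security policy and resolves the SIDs holding each requested privilege.
    param([string[]]$Privilege)
    $inf = Join-Path $env:TEMP 'sso-user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $inf -Encoding Unicode
    foreach ($p in $Privilege) {
        $line = $lines | Where-Object { $_ -like "$p = *" } | Select-Object -First 1
        $holders = @()
        if ($line) {
            $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
                $id = $_.Trim()
                if ($id.StartsWith('*')) {
                    # secedit writes SIDs prefixed with '*'; translate to DOMAIN\name where possible
                    try { (New-Object System.Security.Principal.SecurityIdentifier($id.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $id }
                } else { $id }
            }
        }
        [pscustomobject]@{ Privilege = $p; Holders = ($holders -join ', ') }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
}

Write-Host "Delegation configuration in $Domain"
Get-SsoDelegationState | Format-Table -AutoSize

Write-Host "Accounts carrying $ExpectedSpn (more than one means a duplicate SPN, which breaks Kerberos):"
setspn -Q $ExpectedSpn

Write-Host "Local user rights on $env:COMPUTERNAME"
Get-LocalUserRight -Privilege 'SeTcbPrivilege', 'SeImpersonatePrivilege' | Format-Table -AutoSize
```

Read the output against the procedure: both accounts should show HasSqlSpn and ProtocolTransition as True, Unconstrained as False, and the SQL Server SPN in AllowedToDelegateTo; SeTcbPrivilege and SeImpersonatePrivilege should list ORCH\SSOSvcUser and ORCH\TestAppUser. If setspn -Q lists the same SPN on more than one account, Kerberos authentication to the SQL Server will fail until the duplicate is removed (setspn -X searches the whole forest for such duplicates).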