I can’t actually take credit for this particular command – in fact I’ve never configured SSO so I personally don’t know much about it. I got the code from Stef van Hooijdonk who graciously provided the code he produced.

I made a few minor changes to Stef’s code just to bring it in line with the rest of my code, but otherwise it’s as it was provided to me. As such, I’m not really prepared to support this command, since I didn’t personally create it, but it’s really straightforward. One word of caution – the code uses a class which has been flagged as being meant for internal use only and not for use in custom code – specifically the Microsoft.SharePoint.Portal.SingleSignon.Configuration class – so treat the command as unsupported. Here’s the code:

  1#if MOSS
  2using System;
  3using System.Collections.Specialized;
  4using System.Text;
  5using Lapointe.SharePoint.STSADM.Commands.OperationHelpers;
  6using Lapointe.SharePoint.STSADM.Commands.SPValidators;
  7using Microsoft.SharePoint.Portal.SingleSignon;
  8using System.Diagnostics;
  9 
 10namespace Lapointe.SharePoint.STSADM.Commands.Security
 11{
 12    public class ConfigureSso : SPOperation
 13    {
 14        /// <summary>
 15        /// Initializes a new instance of the <see cref="ConfigureSso"/> class.
 16        /// </summary>
 17        public ConfigureSso()
 18        {
 19            SPParamCollection parameters = new SPParamCollection();
 20            parameters.Add(new SPParam("adminaccount", "admin", true, string.Empty, new SPNonEmptyValidator()));
 21            parameters.Add(new SPParam("enterpriseapplicationaccount", "eaa", true, string.Empty, new SPNonEmptyValidator()));
 22            parameters.Add(new SPParam("sqlserver", "sql", true, string.Empty, new SPNonEmptyValidator()));
 23            parameters.Add(new SPParam("database", "db", true, string.Empty, new SPNonEmptyValidator()));
 24            parameters.Add(new SPParam("tickettimeout", "tick", false, "2", new SPIntRangeValidator(1, 60), "Please specify minutes between 1 and 60"));
 25            parameters.Add(new SPParam("auditlogs", "logs", false, "10", new SPIntRangeValidator(1, 90), "Please specify days between 1 and 90."));
 26 
 27            StringBuilder sb = new StringBuilder();
 28            sb.Append("\r\n\r\nConfigure the SSO Service in the Farm. \r\n\r\nParameters:");
 29            sb.Append("\r\n\t-admin <admin account or group that will admininster the SSO Service>");
 30            sb.Append("\r\n\t-eaa <admin account or group that will administer the enterprise applications>");
 31            sb.Append("\r\n\t-sql <sql server for the SSO Database>");
 32            sb.Append("\r\n\t-db <database name for the SSO Storage>");
 33            sb.Append("\r\n\t[-tick] <minutes a sso ticket is valid, defaults to 2>");
 34            sb.Append("\r\n\t[-logs] <days to keep logs, defaults to 10>");
 35 
 36            Init(parameters, sb.ToString());
 37        }
 38 
 39        #region ISPStsadmCommand Members
 40 
 41        /// <summary>
 42        /// Gets the help message.
 43        /// </summary>
 44        /// <param name="command">The command.</param>
 45        /// <returns></returns>
 46        public override string GetHelpMessage(string command)
 47        {
 48            return HelpMessage;
 49        }
 50 
 51        /// <summary>
 52        /// Runs the specified command.
 53        /// </summary>
 54        /// <param name="command">The command.</param>
 55        /// <param name="keyValues">The key values.</param>
 56        /// <param name="output">The output.</param>
 57        /// <returns></returns>
 58        public override int Execute(string command, StringDictionary keyValues, out string output)
 59        {
 60            output = string.Empty;
 61 
 62            string adminAccount = Params["adminaccount"].Value;
 63            string eaDefAccount = Params["eaa"].Value;
 64            string sqlServer = Params["sqlserver"].Value;
 65            string database = Params["database"].Value;
 66 
 67            uint ticketTimeout = 2;
 68            if (Params["tickettimeout"].UserTypedIn)
 69                ticketTimeout = uint.Parse(Params["tickettimeout"].Value);
 70 
 71            uint auditLogs = 10;
 72            if (Params["auditlogs"].UserTypedIn)
 73                auditLogs = uint.Parse(Params["auditlogs"].Value);
 74 
 75            Configure(adminAccount, eaDefAccount, sqlServer, database, ticketTimeout, auditLogs);
 76 
 77            return OUTPUT_SUCCESS;
 78        }
 79 
 80        #endregion
 81 
 82        /// <summary>
 83        /// Configures the SSO settings.
 84        /// </summary>
 85        /// <param name="adminAccount">The admin account.</param>
 86        /// <param name="eaDefAccount">The ea def account.</param>
 87        /// <param name="sqlServer">The SQL server.</param>
 88        /// <param name="database">The database.</param>
 89        /// <param name="ticketTimeout">The ticket timeout.</param>
 90        /// <param name="auditLogs">The audit logs.</param>
 91        private static void Configure(string adminAccount, string eaDefAccount, string sqlServer, string database, uint ticketTimeout, uint auditLogs)
 92        {
 93            try
 94            {
 95                Log("Connecting to {0}", sqlServer);
 96                Configuration.ConfigureSecretServer(
 97                    adminAccount,
 98                    eaDefAccount,
 99                    sqlServer,
100                    database,
101                    ticketTimeout,
102                    auditLogs);
103                Log("SSO Configured succesfull.");
104            }
105            catch (Exception exc)
106            {
107                if (exc.Message.Contains("-2147023143"))
108                    Log("Error occured in setting the SSO Server settings. Is the SSOService configured to run as a domain account?", EventLogEntryType.Error);
109                throw;
110            }
111 
112            Log("Generating MasterSecret..");
113            Configuration.GenerateMasterSecret(false);
114            Log("Master Secret Key set.");
115        }
116 
117    }
118}
119#endif

The help for the command is shown below:

C:\>stsadm -help gl-configuresso

stsadm -o gl-configuresso

Configure the SSO Service in the Farm.

Parameters:
        -admin <admin account or group that will administer the SSO Service>
        -eaa <admin account or group that will administer the enterprise applications>
        -sql <sql server for the SSO Database>
        -db <database name for the SSO Storage>
        [-tick] <minutes a sso ticket is valid, defaults to 2>
        [-logs] <days to keep logs, defaults to 10>

The following table summarizes the command and its various parameters:

| Command Name | Availability | Build Date |
| --- | --- | --- |
| gl-configuresso | MOSS 2007 | Released: 4/17/2009 |
| Parameter Name | Short Form | Required | Description | Example Usage |
| --- | --- | --- | --- | --- |
| adminaccount | admin | Yes | Admin account or group that will administer the SSO service. | `-adminaccount domain\spadmin`, `-admin domain\spadmin` |
| enterpriseapplicationaccount | eaa | Yes | Admin account or group that will administer the enterprise application. | `-enterpriseapplicationaccount domain\spadmin`, `-eaa domain\spadmin` |
| sqlserver | sql | Yes | SQL Server name for the SSO database. | `-sqlserver sql1`, `-sql sql1` |
| database | db | Yes | Database name for the SSO storage. | `-database SSODB`, `-db SSODB` |
| tickettimeout | tick | No | Minutes an SSO ticket is valid, defaults to 2. | `-tickettimeout 2`, `-tick 2` |
| auditlogs | logs | No | Days to keep logs, defaults to 10. | `-auditlogs 10`, `-logs 10` |

The following is an example of how to configure SSO:

stsadm -o gl-configuresso -adminaccount domain\spadmin -enterpriseapplicationaccount domain\spadmin -sqlserver sql1 -database ssodb -tickettimeout 2 -auditlogs 10