sharepoinTony

@info – The practical side of SharePoint


SSO Tips

Posted by sharepoinTony on August 24, 2010

There are lots of blogs out there talking about the problems people have setting up SSO (Single Sign On) in SharePoint 2007 implementations.  There are also quite a few that run down the steps to do it and state that it is easy.  What is the disconnect between these two “camps” talking about SSO setup?

Well, one thing (IMHO) is that the ease of the process depends on YOUR environment and YOUR knowledge of what SSO is, how it works, and what you plan to do with it. So my first (and most important) tip is to take the time to learn about SSO and what you want to accomplish by using it before you attempt to configure it.

My other tips are:

Enterprise Application Definitions –

  • If you are planning to use Groups, create an Enterprise Application Definition for each group
  • Configuration steps often talk about creating a group for SSO Administrators and SSO Managers; these groups are NOT the groups you want to use here
  • The Account Type selection of Group is used when you want to connect to the data source using the same account for all users in the designated AD group.
    • For example, if you are going against an HR database and you have an AD group for HR managers who are allowed to see data from that source – SSO Enterprise Application Definitions let you map the group to an account with permissions to access that data, and that account will be used for everyone in the HR AD group
  • Things you cannot change for the Enterprise Application Definition after the initial definition:
    • Account Type
    • Authentication
  • Authentication is not clearly described in many places; here are the basics:
    • Select the Windows authentication check box if your clients use Windows authentication when connecting to the external data source (if it is required)
    • Leave the Windows authentication check box unchecked if your data source allows mixed authentication, such as SQL Server does by allowing either SQL or Windows authentication
  • Make sure you log in to Central Admin with the “Enterprise Application Definition Administrator” account when you create your definitions, otherwise you will have problems
  • After you create a definition using the Account Type of Group, don’t forget to update the ‘account information for enterprise application definitions’ – this is where you enter the AD group that you want to map to a specific account for accessing the data source

Configuration –

  • Make your life easier and just create an SSO Administrator account, don’t try to use an existing account.  It can be done, but it also can get confusing
  • If you are in a small environment you should still create the SSO Administrators and Managers AD groups as suggested by Robert Bogue (http://thorprojects.com/blog/archive/2008/08/02/moss-single-sign-on-setup-step-by-step.aspx) – It allows flexibility for you in the future without reconfiguring SSO
  • Follow Robert’s steps (link above) for the basic setup
  • Reference links:
    • http://blogs.msdn.com/b/sharepointdesigner/arcve/2007/08/27/an-introduction-to-single-sign-on-sso-with-data-views.aspx
    • http://technet.microsoft.com/en-us/library/cc262932(office.12).aspx
