Single Sign On Madness

I'm working on some things with BizTalk Enterprise Single Sign On, and, I am about to light myself on fire. Ok not really, but close. We're making some SSO management improvements moving forward, which is good given my clumsiness with the command line tools.

I'm building something that I'll turn into a post, but for now, a few notes to myself and others. Make sure that the BizTalk host for both processing and receiving is set to "trusted" and uses a different service account than the non-trusted hosts. I got that all working fine, but I did waste some time figuring out which other permissions I had to grant my new trusted service account. Specifically, make sure that you have things running in the appropriate application pools in IIS if you are using SOAP or HTTP for sending/receiving in an SSO scenario (e.g. not the SharePoint app pool). I swear, 90% of my problems so far are permissions related. I got everything from "IssueTicket access denied" to "make sure the isolated adapter runs under an account that has access to the BizTalk databases" to "I hate you, stop submitted beat files to BizTalk." Rough times.

Also, if you get the error "Tickets are not enabled for the SSO system" it's because you are a monkey and forgot to run the ssomanage -tickets <allowed yes|no> <validate yes|no> command.

Last note. The paper we have, Single Sign-on Services for Microsoft Enterprise Application Integration Solutions located in the Microsoft.com BizTalk white papers section is a really, really good explanation of SSO concepts and practice. Without it, I'd probably be covered in lighter fluid right now.