Basic Troubleshooting For Enterprise Single-Sign-On (SSO)
Troubleshooting Enterprise Single-Sign-On can be tricky. Below are items that should always be checked.
Quick Checklist:
1) Is there anything in the Application event log from ENTSSO?
2) Is the ENTSSO service installed correctly? Does it start OK? Who is it running as?
3) Where is the SSO database? (ssoconfig -showdb)
4) Which SSO server is being used? (ssomanage -showserver)
5) Check the ENTSSO registry keys (HKLM\Software\Microsoft\ENTSSO)
6) What is the SSO Admin account? (ssomanage -displaydb)
7) Is everything enabled OK? (ssomanage -displaydb)
8) Applications – do they exist? (ssomanage -listapps all)
9) Specific application – looks OK? What accounts? (ssomanage -displayapp)
10) Mappings? (ssomanage -listmappings)
11) Computer Management – check group membership
12) Check COM+ app – “ENTSSO Server”
To use the commands in the Quick Checklist you need the SSO command-line tools, ssomanage.exe and ssoconfig.exe, which ship with ENTSSO.
Typically ENTSSO is installed to:
C:\Program Files\Common Files\Enterprise Single Sign-On
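The checklist above, scripted as an added example (not part of the original post): it gathers items 1 to 7 and 12 into one report. It assumes the default install path shown above, an elevated PowerShell session on the SSO server, and that ENTSSO writes to the Application log under the provider name ENTSSO.

```powershell
# Added example, not from the original post. Assumes the default ENTSSO path
# and an elevated session on the SSO server itself.
$ssoHome = 'C:\Program Files\Common Files\Enterprise Single Sign-On'

# 1) Application-log events written by ENTSSO in the last 24 hours
Write-Host '== ENTSSO events (last 24h) =='
Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'ENTSSO'; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -AutoSize -Wrap

# 2) Is the service installed, is it running, and which account runs it?
Write-Host '== ENTSSO service =='
Get-CimInstance Win32_Service -Filter "Name='ENTSSO'" |
    Select-Object Name, State, StartMode, StartName | Format-List

# 3) / 4) Which database and which SSO server the local components point at
Write-Host '== ssoconfig -showdb =='
& (Join-Path $ssoHome 'ssoconfig.exe') -showdb
Write-Host '== ssomanage -showserver =='
& (Join-Path $ssoHome 'ssomanage.exe') -showserver

# 5) Registry keys
Write-Host '== HKLM\Software\Microsoft\ENTSSO =='
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ENTSSO' -ErrorAction SilentlyContinue | Format-List

# 6) / 7) Admin accounts and the enabled flags
Write-Host '== ssomanage -displaydb =='
& (Join-Path $ssoHome 'ssomanage.exe') -displaydb

# 12) Is the COM+ application "ENTSSO Server" registered?
$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $catalog.GetCollection('Applications')
$apps.Populate()
$present = $false
foreach ($app in $apps) { if ($app.Name -eq 'ENTSSO Server') { $present = $true } }
Write-Host "== COM+ application 'ENTSSO Server' present: $present =="
```

Items 8 to 11 (applications, mappings, group membership) depend on the application and user names in your environment, so run those ssomanage commands by hand with the names from the checklist.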
Here is a sample of ssomanage.exe output. *** This is the most useful output for troubleshooting ***
C:\Program Files\Common Files\Enterprise Single Sign-On>ssomanage -displaydb
Using SSO server on this computer
SQL Server : dsiteamsrv
SSO database : SSODB
SSO secret server name : DSITEAMSRV
SSO Admin account : SSO Administrators
SSO Affiliate Admin account : SSO Affiliate Administrators
Size of audit table for deleted ... : 1000
Size of audit table for deleted ... : 1000
Size of audit table for external... : 1000
Ticket timeout (in minutes) : 2
Credential cache timeout (in min... : 60
Global flags -
SSO enabled : Yes
Tickets allowed : No
Allow host initiated SSO : No
Password Sync -
From Windows to adapters : No
From adapters to SSO database (p... : No
From adapters to Windows (full) : No
----------------------------------------------------------------------------------------------
Here is a sample of ssoconfig.exe output. *** This is also helpful for troubleshooting ***
C:\Program Files\Common Files\Enterprise Single Sign-On>ssoconfig -showdb
SQL Server = dsiteamsrv
SSO database = SSODB
--------------------------------------------------------------------------------------------------------------------------
Here is a list of the ssoconfig and ssomanage commands and what they are used for:
ssoconfig commands -
-setDB : set SQL Server and SSO database names
-showDB : show the SQL Server and SSO database names
-createDB : create SSO database
-upgradeDB : upgrade SSO database
-generateSecret : generate new SSO master secret
-backupSecret : backup current SSO master secret
-restoreSecret : restore SSO master secret
-auditLevel : set SSO server audit level
-setSSL : set SSL encryption
-replayFiles : set directory for replay files
-syncAge : set maximum password age (for password sync)
-remoteLookup : allow remote lookup of credentials
-discover : discover SSO servers
-status : display SSO server status
-allowPS : allow password sync (from PCNS or MIIS)
-reportFilterErrors : report password filter errors (at runtime)
-scp : Service Connection Points (SCP)
ssomanage commands -
Configuration functions -
-server : set SSO server name (for current user)
-serverall : set SSO server name (for all users)
-showserver : show the SSO server name(s)
Administration functions -
-updatedb : update SSO database
-enablesso : enable SSO
-disablesso : disable SSO
-tickets : control SSO ticket behavior
-enable : enable SSO features
-disable : disable SSO features
-displaydb : display current SSO database settings
Application functions -
-listapps : list existing applications
-displayapp : display application information
-createapps : create new applications
-deleteapp : delete an existing application
-updateapps : update existing applications
-enableapp : enable application
-disableapp : disable application
-purgecache : purge the credential cache for an application
Mapping functions -
-listmappings : list mappings for a user
-createmappings : create mappings for users
-deletemappings : delete mappings for users
-enablemapping : enable a single mapping for a user
-disablemapping : disable a single mapping for a user
-deletemapping : delete a single mapping for a user
-setcredentials : set external credentials for a user
Audit Levels
There are two audit level settings – the “positive” audit level, which controls audits of things that succeed, and the “negative” audit level, which controls audits of things that fail.
The possible values for the audit levels are –
0 = off
1 = low
2 = medium
3 = high
The audit levels are controlled with the command –
ssoconfig -auditlevel <positive level> <negative level>
For troubleshooting it is best to turn both audit levels to high –
ssoconfig -auditlevel 3 3
If your problem is reproducible, set both audit levels to high, clear the event log, wait one minute or restart the ENTSSO service (so that the service picks up the new audit levels), and then run through the repro scenario. Look in the Application event log after the repro.
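The repro cycle just described, scripted as an added example (not part of the original post). Rather than clearing the Application log, it records the time of the service restart and shows only the ENTSSO events written after it, so earlier events are kept for later comparison. It assumes the default install path and an elevated session on the SSO server.

```powershell
# Added example, not from the original post. Assumes the default ENTSSO path
# and an elevated session on the SSO server.
$ssoconfig = 'C:\Program Files\Common Files\Enterprise Single Sign-On\ssoconfig.exe'

# Raise both the positive and the negative audit level to high (3)
& $ssoconfig -auditlevel 3 3

# Restart the service so it picks up the new levels right away, and note the time
Restart-Service -Name ENTSSO
$start = Get-Date

Read-Host 'Reproduce the problem now, then press Enter'

# Collect everything ENTSSO logged during the repro window
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'ENTSSO'; StartTime = $start
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host 'No ENTSSO events were written during the repro window.'
} else {
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { $_.Message -replace "`r?`n", ' ' } } |
        Format-Table -AutoSize -Wrap
}

# When finished, set the audit levels back to whatever your environment normally
# uses, e.g.  & $ssoconfig -auditlevel <positive level> <negative level>
```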
Finally, below are some helpful links for Enterprise Single Sign-On.
High Availability for Enterprise Single Sign-On
https://msdn.microsoft.com/en-us/library/aa560674.aspx
High-Availability SSO Installation Options
https://msdn.microsoft.com/en-us/library/aa578263.aspx
Using SSO