BizTalk Server - ENT SSO Problem


Author ENT SSO Problem
josh.jdogg@gmail.com

2006-04-27, 7:25 am

I have written an application that makes use of the ticketing feature
of ENTSSO. I have been able to successfully get a ticket issued but I
am having some difficulty in redeeming the ticket for certain accounts.
Some accounts can successfully redeem the ticket whereas others cannot
redeem, with the following errors in the event log.

Event Type: Warning
Event Source: ENTSSO
Event Category: Enterprise Single Sign-On
Event ID: 10536
Date: 4/20/2006
Time: 10:57:14 AM
User: N/A
Computer: JOSH
Description:
SSO AUDIT
Function: RedeemTicket (ELAB\VCAdmin)
Tracking ID: d8e7b6ff-842c-456b-b87f-d0c85b1d29cc
Client Computer: josh.ELAB (SSOConfig.exe:3352)
Client User: ELAB\VCAdmin
Application Name: cce5ebce-96a7-4aec-9928-300b467c4030
Error Code: 0x8007054B, The specified domain either does not exist or
could not be contacted.


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 4/20/2006
Time: 10:56:28 AM
User: NT AUTHORITY\SYSTEM
Computer: JOSH
Description:
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Authz
Authentication Package: Kerberos
Workstation Name: JOSH
Status code: 0xC000040A
Substatus code: 0x0
Caller User Name: btu
Caller Domain: ELAB
Caller Logon ID: (0x0,0x4EEF61)
Caller Process ID: 756
Transited Services: -
Source Network Address: -
Source Port: -


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Here is the setup of the system. ENTSSO is set up to run under the 'btu'
domain account that is in all the BizTalk and SSO groups. The machine it
is running on is a Win2003 machine. The 'btu' account is a local admin
on the machine. One of the accounts that the problem occurs on is also
a member of the BizTalk groups and SSO groups. I've also made this
account a local administrator on the machine SSO is running on. The
only account that I have been able to get to work at this point is the
domain administrator account. I have done a little research and the
problem seems to be somewhere in Kerberos but I'm not sure exactly
where. Is there anyone who can help with the security configuration of
SSO so that I can use the RedeemTicket method? I have read the
documentation on the MSDN site about the SSOTicket interface and the only
security requirement it stated was the user must be a member of the
SSO affiliate app, SSO admin, or application admin groups. The users
are members of all of these. Any help would be greatly appreciated!
Thanks in advance
Josh
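
An added example, not part of the original post: a small Python triage helper that parses the two exported events above, decodes the ENTSSO HRESULT, and checks whether the failed Authz logon by the SSO service account precedes the RedeemTicket failure. The function names and the two-minute correlation window are assumptions; the event text is a constructed excerpt of the events quoted in the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two events from the post, trimmed to the fields used here.
SSO_EVENT = r"""Event Source: ENTSSO
Event ID: 10536
Date: 4/20/2006
Time: 10:57:14 AM
Function: RedeemTicket (ELAB\VCAdmin)
Client User: ELAB\VCAdmin
Error Code: 0x8007054B, The specified domain either does not exist or
could not be contacted."""
SEC_EVENT = r"""Event Source: Security
Event ID: 537
Date: 4/20/2006
Time: 10:56:28 AM
Logon Process: Authz
Authentication Package: Kerberos
Status code: 0xC000040A
Caller User Name: btu
Caller Domain: ELAB"""

def parse_event(text):
    """Turn the 'Key: value' lines of an exported event into a dict with a timestamp."""
    ev = dict(m.groups() for m in re.finditer(r"^([^:\n]+):[ \t]*(.*)$", text, re.M))
    ev["when"] = datetime.strptime(f"{ev['Date']} {ev['Time']}", "%m/%d/%Y %I:%M:%S %p")
    return ev

def decode_hresult(value):
    """Split a 32-bit HRESULT into its severity bit, facility and code fields."""
    h = int(value.split(",")[0], 16)
    return {"failure": bool(h >> 31), "facility": (h >> 16) & 0x7FF, "code": h & 0xFFFF}

def correlate(sso, sec, service_account, window=timedelta(minutes=2)):
    """True when a failed Authz logon whose caller is the SSO service account
    happens shortly before the RedeemTicket failure (window is an assumption)."""
    return (sso["Event ID"] == "10536" and sso["Function"].startswith("RedeemTicket")
            and sec["Event ID"] == "537" and sec["Logon Process"] == "Authz"
            and sec["Caller User Name"].lower() == service_account.lower()
            and timedelta(0) <= sso["when"] - sec["when"] <= window)

if __name__ == "__main__":
    sso, sec = parse_event(SSO_EVENT), parse_event(SEC_EVENT)
    # Facility 7 is FACILITY_WIN32; code 1355 is ERROR_NO_SUCH_DOMAIN.
    print(decode_hresult(sso["Error Code"]))
    print("service-account logon failure precedes redeem:", correlate(sso, sec, "btu"))
```

The correlation shows that the failing logon is attempted by the service account ('btu') on behalf of the redeeming user, so the place to look is the service account's rights rather than the client user's group memberships alone.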

Lucas R. Vogel

2006-04-27, 7:25 am

Richard Seroter has some good blog posts about SSO application management - I
would suggest trying some of his steps and suggestions at
http://blogs.msdn.com/richardbpi/ar.../09/449531.aspx and
http://blogs.msdn.com/richardbpi/ar.../19/440645.aspx .

Hope this helps!
Lucas

--
===========
Lucas R. Vogel




josh.jdogg@gmail.com

2006-04-27, 7:25 am

Thanks for the information! I will try this and let everyone know what I
find.

Josh

josh.jdogg@gmail.com

2006-04-27, 7:25 am

Thank you so much for the link. The information in the first link fixed
the problem. Basically the problem seemed to be that I needed to set
the BizTalk Admin group to be a member of the SSO groups. Also I
added the SSO service account to the Allow act as OS privilege on the
domain controller.
Thanks again for the info.

josh

Copyright 2003 - 2008 webservertalk.com