07-09-04 08:30 PM
Please refer to the online documentation for clustering the SSO Service.
Here is a snippet from the documentation:
Best Practices for Clustering the Master Secret Server
Backing Up the SSO Master Secret Key.
We strongly recommend that you follow the best practices listed in this
topic to synchronize the master secret manually and cluster Enterprise
Single-Sign-On services successfully.
Before You Begin
Before you start configuring SSO in a cluster environment, it is
recommended that you understand how clustering works. For more information,
see the Microsoft Cluster Server (MSCS) guidelines to set up an active and
passive cluster node.
You must be an SSO administrator to perform this procedure.
Guidelines for Setting up Your Cluster
Perform a custom installation to install the master secret server on the
first node (active) of the cluster. For example, you could install it on
computer ClusterNode1. For more information, see Performing a Custom
Installation.
In the Configuration Wizard, on the Configuration Questions page, in the Is
this the master secret server drop down list, select Yes, and then click
Next. For more information, see Using the Configuration Wizard.
Specify the service account credentials for SSO service. This must be a
member of the SSO Administrators group account.
Specify the location of the SQL Server and SSO Credential database (SSODB).
Back up the master secret on the active node. For more information about
backing up the secret key, see Backing Up the SSO Master Secret Key.
Perform a custom installation to install the master secret server on the
second node of the cluster (ClusterNode2). Configure Enterprise SSO Server
on the second node of the cluster using the Configuration Wizard. However,
as this is not the initial installation of the master secret server, in the
Configuration Wizard, on the Configuration Questions page, in the Is this
the master secret server drop down list, select No, and then click Next.
From the command line, type net stop entsso to stop the SSO service.
Once you have installed and configured SSO on both the active and passive
cluster nodes and stopped the SSO service, change the master secret server
name in the SSO credential database to the cluster name (for example
MSS_CLUSTER). You would change the name from ClusterNode1 to MSS_CLUSTER.
Open the text editor of your choice. Cut and paste the following code into
an .xml file (for example: MSS CLUSTER.xml) and save the file:
<sso>
  <globalInfo>
    <secretServer>MSS_CLUSTER</secretServer>
  </globalInfo>
</sso>
At the command line, navigate to the Enterprise Single Sign-On installation
directory. The default installation directory is Program Files\Common
Files\Enterprise Single Sign-On. Type ssomanage -updatedb <name of the .xml
file in the step above> to update the master secret server name in
database.
If runtime errors appear, ignore them for now. The Microsoft Distributed
Transaction Coordinator (DTC) is detecting an internal inconsistency. It
was not configured to run on a cluster, therefore it is unable to start. To
resolve this error condition, configure the DTC to run on a cluster with
comclust -a on both machines, and then restart the DTC.
Configure the service and resource parameters for the cluster. Create an
ENTSSO service resource and make it a generic service. Make each node of
the cluster a possible owner and in the Cluster Properties dialog box,
check the Security tab to ensure that the user under which the application
is running has sufficient permissions (not a local administrator) to access
the cluster. Add users as appropriate. No registry replication information
is required.
Move the cluster group from the first to the second node using the Cluster
Administrator.
Restore the secret key on the second node. At the command line, navigate to
the Enterprise Single Sign-On installation directory. The default
installation directory is C:\Program Files\Common Files\Enterprise Single
Sign-On. Type ssoconfig -restoresecret <restore filename>, where <restore
filename> is the path and name of the back up file which contains the
master secret.
Thanks,
MRoze
This posting is provided "AS IS" with no warranties, and confers no rights.
EBusiness Server Team
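
The name-change step from the quoted documentation (write the XML file, stop entsso, run ssomanage -updatedb), as an added PowerShell example that is not part of the original post or of the product documentation. The parameter names, the temporary file name and the 15-character name check are assumptions.

```powershell
# Added example: generate the <secretServer> update file and apply it.
param(
    [Parameter(Mandatory)] [string] $ClusterName,   # e.g. MSS_CLUSTER
    # Default installation directory named in the documentation snippet.
    [string] $SsoDir  = "$env:ProgramFiles\Common Files\Enterprise Single Sign-On",
    # Hypothetical file name; any path works.
    [string] $XmlPath = (Join-Path $env:TEMP 'sso-secretserver.xml')
)
$ErrorActionPreference = 'Stop'

# Assumption: the cluster name is a NetBIOS-style name (at most 15 characters).
if ($ClusterName -notmatch '^[A-Za-z0-9_-]{1,15}$') {
    throw "Unexpected cluster name '$ClusterName'"
}

$ssomanage = Join-Path $SsoDir 'ssomanage.exe'
if (-not (Test-Path $ssomanage)) { throw "ssomanage.exe not found in $SsoDir" }

# Build the document with the XML API so the file is always well-formed.
$doc        = New-Object System.Xml.XmlDocument
$sso        = $doc.AppendChild($doc.CreateElement('sso'))
$globalInfo = $sso.AppendChild($doc.CreateElement('globalInfo'))
$server     = $globalInfo.AppendChild($doc.CreateElement('secretServer'))
$server.InnerText = $ClusterName
$doc.Save($XmlPath)

# Read the file back and confirm it carries the intended name before touching SSODB.
$check = [xml](Get-Content -Raw $XmlPath)
if ($check.sso.globalInfo.secretServer -ne $ClusterName) {
    throw "Verification of $XmlPath failed"
}

# The documentation stops the SSO service before the update (net stop entsso).
if ((Get-Service -Name entsso).Status -ne 'Stopped') { Stop-Service -Name entsso }

& $ssomanage -updatedb $XmlPath
# The documentation says runtime errors at this point can be ignored until DTC
# is configured for the cluster, so report a failure instead of aborting.
if ($LASTEXITCODE -ne 0) {
    Write-Warning "ssomanage -updatedb exited with code $LASTEXITCODE"
}
```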