This post was originally published here
Have you ever noticed that your SSO Administration Console tool doesn’t open in BizTalk Server 2016? Fortunately for Microsoft BizTalk Server team this tool is not heavily used by the customer, nevertheless, this is an existing and valid tool that needs to be working properly.
What is this tool?
You can install the Enterprise Single Sign-On (SSO) Administration component as a stand-alone feature. This is useful if you need to administer the SSO system remotely. The hardware and software requirements are the same as for a typical Enterprise SSO installation.
After you install the administration component, you must use either ssomanage.exe or the SSO Administration MMC snap-in to specify the SSO server that will be used for management. Both processes are included in the procedure that follows.
Of course, with this tool, SSO Administration, you can do more than just configure the SSO server that will be used for management. Using the Enterprise SSO Administration console, administrators can easily manage Affiliate Applications, Mappings, SSO Servers, SSO System and also perform Password Management operations. There are 4 snap-ins for Enterprise SSO that administrators can use.
- Affiliate Applications – Administrators can use this to perform administrative operations on Affiliate Applications. For each Affiliate Application, mappings can be created and managed. An Affiliate Application can be created by SSO Affiliate Administrators and SSO Administrators. When it is defined, the administrator can optionally specify an Application Administrators account that contains users who can perform administrative operations on that Affiliate Application. In addition, an Application Users account must be specified that contains Windows domain users for whom mappings can be created. Other operations such as enabling or disabling Affiliate Applications, configuring SSO tickets for the Affiliate Application, and enabling or disabling mappings can also be performed by administrators using this snap-in.
- Password Management – Administrators can use this snap-in to perform administrative operations on Password Synchronization Adapters and Password Filters. Administrative operations need to be performed by the SSO Administrators. A filter rule can also be defined within an Adapter configuration. Once an Adapter or Filter is created, an administrator can associate Affiliate Applications with the Adapter or Filter so that the synchronization and filter rules defined are applied to that application.
- Servers – Administrators can build a list of SSO Servers to perform certain administrative operations and to view their status. Within an SSO system, an administrator can also perform a discovery process to automatically discover and add all the SSO Servers within the SSO system.
- System – Administrators can view SSO System level settings. These settings are stored in the centralized SSO Credential Database. Modifying these settings will apply to all SSO Servers that are using this SSO Credential Database. In addition, administrators can manage the Master Secret Server and perform tasks such as generate, backup and restore the secret. The system-level administrative operations can be performed only by the SSO Administrators.
However, SSO Administration shortcut that points to the Microsoft.EnterpriseSingleSignOn.StartMMC.exe executable file is not working properly in BizTalk Server 2016.
Cause
The reason why this problem is happening is that with BizTalk Server 2016 there is a bug and the installation wizard doesn’t create all the necessary keys in the Register.
Also, if you look at the properties of the “SSO Administration” shortcut, this is pointing to the Microsoft.EnterpriseSingleSignOn.StartMMC.exe executable file. I don’t know the reason why Microsoft decided to create this strategy but in reality, this executable file is just “an easy way” (or dummy way) to open the “ENTSSO.msc”, normally present in the “C:Program FilesCommon FilesEnterprise Single Sign-On” folder and this executable reads the “ENTSSO.msc” installation path from the Register:
…
key = Registry.LocalMachine.OpenSubKey(@"SoftwareMicrosoftENTSSO");
object obj2 = key.GetValue("InstallPath") as string;
…
string str2 = """ + str + "entsso.msc"";
ProcessStartInfo startInfo = new ProcessStartInfo("mmc.exe") {
Arguments = str2
};
Process.Start(startInfo);
…
However, this is the aspect of the keys within BizTalk Server 2016:
Solution
The solution is easy, and you have very different ways to do it.
If you want to open the SSO Administration snap-in, you can:
- Go to the Enterprise Single Sign-On installation folder
- Normally, “C:Program FilesCommon FilesEnterprise Single Sign-on”
- And directly execute the “ENTSSO.msc” (double click)
If you want to fix the SSO Administration shortcut to work properly, you can:
- Open the Register
- And on the HKWY_LOCAL_MACHINESOFTWAREMicrosoftENTSSO add
- the following string: InstallPath
- with the value: C:Program FilesCommon FilesEnterprise Single Sign-On
BizTalk Server 2016: PowerShell to fix the SSO Administration Console
Because in a normal situation there are more keys (strings) present in the Register. I decided to create a simple PowerShell script that you can use to fix all these bugs and put everything working normally again:
...
Set-ItemProperty -Path $registryPath -Name InstallPath -Value "C:Program FilesCommon FilesEnterprise Single Sign-On"
Set-ItemProperty -Path $registryPath -Name ProductCode -Value "{F89B22BC-2768-4237-B300-5CFA52D9AC84}"
...
THIS POWERSHELL IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND.
BizTalk Server 2016: PowerShell to fix the SSO Administration Console (2 KB)
Microsoft | TechNet Gallery
