How to change the Enterprise SSO service account that runs on the master secret server in HIS and BizTalk Server

Applies to: BizTalk Server 2016 Enterprise, BizTalk Server 2013 R2 Enterprise, BizTalk Server 2013 Enterprise

Introduction


This article describes the steps that you must follow to change the Enterprise Single Sign-On (SSO) service account that is configured to run on the master secret server in Microsoft Host Integration Server and Microsoft BizTalk Server.

More Information


Note You must follow these steps only on the Enterprise SSO server that contains the master secret. To determine the server that contains the master secret, follow these steps:

  1. Open a Command Prompt window. To do this, select Start, type cmd, and then press Enter.
  2. At the command prompt, change to the Enterprise SSO installation folder, and then type ssomanage -displaydb.

    Note By default, the installation folder for the Enterprise SSO service is <Drive>:\Program Files\Common Files\Enterprise Single Sign-On. In this folder name, <Drive> is the disk drive that contains the Enterprise Single Sign-On directory.

To change the Enterprise SSO service account that is configured to run on the master secret server, follow these steps:

  1. Back up the master secret server. To do this, follow these steps:
     
    1. Click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, change to the Enterprise Single Sign-On installation directory.

      Note By default, the installation directory is <Drive>:\Program Files\Common Files\Enterprise Single Sign-On.
    3. At the command prompt, type ssoconfig -backupsecret <BackupFile>.

      Note In this command, <BackupFile> is the path of and the name of the file to which the master secret will be backed up. For example, D:\Ssobackup.bak.
    4. Provide a password to help protect this backup file. You will be prompted to confirm the password and to provide a password hint to help you remember this password.

      Important You must save and store the backup file in a security-enhanced location.
  2. At the command prompt, type net stop entsso to stop the SSO service.
  3. In Control Panel, open Administrative Tools, and then double-click Services.
  4. Right-click the Enterprise Single Sign-On service entry, and then select Properties.
  5. On the Log On tab, change the account and the password to the values that you want, and then select OK.

    Note This account must be a member of the SSO Administrators group. If it is not, add the account to the SSO Administrators group.
  6. Start the Enterprise SSO service.

    After you start the Enterprise SSO service, an error message is logged in the application log on the master secret server. This log entry resembles the following:
    The secret could not be loaded from the registry. The service account for the SSO service may have been changed or the secret may be corrupted. Restore the secret from a backup file.
    This error message will be resolved when you restore the master secret.
  7. Restore the master secret. To do this, follow these steps:
     
    1. Click Start, click Run, type cmd, and then select OK.
    2. At the command prompt, change to the Enterprise Single Sign-On installation directory.

      Note By default, the installation directory is <Drive>:\Program Files\Common Files\Enterprise Single Sign-On.
    3. At the command prompt, type ssoconfig -restoresecret <BackupFile>.

      Note In this command, <BackupFile> represents the path of and the name of the backup file.
    After you restore the master secret, an informational message about the successful restoration is logged in the application log on the master secret server.
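
The same sequence as a PowerShell script, with a guard that refuses to touch the service until a fresh backup file exists. This is an added example, not Microsoft's code. It assumes the default installation folder on drive C:, reuses the article's example backup path, and sets the logon account through the Win32_Service Change method instead of the Services console.

```powershell
# Added example: run from an elevated prompt on the master secret server only.
$ErrorActionPreference = 'Stop'
$ssoDir     = 'C:\Program Files\Common Files\Enterprise Single Sign-On' # default folder; drive C: assumed
$backupFile = 'D:\Ssobackup.bak'                                        # example path from the article
$ssoconfig  = Join-Path $ssoDir 'ssoconfig.exe'

# New service account; prompting keeps the password out of the script.
$cred = Get-Credential -Message 'New Enterprise SSO service account (DOMAIN\user)'

# Step 1: back up the master secret (ssoconfig prompts for the password and hint).
& $ssoconfig -backupsecret $backupFile
$backup = Get-Item -LiteralPath $backupFile -ErrorAction SilentlyContinue
if (-not $backup -or $backup.Length -eq 0 -or $backup.LastWriteTime -lt (Get-Date).AddMinutes(-10)) {
    throw "No fresh backup at $backupFile; not touching the service account."
}

# Step 2: stop the SSO service and confirm that it really stopped.
net.exe stop entsso
if ((Get-Service -Name entsso).Status -ne 'Stopped') { throw 'entsso is still running.' }

# Steps 3-5: set the logon account. Unlike the Services console, this call does not grant
# "Log on as a service", and it does not check SSO Administrators membership.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='entsso'"
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $cred.UserName
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change returned $($result.ReturnValue)." }

# Step 6: start the service; the "secret could not be loaded" error is expected here.
$started = Get-Date
Start-Service -Name entsso
Start-Sleep -Seconds 5   # give the service time to write the event
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $started } -ErrorAction SilentlyContinue |
    Where-Object Message -like '*secret could not be loaded*' |
    Select-Object TimeCreated, ProviderName, Message

# Step 7: restore the master secret (prompts for the backup password).
& $ssoconfig -restoresecret $backupFile
```

Confirm SSO Administrators membership for the new account before you run the script, and check the application log afterward for the informational message about the successful restoration.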

References


For information about how to change accounts and passwords for other service accounts in BizTalk Server, see the following BizTalk topic:

How to Change Service Accounts and Passwords