Before you install the Single Sign-on Service, ensure that the appropriate accounts and components are available to support the service. Also, because the service uses secure HTTP (HTTPS), the service requires a server authentication certificate for Secure Sockets Layer (SSL) communication with the console and plug-in.
Obtain a server authentication certificate for SSL communication from a certificate authority (CA) or, if you have an existing public key infrastructure (PKI), download your own certificate to the server running the service.
If users are experiencing SSL failures, it is most likely because the server certificate is not trusted. Refer to the Microsoft Web site for instructions about extracting and deploying CA root certificates.
The signing and validation certificates created during Single Sign-on installation are not related to the SSL certificate.
The Single Sign-on Service can require up to three system account types to read and write data as it operates in your environment. The number and type of accounts required depend on the service modules you use. The table shows the accounts required by each module of the service. In cases where different modules require the same type of account, you can use the same account for multiple modules or you can specify different customized accounts for each module.
On the server running the Single Sign-on Service, use the existing Network Service or Local Service accounts.
You cannot specify a local user account as the service account in this version of Single Sign-on. You can specify the built-in Local Service account.
If you choose to create a domain account as the service account, you must register a service principal name (SPN) for this domain account and the service computer in Active Directory by using the setspn.exe utility. If you use a domain user account, the account should be assigned the "Log on as a service" right. The computer running the service must be trusted for delegation.
See the Microsoft Web site for more information about service principal names.
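The SPN registration, logon-right and delegation requirements above, as an added PowerShell check that is not part of the original documentation; the account name, host name and SPN service class are placeholders, and the logon-right check assumes it is run on the service computer itself.

```powershell
# Added example (not from the original documentation): prepare and verify a domain
# service account for the Single Sign-on Service. All names below are placeholders.
$ServiceAccount = 'CONTOSO\svc-sso'        # placeholder domain service account
$ServiceHost    = 'sso01.contoso.local'    # placeholder FQDN of the service computer
$Spn            = "HTTP/$ServiceHost"      # placeholder service class; use the one the service expects

# 1. Register the SPN on the service account. -S refuses to add a duplicate SPN,
#    which avoids the duplicate-SPN condition that silently breaks Kerberos authentication.
setspn.exe -S $Spn $ServiceAccount

# 2. Confirm the SPN is now listed on the account.
setspn.exe -L $ServiceAccount

# 3. Verify the "Log on as a service" right (SeServiceLogonRight) on this computer.
#    secedit exports the local policy; the right's line lists the SIDs of its holders.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight' }
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
if ($rightLine -and $rightLine -match [regex]::Escape($sid)) {
    "Log on as a service: granted to $ServiceAccount"
} else {
    "Log on as a service: NOT granted to $ServiceAccount"
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 4. Check that the service computer is trusted for delegation (needs the ActiveDirectory module).
$computer = Get-ADComputer -Identity $ServiceHost.Split('.')[0] -Properties TrustedForDelegation
"Trusted for delegation: $($computer.TrustedForDelegation)"
```

Run the script in an elevated session; steps 1 and 4 need rights to modify and read the account and computer objects in Active Directory.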
On the server running the Single Sign-on Service, create a domain administrator account with the following settings, to be used for data proxy communication with the service.
The account requires read and write access to the central store. The account requirements depend on the central store type you are implementing.
Central Store Type | Account Description
-------------------|--------------------
NTFS Network Share | The account:
Active Directory   | The account:
If you are using the Self-Service Password Reset or Self-Service Account Unlock features of the Account Self-Service Module, use an account that is a member of the domain administrators group.
The user installing the Single Sign-on Service and running the Service Configuration wizard must be a member of the domain (a Domain User) and a member of the local Administrators group on the service computer (add a domain user account to the local Administrators group).
The user installing the Single Sign-on console component, performing a discovery and configuration operation, and using the console component must be a domain administrator and a member of the local Administrators group on the console computer. This user account must have read and write access to the central store. A non-administrator user account can be assigned the right to manage the console component and its related functions through Active Directory delegation or constrained delegation.
The user installing the Single Sign-on Plug-in must be a member of the domain (a domain user) and a member of the local Administrators group on the user device. The user running the plug-in must be a member of the domain (a domain user).