Extending Windows SSO to Enterprises
Streamline and integrate non-Windows platforms and applications
November 21, 2004
Microsoft BizTalk Server 2004 is the most recent version of Microsoft's enterprise applications integration (EAI) and business process integration server software. BizTalk Server 2004 helps enterprises integrate systems, employees, and partners so that they can automate and orchestrate interactions. Host Integration Server 2004 (HIS 2004) is the most recent version of Microsoft's mainframe gateway server software. (Microsoft called earlier HIS versions SNA Server.) HIS 2004 lets enterprises integrate mission-critical, host-based Microsoft .NET applications, data sources, messaging, and security systems and use IBM mainframe and midrange data and applications across distributed environments.
BizTalk and HIS now feature Enterprise Single Sign-On (ENTSSO). ENTSSO extends the Windows platform's built-in SSO functionality to include other OSs (e.g., Linux, UNIX) and mainframe and legacy enterprise applications such as enterprise resource planning (ERP) software (e.g., SAP). Architecturally, ENTSSO is an excellent example of a server-side, credential-caching automated SSO solution. Like BizTalk and HIS, ENTSSO is a valuable service for enterprises that have heterogeneous IT infrastructures and want to streamline and integrate the Windows-rooted portions of their infrastructures and applications with other legacy systems and applications.
ENTSSO Architecture
The ENTSSO architecture, which Figure 1 shows, is built around a module that maps a user's Windows account to one or more non-Windows accounts and their corresponding credentials. These credentials are necessary for SSO to occur when users access mainframe or other non-Windows applications or platforms (called affiliate applications).
The ENTSSO credential mappings are securely stored in a Microsoft SQL Server database. You can use ssoconfig.exe and ssomanage.exe, a set of command-line administration utilities, to configure them. On the server side, you install the ENTSSO administration tools as part of the ENTSSO service installation. On the client side, you use ssoclient.msi or ssoclientinstall.exe to install the tools as part of the ENTSSO client software installation. You can also remotely administer credential mappings and other ENTSSO configuration parameters. Because ENTSSO doesn't have an administration GUI, you must perform all ENTSSO administration and configuration tasks from the command line, as Figure 2 shows.
You can trigger credential-mapping lookups by using BizTalk-rooted application adapters (for Windows-initiated lookups) or HIS-rooted data providers (for Windows- or host-initiated lookups). The first scenario is linked to a Windows-initiated SSO sequence. The second scenario can be linked to either a Windows- or host-initiated SSO sequence. Windows-initiated SSO means that users who log on to a Windows environment can use SSO when they access non-Windows resources. Host-initiated SSO means that users who log on to a non-Windows environment (e.g., a mainframe application) can use SSO when they access Windows resources. Host-initiated SSO is a unique feature of HIS.
ENTSSO supports four account-mapping mechanisms:
A Windows individual mapping defines a one-to-one relationship between Windows and non-Windows accounts. A user or administrator can manage this mapping.
A Windows group mapping defines a many-to-one relationship between Windows and non-Windows accounts. All Windows users use the same non-Windows account to access the back-end system. Only administrators can manage this mapping.
A host individual mapping is an HIS-specific mapping that's available only for host-initiated SSO and defines a one-to-one relationship between non-Windows and Windows accounts. A user or administrator can manage this mapping.
A host group mapping is an HIS-specific mapping that's available only for host-initiated SSO and defines a many-to-one relationship between non-Windows and Windows accounts. Only administrators can manage this mapping.
To securely store the legacy credentials in the SQL Server database, ENTSSO uses a 128-bit symmetric encryption key called the master secret to encrypt and decrypt passwords. The master secret is securely stored on a dedicated master secret server, which is a special ENTSSO server that multiple ENTSSO servers can share.
The ENTSSO installation program creates an SSO database (SSODB) in the SQL Server database. The SSODB holds 11 ENTSSO-specific tables, including the SSOX_IndividualMapping table, which stores the Windows domain name, Windows account name, external application name, and external account name, and the SSOX_ExternalCredentials table, which stores the external application name, external account name, and encrypted external credentials. ENTSSO uses the master secret to encrypt these credentials.
A typical ENTSSO setup consists of multiple ENTSSO servers (one for each application server that hosts a BizTalk adapter or HIS data provider), one ENTSSO master secret server, and one SQL Server machine that hosts the ENTSSO database. Every time an ENTSSO server decrypts or encrypts SSO data from the ENTSSO database, the server retrieves the master secret from the master secret server via a secure remote procedure call (RPC). For fault-tolerance purposes, you can cluster the SQL Server machine and the ENTSSO master secret server.
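As an added illustration (not Microsoft's code, and not ENTSSO's real schema, RPC or cipher), the following Python model reproduces the data flow the section describes: mapping tables keyed by Windows domain, account and affiliate application, credentials held only as ciphertext, and a master secret that lives on a separate server and is fetched for every encrypt or decrypt. The table classes, the CONTOSO sample accounts and the HMAC-based CTR stand-in for the 128-bit symmetric cipher are all constructed assumptions; only the Windows individual and group mappings are modelled.

```python
import hmac, hashlib, os

class MasterSecretServer:
    """Stand-in for the master secret server: holds the 128-bit key, never the DB."""
    def __init__(self):
        self._secret = os.urandom(16)
    def get_secret(self):  # models the secure RPC an ENTSSO server makes each time
        return self._secret

def _ctr_xor(secret, nonce, data):
    # Constructed CTR-style stand-in for the real cipher: keystream block i is
    # HMAC-SHA256(secret, nonce || i) XORed over the data; one call encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(secret, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class SsoDb:
    """Models the SSODB tables; passwords are stored only as ciphertext."""
    def __init__(self):
        self.individual_mapping = {}    # (domain, user, app)  -> external account
        self.group_mapping = {}         # (domain, group, app) -> shared external account
        self.external_credentials = {}  # (app, external account) -> (nonce, ciphertext)

class EntSsoServer:
    def __init__(self, db, master):
        self.db, self.master = db, master
    def set_credentials(self, app, ext_account, password):
        nonce = os.urandom(16)
        ct = _ctr_xor(self.master.get_secret(), nonce, password.encode())
        self.db.external_credentials[(app, ext_account)] = (nonce, ct)
    def lookup(self, domain, user, groups, app):
        # An individual mapping wins; otherwise the first matching group mapping is used.
        ext = self.db.individual_mapping.get((domain, user, app))
        for g in ([] if ext else groups):
            ext = ext or self.db.group_mapping.get((domain, g, app))
        if ext is None:
            return None
        nonce, ct = self.db.external_credentials[(app, ext)]
        return ext, _ctr_xor(self.master.get_secret(), nonce, ct).decode()

def demo():
    # Constructed sample data: domain CONTOSO, affiliate application "SAP".
    server = EntSsoServer(SsoDb(), MasterSecretServer())
    server.db.individual_mapping[("CONTOSO", "alice", "SAP")] = "ALICE01"
    server.db.group_mapping[("CONTOSO", "Finance", "SAP")] = "FIN_SHARED"
    server.set_credentials("SAP", "ALICE01", "a-secret")
    server.set_credentials("SAP", "FIN_SHARED", "shared-secret")
    return tuple(server.lookup("CONTOSO", u, g, "SAP")
                 for u, g in [("alice", ["Finance"]), ("bob", ["Finance"]), ("carol", [])])
```

The point to notice is that a compromise of the SSODB alone yields only ciphertext; an attacker also needs the master secret server, which is why that machine deserves the same protection as a domain controller.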
ENTSSO Packaging and Installation
BizTalk Server 2004 and HIS 2004 ship with ENTSSO server and client software. You can use the BizTalk installation program or the HIS installation program to install and configure the ENTSSO server. (Figure 3 shows the BizTalk installation wizard.) To install the client-side software, you can use the ssoclientinstall.exe program for BizTalk or the ssoclient.msi program for HIS.
BizTalk and HIS have long lists of preinstallation requirements. You'll find the detailed requirements at http://www.microsoft.com/biztalk/evaluation/sysreqs/default_2004.asp (for BizTalk) and http://www.microsoft.com/hiserver/evaluation/sysreqs/default_2004.asp (for HIS).
As I mentioned earlier, only HIS supports host-initiated SSO scenarios. HIS also supports other capabilities that BizTalk doesn't. For example, HIS supports bidirectional password synchronization between Windows and non-Windows environments. HIS ENTSSO also includes password-synchronization interfaces and the Password Change Notification Service (PCNS).
ENTSSO Examples
Let's look at a couple of examples of Windows-initiated SSO and host-initiated SSO in an ENTSSO environment. The first example uses BizTalk ENTSSO; the second example uses HIS ENTSSO.
In the Windows-initiated SSO sequence that Figure 4 shows, a user who's logged on to a Windows environment uses a front-end Web server that interacts with a BizTalk server. The BizTalk server accesses the SAP data that an SAP ERP application hosts. In this example, the user, the front-end Web server, the BizTalk server, and the SAP server exchange the following messages:
1. The user accesses the Web application, which includes code that uses a BizTalk HTTP adapter to drop a data request into the BizTalk MessageBox. The MessageBox is a key part of BizTalk Orchestration Services, an advanced application messaging and workflow solution.
2. The BizTalk HTTP adapter impersonates the user and requests an ENTSSO ticket from the ENTSSO server. Tickets are an ENTSSO concept (not to be confused with Kerberos or other tickets) that lets BizTalk components exchange user identities and request user credentials from the ENTSSO server.
3. The BizTalk HTTP adapter on the Web server drops the data request and the ENTSSO ticket into the BizTalk MessageBox.
4. While the request is in the MessageBox, the BizTalk Orchestration Services transform the request into a mainframe data request.
5. The BizTalk SAP adapter, a specialized BizTalk adapter that understands SAP messaging protocols, retrieves the SAP data request and the ENTSSO ticket from the BizTalk MessageBox.
6. The BizTalk SAP adapter uses the ENTSSO ticket to request the user's SAP credentials from ENTSSO. These credentials are encrypted; to decrypt them, the ENTSSO service must first communicate with the ENTSSO master secret server.
7. The BizTalk SAP adapter uses the user's SAP credentials to access the SAP ERP application.
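The ticket hand-off in steps 2 and 6 above, as an added Python model that is not Microsoft's code and does not reproduce the real ENTSSO ticket format: the issuing side binds a ticket to the impersonated identity and a lifetime, and the redeeming side has the service validate the ticket's integrity and expiry before any mapped credentials are released. The TicketService class, the signing key, the CONTOSO sample user and the injectable clock are constructed assumptions.

```python
import hmac, hashlib, os, time

class TicketService:
    """Constructed model of ENTSSO ticket issue and redeem; not the real ticket format."""
    def __init__(self, credentials, lifetime=120, clock=time.time):
        self._key = os.urandom(32)        # ticket-signing key held only by the service
        self._credentials = credentials   # (windows user, app) -> external credentials
        self._lifetime, self._clock = lifetime, clock

    def _mac(self, user, expires):
        return hmac.new(self._key, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()

    def issue(self, impersonated_user):
        # Step 2: the HTTP adapter, impersonating the caller, asks for a ticket that
        # carries only the identity and an expiry, never the legacy credentials.
        expires = int(self._clock()) + self._lifetime
        return f"{impersonated_user}|{expires}|{self._mac(impersonated_user, expires)}"

    def redeem(self, ticket, app):
        # Step 6: the SAP adapter presents the ticket; the service checks the MAC and
        # the expiry before releasing the credentials mapped for (user, app).
        user, expires, mac = ticket.split("|")
        if not hmac.compare_digest(mac, self._mac(user, expires)):
            raise PermissionError("ticket tampered with or not issued by this service")
        if int(expires) < self._clock():
            raise PermissionError("ticket expired")
        return self._credentials.get((user, app))

def redeem_ok(svc, ticket, app):
    try:
        return svc.redeem(ticket, app) is not None
    except PermissionError:
        return False

def demo():
    # Constructed scenario with a fixed clock so the expiry check is deterministic.
    now = [1_000_000]
    svc = TicketService({("CONTOSO\\alice", "SAP"): ("ALICE01", "a-secret")},
                        lifetime=120, clock=lambda: now[0])
    ticket = svc.issue("CONTOSO\\alice")
    valid = svc.redeem(ticket, "SAP")
    forged = ticket.replace("alice", "bob")   # identity swapped, so the MAC no longer matches
    forged_ok = redeem_ok(svc, forged, "SAP")
    now[0] += 121                              # move the clock past the lifetime
    expired_ok = redeem_ok(svc, ticket, "SAP")
    return valid, forged_ok, expired_ok
```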
In the host-initiated SSO sequence that Figure 5 shows, a user who's logged on to a mainframe uses a mainframe application that interacts with a Windows-rooted SQL Server database. In this example, the user, mainframe, mainframe application, SQL Server database, and HIS server exchange the following messages:
1. The user logs on to the mainframe to use the mainframe application.
2. To access the SQL Server database, the mainframe application calls on the HIS Transaction Integrator.
3. The HIS Transaction Integrator calls on ENTSSO to obtain the user's Windows account name.
4. ENTSSO calls on a Windows domain controller (DC) to obtain a Windows access token for the user via the Kerberos delegation and protocol transition feature (which Microsoft introduced in Windows Server 2003). The ENTSSO service forwards the access token to the HIS Transaction Integrator.
5. The HIS Transaction Integrator uses Integrated Windows authentication and the user's access token to access the SQL Server database on the user's behalf.
Additional Features and Weaknesses
In an ENTSSO environment, password synchronization is a valuable feature. It ensures that user passwords on different platforms are in sync and automates the distribution of user- or administrator-initiated password updates. To find out more about this feature, see the Web-exclusive sidebar, "HIS ENTSSO Password Synchronization," http://www.windowsitpro.com, InstantDoc ID 44408.
ENTSSO is a valuable service for extending the Windows platform's integrated SSO capabilities to non-Windows applications and platforms. The service is relatively new, however. Microsoft needs to do some work on the documentation side. ENTSSO use cases and deployment scenarios would be a nice addition to the service. ENTSSO would also benefit from a comprehensive administration GUI.