How to fix BizTalk Server 2016 SSO Administration Console with PowerShell

Have you ever noticed that your SSO Administration Console tool doesn’t open in BizTalk Server 2016? Fortunately for Microsoft BizTalk Server team this tool is not heavily used by the customer, nevertheless, this is an existing and valid tool that needs to be working properly.

What is this tool?

You can install the Enterprise Single Sign-On (SSO) Administration component as a stand-alone feature. This is useful if you need to administer the SSO system remotely. The hardware and software requirements are the same as for a typical Enterprise SSO installation.

After you install the administration component, you must use either ssomanage.exe or the SSO Administration MMC snap-in to specify the SSO server that will be used for management. Both processes are included in the procedure that follows.

Of course, with this tool, SSO Administration, you can do more than just configure the SSO server that will be used for management. Using the Enterprise SSO Administration console, administrators can easily manage Affiliate Applications, Mappings, SSO Servers, SSO System and also perform Password Management operations. There are 4 snap-ins for Enterprise SSO that administrators can use.

  • Affiliate Applications – Administrators can use this to perform administrative operations on Affiliate Applications. For each Affiliate Application, mappings can be created and managed. An Affiliate Application can be created by SSO Affiliate Administrators and SSO Administrators. When it is defined, the administrator can optionally specify an Application Administrators account that contains users who can perform administrative operations on that Affiliate Application. In addition, an Application Users account must be specified that contains Windows domain users for whom mappings can be created. Other operations such as enabling or disabling Affiliate Applications, configuring SSO tickets for the Affiliate Application, and enabling or disabling mappings can also be performed by administrators using this snap-in.
  • Password Management – Administrators can use this snap-in to perform administrative operations on Password Synchronization Adapters and Password Filters. Administrative operations need to be performed by the SSO Administrators. A filter rule can also be defined within an Adapter configuration. Once an Adapter or Filter is created, an administrator can associate Affiliate Applications with the Adapter or Filter so that the synchronization and filter rules defined are applied to that application.
  • Servers – Administrators can build a list of SSO Servers to perform certain administrative operations and to view their status. Within an SSO system, an administrator can also perform a discovery process to automatically discover and add all the SSO Servers within the SSO system.
  • System – Administrators can view SSO System level settings. These settings are stored in the centralized SSO Credential Database. Modifying these settings will apply to all SSO Servers that are using this SSO Credential Database. In addition, administrators can manage the Master Secret Server and perform tasks such as generate, backup and restore the secret. The system-level administrative operations can be performed only by the SSO Administrators.

BizTalk Server 2016 SSO Administration Console

However, SSO Administration shortcut that points to the Microsoft.EnterpriseSingleSignOn.StartMMC.exe executable file is not working properly in BizTalk Server 2016.

Cause

The reason why this problem is happening is that with BizTalk Server 2016 there is a bug and the installation wizard doesn’t create all the necessary keys in the Register.

Also, if you look at the properties of the “SSO Administration” shortcut, this is pointing to the Microsoft.EnterpriseSingleSignOn.StartMMC.exe executable file. I don’t know the reason why Microsoft decided to create this strategy but in reality, this executable file is just “an easy way” (or dummy way) to open the “ENTSSO.msc”, normally present in the “C:\Program Files\Common Files\Enterprise Single Sign-On” folder and this executable reads the “ENTSSO.msc” installation path from the Register:

…
key = Registry.LocalMachine.OpenSubKey(@"Software\Microsoft\ENTSSO");
object obj2 = key.GetValue("InstallPath") as string;
…
string str2 = "\"" + str + "\\entsso.msc\"";
ProcessStartInfo startInfo = new ProcessStartInfo("mmc.exe") {
    Arguments = str2
};
Process.Start(startInfo);
…

However, this is the aspect of the keys within BizTalk Server 2016:

BizTalk-Server-2016-ENTSSO-Registry

Solution

The solution is easy, and you have very different ways to do it.

If you want to open the SSO Administration snap-in, you can:

  • Go to the Enterprise Single Sign-On installation folder
    • Normally, “C:\Program Files\Common Files\Enterprise Single Sign-on”
  • And directly execute the “ENTSSO.msc” (double click)

If you want to fix the SSO Administration shortcut to work properly, you can:

  • Open the Register
  • And on the HKWY_LOCAL_MACHINE\SOFTWARE\Microsoft\ENTSSO add
    • the following string: InstallPath
    • with the value: C:\Program Files\Common Files\Enterprise Single Sign-On

BizTalk Server 2016: PowerShell to fix the SSO Administration Console

Because in a normal situation there are more keys (strings) present in the Register. I decided to create a simple PowerShell script that you can use to fix all these bugs and put everything working normally again:

... 
Set-ItemProperty -Path $registryPath -Name InstallPath -Value "C:\Program Files\Common Files\Enterprise Single Sign-On\" 
Set-ItemProperty -Path $registryPath -Name ProductCode -Value "{F89B22BC-2768-4237-B300-5CFA52D9AC84}" 
...

THIS POWERSHELL IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND.

BizTalk Server 2016: PowerShell to fix SSO Administration ConsoleBizTalk Server 2016: PowerShell to fix the SSO Administration Console (2 KB)
Microsoft | TechNet Gallery

Author: Sandro Pereira

Sandro Pereira lives in Portugal and works as a consultant at DevScope. In the past years, he has been working on implementing Integration scenarios both on-premises and cloud for various clients, each with different scenarios from a technical point of view, size, and criticality, using Microsoft Azure, Microsoft BizTalk Server and different technologies like AS2, EDI, RosettaNet, SAP, TIBCO etc. He is a regular blogger, international speaker, and technical reviewer of several BizTalk books all focused on Integration. He is also the author of the book “BizTalk Mapping Patterns & Best Practices”. He has been awarded MVP since 2011 for his contributions to the integration community.

6 thoughts on “How to fix BizTalk Server 2016 SSO Administration Console with PowerShell”

  1. During installation you can run setup another time with extra parameter after the normal SSO installation and it should be added too:

    :\BizTalk Server\Platform\SSO64\Setup.exe /quiet /ADDLOCAL froot

    1. Hi Manish, the SSO Administration doesn’t have the functionality to show Application configurations for that you need to use the SSO Application Configuration snap-in that is a different tool.

Leave a Reply

Your email address will not be published. Required fields are marked *

BizTalk360
BizTalk Server

Over 500+ customers across
30+ countries depend on BizTalk360

Learn More
Serverless360
Azure

Manage and monitor serverless
components effortlessly

Learn More
Atomicscope
Business Users

Monitor your Business Activity in iPaaS
or Hybrid integration solutions

Learn More

Back to Top