How to fix BizTalk Server 2016 SSO Administration Console with PowerShell

Have you ever noticed that your SSO Administration Console tool doesn’t open in BizTalk Server 2016? Fortunately for Microsoft BizTalk Server team this tool is not heavily used by the customer, nevertheless, this is an existing and valid tool that needs to be working properly.

What is this tool?

You can install the Enterprise Single Sign-On (SSO) Administration component as a stand-alone feature. This is useful if you need to administer the SSO system remotely. The hardware and software requirements are the same as for a typical Enterprise SSO installation.

After you install the administration component, you must use either ssomanage.exe or the SSO Administration MMC snap-in to specify the SSO server that will be used for management. Both processes are included in the procedure that follows.

Of course, with this tool, SSO Administration, you can do more than just configure the SSO server that will be used for management. Using the Enterprise SSO Administration console, administrators can easily manage Affiliate Applications, Mappings, SSO Servers, SSO System and also perform Password Management operations. There are 4 snap-ins for Enterprise SSO that administrators can use.

  • Affiliate Applications – Administrators can use this to perform administrative operations on Affiliate Applications. For each Affiliate Application, mappings can be created and managed. An Affiliate Application can be created by SSO Affiliate Administrators and SSO Administrators. When it is defined, the administrator can optionally specify an Application Administrators account that contains users who can perform administrative operations on that Affiliate Application. In addition, an Application Users account must be specified that contains Windows domain users for whom mappings can be created. Other operations such as enabling or disabling Affiliate Applications, configuring SSO tickets for the Affiliate Application, and enabling or disabling mappings can also be performed by administrators using this snap-in.
  • Password Management – Administrators can use this snap-in to perform administrative operations on Password Synchronization Adapters and Password Filters. Administrative operations need to be performed by the SSO Administrators. A filter rule can also be defined within an Adapter configuration. Once an Adapter or Filter is created, an administrator can associate Affiliate Applications with the Adapter or Filter so that the synchronization and filter rules defined are applied to that application.
  • Servers – Administrators can build a list of SSO Servers to perform certain administrative operations and to view their status. Within an SSO system, an administrator can also perform a discovery process to automatically discover and add all the SSO Servers within the SSO system.
  • System – Administrators can view SSO System level settings. These settings are stored in the centralized SSO Credential Database. Modifying these settings will apply to all SSO Servers that are using this SSO Credential Database. In addition, administrators can manage the Master Secret Server and perform tasks such as generate, backup and restore the secret. The system-level administrative operations can be performed only by the SSO Administrators.
BizTalk Server 2016 SSO Administration Console

However, SSO Administration shortcut that points to the Microsoft.EnterpriseSingleSignOn.StartMMC.exe executable file is not working properly in BizTalk Server 2016.


The reason why this problem is happening is that with BizTalk Server 2016 there is a bug and the installation wizard doesn’t create all the necessary keys in the Register.

Also, if you look at the properties of the “SSO Administration” shortcut, this is pointing to the Microsoft.EnterpriseSingleSignOn.StartMMC.exe executable file. I don’t know the reason why Microsoft decided to create this strategy but in reality, this executable file is just “an easy way” (or dummy way) to open the “ENTSSO.msc”, normally present in the “C:\Program Files\Common Files\Enterprise Single Sign-On” folder and this executable read the “ENTSSO.msc” installation path from the Register:

key = Registry.LocalMachine.OpenSubKey(@"Software\Microsoft\ENTSSO");
object obj2 = key.GetValue("InstallPath") as string;
string str2 = "\"" + str + "\\entsso.msc\"";
ProcessStartInfo startInfo = new ProcessStartInfo("mmc.exe") {
    Arguments = str2

However, this is the aspect of the keys within BizTalk Server 2016:



The solution is easy, and you have very different ways to do it.

If you want to open the SSO Administration snap-in, you can:

  • Go to the Enterprise Single Sign-On installation folder
    • Normally, “C:\Program Files\Common Files\Enterprise Single Sign-on”
  • And directly execute the “ENTSSO.msc” (double click)

If you want to fix the SSO Administration shortcut to work properly, you can:

  • Open the Register
    • the following string: InstallPath
    • with the value: C:\Program Files\Common Files\Enterprise Single Sign-On

BizTalk Server 2016: PowerShell to fix the SSO Administration Console

Because in a normal situation there are more keys (strings) present in the Register. I decided to create a simple PowerShell script that you can use to fix all these bugs and put everything working normally again:

Set-ItemProperty -Path $registryPath -Name InstallPath -Value "C:\Program Files\Common Files\Enterprise Single Sign-On\"
Set-ItemProperty -Path $registryPath -Name ProductCode -Value "{F89B22BC-2768-4237-B300-5CFA52D9AC84}"



You can download BizTalk Server 2016: PowerShell to fix SSO Administration Console from GitHub here:

#1 all-in-one platform for Microsoft BizTalk Server management and monitoring
Author: Sandro Pereira

Sandro Pereira lives in Portugal and works as a consultant at DevScope. In the past years, he has been working on implementing Integration scenarios both on-premises and cloud for various clients, each with different scenarios from a technical point of view, size, and criticality, using Microsoft Azure, Microsoft BizTalk Server and different technologies like AS2, EDI, RosettaNet, SAP, TIBCO etc. He is a regular blogger, international speaker, and technical reviewer of several BizTalk books all focused on Integration. He is also the author of the book “BizTalk Mapping Patterns & Best Practices”. He has been awarded MVP since 2011 for his contributions to the integration community.

13 thoughts on “How to fix BizTalk Server 2016 SSO Administration Console with PowerShell”

  1. During installation you can run setup another time with extra parameter after the normal SSO installation and it should be added too:

    :\BizTalk Server\Platform\SSO64\Setup.exe /quiet /ADDLOCAL froot

  2. Thanks. After adding the key in Registry its worked. But I can’t see the existing application configurations details in snapIn

    1. Hi Manish, the SSO Administration doesn’t have the functionality to show Application configurations for that you need to use the SSO Application Configuration snap-in that is a different tool.

  3. Hi,

    I am getting sso error with below while configuring the biztalk server 2016.

    Error : TITLE: Microsoft BizTalk Server Configuration Wizard

    There was an error in the SSO configuration module. See the configuration log for further details. (SSO)

    For help, click:


    (0x8007042C) The dependency service or group failed to start.

    For help, click:



    can any one help me on this.

  4. In the article you state, “Fortunately for Microsoft BizTalk Server team this tool is not heavily used by the customer.” What is commonly used for storing credentials?

    1. Most of the implementation that I saw was config files or registry (none of them should be used in my opinion)

  5. Dear Sandro, Hope you are well. We are having a serious issue with our BizTalk production environment and would appreciate your help.
    Error: Error Code: 0xC0002A1F, Cannot perform encryption or decryption because the secret is not available from the master secret server. See the event log for related errors.
    Failed to retrieve master secrets. Verify that the master secret server name is correct and that it is available.
    Secret Server Name: XXXXXXXX
    Error Code: 0x800706D9, There are no more endpoints available from the endpoint mapper.

Leave a Reply

Your email address will not be published. Required fields are marked *


Back to Top