Back up and restore SSO (Office SharePoint Server 2007)

Applies To: Office SharePoint Server 2007

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Topic Last Modified: 2015-03-09

The Microsoft Single Sign-on (SSO) feature in Microsoft Office SharePoint Server 2007 maps user credentials to back-end data systems. SSO is primarily used for business intelligence scenarios.

The SSO environment consists of the Microsoft Single Sign-on service, the SSO database, and the encryption key. You must back up and restore both the encryption key and the SSO database. However, the service does not have to be backed up. You should always do a full backup of the SSO database.

For more information about SSO, see Plan for single sign-on.

Back up SSO

Backing up the SSO environment involves backing up the encryption key and the SSO database.

The encryption key is a 128-bit, randomly generated key that is used for encrypting and decrypting user credential data that is stored in the database. You should back up the encryption key after first setting up SSO and then back up the key again every time that the key is regenerated. The encryption key cannot be backed up remotely. The encryption key can only be backed up to removable storage media. You must use the SharePoint Central Administration Web site to back up the encryption key. You cannot use the Stsadm command-line tool.

Warning

  • The encryption key and the SSO database that contains the information that has been encrypted by using that key should be backed up at the same time. If the encryption key and the encrypted information in the SSO database become unsynchronized, the encrypted information in the database is unusable and users must submit their credentials again.

  • Store the encryption key backup and the SSO database backup in secure locations.

  • Do not store the backup media for the encryption key in the same location as the backup media for the SSO database. If a malicious user obtains a copy of both the database and the key, the encryption is compromised, and a malicious user could gain access to all credentials stored within the single sign-on database and gain unauthorized access to computer resources.

The SSO database contains user credentials, SSO tickets, configuration data, and auditing data. You should back up the SSO database after it is initially created and again every time that you make configuration changes to SSO or re-encrypt the credential information. You can only re-encrypt the credential information after you regenerate a new key. Additionally, you can include SSO database and encryption key backups with the regularly scheduled database backups for your server farm.

Ensure that the encryption key and the database are synchronized

The credential information that is stored in the SSO database and the backed up encryption key can become unsynchronized in the following ways:

  • It is possible to generate a new encryption key and back it up without re-encrypting the credential information that is stored in the SSO database. As a result, the credential information is encrypted with the previous key.

  • It is also possible to generate a new encryption key and re-encrypt the SSO database by using that encryption key without backing up the new encryption key.

  • Office SharePoint Server 2007 overwrites the previous encryption key on the backup media if the name of the backed up encryption key file is not first changed.

You can help to ensure that the database and the encryption key are synchronized by:

  • Securely storing the encryption key backup and SSO database backup.

  • Using a naming convention — for example, appending the date and time to the encryption key and database .bak file name or to the folder names where they are stored.

You only have to synchronize the database backup and the encryption key backup when you create a new key and re-encrypt the database. Therefore, to ensure synchronization, every time that you use a new key to re-encrypt the credential information that is stored in the SSO database, always back up the new encryption key. On the other hand, if you are backing up the database as part of your regular backup schedule and the database is encrypted by using the same key as previously, you do not have to follow a synchronization process.

For example, you might do the following:

  1. Before regenerating a new encryption key and encrypting the credential information that is stored in the SSO database, copy the current encryption key to a secure folder.

  2. Append the date to the key name — for example, “BaseKey [04.10.2008].key”.

  3. Copy the current SSO database backup (.bak) file to a different secure folder.

  4. Append the date to the .bak file name — for example, “SSO [04.10.2008].bak”.

  5. Regenerate the key and re-encrypt the credential information that is stored in the SSO database, and then back up the new key and the SSO database.
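The archival steps above (copy the current key and .bak file to separate secure folders and date-stamp them before regenerating the key), as an added PowerShell example that is not part of the TechNet article. All paths and the BaseKey.key file name are assumptions; brackets are dropped from the article's example names because Copy-Item and Set-Content treat them as wildcard characters. The script also writes a manifest that pairs the two copies by hash, so at restore time you can confirm the key and the database backup belong to the same generation.

```powershell
# Added example (not from the article): archive the current SSO encryption
# key and SSO database backup as a dated, verifiable pair before the key is
# regenerated. Every path below is an assumption; adjust to your environment.
param(
    [string]$KeyFile  = 'E:\BaseKey.key',              # key on removable media (assumed)
    [string]$DbBackup = 'D:\Backups\SSO.bak',          # current SSO .bak file (assumed)
    [string]$KeyVault = '\\keyserver\SSOKeys$',        # secure folder for keys (assumed)
    [string]$DbVault  = '\\backupsrv\SSODatabases$'    # different secure folder (assumed)
)

# The Warning above says key and database backups must not share a location.
if ($KeyVault.TrimEnd('\') -ieq $DbVault.TrimEnd('\')) {
    throw 'Key backup and database backup must not be stored in the same location.'
}

# One timestamp for both copies so the pair can be matched later.
$stamp   = Get-Date -Format 'yyyy.MM.dd-HHmm'
$keyCopy = Join-Path $KeyVault "BaseKey_$stamp.key"
$dbCopy  = Join-Path $DbVault  "SSO_$stamp.bak"

Copy-Item -LiteralPath $KeyFile  -Destination $keyCopy -ErrorAction Stop
Copy-Item -LiteralPath $DbBackup -Destination $dbCopy  -ErrorAction Stop

# SHA-256 through .NET so this also runs on the PowerShell 2.0 found on
# 2007-era servers, which has no Get-FileHash cmdlet.
function Get-Sha256Hex([string]$Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# A manifest beside each copy names its partner and records both hashes, so a
# restore can verify that the key and the .bak file are a synchronized pair.
$manifest = @(
    "generation=$stamp",
    "key=$keyCopy",
    "key_sha256=$(Get-Sha256Hex $keyCopy)",
    "database=$dbCopy",
    "database_sha256=$(Get-Sha256Hex $dbCopy)"
)
$manifest | Set-Content -LiteralPath (Join-Path $KeyVault "SSO-pair_$stamp.txt")
$manifest | Set-Content -LiteralPath (Join-Path $DbVault  "SSO-pair_$stamp.txt")

Write-Output "Archived pair $stamp. Now regenerate the key, re-encrypt, and back up both again."
```

Run it on the encryption-key server, where the key backup must be made, before step 5; after the re-encryption, back up the new key and the database and run it again so the new generation gets its own manifest.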

Restore SSO

You might have to restore the SSO environment. In some scenarios, you must restore only the encryption key or only the SSO database. The following table describes several recovery scenarios and lists what must be restored.

Scenario                                                                             | What to restore
-------------------------------------------------------------------------------------|----------------------------------
Move the encryption-key server role to a different server computer.                  | Encryption key
Change the SSO service account.                                                      | Encryption key
Restore the failed database server computer.                                         | SSO database
Migrate the Office SharePoint Server 2007 farm to a different set of server computers. | Encryption key and SSO database
Recover from a farm-wide disaster.                                                   | Encryption key and SSO database

Task Requirements

The following are required to perform the procedures for this task:

  • Membership in the Farm Administrators SharePoint group is the minimum required to complete these procedures.

  • You must be logged on to the encryption-key server locally to back up the encryption key. The encryption-key server is the first server that the SSO service is enabled on. The encryption-key server must be running the SharePoint Central Administration Web site.

  • If the IT environment requires that your database administrator (DBA) must back up or restore the SSO database, you must coordinate backing up the encryption key with the DBA to ensure that the correct key is backed up for the database. The account that is used to back up the SSO database must be a member of the SQL Server db_backupoperator fixed database role. The account that is used to restore the SSO database must be a member of the SQL Server dbcreator fixed server role.

  • You do not have to restart the computer to complete these tasks. However, you must stop and restart the SSO service to complete some of the tasks. Because the SSO service will not be available while it is restarting, users must log on again to each service or application they use.

  • You can perform the procedures for this task by using the SharePoint Central Administration Web site. You can back up and restore the SSO database (but not the encryption key) by using the Stsadm command-line tool.

You can perform the following procedures to back up and restore SSO:

See Also

Concepts

Back up and restore a farm (Office SharePoint Server 2007)
Back up and restore an entire farm (Office SharePoint Server 2007)
Create a recovery farm (Office SharePoint Server 2007)
Back up and restore Web applications by using built-in tools (Office SharePoint Server 2007)
Back up and restore site collections by using built-in tools (Office SharePoint Server 2007)
Back up and restore databases (Office SharePoint Server)
Back up and restore SSPs (Office SharePoint Server 2007)
Back up and restore My Sites by using built-in tools (Office SharePoint Server 2007)
Back up and restore InfoPath forms by using built-in tools (Office SharePoint Server 2007)
Back up and restore an item by using DPM (Office SharePoint Server)
Back up and restore a site by using DPM (Office SharePoint Server)