As part of the recovery process during DR (Disaster Recovery) or other unforeseen scenarios, you may have to restore the master secret in order to re-use the existing setup and data. This article shows how to prepare for and carry out a restore of the master secret in a straightforward way and get your environment running again.
Groundworks
Both for the groundwork and during the restore itself, you must log on to the master secret server with an account that is both a Windows administrator and an SSO administrator.
Master Secret Recovery preparations
The two preparations needed for recovery of the Master Secret are:
- Taking a backup of the Master Secret.
- Preparing a config file in case the Master Secret has to be moved to another server.
1. Backup of the Master Secret
- From the Start search box or the Run dialog, type mmc.exe. Click File and select “Add & Remove Snap-in”. Select Enterprise Single Sign-on from the available snap-ins, add it, and click OK.
- In the scope pane of the ENTSSO MMC Snap-In, expand the Enterprise Single Sign-On node.
- Right-click System, and then click Backup Secret.
- Save the backup file in <Where the backup should be stored>.
- Record the backup password and store it safely; it is required for the restore.
Note: Make sure the hotfix for “ENTSSO experiences a memory leak after you apply hotfix 3000847” (KB 3062831) is installed on the machine: https://support.microsoft.com/en-us/kb/3062831
2. Prepare a config file to move Master Secret on another server
If the master secret is moved, the SSO database must be updated so that it refers to the new master secret server. For example, the name of the new master secret server may be NewSSOServer. To do this, follow these steps on the original master secret server:
Paste the following code into a text editor (such as Notepad) and save it as an .xml file. For example, save the file as %ENV%-SSO-UpdateInfo.xml in <Where the file should be stored>.
<sso>
  <globalInfo>
    <secretServer>NewSSOServer</secretServer>
  </globalInfo>
</sso>
Enterprise SSO Master Secret Server Recovery
Two scenarios are covered: first, restoring the Master Secret on the current server; second, moving the master secret to another machine.

Restoring on the same server
If the master secret has been corrupted for some reason, you can recover the secret from a backup.
- Log on to the Master Secret Server.
- From the Start search box or the Run dialog, type mmc.exe. Click File and select “Add & Remove Snap-in”. Select Enterprise Single Sign-on from the available snap-ins, add it, and click OK.
- In the scope pane of the ENTSSO MMC Snap-In, expand the Enterprise Single Sign-On node.
- Right-click System, and then click Restore Secret…
- Browse to the backup file in <Where the backup should be stored>, enter the password, and click OK.
- Restart the Enterprise Single Sign-On service on the Master Secret server.
Moving to a new Master Secret Server
If the master secret server (or its cluster) cannot be brought online, the master secret can be moved to another server. Choose one of the BizTalk Servers to be the new Master Secret Server.
- Log on to the BizTalk Server that will become the Master Secret Server.
- Retrieve the file %ENV%-SSO-UpdateInfo.xml.
- At an elevated command prompt (Run as administrator), navigate to the Enterprise SSO installation folder. By default, the installation folder is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
- Type ssomanage -updatedb %ENV%-SSO-UpdateInfo.xml to update the master secret server name in the database.
- Restart the Enterprise Single Sign-On service on the new Master Secret server. If the service is not restarted, the restore will not work.
- From the Start search box or the Run dialog, type mmc.exe. Click File and select “Add & Remove Snap-in”. Select Enterprise Single Sign-on from the available snap-ins, add it, and click OK.
- In the scope pane of the ENTSSO MMC Snap-In, expand the Enterprise Single Sign-On node.
- Right-click System, and then click Restore Secret…
- Browse to the backup file in <Where the backup is stored>, enter the password, and click OK.
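The config-file preparation above and the first steps of moving to a new Master Secret Server, scripted as an added PowerShell example (not from the original article or from Microsoft): it writes the update file, runs ssomanage -updatedb, restarts the Enterprise Single Sign-On service, and shows which SSO database the tooling now points to. The environment name, the default installation path, the service name ENTSSO and the use of ssomanage -showdb for the final check are assumptions; the Restore Secret step itself is still done in the MMC as described above.

```powershell
# Added example (not part of the original article): prepare the update file,
# point the SSO database at the new master secret server and restart ENTSSO.
param(
    [Parameter(Mandatory)][string]$NewSecretServer,   # e.g. NewSSOServer, as in the article
    [string]$EnvName = 'PROD',                        # assumed value standing in for %ENV%
    [string]$SsoHome = "$env:CommonProgramFiles\Enterprise Single Sign-On"  # assumed default path
)

# The steps need Windows and SSO administrator rights; fail early if not elevated.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as administrator) PowerShell session.'
}

$ssomanage = Join-Path $SsoHome 'ssomanage.exe'
if (-not (Test-Path $ssomanage)) { throw "ssomanage.exe not found under $SsoHome" }

# Build the update file in the shape the article shows. XmlWriter escapes the
# server name instead of relying on string concatenation.
$updateFile = Join-Path $PWD "$EnvName-SSO-UpdateInfo.xml"
$settings = New-Object System.Xml.XmlWriterSettings
$settings.Indent = $true
$settings.OmitXmlDeclaration = $true
$writer = [System.Xml.XmlWriter]::Create($updateFile, $settings)
$writer.WriteStartElement('sso')
$writer.WriteStartElement('globalInfo')
$writer.WriteElementString('secretServer', $NewSecretServer)
$writer.WriteEndElement()   # </globalInfo>
$writer.WriteEndElement()   # </sso>
$writer.Close()

# Update the master secret server name stored in the SSO database.
& $ssomanage -updatedb $updateFile
if ($LASTEXITCODE -ne 0) { throw "ssomanage -updatedb failed with exit code $LASTEXITCODE" }

# The change is only picked up after the Enterprise Single Sign-On service restarts.
# -Force also restarts dependent services (for example BizTalk host instances).
Restart-Service -Name ENTSSO -Force
(Get-Service -Name ENTSSO).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Show the SSO database settings now in use before restoring the secret via the MMC.
& $ssomanage -showdb
```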
Screenshots source: MSDN