Recovery of Master Secret Server



October 8, 2021

As part of the recovery process during DR (Disaster Recovery) or other unforeseen scenarios, you may have to restore the master secret in order to reuse the existing setup and data. The master secret is the key with which Enterprise SSO encrypts the credentials and configuration stored in the SSO database, so without it the SSO database, and the BizTalk environment that depends on it, cannot be used. This article shows how to prepare for and perform the restore so that your environment is up and running again.

Groundworks

In order to perform the groundwork and the restore itself, you must log on to the master secret server with an account that is both a Windows administrator (member of the local Administrators group) and an SSO administrator (member of the SSO Administrators group configured for the SSO system). The SSO tools refuse backup and restore operations from any other account.

Master Secret Recovery preparations

The two preparations needed for recovery of the Master Secret are:

  • Taking a backup of the Master Secret.
  • Preparing a config file in case the Master Secret has to be moved to another server.

1. Backup of the Master Secret

  1. On the search menu or at Run, type mmc.exe. Click File and select “Add/Remove Snap-in”. Select Enterprise Single Sign-On from the available snap-ins, add it, and click OK.
  2. In the scope pane of the ENTSSO MMC snap-in, expand the Enterprise Single Sign-On node.
  3. Right-click System, and then click Backup Secret.
  4. Save the backup file in <Where the backup should be stored>.
  5. Enter a password and a password reminder for the backup. The backup file is encrypted with this password and cannot be restored without it, so record the password and keep it in a secure location separate from the backup file itself.

Note: Please make sure that the hotfix described in “ENTSSO experiences a memory leak after you apply hotfix 3000847” (KB3062831) is installed on the machine: https://support.microsoft.com/en-us/kb/3062831

 

2. Prepare a config file to move Master Secret on another server

If the master secret is moved, the SSO database must be updated so that it refers to the new master secret server. For example, the name of the new master secret server may be NewSSOServer. To prepare for this, follow these steps on the original master secret server:

Paste the following XML into a text editor (such as Notepad) and save it as an .xml file, for example %ENV%-SSO-UpdateInfo.xml, in <Where the file should be stored>. Replace NewSSOServer with the name of the server that will take over the master secret server role.

<sso>
  <globalInfo>
    <secretServer>NewSSOServer</secretServer>
  </globalInfo>
</sso>
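The two preparation steps above can be scripted so that the backup and the UpdateInfo file are produced consistently on every environment. The following PowerShell script is an added example, not code from the original article or from Microsoft; it uses the ssoconfig.exe -backupSecret command, which is the command-line equivalent of the MMC Backup Secret step. It assumes Enterprise SSO is installed in the default folder, that it runs from an elevated prompt on the master secret server under a Windows + SSO administrator account, and that the backup folder, the %ENV% value and the server name NewSSOServer are placeholders to adjust. ssoconfig prompts interactively for the backup password and reminder; the script deliberately does not accept the password as a parameter.

```powershell
# Added example (not from the original article): prepare for master secret recovery.
# 1. Back up the master secret with ssoconfig (CLI equivalent of MMC "Backup Secret").
# 2. Write the UpdateInfo XML used if the master secret later has to move to another server.
# Assumptions: default ENTSSO install folder; elevated Windows + SSO administrator session;
# $BackupDir, $Env and $NewSecretServer are placeholders.
param(
    [string]$BackupDir = 'D:\SSOBackup',        # hypothetical backup location
    [string]$NewSecretServer = 'NewSSOServer',  # name used in the article
    [string]$Env = 'PROD'                       # hypothetical %ENV% value
)
$ErrorActionPreference = 'Stop'

# ssoconfig.exe lives in the Enterprise SSO install folder (default path per the article).
$ssoDir    = Join-Path $env:CommonProgramFiles 'Enterprise Single Sign-On'
$ssoconfig = Join-Path $ssoDir 'ssoconfig.exe'
if (-not (Test-Path $ssoconfig)) { throw "ssoconfig.exe not found in $ssoDir" }

# Groundwork check: the session must be elevated. SSO administrator membership is
# enforced by ssoconfig itself, which fails if the account is not an SSO administrator.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated prompt with a Windows + SSO administrator account.'
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupFile = Join-Path $BackupDir "$Env-MasterSecret-$stamp.bak"

# Step 1: back up the master secret. ssoconfig prompts for the password and a reminder.
# The password is never stored by this script: keep it in a separate secret store,
# away from the .bak file, since the backup cannot be restored without it.
& $ssoconfig -backupSecret $backupFile
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backupFile)) {
    throw "Master secret backup failed (exit code $LASTEXITCODE)"
}
# Restrict the backup file to Administrators and SYSTEM. The file is encrypted with the
# password, but there is no reason to leave it readable by every local user.
icacls $backupFile /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' | Out-Null

# Step 2: write the UpdateInfo XML for a move to $NewSecretServer.
$updateFile = Join-Path $BackupDir "$Env-SSO-UpdateInfo.xml"
$updateXml  = @"
<sso>
  <globalInfo>
    <secretServer>$NewSecretServer</secretServer>
  </globalInfo>
</sso>
"@
Set-Content -Path $updateFile -Value $updateXml -Encoding ASCII

# Round-trip check: the file must parse as XML and name the intended server,
# so a typo is caught now rather than during a disaster recovery.
$parsed = [xml](Get-Content -Path $updateFile -Raw)
if ($parsed.sso.globalInfo.secretServer -ne $NewSecretServer) {
    throw "UpdateInfo XML does not name $NewSecretServer"
}
Write-Host "Master secret backup : $backupFile"
Write-Host "UpdateInfo file      : $updateFile"
```

Save the script under a name of your choosing (for example Prepare-SsoRecovery.ps1, a hypothetical name) and run it from an elevated PowerShell prompt on the master secret server. Copy both output files to the DR location together with the password stored separately; a backup whose password is kept next to it in the same share gives an attacker who reaches that share the key to every credential in the SSO database.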

Enterprise SSO Master Secret Server Recovery

We cover two scenarios: first, restoring the Master Secret on the current master secret server, and second, moving the master secret to another machine.

Restoring on the same server

If the master secret has been corrupted for some reason you can recover the secret from a backup.

  1. Log on to the Master Secret Server.

  2. On the search menu or at Run, type mmc.exe. Click File and select “Add/Remove Snap-in”. Select Enterprise Single Sign-On from the available snap-ins, add it, and click OK.

  3. In the scope pane of the ENTSSO MMC snap-in, expand the Enterprise Single Sign-On node.

  4. Right-click System, and then click Restore Secret…

  5. Browse to the backup file in <Where the backup should be stored>, enter the backup password, and click OK.
  6. Restart the Enterprise Single Sign-On service (ENTSSO) on the Master Secret server.

 

Moving to a new Master Secret Server

If the master secret server (or the cluster hosting it) cannot be brought online, the master secret server role can be moved to another server. Choose one of the BizTalk Servers that already runs the Enterprise SSO service against the same SSO database to be the new Master Secret Server.

  1. Log on to the BizTalk Server that will become the Master Secret Server.

  2. Copy the prepared %ENV%-SSO-UpdateInfo.xml file and the master secret backup file to this server. The <secretServer> element in the XML must contain the name of this server.

  3. At an elevated command prompt (run as administrator), navigate to the Enterprise SSO installation folder. By default, the installation folder is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
  4. Type ssomanage -updatedb %ENV%-SSO-UpdateInfo.xml to update the master secret server name in the SSO database.
  5. Restart the Enterprise Single Sign-On service (ENTSSO) on the new Master Secret server. If the service is not restarted, it keeps the old master secret server name and the restore will not work.

  6. On the search menu or at Run, type mmc.exe. Click File and select “Add/Remove Snap-in”. Select Enterprise Single Sign-On from the available snap-ins, add it, and click OK.

  7. In the scope pane of the ENTSSO MMC snap-in, expand the Enterprise Single Sign-On node.

  8. Right-click System, and then click Restore Secret…
  9. Browse to the backup file in <Where the backup is stored>, enter the backup password, and click OK.
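Both recovery scenarios, restoring on the same server (above) and moving to a new master secret server, can be driven from one PowerShell script. The script below is an added example, not code from the original article or from Microsoft. It uses ssomanage.exe -updatedb and -displaydb and ssoconfig.exe -restoreSecret (the command-line equivalent of the MMC Restore Secret step). It assumes Enterprise SSO is in the default install folder, that it runs elevated on the target server under a Windows + SSO administrator account, and that the -BackupFile and -UpdateFile paths are placeholders. Without -UpdateFile it performs the same-server restore; with -UpdateFile it performs the move first. ssoconfig prompts for the backup password interactively.

```powershell
# Added example (not from the original article): restore the master secret.
# Without -UpdateFile : "Restoring on the same server".
# With    -UpdateFile : "Moving to a new Master Secret Server" (updatedb, restart, restore).
# Assumptions: default ENTSSO install folder; elevated Windows + SSO administrator session;
# -BackupFile and -UpdateFile are placeholders for the files produced during preparation.
param(
    [Parameter(Mandatory)][string]$BackupFile,  # the .bak created by "Backup Secret"
    [string]$UpdateFile                         # %ENV%-SSO-UpdateInfo.xml, move scenario only
)
$ErrorActionPreference = 'Stop'

$ssoDir    = Join-Path $env:CommonProgramFiles 'Enterprise Single Sign-On'
$ssomanage = Join-Path $ssoDir 'ssomanage.exe'
$ssoconfig = Join-Path $ssoDir 'ssoconfig.exe'
foreach ($f in $BackupFile, $ssomanage, $ssoconfig) {
    if (-not (Test-Path $f)) { throw "Required file not found: $f" }
}

if ($UpdateFile) {
    # Move scenario. Guard against pointing the SSO database at the wrong host: the
    # <secretServer> in the UpdateInfo file must be this machine (NetBIOS name or FQDN).
    $expected     = ([xml](Get-Content -Path $UpdateFile -Raw)).sso.globalInfo.secretServer
    $expectedHost = $expected.Split('.')[0]
    if ($expectedHost -ne $env:COMPUTERNAME) {
        throw "UpdateInfo names '$expected' but this host is '$env:COMPUTERNAME'"
    }

    # Step 4: update the master secret server name in the SSO database.
    & $ssomanage -updatedb $UpdateFile
    if ($LASTEXITCODE -ne 0) { throw "ssomanage -updatedb failed (exit code $LASTEXITCODE)" }

    # Step 5: restart ENTSSO so the service picks up the new master secret server name.
    # Skipping this restart is the reason the restore "does not work" in the article.
    Restart-Service -Name ENTSSO

    # Verify the database now lists this host before attempting the restore.
    $dbInfo = & $ssomanage -displaydb | Out-String
    if ($LASTEXITCODE -ne 0 -or $dbInfo -notmatch [regex]::Escape($env:COMPUTERNAME)) {
        throw "SSO database does not list $env:COMPUTERNAME as master secret server"
    }
}

# Steps 6-9 / 4-5: restore the secret from the backup. ssoconfig prompts for the password;
# it is intentionally not taken as a parameter, which would expose it in process listings
# and command history.
& $ssoconfig -restoreSecret $BackupFile
if ($LASTEXITCODE -ne 0) { throw "ssoconfig -restoreSecret failed (exit code $LASTEXITCODE)" }

# Restart ENTSSO so it loads the restored secret, then smoke-test the service.
Restart-Service -Name ENTSSO
if ((Get-Service -Name ENTSSO).Status -ne 'Running') { throw 'ENTSSO is not running after restore' }
& $ssomanage -displaydb | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'ssomanage cannot reach the SSO database after restore' }
Write-Host "Master secret restored from $BackupFile on $env:COMPUTERNAME"
```

Run it as, for example, .\Restore-SsoSecret.ps1 -BackupFile D:\SSOBackup\PROD-MasterSecret.bak for the same-server case, or add -UpdateFile D:\SSOBackup\PROD-SSO-UpdateInfo.xml for the move (script name and paths hypothetical). The host-name guard is deliberately strict: ssomanage -updatedb writes whatever name the XML contains into the shared SSO database, so a stale file prepared for a different server would redirect every SSO server in the group to a host that does not hold the secret.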

Screenshots source: MSDN

 


Topics from this blog: Technical

Author

Raman Dubey

Raman is an IT professional with 11+ years of proven experience in IT Project/Program Management, Service Delivery, Service Governance, Transition & Transformation management, Customer relationship management for global organizations.
