Resolving errors with SSO cluster configuration

We were trying to install SSO on a SQL cluster. We ran the following command:
C:\Program Files\Common Files\Enterprise Single Sign-On>ssomanage -updatedb GlobalInfo.xml

1. We got the following error:
C:\Program Files\Common Files\Enterprise Single Sign-On>ssomanage -updatedb GlobalInfo.xml
Using SSO server : XXXXXX
ERROR: 0xC0002A0F : Could not contact the SSO server 'XXXXXX'. Check that SSO is configured and that the SSO service is running on that server. (RPC: 0x800706D9: There are no more endpoints available from the endpoint mapper.)

2. We then restarted the ENTSSO service and got a different error this time:

Source: ENTSSO
Date: 10/10/2012 3:24:58 PM
Event ID: 10532
Task Category: Enterprise Single Sign-On 
Level: Warning 
Keywords: Classic
User: N/A
Computer: XXXXXX
Description:
Failed to retrieve master secrets. Verify that the master secret server name is correct and that it is available.

Secret Server Name: XXXXXX

Error Code:
0x80002918, No secrets were found in the registry of the master secret server. Use the configuration tools to generate or restore a master secret.

3. We then created ENTSSO as a clustered Generic Service on the SQL cluster, failed the cluster over to each node and checked, restarted ENTSSO on the active node and ran the -updatedb command again. This time the error was:

C:\Program Files\Common Files\Enterprise Single Sign-On>ssomanage -updatedb GlobalInfo.xml
Using SSO server : XXXXXX
ERROR: 0xC0002A13 : This function can only be performed by a local administrator.

4. We un-configured SSO from BizTalk Configuration on both nodes, reconfigured it and ran the ssomanage -updatedb command again. We got the same local administrator error:
C:\Program Files\Common Files\Enterprise Single Sign-On>ssomanage -updatedb GlobalInfo.xml
Using SSO server : XXXXXX
ERROR: 0xC0002A13 : This function can only be performed by a local administrator.

Cause:
After some analysis we found that the issue was caused by the limited set of ports that had been opened. In this scenario only port XXXX was open between the BizTalk Server and the SQL Server (on which the SSO Server is present). For this communication, port 135 and the secondary (dynamic) RPC ports need to be open. After opening the required port range the issue was resolved. For more information on SSO and Master Secret Server clustering, please refer to the following link: https://msdn.microsoft.com/en-us/library/aa561823(BTS.10).aspx

Resolution:
"The client machine will send a request to the server on port 135. On the server, there is an endpoint mapper (EPM) service that listens for incoming requests on port 135. Once the EPM service gets a request it assigns a random port from the ephemeral port range 1024-65535 (for Windows 2003 and prior versions). Further transaction communication takes place on this port between the server and the client.

The ephemeral port range has changed in Windows Vista/Windows 2008, the new range is 49152-65535. Further transaction communication takes place on this port between the server and the client." Also, the default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008. Refer to the following link: https://support.microsoft.com/kb/929851

To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535. This is a change from the configuration of earlier versions of Windows that used a default port range of 1025 through 5000.

To restrict the port range, configure it on the server. Here are the steps to do it:
1. Start --> Run --> (type in) Dcomcnfg. You should be inside the Component Services MMC.

2. Expand Component Services --> Computers --> My Computer (right click) --> Properties --> Default Protocols.

3. Select "Connection-oriented TCP/IP" --> Click the "Properties" button. Specify the port range (for example: 50000-50200).

4. In case you have a firewall, the same port range should be opened bi-directionally for these machines.

This port range should be opened on both the machines that are participating in a Distributed Transaction.
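The following PowerShell script is an added diagnostic (not part of the original post) that checks the three things this article turns on from a BizTalk node: whether port 135 on the SSO server is reachable, which RPC port range is in effect on the local machine (the restricted DCOM range written by the Dcomcnfg steps above lives under HKLM\SOFTWARE\Microsoft\Rpc\Internet), and the state of the ENTSSO service. $SsoServer is a placeholder you must replace; the helper and output labels are my own.

```powershell
# Added example: RPC/SSO connectivity checks. Run on the BizTalk node.
# $SsoServer is a placeholder; replace it with the master secret server name.
param([string]$SsoServer = 'SSO-SERVER-PLACEHOLDER')

# Simple TCP connect test with a timeout (works without Test-NetConnection,
# which older 2008-era hosts do not have).
function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. The endpoint mapper must be reachable; if it is not, ssomanage fails
#    with RPC 0x800706D9 (no more endpoints available from the endpoint mapper).
$epm = if (Test-TcpPort -Computer $SsoServer -Port 135) { 'open' } else { 'BLOCKED' }
"Port 135 (RPC endpoint mapper) on ${SsoServer}: $epm"

# 2. Which secondary RPC port range applies on this machine. The Dcomcnfg
#    "Connection-oriented TCP/IP" range is stored as Ports / UseInternetPorts.
$rpc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' `
                        -ErrorAction SilentlyContinue
if ($rpc -and $rpc.UseInternetPorts -eq 'Y') {
    "Restricted RPC port range (open this on the firewall): $($rpc.Ports -join ', ')"
} else {
    # No restriction configured: the OS dynamic range applies (49152-65535
    # on Windows Vista / Server 2008 and later, 1025-5000 on earlier versions).
    "No restricted RPC range configured; OS dynamic range in effect:"
    netsh int ipv4 show dynamicport tcp
}

# 3. Local ENTSSO service state (a stopped service gives the 0xC0002A0F error).
Get-Service -Name ENTSSO | Select-Object Name, Status
```

Run the same script on the SSO server itself to confirm the restricted range there matches the range opened on the firewall between the two machines.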

You can also refer to the following blog, which covers some basic troubleshooting steps for ESSO: https://blogs.msdn.com/b/biztalkcpr/archive/2008/06/23/basic-troubleshooting-for-enterprise-single-sign-on-sso.aspx
The error mentioned below can also occur for the following reasons:
RPC: 0x800706D9: There are no more endpoints available from the endpoint mapper.

    1. The checkbox "Use Network Name for computer name" was not selected in the Enterprise Single Sign-On cluster resource (https://support.microsoft.com/kb/198893).
    2. In the BizTalk Administration console, check the SSO Server Name in the properties of the group; there is a good chance that it still has the name of the old master secret server.

Hope this helps!

Written by
Rasika Chaudhary

Reviewed by
Jainath V R

Microsoft India GTSC