BizTalk 2013 R2 – SSO configuration application MMC snap-in isssue and its overlooked behavior

There are many features, tools in BizTalk they might sound trivial and often overlooked, but when you actually need them in your projects the trivial things will become important and end up taking a good amount of your time and give good learning experience.

One of those gems is the SSO Configuration Application MMC Snap-In tool. BizTalk uses Enterprise Single Sign-On (ESSO) to store encrypted user credentials in Single Sign-On (SSODB) database, which can then be transmitted to various systems and to securely store send port and receive location adapter configuration information for BizTalk. The SSODB can also be used to store your application configuration data.

BizTalk’s administration console is used for writing and reading adapter configurations. To store and read your application configuration data Microsoft hasn’t provided and tool out-of-box. Richard Seroter’s SSO Config Data Store Tool has been the tool used by many until BizTalk 2009 when Microsoft provided SSO Configuration Application MMC Snap-In tool to add and manage application and key-value pairs within the applications in SSODB.

When the newer versions of BizTalk were released this little gem has not been updated. You will have issues in using this tool. This is where the great BizTalk community filled the gap and provided the solution. For BizTalk 2013 R2 – Sandro Pereira’s fix will certainly help.


After the fix suggested by Sandro, this tool works fine in a single server environment where you have both the BizTalk processing server and the SQL database installed on one machine. But in a multi-computer environment when you create a key value pair, you will see odd behavior. For one or two keys you can create them, but when you add more key-value pairs nothing will happen.  You will see this behavior if you try to create the key-value pairs from a server which is not a “master secret server”. From a non-master secret server, you can read all the configured applications and its key-value pairs, but you cannot create key-value pair’s properly. You can do this from the master secret server.


Logon to the master secret server, install the SSO Configuration Application MMC Snap-In (if you’ve not done already) and apply the fix as Sandro suggested. And in there you can create and read all the applications and its key-value pairs. This for me is a bug i.e. this snap-in cannot be used to “create” the key-value pairs from all the servers but only from the master secret server. More often your BizTalk processing server would not be a master secret serve and it would be the SQL server which is clustered for high-availability. This behavior is not been documented anywhere. Hence this blog post.

Some have reported this:

If you’re not sure how to find the master secret sever

  1. Select SSO Administration from Microsoft Enterprise Single Sign-On.
  2. In the scope pane, clickon the System. On the right pane should show the details about the SSO database.
  3. In the SSO information list you should see a column called “Master Secret Server”

SSO Master Secret Server


  1. Select SSO Administration from Microsoft Enterprise Single Sign-On.
  2. In the scope pane, right clickSystem, and then click Properties. The Master secret server is displayed on the General tab of the System Properties dialog box.

SSO Master Secret Server Properties

Posted in: BizTalk, SSO DB, Tools Tagged: , , Leave a comment December 23, 2016


M.R.ASHWINPRABHU is the founder and CEO of Fortuvis Systems Limited, a consulting company specialised in Microsoft technologies. Ashwin is a highly experienced integration consultant who works with clients to deliver high quality solutions. He works as technical lead developer, application architect and consultant, specializing in custom applications, enterprise application integration (BizTalk), Web services and Windows Azure.

Leave a Reply

Your email address will not be published. Required fields are marked *