Winsec event – Enterprise Single Sign-on (2011-04-21)

In this event we will discuss and demonstrate Enterprise Single Sign-on.

The first part of the event will introduce you to the terminology and different ways to approach single sign-on.
Which are the different platforms and infrastructure you can use to facilitate sign-on for the end user?
What about web single sign-on, simplified logon, enterprise single sign-on and federation?

In the second part of the session we will show you around on the MS single sign-on solution and we demonstrate the Microsoft Sentillon product suite for single sign-on & context management.

Location to be confirmed.

Register at :

Sentillion and Windows 2008 R2 AD

(note-to-self, as per support article KBA-01026-GQ8D6F)

When you setup Sentillion expreSSO or Vergence Single Sign-on to sync with Active Directory  on Windows 2008 R2 domain controllers, you could experience trouble when querying AD for users and groups.

This error is seen in the expreSSO AD sync logs (located at ‘/var/log/sync_logs/sync_engine.log’):

ERROR SyncEngine Internal error: Error when searching endpoint AD

java.lang.RuntimeException: Error on search: [LDAP: error code 12 – 00002040: SvcErr: DSID-031401E0, problem 5010 (UNAVAIL_EXTENSION), data 0

This is because of how AD is queried bij VSS/expreSSO for deleted objects.
This error is thrown by Microsoft AD when searching for more than 250 entries.

(BTW: Other platforms suffer from the same issue. Like OID, see here.)

You will need to apply a Microsoft patch to all of your Server 2008 domain controllers:
(replace 2 system files in case of x64 servers).

In addition to that patch, you must also add the following key to the registry of the DCs. To do this, follow these steps:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
  3. Right-click the Parameters subkey, point to New, and then click String Value.
  4. Type DSA Heuristics, and then press ENTER.
  5. Right-click DSA Heuristics, type 0000000001, and then click OK.Note There are nine zeros and a one in this registry value.
  6. Exit Registry Editor.

Once the patch has been applied and the registry updated, you’ll need to reboot your AD servers.