BizTalk SSO Configuration Data Storage Tool

If you’ve been in the BizTalk world long enough, you’ve probably heard that you can securely store name/value pairs in the Enterprise Single Sign-On (SSO) database. However, I’ve never been thrilled with the mechanism for inserting and managing these settings, so, I’ve built a tool to fill the void.

Jon Flanders did some great work with SSO for storing configuration data, and the Microsoft MSDN site also has a sample application for using SSO as a Configuration Store, but, neither gave me exactly what I wanted. I want to lower the barrier of entry for SSO since it’s such a useful way to securely store configuration data.

So, I built the SSO Config Store Application Manager.

I can go ahead and enter in an application name, description, account groups with access permissions, and finally, a collection of fields that I want to store. “Masking” has to do with confidential values and making sure they are only returned “in the clear” at runtime (using the SSO_FLAG_RUNTIME flag). Everything in the SSO database is fully encrypted, but this flag has to do with only returning clear values for runtime queries.

You may not want to abandon the “ssomanage” command line completely. So, I let you export out the “new application” configuration into the SSO-ready format. You could also change this file for each environment (different user accounts, for instance), and then from the tool, load a particular XML configuration file during installation. So, I could create XML instances for development/test/production environments, open this tool in each environment, and load the appropriate file. Then, all you have to do is click “Create.”

If you flip to the “Manage” tab of the application, you can set the field values, or delete the application. Querying an application returns all the necessary info, and, the list of property names you previously defined.

If you’re REALLY observant, and use the “ssomanage” tool to check out the created application, you’ll notice that the first field is always named “dummy.” This is because if every case I’ve tested, the SSO query API doesn’t return the first property value from the database. Drove me crazy. So, I put a “dummy” in there, so that you’re always guaranteed to get back what you put in (e.g. put in four fields, including dummy, and always get back the three you actually entered). So, you can go ahead and safely enter values for each property in the list.

So how do we actually test that this works? I’ve included a class, SSOConfigHelper.cs (slightly modified from the MSDN SSO sample) in the below zip file, that you would included in your application or class library. This class has the “read” operation you need to grab the value from any SSO application. The command is as simple as:

string response = SSOConfigHelper.Read(queryName, propertyName);

Finally, when you’re done messing around in development, you can delete the application.

I have plenty of situations coming up where the development team will need to secure store passwords and connection strings and I didn’t like the idea of trying to encrypt the BizTalk configuration file, or worse, just being lazy and embedding the credentials in the code itself. Now, with this tool, there’s really no excuse not to quickly build an SSO Config Store application and jam your values in there.

You can download this tool from here.

Technorati Tags:

Author: Richard Seroter

Richard Seroter is Director of Developer Relations and Outbound Product Management at Google Cloud. He’s also an instructor at Pluralsight, a frequent public speaker, the author of multiple books on software design and development, and a former editor plus former 12-time Microsoft MVP for cloud. As Director of Developer Relations and Outbound Product Management, Richard leads an organization of Google Cloud developer advocates, engineers, platform builders, and outbound product managers that help customers find success in their cloud journey. Richard maintains a regularly updated blog on topics of architecture and solution design and can be found on Twitter as @rseroter.

80 thoughts

  1. Hi Richard,

    I working for customer that uses the SSO Config Store to place configuration data in. One of the backdraws is that there is no easy UI or Tool to manage data inside the store. Your tool provides this so I am very happy not to come with a solution myself. I will introduce your tool to this customer next week and try it out.



    1. Hi Richard,

      The method : SSOConfigManager.GetConfigProperties is not returning all the properties for the specific application.

      If am checking in your solution, then its working fine.

      If i call the same method from my application its returning only top 1 property.

      Could you please help me on this

      Thank you,
      +1 480 434 2033

      1. Hi Selvam, I don’t have much advice for you here! If it works in my app but not in yours, there must be SOMETHING different. Maybe one of the other folks subscribed to this post, or someone in the BizTalk discussion board has more experience with using this today.

        1. Hi Selvam,
          I’ve had the same problem and traced it down to the used “Microsoft.Enterprise.SingleSignOn.Interop.dll”:
          The one in ProgramFiles(x86)/MicrosoftServices was older (v2.0.05727 in Visual Studio; v6.0.245.0 in Explorer details) than the one in ProgramFiles/CommonFiles (v4.0.30319 in VisualStudio; v9.0.2096.0 in Explorer details).
          Could you check which reference is used in your application? Switching the reference to the newer one solved that problem for me.

  2. This loooks like a very nice tool! This interface is much cleaner than some others we’ve tried.

    I am curious about how to add new fields to an existing application entry. We tried adding them to the bottom of the “Manage” grid and clicking the save button, but the new entries aren’t saved – or, at least, they disappear when the “Retrieve Settings” button is clicked.

    We anticipate that some of our applications will continue to grow and require additional configuration settings, but deleting and recreating an app doesn’t seem like a great approach.

    Are we missing something?

  3. Hi Kelly,

    Funny enough, this topic came up at my office yesterday. In looking at the provided SSO API, you can “UpdateApplication” which lets you change settings, but, doesn’t look like there is an “UpdateFields” to allow for adding/modifying/deleting application fields.

    In our case, we took the XML file from our application, added the field we wanted, deleted the old one, and created a new one.

    Not great, but workable. I’ll see if there’s a way to add this via some other channel …

  4. Hi Richard,

    I have been really trying to implement the SSO solution for our windows applications across the company. I have not found a real good sample which helps to integrate all windows applications (desktop/web [asp/ 1.0,1.4,2.0 etc]) using Biztalk SSO.

    Please let me know if you have any ideas/resources relating this.

    My email id is

    Thank you

  5. Thanks Wade.

    And Jacob, I haven’t considered using BizTalk SSO in that broad a fashion. No reason it’s not possible to do so (esp. with AD integration), but I can’t provide you too much direction on this.

  6. Hi Richard,

    This looks like a great tool. Is there any guidance on how this compares with the MMC snap-in? I don’t seem to be able to see applications created in one tool when viewing in the other?

    Also, are you intending to publish the source code?


  7. Hey Mark,

    This does things a bit differently than the snap in. I personally didn’t have as much luck using the built in snap in, thus this tool. I should spend more time comparing the two and seeing how to get the applications created in each to show up for the other.

    As for source code, yeah, I need to do that. I’ll try and throw it up on CodePlex this week …

  8. hello,

    thanks for the code for that nice little UI, im about to make some changes to your UI to be able to handle an XML inside a field value. I found a way to by pass the problems regarding the static number of field that you can use… that must be set at the SSO application creation. I will probaly attach some text field to your list so you can see much better the XMl value, its hard to see inside a list.

    SO we basically have 1 field only in the SSO, that field contain an XML string that you list in it all you config field and values… so it allow you change it as you need.
    I also made a rapper around the SSOCOnffighelper class it retreive from the XML(the XML value) the value you want.

    thanks again for your code… so i didnt have to completly redevelop such a tool.

    Those any1 know if new Biztalk version (other then 2006) will address those COnfig store issue… and have a great UUI for it !!!!

  9. How do I manage SSO config properties using SSO command line tools, if it is at all possible? I could never find any info on this.

  10. Ilya,

    Do you mean application-specific properties, or SSO-wide configuration properties? If the latter, you can use the ssoconfig tool to change some things, or use the SSO Admin Snap In to change general SSO properties.

  11. Hi Richard,
    Do you have an updated version of this tool that exports existing applications (i.e. from the ‘Manage Application’ tab?) as the File -> Save Configuration to Xml option appears to be grey-ed out; or, can you suggest a way to acheive this?

    I appreciate that this sort of defeats the point of an encrypted config store, however our ops team wants a tangible backup before they apply any further changes to the store.

    Cheers, Nick.

  12. Hey Nick,

    I guess we’d have to add a feature to export the data as well, and, when loading it back in, populate the UI controls. I’ll have to take a look at that and see if you’re proposed “Export Application” is easy to put in.

  13. Hi,

    I’m receiving following error while trying to use code for Helper class:

    Class ‘ConfigurationPropertyBag’ must implement ‘Sub Read(propName As String, ByRef ptrVar As Object, errorLog As Integer)’ for interface ‘Microsoft.BizTalk.SSOClient.Interop.IPropertyBag’.

    I copied the code as is from your helper class and converted that to Vb.NET.
    Let me know if i’m missing something?

  14. Hi Richard,

    great tool. thanks.
    When i try to use it in biztalk 2006R2 on the send port the affiliated application doesnt show. It must be something in the database. If you ever figure it out please let me know.
    I think it is the same reason that biztalk SSO admin tool doesnt show it.


  15. Hi Richard!

    It’s a Great tool you’ve got here. Would really want to use it for storing username/passwords in our FTP-ports.

    I’ve experimented with it a little bit and it works fine apart from the thing that “john” noticed. The affiliate application wont list neither in the “SSO Affiliate” drop list (in the FTP port config) nor by running “ssomanage -listapps” (nor from the mmc but I guess thats pretty much the same).

    However I see it in the SSODB SSOX_ApplicationInfo table and i can use your tool to retrieve the settings.

    Perhaps this is not a problem (since there are a bunch of other apps in the SSOX_ApplicationInfo table that don’t get listed either) but I’m new to this so frankly I don’t know. Perhaps I should mention that I’ve tested it on my local developer machine that isn’t connected to a domain (no AD accounts).

    The thing here is that I think it would be nice for our administrators to be able to see what apps there are via the standard mmc GUI.

    It would be really happy if could help out and shed some light on this.

    Best regards/Merry Xmas
    Mattias Hammarsten

  16. Richard,

    The Save Configuration as XML function is disabled from the Manage Application tab. How do I get it to work?

  17. Hi Richard

    I’ve developed a GUI tool that does a similar job to yours except that you can view all apps and associated key/value pairs.

    The problem I have is that if a single app contains more than 512 config entries, the SSODB throws a fit and responds with the following error: [RPC: 0x800706F7: The stub recieved bad data] and none of the config data is viewable.

    I was wondering if you’ve ever come across this limitation on the number of config entries an app can contain and, if you have, if you know of a workaround.



    1. Sir,

      I know it is slightly off the topic but do you know if and how I can package this onto a applicaion using deployment framework. Also, am I allowed to do that from a licencing perspective(since it is your code)


      1. Not sure how to package it, but you are certainly welcome to do so without any fear of me chasing you down later. All I ask is that you keep the acknowledgements of me as the author.

  18. Hi Richard,

    This is a great tool, but in the time since you last commented on this is there a better way to ‘update’ the application beyond the workaround you posted in response to Kelly Meade’s question about this?

    Many thanks for such a great tool, and I’ve enjoyed your book

  19. Great tool Richard.
    I am facing a small glitch. I was able to retrieve the information from SSODB on my dev box (stand-alone installation). But it threw an exception when i moved it to a multi-server deployment. Though, I was able to make it work by having the SSO service run under the same account as my biztlak host. but it doesn’t seem to be a good practice. Do you have any recommendation/suggestion on this?

      1. Richard,

        I was able to solve the problem by adding the account under which my Biztalk host(s) run under to the “SSO Application Users” domain group.

  20. Richard,
    You have a really great tool here. I am actually in the process of re-writing it though. I’ve added a schema and it’s supporting class to work with single or multiple application configurations. I’ve also added the ability to mass export and import configurations that are contained in a single file. ie. multiple applications. The reason for the mass import and export feature is for moving our applications from one environment to the next without having to hand enter each application. I have a couple more features I would like to add to it before I write a tutorail on it. If anyone has features they would like to see just let me know and I’ll do my best to get them in. Also I am looking for a good place to write my turtorial/blog, I’m definately open to suggestions there as well.

  21. Hi Richard,
    I am using the SSO Config Store Application Manager tool to configure the BizTalk SSO applications.
    I am getting some errors while creating the application.

    1) I am seeing the Applictions in the List which are not created.
    2) When I try to select that its throwing an error “Application does not exisit”

    I have freshly installed a new SQL Server and configured the BizTalk Server. Before this it was using other server which is fully configured.

    Can you please help me out in removing these applications ?


  22. Hi Richard,
    I have deleted all the applications in the SSO tool and created the Application with couple of parameters. When I Click Create New Application , It gives me a response saying Application Successfully created.
    When I go back to the Manage Applications Tab and enter the Application name and click Retrive Settings its give an error saying that Applicion Does Not Exist.

    Mallesh B

  23. Hi Richard,
    I got this one fixed.
    The issue was the SSO was referencing the other Message Box. I reconfigured the Enterprise SSO through command promt ssomanage and assigned the local BizTalk server.
    Now I am able to create the Applciations and assign the values to the parameters.

    Thanks for all your support.


  24. I have looked through a few different solutions for the SSODB/Config problem and aside from looking at how the methods are used, how do you know how so much about Microsoft.EnterpriseSingleSignOn.Interop? Like how does one find out what SSOConfigStore really has in it, or what GetConfigInfo does if the code is all internal to microsoft?

  25. Pingback: BizTalk Tools
  26. Hi Seroter,

    I am impressed with the tool that aim using since 3 years with out any problem. Now i need to call this .exe file using commandline by passing the .xml. if you have any example or document related to invoking ssoconfig.exe through Commandline utility, please share with me.


  27. Hi Richard,
    I left a post on your other blog about the same tool, the one updated 2010, but i see you active in 2012 on this one. Great tool, but i really have a need for the options that is buggy in your tool. Its the same issue Kelly described up above. Cant save if you edit in manage and add or chnage a property/value. Did you ever resolve that? One way could be to read the app, delete it, add the new values or changed values and then create it again.. ?
    Let me know if there is a version with a fix.

    1. Hey, feel free to check out the source code and see if I have a condition there that is preventing this from working for you. I hadn’t heard of others with the issue, but maybe they were too polite to mention it!

  28. hi Richard, thanks for this great tool, however we are not able to add any new key in existing application, its a limitation or it is by design? And is there any way to add new key in existing app?

    Could you please kindly reply?


  29. Hi Richard,
    I would like to take back up of configuation file as we do the File -> Save Configuration to Xml using powershell or commands.Can you please help me how can I do this.


  30. Hi Richard, I am having issues upgrading the tool to BizTalk 2016 with SSO version 10, there seems to be an interop incompatibility with the newest version of SSO (10). Have you seen this? Thank you

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.