Aug 14

SharePoint Single Sign-on Service (SSO)

Now that WSSDemo.com is running in a Hyper-V multi-server farm, SharePoint features such as the BDC and Data Form web part can't use Integrated security SQL access without configuring Kerberos. Many of my customers don't want to enable this (for whatever reason; fear of the unknown is my guess) just for the sake of SharePoint, so I decided to try out SharePoint's SSO service to solve this problem on WSSDemo.com (and because I'm chicken and don't want to change the current web app authentication mode).

I have configured SSO in a single-server VPC environment easily, but trying to get it working in a multi-server environment proved to be a challenge.

My final steps (which I still need to repro to confirm) were:

  1. Start the Windows SSO service on the Central Admin server first and run it under a domain account (SSOService).
  2. Add the SSOService account to the MOSS Farm Administrators.
  3. Add the SSOService account to the local admin group on the MOSS servers and give the account SQL Server rights (I just added it to the local admins group on the SQL server because this account needs to be able to create the SSO database).
  4. Log on to the Central Admin server using the SSOService account. This will light up all the settings links. If anything is wrong at this point, you will either get red error text saying the service can't be configured, or get an Access Denied error when you click "Manage server settings".
  5. Configure the Server settings, specifying the SSOService account as the SSO Admin account (the only way I could get it to work); then I could create the encryption key and application definitions.
  6. Now I'm trying to create a SQL data source in SharePoint Designer that uses SSO. Because my SharePoint Designer is connecting to SharePoint over the Internet and only has HTTP access to the MOSS WFE, I can't complete the connection to bring back the list of databases (at least I think that is the problem), so I'm installing a Hyper-V virtual desktop OS with SPD installed that will be joined to the same domain as the MOSS farm.

If step 6 works, I will be able to continue this story. Stay tuned...

 
 

Comments

On 31 Aug 2008 03:12, Michael Gannotti said:

Hey the right hand side column is covering part of the post

On 15 Sep 2008 11:47, Ian Morrish said:

Get a wider screen ;-)
