To use single sign-on, the Microsoft Single Sign-On service (SSOSrv) must be installed on all Microsoft Windows front-end Web servers in the farm. SSOSrv must also be installed on all servers running Excel Services. If the Business Data Catalog search is used, SSOSrv must also be installed on the index server.
SSOSrv is configured by using the Services console. When configuring the service, a logon account is required. The logon account must meet all of the following criteria:
- Must be a domain user account. It cannot be a group account.
- Must be an Office SharePoint Server farm account.
- Must be a member of the local Administrators group on the encryption-key server. (The encryption-key server is the first server on which you start SSOSrv.)
- Must be a member of the Security Administrators role and db_creator role on the computer running Microsoft SQL Server.
- Must be either the same as the single sign-on administrator account, or a member of the group account that is the single sign-on administrator account.
Configure and start the Microsoft Single Sign-On service
- On the server, click Start, Control Panel, Administrative Tools, and then click Computer Management.
- In the Computer Management console, expand Services and Applications, and then click Services.
- Right-click Microsoft Single Sign-On Service, and then choose Properties.
- On the General tab, change the Startup type to Automatic.
- On the General tab, under Service Status, click Start.
- Click OK to save your changes and close the Properties window.
- Repeat steps 1 through 6 for each applicable server in the farm.Source : http://technet.microsoft.com/en-us/library/cc262932.aspx#Section1