Installing BizTalk Server 2010 in a Basic Multi-Computer Environment: The need for a Domain Controller – Windows Groups and Service Accounts (Part 2)

Posted: January 4, 2012 in BizTalk

A very important difference between a single-server and a multi-server installation is that the multi-server configuration requires you to use domain users and groups to run the various BizTalk services, which makes a domain controller a necessity. These domain accounts and groups are used for the security configuration of the BizTalk Server databases.

Because BizTalk and SQL Server are installed on separate machines, a domain user account is a necessity so that the same account can have access rights on both the BizTalk machine and the SQL Server machine.

Create Domain Groups and Users

The BizTalk setup procedure is not able to create the Windows Groups and Users on a Domain Controller, so on a multi-computer installation, BizTalk Windows Groups and Users must be created manually on the Domain Controller.

The following information will be useful in creating these groups and accounts.

  • In a multicomputer environment, BizTalk Server supports only domain groups and domain service accounts.
  • BizTalk Server 2010 supports only <NetBIOSDomainName>\<User> name formats for Windows groups and service accounts.
  • BizTalk Server supports only Active Directory domain groups and user accounts in multi-computer configurations. Domain groups include Domain Local groups, Global groups, and Universal groups, which are supported in both single computer and multi-computer environments.
  • Built-in accounts such as NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\SERVICE, NT AUTHORITY\SYSTEM, and Everyone are not supported when you install and configure BizTalk Server 2010 in a multi-computer environment.
  • For more information, see the “Installing BizTalk Server 2010 and BAM in a Multi-Computer Environment” guide.

Planning the use of a new Organizational Unit

To keep things tidy, we can place the BizTalk users and groups in an Organizational Unit (OU). It is good practice to create a new OU to hold all the groups, user accounts and service accounts that we will use in the configuration of BizTalk Server 2010.

OUs are Active Directory containers into which you can place users, groups, computers, and other organizational units. By using them you can create containers within a domain that represent the hierarchical or logical structure of your organization.

To create a new OU follow these steps:

  • Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  • Right-click on the domain name and select New -> Organizational Unit.


  • Enter “BizTalk” as the name of the new Organizational Unit object, make sure “Protect container from accidental deletion” is checked, and press “OK”.

Windows Groups Used In BizTalk Server

The following table lists the Windows groups and their membership used by BizTalk Server.

Note: these groups must be created within the OU created earlier.

  • SSO Administrators
    Description: Administrator of the Enterprise Single Sign-On (SSO) service. For more information about SSO accounts, see “How to Specify SSO Administrator and Affiliate Administrators Accounts” at http://go.microsoft.com/fwlink/?LinkID=89383.
    Membership: Contains service accounts for the Enterprise Single Sign-On service. Contains users/groups that need to be able to configure and administer BizTalk Server and the SSO service. Contains accounts used to run BizTalk Configuration Manager when configuring the SSO master secret server.
  • SSO Affiliate Administrators
    Description: Administrators of certain SSO affiliate applications. Can create/delete SSO affiliate applications, administer user mappings, and set credentials for affiliate application users.
    Membership: Contains no service accounts. Contains the account used for BizTalk Server Administrators.
  • BizTalk Server Administrators
    Description: Has the fewest privileges necessary to perform administrative tasks. Can deploy solutions, manage applications, and resolve message processing issues. To perform administrative tasks for adapters, receive and send handlers, and receive locations, the BizTalk Server Administrators must be added to the Single Sign-On Affiliate Administrators. For more information, see “Managing BizTalk Server Security” at http://go.microsoft.com/fwlink/?linkid=110476.
    Membership: Contains users/groups that need to be able to configure and administer BizTalk Server.
  • BizTalk Server Operators
    Description: A low-privilege role with access only to monitoring and troubleshooting actions.
    Membership: Contains users/groups that will monitor solutions.
  • BizTalk Server B2B Operators
    Description: A low-privilege role with access only to monitoring and troubleshooting actions.
    Membership: Contains users/groups that will perform all party management operations.
  • BizTalk Application Users
    Description: The default name of the first In-Process BizTalk Host Group created by Configuration Manager. Use one BizTalk Host Group for each In-Process host in your environment. Includes accounts with access to In-Process BizTalk Hosts (host processes in BizTalk Server, BTSNTSvc.exe).
    Membership: Contains service accounts for the BizTalk In-Process host instance in the host that the BizTalk Host Group is designated for.
  • BizTalk Isolated Host Users
    Description: The default name of the first Isolated BizTalk Host Group created by Configuration Manager. Isolated BizTalk hosts are hosts not running on BizTalk Server, such as HTTP and SOAP. Use one BizTalk Isolated Host Group for each Isolated Host in your environment.
    Membership: Contains service accounts for the BizTalk Isolated host instance in the host that the Isolated BizTalk Host Group is designated for.
  • EDI Subsystem Users
    Description: Has access to the EDI database.
    Membership: Contains service accounts for the BizTalk Base EDI service.
  • BAM Portal Users
    Description: Has access to the BAM Portal Web site.
    Membership: The Everyone group is used for this role by default.
  • BizTalk SharePoint Adapter Enabled Hosts
    Description: Has access to the Windows SharePoint Services Adapter Web Service.
    Membership: Contains service accounts for the BizTalk host instance so that it can call the SharePoint Adapter.

To create a new Group follow these steps:

  • Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  • Select the OU created earlier: “BizTalk”. Right-click on the OU name and select New -> Group.


  • Enter the name of the new group, make sure “Group scope” is set to “Domain local” or “Global” and “Group type” to “Security”, and press “OK”.
  • Repeat all the steps for the remaining groups.
IIS_IUSRS Group

IIS_IUSRS is another group used by BizTalk Server 2010. Unlike the previous groups, we do not need to create it, because it is a built-in group with access to all the file and system resources that an account needs so that, once added to this group, it can seamlessly act as an application pool identity.

User and Service Accounts Used In BizTalk Server

The following table lists the Windows user or service accounts and group affiliations used by BizTalk Server.

Note: these accounts must be created within the OU created earlier.

  • Enterprise Single Sign-On Service (suggestions: SsoService, srvc-bts-sso)
    Description: Service account used to run the Enterprise Single Sign-On Service, which accesses the SSO database.
    Group affiliation: SSO Administrators
  • Enterprise Single Sign-On Administrator (suggestions: SsoAdmin, usr-bts-sso-admin)
    Description: User account for the SSO Administrator.
    Group affiliation: SSO Administrators
  • Single Sign-On Affiliate User (suggestions: SsoAffiliate, usr-bts-sso-affiliate)
    Description: User account for SSO Affiliate Administrators.
    Group affiliation: SSO Affiliate Administrators
  • BizTalk Host Instance Account (suggestions: BTSHostService, srvc-bts-untrusted)
    Description: Service account used to run the BizTalk In-Process host instance (BTSNTSvc).
    Group affiliation: BizTalk Application Users
  • BizTalk Isolated Host Instance Account (suggestions: BTSIsolatedHostService, srvc-bts-trusted)
    Description: Service account used to run the BizTalk Isolated host instance (HTTP/SOAP).
    Group affiliation: BizTalk Isolated Host Users; IIS_WPG
  • Rule Engine Update Service (suggestions: ReuService, srvc-bts-rule-engine)
    Description: Service account used to run the Rule Engine Update Service, which receives notifications of policy deployment/undeployment from the Rule Engine database.
  • BAM Notification Services User (suggestions: BamService, srvc-bts-bam-ns)
    Description: Service account used to run BAM Notification Services, which accesses the BAM databases.
    Group affiliation: SQLServer2005NotificationServicesUser$<ComputerName>
  • BAM Management Web Service User (suggestions: BamWebService, srvc-bts-bam-ws, srvc-bts-bam)
    Description: User account for the BAM Management Web service (BAMManagementService) to access various BAM resources. The BAM Portal calls BAMManagementService with the credentials of the user logged on to the BAM Portal to manage alerts and to get BAM definition XML and BAM views.
    Group affiliation: IIS_WPG
  • BAM Application Pool Account (suggestions: BamApp, srvc-bts-bam-ap)
    Description: Application pool account for BAMAppPool, which hosts the BAM Portal Web site.
    Group affiliation: IIS_WPG
  • BizTalk Base EDI Service (suggestions: EDIService, srvc-bts-edi)
    Description: Service account used to run the BizTalk Base EDI service, which processes EDI documents. Important: the Base EDI adapter was deprecated in BizTalk Server 2006 R2. It can be used in upgrade scenarios, but for new installations of BizTalk Server, use the native EDI and AS2 functionality.
    Group affiliation: EDI Subsystem Users; In-Process BizTalk Host Groups hosting the Base EDI adapter
  • BizTalk Administrator (suggestions: BTSAdm, usr-bts-admin)
    Description: User that needs to be able to configure and administer BizTalk Server.
    Group affiliation: BizTalk Server Administrators
  • BizTalk Server Operator User (suggestions: BTSOperator, usr-bts-operator)
    Description: User account that will monitor solutions.
    Group affiliation: BizTalk Server Operators
  • BizTalk Server B2B Operator User (suggestions: BTSB2BOperator, usr-bts-b2b-operator)
    Description: User account that will perform all party management operations.
    Group affiliation: BizTalk Server B2B Operators

To create a new user follow these steps:

  • Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  • Select the OU created earlier: “BizTalk”. Right-click on the OU name and select New -> User.


  • Enter the first name, last name and user logon name of the new user, and press “Next”.
  • Enter the password and its confirmation, make sure “Password never expires” is selected, and press “Next”.


  • Repeat all the steps for the remaining users.

Summary of users and Groups Affiliation

  • SSO Administrators: Enterprise Single Sign-On Service (suggestions: SsoService, srvc-bts-sso); Enterprise Single Sign-On Administrator (suggestions: SsoAdmin, usr-bts-sso-admin); BizTalk Server Administrators group
  • SSO Affiliate Administrators: Single Sign-On Affiliate User (suggestions: SsoAffiliate, usr-bts-sso-affiliate)
  • BizTalk Server Administrators: BizTalk Administrator (suggestions: BTSAdm, usr-bts-admin); your own user (suggestion) or sometimes Domain Admin
  • BizTalk Server Operators: BizTalk Server Operator User (suggestions: BTSOperator, usr-bts-operator)
  • BizTalk Server B2B Operators: BizTalk Server B2B Operator User (suggestions: BTSB2BOperator, usr-bts-b2b-operator)
  • BizTalk Application Users: BizTalk Host Instance Account (suggestions: BTSHostService, srvc-bts-untrusted)
  • BizTalk Isolated Host Users: BizTalk Isolated Host Instance Account (suggestions: BTSIsolatedHostService, srvc-bts-trusted)
  • EDI Subsystem Users: BizTalk Base EDI Service (suggestions: EDIService, srvc-bts-edi)
  • BAM Portal Users: the Everyone group is used for this role by default; Domain Users (suggestion)
  • IIS_IUSRS group: BizTalk Isolated Host Instance Account (suggestions: BTSIsolatedHostService, srvc-bts-trusted); BAM Management Web Service User (suggestions: BamWebService, srvc-bts-bam-ws, srvc-bts-bam); BAM Application Pool Account (suggestions: BamApp, srvc-bts-bam-ap)
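The manual OU, group, user and membership steps above can also be scripted. The following is an added example, not code from the original post, using the ActiveDirectory PowerShell module (RSAT). It assumes the domain DN is read from AD, uses the post's short-form suggested names (BTSIsolatedHostSvc is shortened because a user sAMAccountName is limited to 20 characters), and prompts for one initial password for all accounts.

```powershell
# Added example (not from the original post): scripted equivalent of the manual
# OU -> groups -> users -> membership steps, using the ActiveDirectory module (RSAT).
# Assumptions: domain DN is read from AD; short-form names are the post's suggestions
# (BTSIsolatedHostSvc shortened: user sAMAccountName is limited to 20 characters);
# one initial password is prompted for all accounts (use distinct ones in practice).
Import-Module ActiveDirectory

$domainDn   = (Get-ADDomain).DistinguishedName          # e.g. DC=contoso,DC=local
$ouDn       = "OU=BizTalk,$domainDn"
$accountPwd = Read-Host -AsSecureString "Initial password for the BizTalk accounts"

# 1. Organizational Unit, protected from accidental deletion
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'BizTalk'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name "BizTalk" -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Security groups (Domain Local here; the post also allows Global scope)
$groups = "SSO Administrators", "SSO Affiliate Administrators",
          "BizTalk Server Administrators", "BizTalk Server Operators",
          "BizTalk Server B2B Operators", "BizTalk Application Users",
          "BizTalk Isolated Host Users", "EDI Subsystem Users",
          "BAM Portal Users", "BizTalk SharePoint Adapter Enabled Hosts"
foreach ($g in $groups) {
    New-ADGroup -Name $g -GroupScope DomainLocal -GroupCategory Security -Path $ouDn
}

# 3. Accounts and their group affiliation, taken from the summary table above
$affiliation = @{
    "SsoService"         = "SSO Administrators"           # ENTSSO service account
    "SsoAdmin"           = "SSO Administrators"
    "SsoAffiliate"       = "SSO Affiliate Administrators"
    "BTSAdm"             = "BizTalk Server Administrators"
    "BTSOperator"        = "BizTalk Server Operators"
    "BTSB2BOperator"     = "BizTalk Server B2B Operators"
    "BTSHostService"     = "BizTalk Application Users"    # in-process host instance
    "BTSIsolatedHostSvc" = "BizTalk Isolated Host Users"  # isolated host instance
    "EDIService"         = "EDI Subsystem Users"
}
foreach ($sam in $affiliation.Keys) {
    New-ADUser -Name $sam -SamAccountName $sam -Path $ouDn -AccountPassword $accountPwd `
               -PasswordNeverExpires $true -Enabled $true
    Add-ADGroupMember -Identity $affiliation[$sam] -Members $sam
}

# 4. Nested membership from the summary table: the BizTalk Server Administrators
#    group is itself a member of SSO Administrators
Add-ADGroupMember -Identity "SSO Administrators" -Members "BizTalk Server Administrators"

# IIS_IUSRS is a local group on the BizTalk/IIS server, not an AD group, so the
# isolated host and BAM accounts are added there, on that server, for example with:
#   net localgroup IIS_IUSRS "<NetBIOSDomainName>\BTSIsolatedHostSvc" /add
```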

SQL Server Service Accounts

The following table lists the Windows service accounts used by SQL Server.

Note: these accounts must be created within the OU created earlier.

  • SQL Server Agent Service (suggestion: srvc-sql-agent): service account used to run SQL Server Agent.
  • SQL Server Database Service (suggestion: srvc-sql-engine): service account used to run the SQL Server Database service.
  • SQL Server Analysis Service (suggestion: srvc-sql-analysis): service account used to run SQL Server Analysis Services.
  • SQL Server Reporting Service (suggestion: srvc-sql-reporting): service account used to run SQL Server Reporting Services.
  • SQL Server Integration Service (suggestion: srvc-sql-integration): service account used to run SQL Server Integration Services.

Alternatively, you can create a single domain account to run these services (for example sql-bts-service or srvc-sql-bts).

Depending on the selections you made while installing SQL Server, the following services will be installed on your server.

SQL Server Database Services:

  • SQL Server Agent
  • Analysis Services
  • Reporting Services
  • Integration Services
  • SQL Server Browser
  • Full-text search
  • SQL Server Active Directory Helper
  • SQL Writer

You can configure the SQL Server related services either during setup or after the installation using SQL Server Configuration Manager.

Types of startup accounts:

  • Local User Account: a user account created on the server where SQL Server is installed. This account does not have access to network resources.
  • Local Service Account: a built-in Windows account available for configuring services in Windows. It has the same permissions as accounts in the Users group, so it has limited access to the resources on the server. This account is not supported for the SQL Server and SQL Server Agent services.
  • Local System Account: a built-in Windows account available for configuring services in Windows. This is a highly privileged account that has access to all resources on the server with administrator rights.
  • Network Service Account: a built-in Windows account available for configuring services in Windows. It has permission to access resources on the network under the computer account.
  • Domain Account: an account that is part of your domain and has access to the network resources it is intended to have permission for. It is always advised to run SQL Server and its related services under a domain account with the minimum privileges needed to run them.

Changing Service Accounts:

SQL Server service accounts can be configured either during installation or using SQL Server Configuration Manager. The first option is part of the installation and is configured during the Instance Configuration step. I will walk you through changing a service account using SQL Server Configuration Manager.

  • Start -> Programs -> Microsoft SQL Server 2008 -> Configuration Tools -> SQL Server Configuration Manager
  • Highlight a service in the right pane and right-click it to open its properties.

You can change the built-in account here; if you would like to change it to a local user account or a domain user account instead, choose the option “This account” to enable the credential fields and enter the credentials of the local or domain user account.

Remember that you will need to restart the SQL Server and related services for the new Service account to take effect.
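Once the accounts are in place, it is worth verifying that no BizTalk or SQL Server service is still running under one of the built-in accounts that the post lists as unsupported in a multi-computer installation. The following is an added example, not code from the original post; the service-name patterns (ENTSSO, BTSSvc*, MSSQL*, SQLSERVERAGENT, and so on) are assumed typical names and should be adjusted to your installation.

```powershell
# Added example (not from the original post): audit the logon account of each
# BizTalk and SQL Server service and flag built-in or local accounts, which the
# post says are unsupported in a multi-computer installation.
# Assumptions: the service-name patterns below are typical names (adjust them);
# the script runs on, or has WMI access to, each BizTalk and SQL server.
param([string[]]$ComputerName = @($env:COMPUTERNAME))

# Win32_Service.StartName values used by the unsupported built-in identities
$builtIn = "LocalSystem", "NT AUTHORITY\LocalService", "NT AUTHORITY\NetworkService",
           "NT AUTHORITY\SYSTEM", "NT AUTHORITY\LOCAL SERVICE", "NT AUTHORITY\NETWORK SERVICE"
# Service names to inspect (assumed typical names for BizTalk 2010 / SQL Server 2008)
$patterns = "ENTSSO", "BTSSvc*", "RuleEngineUpdateService", "MSSQL*", "SQLSERVERAGENT",
            "SQLAgent*", "ReportServer*", "MsDtsServer*"

function Test-DomainServiceAccount([string]$Account, [string]$Computer) {
    if (-not $Account)                   { return $false }   # no logon account recorded
    if ($builtIn -contains $Account)     { return $false }   # unsupported built-in identity
    if ($Account -like "NT AUTHORITY\*") { return $false }   # any other NT AUTHORITY alias
    if ($Account -like ".\*")            { return $false }   # local account, ".\user" form
    if ($Account -like "$Computer\*")    { return $false }   # local account, "HOST\user" form
    # DOMAIN\user or user@domain is what a multi-computer installation requires
    return ($Account -match '^[^\\@]+\\[^\\]+$') -or ($Account -match '^[^@]+@[^@]+$')
}

$ComputerName | ForEach-Object {
    $computer = $_
    Get-WmiObject -Class Win32_Service -ComputerName $computer | Where-Object {
        $name = $_.Name
        @($patterns | Where-Object { $name -like $_ }).Count -gt 0
    } | ForEach-Object {
        New-Object PSObject -Property @{
            Computer      = $computer
            Service       = $_.Name
            Account       = $_.StartName
            DomainAccount = Test-DomainServiceAccount $_.StartName $computer
        }
    }
} | Sort-Object Computer, Service |
    Format-Table Computer, Service, Account, DomainAccount -AutoSize
```

Any row with DomainAccount set to False is a service that still needs to be moved to one of the domain accounts created earlier and restarted.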


Tags: BizTalk 2010 | Installation | Configuration

Comments
  1. Bharat says:

    I might be wrong but I believe that the Isolated host is a non-trusted account, hence the isolated account name you have suggested (BTSIsolatedHostService- srvc-bts-trusted) should be (BTSIsolatedHostService- srvc-bts-untrusted).

    Similarly other way round for BizTalk Application Users.

    • Hi Bharat,
      Thanks for the feedback.

      First of all I fixed the format typo error in my blog. The idea was to give samples of naming convention that could use:
      - BTSHostService
      - srvc-bts-untrusted

      But it wasn’t a best choice of naming and I will fix the post soon.

      As you say: srvc-bts-trusted and srvc-bts-untrusted should be used for trusted or untrusted hosts. However, In-Process Hosts can be trusted or untrusted and the same occurs for Isolated hosts, they also can be defined as trusted or untrusted, so it is not black and white… you can use this naming convention to associate trusted or untrusted hosts or you can use something like this:
      - srvc-bts-host-instance
      - srvc-bts-isolated-host

  2. Bharat says:

    Hi Sandro.
    Yes, it makes sense now.
    Thanks for a wonderful post ! :)
    Cheers
    Bharat
