Guidelines for Implementing Active Directory Permissions on Multi Server BizTalk Installations

This topic describes guidelines for creating Active Directory Organizational Units, which consist of the user accounts and groups that you use in a Microsoft BizTalk Server 2006 installation.

The accounts created herein do not need permissions in the domain beyond those of ordinary users. The domain accounts may need elevated privileges within the trust boundary that includes:

  • BizTalk Server 2006

  • Microsoft SharePoint Services (on the BizTalk Server 2006 server)

  • Microsoft SQL Server

  • External Database One

  • External Database Two

  • External Database N

For example, a domain account may need to be granted rights to perform certain actions on the systems hosting external databases. In another case, an account may need to write a file to a file drop folder, requiring write access to the folder.

Use the Active Directory Users and Computers console to create and manage domain user and group accounts. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers to start the Active Directory Users and Computers console.

BizTalk Installation and Configuration Account

In the development environment, the BizTalk Server 2006 installation program and the BizTalk Server 2006 Configuration Wizard require the use of an account with administrative rights on the BizTalk Server 2006 and SQL Server systems. Rights can be revoked or the account disabled as soon as setup and configuration are complete. The account must also belong to several BizTalk groups, covered in the following sections.

Note
You will not be able to configure SSO components if the account used for installation belongs to a different Active Directory forest than the server. If you do not have a BizTalk Server 2006 installer account, use a local administrator account for SSO configuration. This approach may create other issues during installation, such as the need to log on to resources with different credentials.

BizTalk Development Accounts

Individuals doing BizTalk Server 2006 development require access to adapters, receive and send handlers, and receive locations. This access requires the domain developer group to be a member of the BizTalk Server Administrators and SSO Affiliate Administrators groups.

Note
Active Directory has restrictions regarding the types of groups that can contain foreign domain users, and the types of groups that can be contained in other groups. The groups and accounts created below are tested in a multi-server environment on a single domain.

BizTalk Deployment Accounts

Individuals deploying BizTalk Server 2006 applications will need to be administrators on the local systems and may require other permissions in the environment. A BizTalk deployment account is referenced in this topic for this purpose.

This access requires the domain deployment group to be a member of the BizTalk Server Administrators and SSO Affiliate Administrators groups.

Note
You will not be able to configure SSO components if the account used for installation belongs to a different Active Directory forest than the server. If you do not have a BizTalk deployment account, use a local administrator account for SSO configuration. This approach may create other issues during installation, such as the need to log on to resources with different credentials.

BizTalk Support Accounts

Individuals supporting BizTalk Server 2006 applications will need to be administrators on the local systems. A BizTalk support account is referenced in this topic for this purpose.

This access requires the domain support group to be a member of the BizTalk Server Administrators group.

SQL Server Service Accounts

The account under which the SQL Server service runs must belong to the same Active Directory domain as the accounts used to install, develop, and deploy BizTalk Server 2006 components.

  • Use SQLAdmin for administrative functions (interactive logon).

  • Use SQLService to manage the service (no interactive logon).

  • Use SQLAccess to access external databases.

  • SQLAdmin must be a member of the local Administrators group on the SQL Server system.

  • SQLService must be a member of the local Administrators group on the SQL Server system and needs to be granted the Log on as a service user right.

  • SQLAccess needs appropriate rights on the remote database servers.

SQL Accounts:

User name    First Name   Last Name    Full Name
SQLService   SQL          SQLService   SQL Service Account
SQLAdmin     Admin        SQLService   SQL Admin Account
SQLAccess    Access       SQLService   SQL Access Account

Set account passwords according to company standards.

Important
On the computer running SQL Server, modify the startup parameters for the SQL Server and SQLServerAgent services to use the SQLService account and credentials.

Note
The Username fields are samples; you may need to change the names to avoid conflicting with other Active Directory accounts.

Windows SharePoint Services Account

The Windows SharePoint Services accounts must be created prior to installing SharePoint Services.

Recommendations and notes on the SharePoint Services account:

  • Use the SharePoint Admin Account (SPAdmin) for administrative functions, for the SharePoint Timer Service, and for all SharePoint Services access.

  • SPAdmin is the site owner and will need an e-mail alias.

  • SPAdmin must be a member of the local Administrators group on the BizTalk Server 2006 computer (Windows SharePoint Services setup does this).

  • SPAdmin must have the security administrator and database creator roles on the SQL Server computer (Windows SharePoint Services setup does this).

SharePoint Accounts:

User name   First Name   Last Name   Full Name
SPAdmin     Admin        SPService   SharePoint Admin Account

Set account passwords according to company standards and make sure you can retrieve them during the configuration steps. Refer to the Password Considerations for Development section of this topic for issues surrounding generated passwords.

Note
This Username field is a sample; you may need to change the name to avoid conflicting with other Active Directory accounts.

Important
After installing Windows SharePoint Services on the computer running BizTalk Server 2006, confirm that the startup parameters for the SharePoint Timer Service use the SPAdmin account and credentials.

BizTalk Groups and Users

BizTalk Server 2006 groups and users must be created prior to running the BizTalk Server 2006 Configuration Wizard. In a single-system installation, BizTalk Server 2006 uses local groups and accounts that are created during configuration. However, if separate BizTalk Server 2006 hosts are deployed, or if BizTalk Server 2006 and SQL Server are installed on two different computers, you must use domain user and group accounts.

Note
The BizTalk Server 2006 Configuration Wizard cannot create domain accounts.

Recommendations and notes on BizTalk Server 2006 service and user accounts:

  • Create an Organizational Unit (OU) for BizTalk Server 2006. All accounts and groups will belong to this OU.

  • Be descriptive with full names; the names in the following lists should enable the installer to select the proper groups/accounts/users during configuration.

  • First name and last name are optional; they are included for consistency only.

  • The prefixes BTService and BTUser distinguish service accounts (automated processes) from generic/shared human user accounts.

  • For up-line environments, create the domain user and group accounts with an ADSI script rather than by hand.

BizTalk Service Accounts

User name          First Name   Last Name   Full Name
BTService          BTS          BTService   BizTalk Service Account
BTServiceBAS       BAS          BTService   BizTalk Server BAS Application Pool Account
BTServiceBASWeb    BASWeb       BTService   BizTalk BAS Publishing Web Service Account (BAM Query)
BTServiceEDI       EDI          BTService   BizTalk Base EDI Service Account
BTServiceHost      Host         BTService   BizTalk Host Instance Account
BTServiceHostIso   HostIso      BTService   BizTalk Isolated Host Instance Account
SSOService         SSO          BTService   Enterprise Single Sign-On Service
BTServiceHWF       HWF          BTService   Human Workflow Services Account
BTServiceREU       REU          BTService   Rule Engine Update Service

Set user names according to company and environmental standards (for example, devBTService, alphaBTService). Set account passwords according to company standards and be able to retrieve them for the configuration steps. Refer to the Password Considerations for Development section of this topic for issues surrounding generated passwords.

The installer will notice the service accounts are quite granular, with a near one-to-one mapping to the services created by BizTalk Server 2006. The granularity allows corporate IT security to track or restrict access as needed. The granularity is recommended, but it is up to the system designer and enterprise security personnel to determine if it is necessary in the enterprise environment.

The service accounts in the previous group are intended for use by automated processes only, not for interactive logon by users.

To set the appropriate account options
  1. In the Active Directory Users and Computers console, click to expand the domain, and then click to expand the Users container.

  2. Right-click the account and then select Properties to display the Properties dialog box for the account.

  3. Click the Account tab of the Properties dialog box.

  4. Click to check the following options:

    • User cannot change password (enterprise security will batch change the passwords).

    • Password never expires

  5. Click the Log On To button to display the Logon Workstations dialog box.

  6. Click the option for The following computers, add each computer running BizTalk Server 2006 and SQL Server, and then click OK.

  7. Click the Remote Control tab of the Properties dialog box, and then click to clear the option to Enable remote control.

  8. Click the Terminal Services Profile tab of the Properties dialog box.

  9. Click to check the option to Deny this user permissions to log on to any Terminal Server.

  10. Click OK to close the Properties dialog box for the account.

  11. Repeat steps 3 through 10 for each service account.

BizTalk User Accounts

User name            First Name      Last Name   Full Name
BTUserAdmin          Admin           BTUser      BizTalk Administrative User Account
BTUserBASTechMgr     TechManager     BTUser      BizTalk BAS Tech Manager
BTUserBASTechPub     TechPublisher   BTUser      BizTalk BAS Tech Publisher
BTUserDeploy         Deploy          BTUser      BizTalk Deployment User Account
BTUserHostInstance   HostInstance    BTUser      BizTalk Host Instance Account
BTUserHostIsolated   IsolatedHost    BTUser      BizTalk Isolated Host Instance Account
BTUserInstall        Install         BTUser      BizTalk Installation User Account
BTUserSupport        Support         BTUser      BizTalk Support Access Account

To set the appropriate account options, follow these steps
  1. In the Active Directory Users and Computers console click to expand the domain, and then click to expand the Users container.

  2. Right-click the account and then select Properties to display the Properties dialog box for the account.

  3. Click the Account tab of the Properties dialog box.

  4. Click to check the following options:

    • User cannot change password (enterprise security will batch change the passwords).

    • Password never expires

  5. Click the Log On To button to display the Logon Workstations dialog box.

  6. Click the option for The following computers, add each computer running BizTalk Server 2006 and SQL Server, and then click OK.

  7. Click the Remote Control tab of the Properties dialog box, and then click to check the option to Enable remote control.

  8. Click the Terminal Services Profile tab of the Properties dialog box.

  9. Click to clear the option to Deny this user permissions to log on to any Terminal Server.

  10. Click OK to close the Properties dialog box for the account.

  11. Repeat steps 3 through 10 for each user account.

Note
Any of these accounts can be disabled if the roles they are to provide are assigned to actual users. In the early stages of release one and release two, it is assumed that these accounts are used in the development, alpha test, and beta test environments.
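The two procedures above, as one script: an added example, not part of the BizTalk documentation, that creates a subset of the sample service and user accounts under a BizTalk OU and applies the account options from steps 4 through 9. It assumes the ActiveDirectory PowerShell module, a placeholder domain and computer names, and that the IADsTSUserEx ADSI extension (used for the Terminal Services settings, which Set-ADUser does not expose) is available on the workstation running the script.

```powershell
# Added example (not from the BizTalk documentation). Assumes the ActiveDirectory module,
# placeholder domain "corp.example", placeholder computer names, and IADsTSUserEx.
Import-Module ActiveDirectory

$DomainDn     = 'DC=corp,DC=example'          # placeholder domain
$OuDn         = "OU=BizTalk,$DomainDn"         # the OU recommended in this topic
$Workstations = 'BTS01,SQL01'                  # placeholder names for the "Log On To" list

if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$OuDn'")) {
    New-ADOrganizationalUnit -Name 'BizTalk' -Path $DomainDn
}

# User name, first name, last name, full name, taken from the tables in this topic.
# Service=$true applies the service-account procedure, $false the user-account one.
$Accounts = @(
    @{ Sam='BTService';     First='BTS';     Last='BTService'; Full='BizTalk Service Account';             Service=$true  },
    @{ Sam='BTServiceHost'; First='Host';    Last='BTService'; Full='BizTalk Host Instance Account';       Service=$true  },
    @{ Sam='SSOService';    First='SSO';     Last='BTService'; Full='Enterprise Single Sign-On Service';   Service=$true  },
    @{ Sam='BTUserAdmin';   First='Admin';   Last='BTUser';    Full='BizTalk Administrative User Account'; Service=$false },
    @{ Sam='BTUserInstall'; First='Install'; Last='BTUser';    Full='BizTalk Installation User Account';   Service=$false }
)

foreach ($a in $Accounts) {
    # Prompt per account so that no password is stored in the script.
    $pw = Read-Host -AsSecureString "Password for $($a.Sam)"

    # Step 4: "User cannot change password" and "Password never expires".
    $u = New-ADUser -Name $a.Full -SamAccountName $a.Sam -DisplayName $a.Full `
            -GivenName $a.First -Surname $a.Last -Path $OuDn -AccountPassword $pw `
            -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true -PassThru

    # Steps 5-6: restrict logon to the BizTalk Server 2006 and SQL Server computers.
    Set-ADUser -Identity $u -LogonWorkstations $Workstations

    # Steps 7-9: Terminal Services settings via the IADsTSUserEx ADSI extension.
    $ts = [ADSI]"LDAP://$($u.DistinguishedName)"
    if ($a.Service) {
        $ts.psbase.InvokeSet('EnableRemoteControl', 0)   # clear "Enable remote control"
        $ts.psbase.InvokeSet('AllowLogon', 0)            # deny logon to any Terminal Server
    } else {
        $ts.psbase.InvokeSet('EnableRemoteControl', 1)   # check "Enable remote control"
        $ts.psbase.InvokeSet('AllowLogon', 1)            # allow Terminal Server logon
    }
    $ts.psbase.CommitChanges()
}
```

Extend the $Accounts array with the remaining rows of the two tables to cover every account in this topic.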

BizTalk Group Accounts

Group Name                                   Group Type            Members
BizTalk Application Users                    Global or Universal   BTServiceHost, BTUserHostInstance
BizTalk BAS Administrators                   Global or Universal   BTUserAdmin, SPAdmin, BTServiceBASWeb, BTUserInstall
BizTalk BAS Managers                         Global or Universal   (none)
BizTalk BAS Users                            Global or Universal   (none)
BizTalk BAS Web Services Group               Global or Universal   BTServiceBASWeb
BizTalk Development Users                    Global or Universal   (local domain accounts of development users)
BizTalk Deployment Users                     Global or Universal   (local domain accounts of deployment users)
BizTalk EDI Subsystem Users                  Global or Universal   BTServiceEDI
BizTalk Host Users                           Global or Universal   BTUserHostInstance
BizTalk Isolated Host Users                  Global or Universal   BTServiceHostIso, BTUserHostInstance, BTServiceHWF
BizTalk Server Administrators                Global or Universal   BTUserAdmin, BTUserBASTechMgr, BTServiceBASWeb, BTUserInstall, BizTalk Development Users, BizTalk Deployment Users
BizTalk Support Users                        Global or Universal   BTUserSupport (local domain accounts of support users)
SSO Administrators                           Global or Universal   SSOService, BTUserInstall, Local Administrator
SSO Affiliate Administrators                 Global or Universal   BizTalk Development Users, BizTalk Deployment Users, BTServiceHostIso, <console user>
Windows SharePoint Services Administrators   Global or Universal   SPAdmin, BTUserInstall, BTUserDeploy, BizTalk Development Users, BizTalk Deployment Users

Note
As a best practice, do not enable the BizTalk Development Users group in up-line environments.

Recommendations and notes on domain groups:

  • Create the groups and add members prior to installing BizTalk Server 2006.

  • Domain groups can be Global or Universal groups.

  • Use <DomainName>\<UserName> when specifying domain account information in the Configuration Wizard.

  • Groups and user/service accounts must belong to the domain to which the BizTalk Server 2006 computer belongs (the Configuration Wizard checks this and will not display accounts or groups containing accounts from other domains).

  • BizTalk Server 2006 requires domain accounts for all clustering scenarios.

  • When installing BizTalk Server 2006, the console user needs to be a member of the following groups:

    • BizTalk Server Administrators

    • SSO Administrators (only when configuring the master secret server)

    • Windows administrator

    • SQL Server administrator

    • OLAP administrator

    The BTUserInstall account should be used for installation and configuration and should be disabled after configuration is complete.

  • To allow HAT to attach orchestrations to the debugger, the developer needs to belong to the BizTalk Server Administrators group, as outlined above in the section BizTalk Development Accounts.
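The group table and the recommendation to create the groups and add members before installation, as an added example that is not part of the BizTalk documentation: the script creates the domain groups under a placeholder BizTalk OU, adds the members listed in the table, and prints each group's direct members for review. It assumes the ActiveDirectory PowerShell module and that the user accounts already exist; the "Local Administrator" and "<console user>" entries are machine- and installer-specific and are deliberately left out.

```powershell
# Added example (not from the BizTalk documentation). Assumes the ActiveDirectory module
# and a placeholder OU; user accounts must already exist.
Import-Module ActiveDirectory

$OuDn = 'OU=BizTalk,DC=corp,DC=example'   # placeholder OU

# Group name -> members (sAMAccountNames of users or groups), from the table in this topic.
# The two groups used as members of other groups come first so they exist when referenced.
$Groups = [ordered]@{
    'BizTalk Development Users'      = @()   # add developers' domain accounts here
    'BizTalk Deployment Users'       = @()   # add deployers' domain accounts here
    'BizTalk Application Users'      = @('BTServiceHost', 'BTUserHostInstance')
    'BizTalk BAS Administrators'     = @('BTUserAdmin', 'SPAdmin', 'BTServiceBASWeb', 'BTUserInstall')
    'BizTalk BAS Managers'           = @()
    'BizTalk BAS Users'              = @()
    'BizTalk BAS Web Services Group' = @('BTServiceBASWeb')
    'BizTalk EDI Subsystem Users'    = @('BTServiceEDI')
    'BizTalk Host Users'             = @('BTUserHostInstance')
    'BizTalk Isolated Host Users'    = @('BTServiceHostIso', 'BTUserHostInstance', 'BTServiceHWF')
    'BizTalk Server Administrators'  = @('BTUserAdmin', 'BTUserBASTechMgr', 'BTServiceBASWeb', 'BTUserInstall',
                                         'BizTalk Development Users', 'BizTalk Deployment Users')
    'BizTalk Support Users'          = @('BTUserSupport')
    'SSO Administrators'             = @('SSOService', 'BTUserInstall')
    'SSO Affiliate Administrators'   = @('BizTalk Development Users', 'BizTalk Deployment Users', 'BTServiceHostIso')
    'Windows SharePoint Services Administrators' = @('SPAdmin', 'BTUserInstall', 'BTUserDeploy',
                                         'BizTalk Development Users', 'BizTalk Deployment Users')
}

foreach ($name in $Groups.Keys) {
    $g = Get-ADGroup -Filter "name -eq '$name'" -SearchBase $OuDn
    if (-not $g) {
        # Global scope is used here; the topic allows Global or Universal.
        $g = New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $OuDn -PassThru
    }
    foreach ($m in $Groups[$name]) {
        # Members may be users or groups; both resolve by sAMAccountName.
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$m'"
        if ($obj) { Add-ADGroupMember -Identity $g -Members $obj.DistinguishedName }
        else      { Write-Warning "$m not found; create it before adding it to $name" }
    }
}

# Review: direct members of each group, to compare against the table before running setup.
foreach ($name in $Groups.Keys) {
    $members = (Get-ADGroupMember -Identity $name | Select-Object -ExpandProperty SamAccountName) -join ', '
    '{0,-45} {1}' -f $name, $members
}
```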

Local Administrator Accounts

Confirm or add the following accounts and groups to the Local Administrators group on the SQL Server computer:

  • Domain\BTUserInstall (disable when configuration is complete)

  • Domain\BTUserDeploy (disable in production when deployment is complete)

  • Domain\SPAdmin

  • Domain\SQLAdmin

  • Domain\SQLService

  • Domain\BizTalk Development Users (omit in upline environments)

  • Domain\BizTalk Deployment Users (omit in development environments)

Confirm or add the following accounts and groups to the Local Administrators group on the BizTalk Server 2006 computer:

  • Domain\BTUserInstall (disable when configuration is complete)

  • Domain\BTUserDeploy (disable in production when deployment is complete)

  • Domain\BTUserSupport

  • Domain\SPAdmin

  • Domain\BizTalk Development Users (omit in upline environments)

  • Domain\BizTalk Deployment Users (omit in development environments)

SQL Server Administrator Accounts

Setup programs accept input from the installer and assign SQL Server roles to users and groups:

  • During SharePoint Services setup, the SPAdmin account is granted Security Administrator and Database Creator rights on the SQL Server computer. These rights can be removed if the SPAdmin account is a member of the Local Administrators group.

E-Mail Accounts

BizTalk Server 2006 and SharePoint Services will send mail based on certain system events. Setup prompts for an e-mail address during the configuration process. Create e-mail aliases for these purposes and monitor them during setup and unit testing. In the production environment, these aliases should be accessible by a system administrator who is monitoring the system.

These e-mail accounts include:

  • BAS Site E-mail

  • WSS Administrator E-mail

Neither account is of a critical nature unless BAS is enabled.

Password Considerations for Development

For development and test environments, account passwords can be set by a standard and be distributable. Installer standards vary; this topic uses the template of initial capital letters abbreviating the service component followed by a lower-case abbreviation for the rest of the account (service or user). For service accounts, this topic uses 'Serv', for user accounts this topic uses 'User'.

For example:

  • Windows SharePoint Services (SharePoint) Service and admin account (SPAdmin) passwords: 'SPServ'.

  • BizTalk Service account passwords: 'BTServ'.

  • BizTalk User account passwords: 'BTUser'.

Some IT environments require passwords to contain non-alphabetic and/or numeric characters. In this scenario you could substitute a dollar sign ($) for "s" and an 'at' sign (@) for "a". The symbols are samples; develop a pattern that works best for you for shared accounts with semi-public passwords.

Sample redistributable passwords in use in the development environment are:

  • BT$erv99 BizTalk Service Accounts

  • BTU$er99 BizTalk User Accounts

  • SP$erv99 WSS Service Account (SPAdmin)

  • SQL$erv99 SQL Service/Access/Admin Account

Note
These recommendations are for development and shared environments only and do not recommend or discourage the use of corporate password policies. See your network administrator for password requirements.

Note
If corporate password policy includes generated passwords, be advised that some symbols and symbol combinations are special-use characters in XML. If these characters appear unescaped, the configuration XML file cannot be opened during the configuration process. These symbols include "&", "<", ">", single- and double-quote, and may include others. Test the configuration XML file prior to executing file-based configuration. You can test this reliably for proper XML formatting by opening the document, with the generated passwords embedded in it, in Internet Explorer or an XML editor.
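The XML check described in the note above, as an added example that is not part of the BizTalk documentation: the function embeds a password in a placeholder attribute the way a text substitution into the configuration file would, reports whether the result still parses, and shows the escaped form that does. The element and attribute names are placeholders; the real ones come from your exported configuration file.

```powershell
# Added example (not from the BizTalk documentation). Placeholder element/attribute names.
function Test-ConfigPassword {
    param([Parameter(Mandatory)][string]$Password)

    # Raw embedding, as a plain text substitution into the configuration file would do it.
    $raw   = '<Account Password="' + $Password + '"/>'
    $rawOk = $true
    try   { $doc = New-Object System.Xml.XmlDocument; $doc.LoadXml($raw) }
    catch { $rawOk = $false }

    # Escaped form: &, <, >, " and ' become entity references the parser turns back
    # into the original characters.
    $escaped = [System.Security.SecurityElement]::Escape($Password)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml('<Account Password="' + $escaped + '"/>')
    $roundTrips = ($doc.Account.Password -eq $Password)

    [pscustomobject]@{
        Password   = $Password
        RawParses  = $rawOk       # $false means the file would fail to open as-is
        Escaped    = $escaped     # the value to write into the configuration file
        RoundTrips = $roundTrips  # $true: the parser returns the original password
    }
}

# Constructed sample passwords: the first follows this topic's pattern, the others contain
# characters the note above calls out (ampersand, angle brackets, quotes).
'BT$erv99', 'a&b<c>d', 'it''s"mine' | ForEach-Object { Test-ConfigPassword $_ } | Format-Table -AutoSize
```

Run it against every generated password before file-based configuration; any row with RawParses equal to False must use the Escaped value in the configuration file.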

For more information about deployment of secure passwords in up-line environments (including the method to test a BizTalk Server 2006 configuration file) see Configuring BizTalk Server 2006.

See Also

Other Resources

Troubleshooting BizTalk Server Permissions
