Guidelines for Implementing Active Directory Permissions on Multi Server BizTalk Installations

This topic describes guidelines for creating Active Directory Organizational Units, which consist of the user accounts and groups that you use in a Microsoft BizTalk Server installation.

The accounts created herein do not need permissions in the domain beyond those of ordinary users. The domain accounts may need elevated privileges within the trust boundary that includes:

  • BizTalk Server

  • Microsoft SharePoint Services (on the BizTalk Server computer)

  • Microsoft SQL Server

  • External Database One

  • External Database Two

  • External Database N

For example, a domain account may need to be granted rights to perform certain actions on the systems hosting external databases. In another case, an account may need to write a file to a file drop folder, requiring write access to the folder.

Use the Active Directory Users and Computers console to create and manage domain user and group accounts. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers to start the Active Directory Users and Computers console.

In the development environment, the BizTalk Server installation program and the BizTalk Server Configuration Wizard require the use of an account with administrative rights on the BizTalk Server and SQL Server systems. Rights can be revoked or the account disabled as soon as setup and configuration are complete. The account must also belong to several BizTalk groups, covered in the following sections.

Note
You will not be able to configure SSO components if the account used for installation belongs to a different Active Directory forest than the server. If you do not have a BizTalk Server installer account, use a local administrator account for SSO configuration. This methodology may create other issues during installation, such as the need to log on to resources using different credentials.

Individuals doing BizTalk Server development require access to adapters, receive and send handlers, and receive locations. This access requires the domain developer group to be a member of the BizTalk Server Administrators and SSO Affiliate Administrators groups.

Note
Active Directory has restrictions regarding the types of groups that can contain foreign domain users, and the types of groups that can be contained in other groups. The groups and accounts created below are tested in a multiserver environment on a single domain.

Individuals deploying BizTalk Server applications will need to be administrators on the local systems and may require other permissions in the environment. A BizTalk Server deployment account is referenced in this topic for this purpose.

This access requires the domain deployment group to be a member of the BizTalk Server Administrators and SSO Affiliate Administrators groups.

Note
You will not be able to configure SSO components if the account used for installation belongs to a different Active Directory forest than the server. If you do not have a BizTalk Server deployment account, use a local administrator account for SSO configuration. This methodology may create other issues during installation, such as the need to log on to resources using different credentials.

Individuals supporting BizTalk Server applications will need to be administrators on the local systems. A BizTalk support account is referenced in this topic for this purpose.

This access requires the domain support group to be members of the BizTalk Server Administrators group.

The account that runs the SQL Server service must belong to the same Active Directory domain as the accounts used to install, develop, and deploy BizTalk Server components.

  • Use SQLAdmin for administrative functions (interactive logon).

  • Use SQLService to manage the service (no interactive logon).

  • Use SQLAccess to access external databases.

  • SQLAdmin must be a member of the local Administrators group on the SQL Server system.

  • SQLService must be a member of the local Administrators group on the SQL Server system and needs to be granted the Log on as a service user right.

  • SQLAccess needs appropriate rights on the remote database servers.

SQL Accounts:

User name   First Name  Last Name   Full Name
SQLService  SQL         SQLService  SQL Service Account
SQLAdmin    Admin       SQLService  SQL Admin Account
SQLAccess   Access      SQLService  SQL Access Account

Set account passwords according to company standards.

Important
On the computer running SQL Server, modify the startup parameters for the SQL Server and SQLServerAgent services to use the SQLService account and credentials.

Note
The Username fields are samples; you may need to change the names to avoid conflicting with other Active Directory accounts.

The Windows SharePoint Services accounts must be created prior to installing SharePoint Services.

Recommendations and notes on the SharePoint Services account:

  • Use the SharePoint Admin Account (SPAdmin) for administrative functions, SharePoint Timer Service and all SharePoint Services access.

  • SPAdmin is the site owner and will need an e-mail alias.

  • SPAdmin must be a member of the local administrators group on the local BizTalk Server computer (Windows SharePoint Services setup does this).

  • SPAdmin must have the security administrator and database creator roles on the SQL Server computer (Windows SharePoint Services setup does this).

SharePoint Accounts:

User name  First Name  Last Name  Full Name
SPAdmin    Admin       SPService  SharePoint Admin Account

Set account passwords according to company standards and be able to retrieve these passwords during the configuration steps. Refer to the Passwords section of this topic for issues surrounding generated passwords.

Note
This Username field is a sample; you may need to change this name to avoid conflicting with other Active Directory accounts.

Important
After installing Windows SharePoint Services on the computer running BizTalk Server, confirm that the startup parameters for the SharePoint Timer Service are using the SPAdmin account and credentials.

BizTalk Server groups and users must be created before you run the BizTalk Server Configuration Wizard. In a single-computer installation, BizTalk Server uses local groups and accounts that are created during configuration. However, if separate BizTalk Server hosts are deployed, or if BizTalk Server and SQL Server are installed on two different computers, you must use domain user and group accounts.

Note
The BizTalk Server Configuration Wizard cannot create domain accounts.

Recommendations and notes on BizTalk Server service and user accounts:

  • Create an Organizational Unit (OU) for BizTalk Server. All accounts and groups will belong to this OU.

  • Be descriptive with full names; the names in the following lists should enable the installer to select the proper groups/accounts/users during configuration.

  • First name and last name are optional; included for consistency only.

  • The BTService and BTUser prefixes distinguish service accounts (automatons) from generic/shared human user accounts.

  • For up-line environments, create and populate the domain accounts and groups with an ADSI script.

BizTalk Service Accounts

User name         First Name  Last Name  Full Name
BTService         BTS         BTService  BizTalk Service Account
BTServiceHost     Host        BTService  BizTalk Host Instance Account
BTServiceHostIso  HostIso     BTService  BizTalk Isolated Host Instance Account
SSOService        SSO         BTService  Enterprise Single Sign-On Service
BTServiceREU      REU         BTService  Rule Engine Update Service

Set user names according to company and environmental standards (for example, devBTService, alphaBTService). Set account passwords according to company standards and be able to retrieve them for the configuration steps. Refer to the Password Considerations for Development section of this topic for issues surrounding generated passwords.

The installer will notice the service accounts are quite granular, with a near one-to-one mapping to the services created by BizTalk Server. The granularity allows corporate IT security to track or restrict access as needed. The granularity is recommended, but it is up to the system designer and enterprise security personnel to determine if it is necessary in the enterprise environment.

The service accounts in the previous group are intended for automaton access only, not for interactive logon by users.

To set the appropriate account options
  1. In the Active Directory Users and Computers console, click to expand the domain, and then click to expand the Users container.

  2. Right-click the account and then select Properties to display the Properties dialog box for the account.

  3. Click the Account tab of the Properties dialog box.

  4. Click to check the following options:

    • User cannot change password (enterprise security will batch change the passwords).

    • Password never expires

  5. Click the Log On To button to display the Logon Workstations dialog box.

  6. Click the option for The following computers, add each computer running BizTalk Server and SQL Server, and then click OK.

  7. Click the Remote Control tab of the Properties dialog box, and then click to clear the option to Enable remote control.

  8. Click the Terminal Services Profile tab of the Properties dialog box.

  9. Click to check the option to Deny this user permissions to log on to any Terminal Server.

  10. Click OK to close the Properties dialog box for the account.

  11. Repeat steps 3 through 10 for each service account.

BizTalk User Accounts

User name           First Name    Last Name  Full Name
BTUserAdmin         Admin         BTUser     BizTalk Administrative User Account
BTUserDeploy        Deploy        BTUser     BizTalk Deployment User Account
BTUserHostInstance  HostInstance  BTUser     BizTalk Host Instance Account
BTUserHostIsolated  IsolatedHost  BTUser     BizTalk Isolated Host Instance Account
BTUserInstall       Install       BTUser     BizTalk Installation User Account
BTUserSupport       Support       BTUser     BizTalk Support Access Account

To set the appropriate account options, follow these steps
  1. In the Active Directory Users and Computers console click to expand the domain, and then click to expand the Users container.

  2. Right-click the account and then select Properties to display the Properties dialog box for the account.

  3. Click the Account tab of the Properties dialog box.

  4. Click to check the following options:

    • User cannot change password (enterprise security will batch change the passwords).

    • Password never expires

  5. Click the Log On To button to display the Logon Workstations dialog box.

  6. Click the option for The following computers, add each computer running BizTalk Server and SQL Server, and then click OK.

  7. Click the Remote Control tab of the Properties dialog box, and then click to check the option to Enable remote control.

  8. Click the Terminal Services Profile tab of the Properties dialog box.

  9. Click to clear the option to Deny this user permissions to log on to any Terminal Server.

  10. Click OK to close the Properties dialog box for the account.

  11. Repeat steps 3 through 10 for each user account.

    Note
    Any of these accounts can be disabled if the roles they are to provide are assigned to actual users. In the early stages of release one and release two, it is assumed that these accounts are used in the development, alpha test, and beta test environments.
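The two console procedures above (service accounts, then user accounts) differ only in steps 7 and 9. The following script is an added example, not part of the MSDN topic, that applies the same options with the ActiveDirectory PowerShell module (an assumption; the topic uses the console) and reaches the Remote Control and Terminal Services Profile settings through ADSI, since the cmdlets do not expose those tabs. The computer names BTS01 and SQL01 are placeholders.

```powershell
# Added example (not from the MSDN topic). Assumes the ActiveDirectory module is installed
# and the caller can modify the accounts; account names follow the tables in this topic.
Import-Module ActiveDirectory

function Set-BizTalkAccountOptions {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        # Steps 5-6: the computers listed under "Log On To".
        [Parameter(Mandatory = $true)][string[]]$LogonWorkstations,
        # Service accounts: remote control off, Terminal Server logon denied (first procedure).
        # User accounts: remote control on, Terminal Server logon allowed (second procedure).
        [switch]$ServiceAccount
    )

    # Steps 3-4: "User cannot change password" and "Password never expires".
    Set-ADUser -Identity $SamAccountName -CannotChangePassword $true -PasswordNeverExpires $true

    # Steps 5-6: Logon Workstations is a comma-separated list of NetBIOS computer names.
    Set-ADUser -Identity $SamAccountName -LogonWorkstations ($LogonWorkstations -join ',')

    # Steps 7-9: these settings live behind the IADsTSUserEx interface, reachable via ADSI.
    # EnableRemoteControl: 0 = disabled, 1 = enabled with the user's permission.
    # AllowLogon: 0 = deny Terminal Server logon, 1 = allow.
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $adsiUser = [ADSI]"LDAP://$dn"
    if ($ServiceAccount) {
        $adsiUser.psbase.InvokeSet('EnableRemoteControl', 0)
        $adsiUser.psbase.InvokeSet('AllowLogon', 0)
    } else {
        $adsiUser.psbase.InvokeSet('EnableRemoteControl', 1)
        $adsiUser.psbase.InvokeSet('AllowLogon', 1)
    }
    $adsiUser.SetInfo()
}

# Step 11: repeat for every account. BTS01 and SQL01 are placeholder computer names.
$computers = @('BTS01', 'SQL01')
foreach ($name in 'BTService', 'BTServiceHost', 'BTServiceHostIso', 'SSOService', 'BTServiceREU') {
    Set-BizTalkAccountOptions -SamAccountName $name -LogonWorkstations $computers -ServiceAccount
}
foreach ($name in 'BTUserAdmin', 'BTUserDeploy', 'BTUserHostInstance', 'BTUserHostIsolated',
                  'BTUserInstall', 'BTUserSupport') {
    Set-BizTalkAccountOptions -SamAccountName $name -LogonWorkstations $computers
}
```

Running the script a second time is harmless: every setting is absolute, so it also serves as a check that nobody has re-enabled Terminal Server logon on a service account.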

BizTalk Group Accounts

Group Name                                  Group Type           Members
BizTalk Application Users                   Global or Universal  BTServiceHost; BTUserHostInstance
BizTalk Development Users                   Global or Universal  (local domain accounts of development users)
BizTalk Deployment Users                    Global or Universal  (local domain accounts of deployment users)
BizTalk Host Users                          Global or Universal  BTUserHostInstance
BizTalk Isolated Host Users                 Global or Universal  BTServiceHostIso; BTUserHostInstance
BizTalk Server Administrators               Global or Universal  BTUserAdmin; BTUserInstall; BizTalk Development Users; BizTalk Deployment Users
BizTalk Support Users                       Global or Universal  BTUserSupport (local domain accounts of support users)
SSO Administrators                          Global or Universal  SSOService; BTUserInstall; Local Administrator
SSO Affiliate Administrators                Global or Universal  BizTalk Development Users; BizTalk Deployment Users; BTServiceHostIso; <console user>
Windows SharePoint Services Administrators  Global or Universal  SPAdmin; BTUserInstall; BTUserDeploy; BizTalk Development Users; BizTalk Deployment Users

Note
As a best practice, do not enable the BizTalk Development Users group in up-line environments.

Recommendations and notes on domain groups:

  • Create the groups and add members prior to installing BizTalk Server.

  • Domain groups can be Global or Universal groups.

  • Use <DomainName>\<UserName> when specifying domain account information in the Configuration Wizard.

  • Groups and user/service accounts must belong to the domain to which the BizTalk Server computer belongs (the Configuration Wizard checks this and does not display accounts or groups that contain accounts from other domains).

  • BizTalk Server requires domain accounts for all clustering scenarios.

  • When installing BizTalk Server, the console user needs to be a member of the following groups:

    • BizTalk Server Administrators

    • SSO Administrators (only when configuring the master secret server)

    • Windows administrator

    • SQL Server administrator

    • OLAP administrator

    The BTUserInstall account should be used for installation and configuration and should be disabled after configuration is complete.

  • To allow message event and service instance tracking to attach orchestrations to the debugger, the developer needs to belong to the BizTalk Server Administrators group, as outlined above in the section BizTalk Development Accounts.
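The topic recommends scripting the OU, accounts and groups for up-line environments. The script below is an added example, not the topic's own, that builds them from the account and group tables above with the ActiveDirectory module cmdlets (the topic mentions an ADSI script; the cmdlets and the OU name "BizTalk Server" are assumptions here) and then reports any group whose membership does not match the table. Passwords are prompted for at run time rather than written into the script.

```powershell
# Added example (not from the MSDN topic). Assumes the ActiveDirectory module is installed
# and the caller can create objects under the domain root.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'BizTalk Server'
$ouPath   = "OU=$ouName,$domainDn"

# Recommendation from the topic: every BizTalk account and group lives in one OU.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# User name, first name, last name, full name, copied from the account tables.
$accounts = @(
    @('SQLService',         'SQL',          'SQLService', 'SQL Service Account'),
    @('SQLAdmin',           'Admin',        'SQLService', 'SQL Admin Account'),
    @('SQLAccess',          'Access',       'SQLService', 'SQL Access Account'),
    @('SPAdmin',            'Admin',        'SPService',  'SharePoint Admin Account'),
    @('BTService',          'BTS',          'BTService',  'BizTalk Service Account'),
    @('BTServiceHost',      'Host',         'BTService',  'BizTalk Host Instance Account'),
    @('BTServiceHostIso',   'HostIso',      'BTService',  'BizTalk Isolated Host Instance Account'),
    @('SSOService',         'SSO',          'BTService',  'Enterprise Single Sign-On Service'),
    @('BTServiceREU',       'REU',          'BTService',  'Rule Engine Update Service'),
    @('BTUserAdmin',        'Admin',        'BTUser',     'BizTalk Administrative User Account'),
    @('BTUserDeploy',       'Deploy',       'BTUser',     'BizTalk Deployment User Account'),
    @('BTUserHostInstance', 'HostInstance', 'BTUser',     'BizTalk Host Instance Account'),
    @('BTUserHostIsolated', 'IsolatedHost', 'BTUser',     'BizTalk Isolated Host Instance Account'),
    @('BTUserInstall',      'Install',      'BTUser',     'BizTalk Installation User Account'),
    @('BTUserSupport',      'Support',      'BTUser',     'BizTalk Support Access Account')
)
$password = Read-Host -AsSecureString -Prompt 'Initial password for the new accounts'
foreach ($a in $accounts) {
    if (-not (Get-ADUser -LDAPFilter "(sAMAccountName=$($a[0]))")) {
        # The CN (-Name) must be unique within the OU and two full names repeat across the
        # tables, so the user name is used as CN and the full name as the display name.
        New-ADUser -Name $a[0] -SamAccountName $a[0] -GivenName $a[1] -Surname $a[2] `
            -DisplayName $a[3] -Path $ouPath -AccountPassword $password -Enabled $true
    }
}

# Group Accounts table. "Local Administrator" and "<console user>" are per-computer entries
# left to the installer; the "(local domain accounts of ...)" rows start empty.
$groups = @{
    'BizTalk Application Users'                  = @('BTServiceHost', 'BTUserHostInstance')
    'BizTalk Development Users'                  = @()
    'BizTalk Deployment Users'                   = @()
    'BizTalk Host Users'                         = @('BTUserHostInstance')
    'BizTalk Isolated Host Users'                = @('BTServiceHostIso', 'BTUserHostInstance')
    'BizTalk Server Administrators'              = @('BTUserAdmin', 'BTUserInstall', 'BizTalk Development Users', 'BizTalk Deployment Users')
    'BizTalk Support Users'                      = @('BTUserSupport')
    'SSO Administrators'                         = @('SSOService', 'BTUserInstall')
    'SSO Affiliate Administrators'               = @('BizTalk Development Users', 'BizTalk Deployment Users', 'BTServiceHostIso')
    'Windows SharePoint Services Administrators' = @('SPAdmin', 'BTUserInstall', 'BTUserDeploy', 'BizTalk Development Users', 'BizTalk Deployment Users')
}
foreach ($g in $groups.Keys) {
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$g)")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security -Path $ouPath
    }
}

function Get-MissingGroupMembers {
    # Returns a hashtable of group -> expected members that are not currently in the group.
    # An empty result means the directory matches the table.
    param([hashtable]$Expected)
    $missing = @{}
    foreach ($g in $Expected.Keys) {
        $actual = @(Get-ADGroupMember -Identity $g | ForEach-Object { $_.SamAccountName })
        $gap = @($Expected[$g] | Where-Object { $actual -notcontains $_ })
        if ($gap.Count -gt 0) { $missing[$g] = $gap }
    }
    return $missing
}

# Fill the gaps once (nested groups already exist because every group was created above),
# then re-check; anything still missing is something to investigate, not to retry.
$gaps = Get-MissingGroupMembers -Expected $groups
foreach ($g in $gaps.Keys) { Add-ADGroupMember -Identity $g -Members $gaps[$g] }
Get-MissingGroupMembers -Expected $groups
```

Get-MissingGroupMembers is the part worth keeping after the build: run it on a schedule against the same table and any non-empty result is membership drift in the trust boundary.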

Confirm or add the following accounts and groups to the Local Administrators group on the SQL Server computer:

  • Domain\BTUserInstall (disable when configuration is complete)

  • Domain\BTUserDeploy (disable in production when deployment is complete)

  • Domain\SPAdmin

  • Domain\SQLAdmin

  • Domain\SQLService

  • Domain\BizTalk Development Users (omit in up-line environments)

  • Domain\BizTalk Deployment Users (omit in development environments)

Confirm or add the following accounts and groups to the Local Administrators group on the BizTalk Server computer:

  • Domain\BTUserInstall (disable when configuration is complete)

  • Domain\BTUserDeploy (disable in production when deployment is complete)

  • Domain\BTUserSupport

  • Domain\SPAdmin

  • Domain\BizTalk Development Users (omit in up-line environments)

  • Domain\BizTalk Deployment Users (omit in development environments)
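The two lists above are the expected state of the local Administrators group on each computer, and they also say which entries must be disabled once configuration or deployment is finished. The following added example, not part of the MSDN topic, reads the group through the WinNT ADSI provider, reports missing and unlisted members, and checks that BTUserInstall has been disabled. DOMAIN, BTS01 and SQL01 are placeholders.

```powershell
# Added example (not from the MSDN topic). Uses only the ADSI WinNT provider, so it runs
# without the ActiveDirectory module; the caller needs read access to the remote computers.
function Get-LocalAdministrators {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        # ADsPath looks like WinNT://DOMAIN/BTUserInstall; normalise to DOMAIN\BTUserInstall.
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Compare-LocalAdministrators {
    # Missing: entries from the list that are absent. Unexpected: members the list does not
    # mention, excluding the built-in local Administrator; review them, do not remove blindly.
    param([string]$ComputerName, [string[]]$Expected)
    $actual = @(Get-LocalAdministrators -ComputerName $ComputerName)
    [pscustomobject]@{
        Computer   = $ComputerName
        Missing    = @($Expected | Where-Object { $actual -notcontains $_ })
        Unexpected = @($actual | Where-Object { $Expected -notcontains $_ -and $_ -notmatch '\\Administrator$' })
    }
}

function Test-DomainAccountDisabled {
    # $true when the domain account is disabled, e.g. BTUserInstall after configuration.
    param([string]$Domain, [string]$SamAccountName)
    return [bool]([ADSI]"WinNT://$Domain/$SamAccountName,user").AccountDisabled
}

# Expected lists for an up-line environment (Development Users omitted, per the topic).
$domain = 'DOMAIN'
$sqlExpected = @("$domain\BTUserInstall", "$domain\BTUserDeploy", "$domain\SPAdmin",
                 "$domain\SQLAdmin", "$domain\SQLService", "$domain\BizTalk Deployment Users")
$btsExpected = @("$domain\BTUserInstall", "$domain\BTUserDeploy", "$domain\BTUserSupport",
                 "$domain\SPAdmin", "$domain\BizTalk Deployment Users")

Compare-LocalAdministrators -ComputerName 'SQL01' -Expected $sqlExpected
Compare-LocalAdministrators -ComputerName 'BTS01' -Expected $btsExpected
if (-not (Test-DomainAccountDisabled -Domain $domain -SamAccountName 'BTUserInstall')) {
    Write-Warning 'BTUserInstall is still enabled; disable it once configuration is complete.'
}
```

The install account stays in the local Administrators group by design; what changes after configuration is its enabled state, which is why the script checks the account rather than the group.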

Setup programs accept input from the installer and assign SQL roles to users and groups:

  • During SharePoint Services setup, the SPAdmin account is granted Security Administrator and Database Creator rights on the SQL Server computer. These rights can be removed if the SPAdmin account is a member of the Local Administrators group.

SharePoint Services will send mail based on certain system events. Setup prompts for an e-mail address during the configuration process. Create e-mail aliases for this purpose and monitor the alias during setup and unit testing. In the production environment, this account should be accessible by a system administrator who is monitoring the system.

The e-mail account used by SharePoint Services is the WSS Administrator E-mail account.

For development and test environments, account passwords can be set by a standard and be distributable. Installer standards vary; this topic uses the template of initial capital letters abbreviating the service component followed by a lower-case abbreviation for the rest of the account (service or user). For service accounts, this topic uses 'Serv', for user accounts this topic uses 'User'.

For example:

  • Windows SharePoint Services (SharePoint) Service and admin account (SPAdmin) passwords: 'SPServ'.

  • BizTalk Service account passwords: 'BTServ'.

  • BizTalk User account passwords: 'BTUser'.

Some IT environments require passwords to contain non-alpha and/or numeric characters. In this scenario you could substitute a dollar sign ($) for "s", and an 'at' sign (@) for "a". The symbols are samples; develop a pattern that works best for you for shared accounts with semi-public passwords.

Sample redistributable passwords in use in the development environment are:

  • BT$erv99 BizTalk Service Accounts

  • BTU$er99 BizTalk User Accounts

  • SP$erv99 WSS Service Account (SPAdmin)

  • SQL$erv99 SQL Service/Access/Admin Account

Note
These recommendations are for development and shared environments only and do not recommend or discourage the use of corporate password policies. See your network administrator for password requirements.

Note
If corporate password policy includes generated passwords, be advised that some symbols and symbol combinations are special-use characters to XML. Inappropriate use of these characters will prevent configuration XML files from being opened during the configuration process. These symbols include "&", "<", ">", single- and double-quote, and may include others. Test the configuration XML file prior to executing file-based configuration. You can test this reliably for proper XML formatting by opening the document in Internet Explorer (or an XML editor) with the generated passwords embedded therein.
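The note above recommends opening the configuration file in Internet Explorer to catch passwords that break the XML. The following added example, not from the MSDN topic, performs the same check with the .NET XML parser: it embeds a candidate password in an element and in an attribute, parses the result, and confirms the value comes back unchanged, then shows the escaped form that does survive. The sample passwords are constructed for the demonstration.

```powershell
# Added example (not from the MSDN topic). Needs only the .NET Framework XML classes.
function Test-PasswordXmlSafe {
    # $true when the raw password survives an XML round trip, both as element text and as
    # an attribute value (quotes are legal in element text but not inside a quoted attribute).
    param([Parameter(Mandatory = $true)][string]$Password)
    $probes = @(
        @{ Xml = "<Password>$Password</Password>";   Read = { param($d) $d.DocumentElement.InnerText } },
        @{ Xml = "<Password value=""$Password"" />"; Read = { param($d) $d.DocumentElement.GetAttribute('value') } }
    )
    foreach ($p in $probes) {
        try {
            $doc = New-Object System.Xml.XmlDocument
            $doc.LoadXml($p.Xml)                       # throws on malformed XML
            if ((& $p.Read $doc) -ne $Password) { return $false }
        } catch {
            return $false
        }
    }
    return $true
}

function ConvertTo-XmlSafePassword {
    # Escapes &, <, >, ' and " so the value can be written into an element or attribute;
    # the parser turns it back into the original password when the file is read.
    param([Parameter(Mandatory = $true)][string]$Password)
    return [System.Security.SecurityElement]::Escape($Password)
}

# Constructed samples: the topic's development pattern plus passwords with XML-special characters.
foreach ($pw in 'BT$erv99', 'P@ss&Word', 'a<b>c', 'say"hi"') {
    $raw  = Test-PasswordXmlSafe -Password $pw
    $safe = Test-PasswordXmlSafe -Password (ConvertTo-XmlSafePassword -Password $pw)
    '{0,-12} raw-ok={1,-5} escaped-ok={2}' -f $pw, $raw, $safe
}
```

Only the first sample passes unescaped; the other three fail as written and pass after escaping, which is the form a generated password must take before it is pasted into a configuration file.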

For more information about deployment of secure passwords in up-line environments (including the method to test a BizTalk Server configuration file), see Configuring BizTalk Server.
