In Windows 2000 Server and Windows XP, Web services run in the ASP.NET worker process (aspnet_wp.exe). This process runs under the ASPNET user context by default. You can use this default account or you can change the process to run under the local or domain user account. You must add the account to the Windows group that you have configured in the Isolated Host that represents this adapter.
By default, the local ASPNET user account is included in the local users group. You should remove the ASPNET account from the local users group. If you are using a different local or domain account, you should only add the user to the BizTalk Isolated Host User group. Do not add the user to any other groups (local or domain).
You should create the user context that the ASP.NET worker process runs under with minimal privileges. For more information about minimal settings required for this user, see the MSDN article "How To: Create a Custom Account to Run ASP.NET" at http://go.microsoft.com/FWLink/?LinkID=16725.
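The group-membership rules above, as an added batch script for Windows 2000/XP (not from the BizTalk Server 2004 Help). It assumes the worker process runs as the default local ASPNET account and that the isolated host's Windows group is the local group "BizTalk Isolated Host Users"; substitute the account and the group name shown for your host in the BizTalk Administration Console. The last step lists every local group the account still belongs to, so a leftover membership is visible before the host goes into service.

```bat
@echo off
REM Added example, not part of the BizTalk Server 2004 Help page.
REM Assumptions: worker process account is the local ASPNET account and the
REM isolated host's Windows group is "BizTalk Isolated Host Users".
setlocal
set "WORKER_ACCOUNT=ASPNET"
set "ISOLATED_HOST_GROUP=BizTalk Isolated Host Users"

REM 1. The local ASPNET account is a member of Users by default; remove it.
net localgroup Users %WORKER_ACCOUNT% /delete

REM 2. Add the account to the isolated host's group and to nothing else.
net localgroup "%ISOLATED_HOST_GROUP%" %WORKER_ACCOUNT% /add

REM 3. Verify: walk every local group (net localgroup prefixes names with *)
REM    and warn about any group other than the host group that still lists
REM    the account as a member.
for /f "tokens=*" %%G in ('net localgroup ^| findstr /l /b /c:"*"') do call :check "%%G"
endlocal
goto :eof

:check
set "NAME=%~1"
set "NAME=%NAME:~1%"
net localgroup "%NAME%" | findstr /i /x "%WORKER_ACCOUNT%" >nul
if errorlevel 1 goto :eof
if /i not "%NAME%"=="%ISOLATED_HOST_GROUP%" (
    echo WARNING: %WORKER_ACCOUNT% is still a member of "%NAME%"
)
goto :eof
```

Run the script from an administrative command prompt on the BizTalk server; if the worker process uses a domain account, drop step 1 and pass the account as DOMAIN\user in step 2, since that account was never a member of the local Users group.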
Changing the user context of ASP.NET
To change the user context of ASP.NET, you must manually edit the machine.config file. By default, the machine.config file is located at systemroot\Microsoft.NET\Framework\version number\CONFIG. By default, the processModel element has username set to machine and password set to AutoGenerate. You can update the username and password attributes to contain a new username and password. This access method requires saving the username and password as clear text in the machine.config file.
The following example shows the default settings for the machine.config file:
<processModel
…
userName="machine"
password="AutoGenerate"
…
/>
The following example shows a possible setting for the modified machine.config file:
<processModel
…
userName="MyName"
password="My_Secure_Password"
…
/>
For a more secure access method, you should use the ASP.NET Set Registry console application to encrypt and store these credentials in the registry.
For more information about configuring the ASP.NET process model settings, see "<processModel> Element" in the .NET Framework SDK documentation at http://go.microsoft.com/fwlink/?LinkId=25657.
For more information about running aspnet_wp.exe, see "ASP.NET Debugging: System Requirements" in the .NET Framework SDK documentation at http://go.microsoft.com/fwlink/?LinkId=25658.
Note When you change the user context of the ASP.NET worker process, you must restart Internet Information Services and restart the BizTalk Service.
Storing the ASP.NET worker process username and password in the registry
The username and password attributes are stored in clear text in the configuration file. Although Internet Information Services (IIS) does not transmit configuration files in response to a user agent request, the configuration files can be read in other ways. For example, an authenticated user with proper credentials on the domain that contains the server is able to read the configuration file. For increased security, the processModel element supports storage of encrypted username and password attributes in the registry. The credentials must be in REG_BINARY format encrypted by the Windows 2000 Server and Windows XP Data Protection API (DPAPI) encryption functions.
For more information about storing a user name and password, see "<processModel> Element" in the .NET Framework SDK documentation at http://go.microsoft.com/fwlink/?LinkId=25657.
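The registry-based storage described above, as an added batch script (not from the BizTalk Server 2004 Help). It uses the ASP.NET Set Registry tool, aspnet_setreg.exe, which Microsoft ships as a separate download (Knowledge Base article 329290) and which writes DPAPI-encrypted REG_BINARY values named userName and password under an ASPNET_SETREG subkey of the key you choose. The account name CONTOSO\aspnet_svc and the key SOFTWARE\MY_SECURE_APP\processModel are placeholders; the script prompts for the password so that it is not saved in the batch file.

```bat
@echo off
REM Added example, not part of the BizTalk Server 2004 Help page.
REM Assumptions: aspnet_setreg.exe is in the current directory, the worker
REM process account is CONTOSO\aspnet_svc (placeholder) and the registry key
REM SOFTWARE\MY_SECURE_APP\processModel (placeholder) is free for this use.
setlocal
set "REG_KEY=SOFTWARE\MY_SECURE_APP\processModel"
set "WORKER_ACCOUNT=CONTOSO\aspnet_svc"

REM 1. Read the password interactively; cmd.exe echoes it, so run this at the
REM    console, not in a logged session.
set /p "WORKER_PASSWORD=Password for %WORKER_ACCOUNT%: "

REM 2. Encrypt both credentials with DPAPI and store them as REG_BINARY values
REM    under HKLM\%REG_KEY%\ASPNET_SETREG.
aspnet_setreg.exe -k:%REG_KEY% -u:"%WORKER_ACCOUNT%" -p:"%WORKER_PASSWORD%"
if errorlevel 1 (
    echo aspnet_setreg.exe failed; machine.config was not changed.
    exit /b 1
)
set "WORKER_PASSWORD="

REM 3. Confirm that the two encrypted values exist (reg.exe is part of
REM    Windows XP and of the Windows 2000 Support Tools).
reg query "HKLM\%REG_KEY%\ASPNET_SETREG" | findstr /i "userName password"
endlocal
```

After the values exist, edit the processModel element in machine.config so that the attributes point at the registry instead of holding clear text: userName="registry:HKLM\SOFTWARE\MY_SECURE_APP\processModel\ASPNET_SETREG,userName" and password="registry:HKLM\SOFTWARE\MY_SECURE_APP\processModel\ASPNET_SETREG,password". The worker process account must have Read permission on that key (set it with regedt32 on Windows 2000 or regedit on Windows XP) and no other non-administrative account needs any access to it; the values are bound to the computer, so they must be regenerated rather than copied to another server. Then restart IIS and the BizTalk Service as the note above requires.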
To verify the BizTalk Isolated Host installation
- In the BizTalk Administration Console, expand Hosts.
- Verify that an isolated host is installed on your computer. BizTalkServerIsolatedHost is the default isolated host name.
Note You should not be concerned if the status of the host is unknown.
If an isolated host does not exist (not installed), you must install an isolated host.
To verify the BizTalk Isolated Host Windows group
- In the BizTalk Administration Console, right-click the isolated host.
The Windows group appears in the list in the Windows group box.
To change the user context of ASP.NET to a different local or domain account
- Open the machine.config file.
- Modify the attributes of the processModel element to reflect a user name (domain accounts must include the domain name and "\") and password.
- Save and close the machine.config file.
See Also
Enabling Web Services
Troubleshooting Published Web Services
To download updated BizTalk Server 2004 Help from www.microsoft.com, go to http://go.microsoft.com/fwlink/?linkid=20616.
Copyright © 2004 Microsoft Corporation.
All rights reserved.