How to Enable Web Services for Windows XP

In Windows XP, Web services run in the ASP.NET worker process (aspnet_wp.exe). This process runs under the ASPNET user context by default. You can use this default account, or you can change the process to run under a local or domain user account. You must add the account to the Windows group that you have configured in the isolated host that represents this adapter.

If you are using a different local or domain account, you should only add the user to the BizTalk Isolated Host User group. Do not add the user to any other groups (local or domain). By default, the local ASPNET user account is included in the local BizTalk Isolated Host User group. You should remove the ASPNET account from the local users group. 

You should create the user context that the ASP.NET worker process runs under with minimal privileges. For more information about minimal settings required for this user, see the MSDN article "How To: Create a Service Account for ASP.NET 2.0 Application" at

The Web Services Publishing Wizard creates an ASP.NET 2.0 Web service. If you have both the .NET Framework version 1.1 and version 2.0 installed on your computer, you may encounter an error when you use the Web Services Publishing Wizard to create a virtual root (vroot folder) that is configured with a different version of ASP.NET (ASP.NET 1.1). For more information about how to configure the ASP.NET version, see How to Enable ASP.NET 2.0 for Published Web Services.

Changing the user context of ASP.NET

To change the user context of ASP.NET, you must manually edit the machine.config file. By default, the machine.config file is located at %SystemRoot%\Microsoft.NET\Framework\<version number>\CONFIG. By default, the processModel element has username set to machine and password set to AutoGenerate. You can update the username and password attributes to contain a new username and password. This access method requires saving the username and password as clear text in the machine.config file. 

The following example shows the default settings for the machine.config file:




The following example shows a possible setting for the modified machine.config file:




For a more secure access method, you should use the ASP.NET Set Registry console application to encrypt and store these credentials in the registry.

For more information about configuring the ASP.NET process model settings, see "processModel Element (ASP.NET Settings Schema)" in the .NET Framework SDK documentation at

For more information about running aspnet_wp.exe, see "ASP.NET Debugging: System Requirements" in the .NET Framework SDK documentation at

When you change the ASP.NET user context, you must restart Internet Information Services and restart the BizTalk Service.

Storing the ASP.NET worker process username and password in the registry

The username and password attributes are stored in clear text in the configuration file. Although Internet Information Services (IIS) does not transmit configuration files in response to a user agent request, configuration files can be read in other ways. For example, an authenticated user with proper credentials on the domain that contains the server is able to read the configuration file. For increased security, the processModel element supports storage of encrypted username and password attributes in the registry. The credentials must be in REG_BINARY format encrypted by the Windows XP Data Protection API (DPAPI) encryption functions.
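The following check is an added example, not part of the original article or of BizTalk Server. It parses a machine.config document and reports whether each processModel element uses the built-in identity, registry-stored credentials, or a clear-text password. The sample fragments, the account name and the registry key are constructed placeholders; the attribute is spelled userName in the configuration schema, and case-insensitive matching of the keywords is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments; account, key and password values are placeholders.
DEFAULT_CFG = r"""<configuration><system.web>
  <processModel userName="machine" password="AutoGenerate" />
</system.web></configuration>"""
CLEARTEXT_CFG = r"""<configuration><system.web>
  <processModel userName="EXAMPLEDOM\svc_isolated" password="PLACEHOLDER-secret" />
</system.web></configuration>"""
REGISTRY_CFG = r"""<configuration><system.web>
  <processModel userName="registry:HKLM\Software\ExampleApp,userName"
                password="registry:HKLM\Software\ExampleApp,password" />
</system.web></configuration>"""

BUILTIN_USERS = {"machine", "system"}  # special identities with no stored secret
BUILTIN_PASSWORDS = {"autogenerate"}


def classify(value, builtin):
    """Return 'builtin', 'registry' or 'cleartext' for one attribute value."""
    lowered = value.strip().lower()  # assumption: keywords compared case-insensitively
    if lowered in builtin:
        return "builtin"
    if lowered.startswith("registry:"):
        return "registry"
    return "cleartext"


def audit_process_model(config_xml):
    """Report how every processModel element in the document stores its identity."""
    results = []
    for el in ET.fromstring(config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "processModel":  # tolerate an xmlns on the root
            continue
        # Missing attributes fall back to the defaults (machine / AutoGenerate).
        user = classify(el.get("userName", "machine"), BUILTIN_USERS)
        pwd = classify(el.get("password", "AutoGenerate"), BUILTIN_PASSWORDS)
        results.append({"userName": user, "password": pwd,
                        "finding": pwd == "cleartext"})
    return results


if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_CFG), ("clear text", CLEARTEXT_CFG),
                      ("registry", REGISTRY_CFG)]:
        for r in audit_process_model(cfg):
            flag = "FINDING: password in clear text" if r["finding"] else "ok"
            print(f"{name:10} userName={r['userName']:9} password={r['password']:9} {flag}")
```

To check a real server, pass the contents of the machine.config file from the CONFIG folder named above to audit_process_model.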

For more information about storing a user name and password, see "processModel Element (ASP.NET Settings Schema)" in the .NET Framework SDK documentation at

To verify the BizTalk Isolated Host installation
  1. In the BizTalk Server Administration Console, expand Host Instances.

  2. In the details pane, verify that your computer has an isolated host installed. The BizTalkServerIsolatedHost is the default isolated host name.

The status of isolated host instances is Not Applicable. BizTalk Server does not access the status information for external processes.

If an isolated host does not exist (not installed), you must install an isolated host and isolated host instance. For more information, see Managing BizTalk Hosts and Host Instances.

To verify the BizTalk Isolated Host Windows group
  1. In the BizTalk Server Administration Console, expand Host, right-click the isolated host that you want to look into, and then click Properties.

  2. Verify that the BizTalk Isolated Host Windows group appears in the Windows Group text box.

To change the user context of ASP.NET to a different local or domain account
  1. Open the machine.config file.

  2. Modify the attributes of the processModel element to reflect a user name (domain accounts must include the domain name and "\") and password.

  3. Save and close the machine.config file.

See Also

Other Resources

Enabling Web Services

  © 2009 Microsoft Corporation. All rights reserved.