Guidelines for Implementing Active Directory Permissions on Multi Server BizTalk Installations


This topic describes guidelines for creating Active Directory Organizational Units, which consist of the user accounts and groups that you use in a Microsoft BizTalk Server installation.

The accounts created herein do not need permissions in the domain beyond those of ordinary users. The domain accounts may need elevated privileges within the trust boundary that includes:

  • BizTalk Server

  • Microsoft SharePoint Services (on the BizTalk Server computer)

  • Microsoft SQL Server

  • External Database One

  • External Database Two

  • External Database N

For example, a domain account may need to be granted rights to perform certain actions on the systems hosting external databases. In another case, an account may need to write a file to a file drop folder, requiring write access to the folder.

Use the Active Directory Users and Computers console to create and manage domain user and group accounts. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers to start the Active Directory Users and Computers console.

In the development environment, the BizTalk Server installation program and the BizTalk Server Configuration Wizard require the use of an account with administrative rights on the BizTalk Server and SQL Server systems. Rights can be revoked or the account disabled as soon as setup and configuration are complete. The account must also belong to several BizTalk groups, covered in the following sections.

Note

You will not be able to configure SSO components if the account used for installation belongs to a different Active Directory forest than the server. If you do not have a BizTalk Server installer account, use a local administrator account for SSO configuration. This methodology may create other issues during installation, such as the need to log on to resources using different credentials.

Individuals doing BizTalk Server development require access to adapters, receive and send handlers, and receive locations. This access requires the domain developer group to be a member of the BizTalk Server Administrators and SSO Affiliate Administrators groups.

Note

Active Directory has restrictions regarding the types of groups that can contain foreign domain users, and the types of groups that can be contained in other groups. The groups and accounts created below are tested in a multiserver environment on a single domain.

Individuals deploying BizTalk Server applications will need to be administrators on the local systems and may require other permissions in the environment. A BizTalk Server deployment account is referenced in this topic for this purpose.

This access requires the domain deployment group to be a member of the BizTalk Server Administrators and SSO Affiliate Administrators groups.

Note

You will not be able to configure SSO components if the account used for installation belongs to a different Active Directory forest than the server. If you do not have a BizTalk Server deployment account, use a local administrator account for SSO configuration. This methodology may create other issues during installation, such as the need to log on to resources using different credentials.

Individuals supporting BizTalk Server applications will need to be administrators on the local systems. A BizTalk support account is referenced in this topic for this purpose.

This access requires the domain support group to be a member of the BizTalk Server Administrators group.

The service account running the SQL Server instance must belong to the same Active Directory domain as the accounts used to install, develop, and deploy BizTalk Server components.

  • Use SQLAdmin for administrative functions (interactive logon).

  • Use SQLService to manage the service (no interactive logon).

  • Use SQLAccess to access external databases.

  • SQLAdmin must be a member of the local Administrators group on the SQL Server system.

  • SQLService must be a member of the local Administrators group on the SQL Server system and needs to be granted the Log on as a service user right.

  • SQLAccess needs appropriate rights on the remote database servers.

SQL Accounts:

User name  | First Name | Last Name  | Full Name
-----------|------------|------------|--------------------
SQLService | SQL        | SQLService | SQL Service Account
SQLAdmin   | Admin      | SQLService | SQL Admin Account
SQLAccess  | Access     | SQLService | SQL Access Account

Set account passwords according to company standards.

Important

On the computer running SQL Server, modify the startup parameters for the SQL Server and SQLServerAgent services to use the SQLService account and credentials.

Note

The Username fields are samples; you may need to change the names to avoid conflicting with other Active Directory accounts.

The Windows SharePoint Services accounts must be created prior to installing SharePoint Services.

Recommendations and notes on the SharePoint Services account:

  • Use the SharePoint Admin Account (SPAdmin) for administrative functions, SharePoint Timer Service and all SharePoint Services access.

  • SPAdmin is the site owner and will need an e-mail alias.

  • SPAdmin must be a member of the local administrators group on the local BizTalk Server computer (Windows SharePoint Services setup does this).

  • SPAdmin must have the security administrator and database creator roles on the SQL Server computer (Windows SharePoint Services setup does this).

SharePoint Accounts:

User name | First Name | Last Name | Full Name
----------|------------|-----------|-------------------------
SPAdmin   | Admin      | SPService | SharePoint Admin Account

Set account passwords according to company standards and be able to retrieve these passwords during the configuration steps. Refer to the Passwords section of this topic for issues surrounding generated passwords.

Note

This user name is a sample; you may need to change it to avoid conflicting with other Active Directory accounts.

Important

After installing Windows SharePoint Services on the computer running BizTalk Server, confirm that the startup parameters for the SharePoint Timer Service use the SPAdmin account and credentials.

BizTalk Server groups and users must be created prior to running the BizTalk Server Configuration Wizard. In a single-system installation, BizTalk Server uses local groups and accounts, which are created during configuration. However, if separate BizTalk Server hosts are deployed, or if BizTalk Server and SQL Server are installed on two different computers, you must use domain user and group accounts.

Note

The BizTalk Server Configuration Wizard cannot create domain accounts.

Recommendations and notes on BizTalk Server service and user accounts:

  • Create an Organizational Unit (OU) for BizTalk Server. All accounts and groups will belong to this OU.

  • Be descriptive with full names; the names in the following lists should enable the installer to select the proper groups/accounts/users during configuration.

  • First name and last name are optional; included for consistency only.

  • The BTService and BTUser prefixes distinguish service accounts (automatons) from generic/shared human user accounts.

  • For up-line environments, create the domain accounts and groups and populate the group memberships with an ADSI script.

BizTalk Service Accounts

User name        | First Name | Last Name | Full Name
-----------------|------------|-----------|---------------------------------------
BTService        | BTS        | BTService | BizTalk Service Account
BTServiceHost    | Host       | BTService | BizTalk Host Instance Account
BTServiceHostIso | HostIso    | BTService | BizTalk Isolated Host Instance Account
SSOService       | SSO        | BTService | Enterprise Single Sign-On Service
BTServiceREU     | REU        | BTService | Rule Engine Update Service

Set user names according to company and environmental standards (for example, devBTService, alphaBTService). Set account passwords according to company standards and be able to retrieve them for the configuration steps. Refer to the Password Considerations for Development section of this topic for issues surrounding generated passwords.

The installer will notice that the service accounts are quite granular, with a near one-to-one mapping to the services created by BizTalk Server. The granularity allows corporate IT security to track or restrict access as needed. The granularity is recommended, but it is up to the system designer and enterprise security personnel to determine whether it is necessary in the enterprise environment.

The service accounts in the previous group are intended for automaton access only, not for interactive logon by users.

To set the appropriate account options

  1. In the Active Directory Users and Computers console, click to expand the domain, and then click to expand the Users container.

  2. Right-click the account and then select Properties to display the Properties dialog box for the account.

  3. Click the Account tab of the Properties dialog box.

  4. Click to check the following options:

    • User cannot change password (enterprise security will batch change the passwords).

    • Password never expires

  5. Click the Log On To button to display the Logon Workstations dialog box.

  6. Click the option for The following computers, add each computer running BizTalk Server and SQL Server, and then click OK.

  7. Click the Remote Control tab of the Properties dialog box, and then click to clear the option to Enable remote control.

  8. Click the Terminal Services Profile tab of the Properties dialog box.

  9. Click to check the option to Deny this user permissions to log on to any Terminal Server.

  10. Click OK to close the Properties dialog box for the account.

  11. Repeat steps 3 through 10 for each service account.

BizTalk User Accounts

User name          | First Name   | Last Name | Full Name
-------------------|--------------|-----------|---------------------------------------
BTUserAdmin        | Admin        | BTUser    | BizTalk Administrative User Account
BTUserDeploy       | Deploy       | BTUser    | BizTalk Deployment User Account
BTUserHostInstance | HostInstance | BTUser    | BizTalk Host Instance Account
BTUserHostIsolated | IsolatedHost | BTUser    | BizTalk Isolated Host Instance Account
BTUserInstall      | Install      | BTUser    | BizTalk Installation User Account
BTUserSupport      | Support      | BTUser    | BizTalk Support Access Account

To set the appropriate account options, follow these steps

  1. In the Active Directory Users and Computers console click to expand the domain, and then click to expand the Users container.

  2. Right-click the account and then select Properties to display the Properties dialog box for the account.

  3. Click the Account tab of the Properties dialog box.

  4. Click to check the following options:

    • User cannot change password (enterprise security will batch change the passwords).

    • Password never expires

  5. Click the Log On To button to display the Logon Workstations dialog box.

  6. Click the option for The following computers, add each computer running BizTalk Server and SQL Server, and then click OK.

  7. Click the Remote Control tab of the Properties dialog box, and then click to check the option to Enable remote control.

  8. Click the Terminal Services Profile tab of the Properties dialog box.

  9. Click to clear the option to Deny this user permissions to log on to any Terminal Server.

  10. Click OK to close the Properties dialog box for the account.

  11. Repeat steps 3 through 10 for each user account.

    Note

    Any of these accounts can be disabled if the roles they are to provide are assigned to actual users. In the early stages of release one and release two, it is assumed that these accounts are used in the development, alpha test, and beta test environments.

BizTalk Group Accounts

Group Name                                | Group Type          | Members
------------------------------------------|---------------------|----------------------------------------------------------------
BizTalk Application Users                 | Global or Universal | BTServiceHost, BTUserHostInstance
BizTalk Development Users                 | Global or Universal | (local domain accounts of development users) Note: As a best practice, do not enable the BizTalk Development Users group in up-line environments.
BizTalk Deployment Users                  | Global or Universal | (local domain accounts of deployment users)
BizTalk Host Users                        | Global or Universal | BTUserHostInstance
BizTalk Isolated Host Users               | Global or Universal | BTServiceHostIso, BTUserHostInstance
BizTalk Server Administrators             | Global or Universal | BTUserAdmin, BTUserInstall, BizTalk Development Users, BizTalk Deployment Users
BizTalk Support Users                     | Global or Universal | BTUserSupport (local domain accounts of support users)
SSO Administrators                        | Global or Universal | SSOService, BTUserInstall, Local Administrator
SSO Affiliate Administrators              | Global or Universal | BizTalk Development Users, BizTalk Deployment Users, BTServiceHostIso, <console user>
Windows SharePoint Services Administrators | Global or Universal | SPAdmin, BTUserInstall, BTUserDeploy, BizTalk Development Users, BizTalk Deployment Users

Recommendations and notes on domain groups:

  • Create the groups and add members prior to installing BizTalk Server.

  • Domain groups can be Global or Universal groups.

  • Use <DomainName>\<UserName> when specifying domain account information in the Configuration Wizard.

  • Groups and user/service accounts must belong to the domain in which the BizTalk Server computer belongs (the Configuration Wizard checks this and will not display accounts or groups containing accounts from other domains).

  • BizTalk Server requires domain accounts for all clustering scenarios.

  • When installing BizTalk Server, the console user needs to be a member of the following groups:

    • BizTalk Server Administrators

    • SSO Administrators (only when configuring the master secret server)

    • Windows administrator

    • SQL Server administrator

    • OLAP administrator

    The BTUserInstall account should be used for installation and configuration and should be disabled after configuration is complete.

  • To allow message event and service instance tracking to attach orchestrations to the debugger, the developer needs to belong to the BizTalk Server Administrators group, as outlined above in the section BizTalk Development Accounts.
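The ADSI script recommended above, as an added PowerShell example that is not part of the original topic: it creates the BizTalk OU, the service and user accounts from the two account tables with the options from the numbered procedures, and the domain groups from the group table. It assumes the ActiveDirectory module, a placeholder domain (contoso.local) and placeholder computer names (BTS01, SQL01), and sets the Remote Control and Terminal Services options through the IADsTSUserEx ADSI interface; SPAdmin, the SQL accounts, the developer and deployer accounts, the console user and Local Administrator are added separately.

```powershell
Import-Module ActiveDirectory
$domainDn  = 'DC=contoso,DC=local'   # placeholder domain, replace with your own
$ouDn      = "OU=BizTalk,$domainDn"
$computers = 'BTS01,SQL01'           # placeholder: every BizTalk Server and SQL Server computer
New-ADOrganizationalUnit -Name 'BizTalk' -Path $domainDn
# Kind S = service account (automaton), U = shared user account; names from the tables above.
$accounts = @'
Kind,Sam,Given,Surname,Full
S,BTService,BTS,BTService,BizTalk Service Account
S,BTServiceHost,Host,BTService,BizTalk Host Instance Account
S,BTServiceHostIso,HostIso,BTService,BizTalk Isolated Host Instance Account
S,SSOService,SSO,BTService,Enterprise Single Sign-On Service
S,BTServiceREU,REU,BTService,Rule Engine Update Service
U,BTUserAdmin,Admin,BTUser,BizTalk Administrative User Account
U,BTUserDeploy,Deploy,BTUser,BizTalk Deployment User Account
U,BTUserHostInstance,HostInstance,BTUser,BizTalk Host Instance Account
U,BTUserHostIsolated,IsolatedHost,BTUser,BizTalk Isolated Host Instance Account
U,BTUserInstall,Install,BTUser,BizTalk Installation User Account
U,BTUserSupport,Support,BTUser,BizTalk Support Access Account
'@ | ConvertFrom-Csv
$svcPwd  = Read-Host -AsSecureString 'Password for service accounts'
$userPwd = Read-Host -AsSecureString 'Password for shared user accounts'
foreach ($a in $accounts) {
    $isService = ($a.Kind -eq 'S')
    # Account tab: cannot change password, never expires, logon only from the listed computers.
    New-ADUser -SamAccountName $a.Sam -Name $a.Full -DisplayName $a.Full `
        -GivenName $a.Given -Surname $a.Surname -Path $ouDn -Enabled $true `
        -AccountPassword $(if ($isService) { $svcPwd } else { $userPwd }) `
        -CannotChangePassword $true -PasswordNeverExpires $true -LogonWorkstations $computers
    # Remote Control / Terminal Services Profile tabs are stored in userParameters and set
    # via IADsTSUserEx: both off for service accounts (TS logon denied), on for user accounts.
    $flag = if ($isService) { 0 } else { 1 }
    $u = [ADSI]"LDAP://CN=$($a.Full),$ouDn"
    $u.psbase.InvokeSet('EnableRemoteControl', $flag)
    $u.psbase.InvokeSet('AllowLogon', $flag)
    $u.SetInfo()
}
# Groups from the BizTalk Group Accounts table (Global scope), nested groups created first.
# Developer/deployer accounts, <console user>, Local Administrator and SPAdmin are added later.
$groups = [ordered]@{
    'BizTalk Development Users'     = @()
    'BizTalk Deployment Users'      = @()
    'BizTalk Application Users'     = 'BTServiceHost', 'BTUserHostInstance'
    'BizTalk Host Users'            = 'BTUserHostInstance'
    'BizTalk Isolated Host Users'   = 'BTServiceHostIso', 'BTUserHostInstance'
    'BizTalk Server Administrators' = 'BTUserAdmin', 'BTUserInstall', 'BizTalk Development Users', 'BizTalk Deployment Users'
    'BizTalk Support Users'         = 'BTUserSupport'
    'SSO Administrators'            = 'SSOService', 'BTUserInstall'
    'SSO Affiliate Administrators'  = 'BizTalk Development Users', 'BizTalk Deployment Users', 'BTServiceHostIso'
}
foreach ($name in $groups.Keys) {
    New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $ouDn
    if (@($groups[$name]).Count) { Add-ADGroupMember -Identity $name -Members $groups[$name] }
}
```

Run it once per environment with the environment-specific user name prefix (devBTService, alphaBTService) applied to the Sam column if your standards require it.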

Confirm or add the following accounts and groups to the Local Administrators group on the SQL Server computer:

  • Domain\BTUserInstall (disable when configuration is complete)

  • Domain\BTUserDeploy (disable in production when deployment is complete)

  • Domain\SPAdmin

  • Domain\SQLAdmin

  • Domain\SQLService

  • Domain\BizTalk Development Users (omit in up line environments)

  • Domain\BizTalk Deployment Users (omit in development environments)

Confirm or add the following accounts and groups to the Local Administrators group on the BizTalk Server computer:

  • Domain\BTUserInstall (disable when configuration is complete)

  • Domain\BTUserDeploy (disable in production when deployment is complete)

  • Domain\BTUserSupport

  • Domain\SPAdmin

  • Domain\BizTalk Development Users (omit in upline environments)

  • Domain\BizTalk Deployment Users (omit in development environments)
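A check for the two Local Administrators lists above, as an added PowerShell example that is not part of the original topic: it builds the expected membership for a given server role and environment (developer group only in development, deployment group only in up-line environments), reads the actual membership from `net localgroup`, and reports missing and unexpected members. It assumes it is run locally on the server, an English `net` output, PowerShell 3.0 or later for `-notin`, and a placeholder NetBIOS domain name CONTOSO.

```powershell
function Get-ExpectedBizTalkLocalAdmins {
    # Expected members per the two lists above; -Environment decides which of the
    # developer / deployment groups is present (never both).
    param([string]$Domain,
          [ValidateSet('BizTalk', 'SQL')][string]$Role,
          [ValidateSet('Development', 'UpLine')][string]$Environment)
    $members = @('BTUserInstall', 'BTUserDeploy', 'SPAdmin')
    if ($Role -eq 'SQL')     { $members += 'SQLAdmin', 'SQLService' }
    if ($Role -eq 'BizTalk') { $members += 'BTUserSupport' }
    if ($Environment -eq 'Development') { $members += 'BizTalk Development Users' }
    else                                { $members += 'BizTalk Deployment Users' }
    $members | ForEach-Object { "$Domain\$_" }
}

function Get-LocalAdministrators {
    # Parses `net localgroup Administrators` (English output assumed): members are the
    # lines between the dashed separator and the "command completed" trailer.
    $lines = @(net localgroup Administrators)
    $dash  = [array]::IndexOf($lines, @($lines | Where-Object { $_ -match '^-{10,}$' })[0])
    $lines[($dash + 1)..($lines.Count - 1)] |
        Where-Object { $_ -and $_ -notmatch 'completed successfully' }
}

function Compare-BizTalkLocalAdmins {
    # Missing = required by the topic but absent; Unexpected = present but not in the
    # topic's list, ignoring the built-in Administrator and Domain Admins.
    param([string[]]$Expected, [string[]]$Actual)
    [pscustomobject]@{
        Missing    = @($Expected | Where-Object { $_ -notin $Actual })
        Unexpected = @($Actual | Where-Object {
            $_ -notin $Expected -and $_ -notmatch '^(Administrator|.+\\Domain Admins)$' })
    }
}

# Placeholder values: NetBIOS domain CONTOSO, run on a BizTalk Server in an up-line environment.
$expected = Get-ExpectedBizTalkLocalAdmins -Domain 'CONTOSO' -Role 'BizTalk' -Environment 'UpLine'
Compare-BizTalkLocalAdmins -Expected $expected -Actual @(Get-LocalAdministrators) | Format-List
```

BTUserInstall and BTUserDeploy show up as expected members even after they have been disabled; the lists above call for disabling them, not removing them from the group.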

Setup programs accept input from the installer and assign SQL roles to users and groups:

  • During SharePoint Services setup, the SPAdmin account is granted Security Administrator and Database Creator rights on the SQL Server computer. These rights can be removed if the SPAdmin account is a member of the Local Administrators group.

SharePoint Services will send mail based on certain system events. Setup prompts for an e-mail address during the configuration process. Create e-mail aliases for this purpose and monitor the alias during setup and unit testing. In the production environment, this account should be accessible by a system administrator who is monitoring the system.

The e-mail account used by SharePoint Services is the WSS Administrator E-mail account.

For development and test environments, account passwords can be set by a standard and be distributable. Installer standards vary; this topic uses the template of initial capital letters abbreviating the service component followed by a lower-case abbreviation for the rest of the account (service or user). For service accounts, this topic uses 'Serv', for user accounts this topic uses 'User'.

For example:

  • Windows SharePoint Services (SharePoint) Service and admin account (SPAdmin) passwords: 'SPServ'.

  • BizTalk Service account passwords: 'BTServ'.

  • BizTalk User account passwords: 'BTUser'.

Some IT environments require passwords to contain non-alpha and/or numeric characters. In this scenario you could substitute a dollar sign ($) for "s", and an 'at' sign (@) for "a". The symbols are samples; develop a pattern that works best for you for shared accounts with semi-public passwords.

Sample redistributable passwords in use in the development environment are:

  • BT$erv99 BizTalk Service Accounts

  • BTU$er99 BizTalk User Accounts

  • SP$erv99 WSS Service Account (SPAdmin)

  • SQL$erv99 SQL Service/Access/Admin Account

Note

These recommendations are for development and shared environments only and do not recommend or discourage the use of corporate password policies. See your network administrator for password requirements.

Note

If corporate password policy includes generated passwords, be advised that some symbols and symbol combinations are special-use characters to XML. Inappropriate use of these characters will prevent configuration XML files from being opened during the configuration process. These symbols include "&", "<", ">", single- and double-quote, and may include others. Test the configuration XML file prior to executing file-based configuration. You can test this reliably for proper XML formatting by opening the document in Internet Explorer (or an XML editor) with the generated passwords embedded therein.
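A pre-check for the XML problem described in this note, as an added PowerShell example that is not part of the original topic: it tests whether a generated password can be embedded in an XML element as written, and shows the escaped form that parses and round-trips to the original value. The element name Password is a placeholder, not the BizTalk configuration file schema, and the sample passwords are constructed.

```powershell
function Test-PasswordXmlSafe {
    # Returns $true when the raw password can sit in XML text without breaking the parser.
    param([Parameter(Mandatory)][string]$Password)
    $doc = "<Password>$Password</Password>"
    try   { [xml]$doc | Out-Null; return $true }
    catch { return $false }
}

function ConvertTo-XmlSafePassword {
    # Escapes & < > " ' so the value survives the XML parser unchanged.
    param([Parameter(Mandatory)][string]$Password)
    [System.Security.SecurityElement]::Escape($Password)
}

# Constructed samples: the first follows the page's pattern, the second contains the
# XML special characters a password generator might emit.
foreach ($candidate in 'BT$erv99', 'p<a&s>s"w''d') {
    $ok = Test-PasswordXmlSafe $candidate
    "{0,-14} parses as XML text: {1}" -f $candidate, $ok
    if (-not $ok) {
        $escaped   = ConvertTo-XmlSafePassword $candidate
        $roundTrip = ([xml]"<Password>$escaped</Password>").Password
        "  escaped form {0} round-trips to the original: {1}" -f $escaped, ($roundTrip -eq $candidate)
    }
}
```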

For more information about deployment of secure passwords in up-line environments (including the method to test a BizTalk Server configuration file), see Configuration Overview for BizTalk Server 2013 and 2013 R2.

Troubleshooting BizTalk Server Permissions
