OpsanBlog

Michael Coates - Microsoft Pragmatic Evangelist

BizTalk accounts for multi-server installations

Found smatterings of documents on the web; even a few that mostly brought this topic together.  I built this one: it is fully tested in an AD environment.  I look forward to useful feedback.

Active Directory Recommendations

This document covers recommendations for creating Active Directory Organizational Units, Users and Groups for a BizTalk installation.  This appendix will be called out by the installation document at the point where account/group creation should occur.

 

The accounts created herein do not need any privileges on the domain beyond those of ordinary users.  The domain accounts may need to have elevated privileges within the trust boundary that includes:

 

  • BizTalk
  • Windows SharePoint Services (on the BizTalk server)
  • BizTalk SQL Server
  • External Database One
  • External Database Two
  • External Database N 

 

For example, a domain account may need to be granted rights to perform certain actions on the systems hosting external databases.  In another case, an account may need to write a file to a file drop folder, requiring write access to the folder.

 

BizTalk Installation and Configuration Account

In the development environment, the BizTalk Setup program and the BizTalk Configuration Wizard require the use of an account with administrative rights on the BizTalk and SQL Server systems.  Rights can be revoked or the account disabled as soon as setup and configuration are complete.  The account must also belong to several BizTalk groups, covered in the sections below.

 

Note: You will not be able to configure SSO components if the account used for installation belongs to a different AD Forest than the server.  If lacking a BizTalk installer account, use a local administrator account for SSO configuration.  This methodology may create other issues during installation, such as the need to log onto resources using different credentials.

 

BizTalk Development Accounts

Individuals doing BizTalk development require access to adapters, receive and send handlers, and receive locations.  This access requires the domain developer group to be a member of the BizTalk Server Administrators and SSO Affiliate Administrators groups.

 

Note: Active Directory has restrictions regarding the types of groups that can contain foreign domain users, and the types of groups that can be contained in other groups.  The groups and accounts created below are tested in a multi-server environment on a single domain.

 

BizTalk Deployment Accounts

Individuals deploying BizTalk applications will need to be administrators on the local systems and may require other permissions in the environment.  A BizTalk Deployment account is documented in the sections below for this purpose. 

 

This access requires the domain deployment group to be a member of the BizTalk Server Administrators and SSO Affiliate Administrators groups.

 

Note: You will not be able to configure SSO components if the account used for installation belongs to a different AD Forest than the server.  If lacking a BizTalk deployment account, use a local administrator account for SSO configuration.  This methodology may create other issues during installation, such as the need to log onto resources using different credentials.

 

BizTalk Support Accounts

Individuals supporting BizTalk applications will need to be administrators on the local systems.  A BizTalk Support account is documented in the sections below for this purpose. 

 

This access requires the domain support group to be a member of the BizTalk Server Administrators group.

 

SQL Server Service Accounts

The service running the SQL instance must belong to the same AD domain as the accounts installing, developing and deploying BizTalk components.

 

  • Use “SQLAdmin” for administrative functions (interactive login).
  • Use “SQLService” to manage the service (no interactive login).
  • Use “SQLAccess” to access external databases.
  • SQLAdmin must be a member of the local Administrators group on the SQL Server system.
  • SQLService must be a member of the local Administrators group on the SQL Server system and needs to have the “Log on as a service” user right.
  • SQLAccess needs appropriate rights on the remote database servers.

 

SQL Accounts:

Username    First Name  Last Name   Full Name
SQLService  SQL         SQLService  SQL Service Account
SQLAdmin    Admin       SQLService  SQL Admin Account
SQLAccess   Access      SQLService  SQL Access Account

 

Set account passwords according to company standards.

 

Important: On the SQL Server, modify the startup parameters for the SQL Service and SQLServerAgent services to use the SQLService account and credentials.

 

Note: The Username fields are samples; you may need to change the names to avoid conflict with other AD accounts.

 

SharePoint Service Account

The SharePoint Service accounts must be created prior to installing Windows SharePoint Services (WSS).  WSS is a prerequisite to the BizTalk installation if deploying Business Activity Monitoring (recommended, even if not deployed until a later release).

 

Recommendations and notes on the Microsoft Windows SharePoint Services account:

 

  • Use the SharePoint Admin Account (SPAdmin) for administrative functions, SharePoint Timer Service and all WSS access.
  • SPAdmin is the site owner and will need an email alias.
  • SPAdmin must be a member of the local administrators group on the local BizTalk server (WSS setup does this).
  • SPAdmin must have the security administrator and database creator roles on the SQL Server (WSS setup does this).

 

SharePoint Accounts:

Username  First Name  Last Name  Full Name
SPAdmin   Admin       SPService  SharePoint Admin Account

 

Set account passwords according to company standards and be able to retrieve these passwords during the configuration steps.  Refer to the “Passwords” section in this document for issues surrounding generated passwords.

 

Note: The Username fields are samples; you may need to change the names to protect other AD accounts. 

 

Important: After WSS is installed on the BizTalk Server, confirm that the startup parameters of the SharePoint Timer Service use the SPAdmin account and credentials.
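The two "Important" steps above (SQL Service and SQLServerAgent running as SQLService, the SharePoint Timer Service running as SPAdmin) and the "Log on as a service" requirement are easy to get wrong on a multi-server build and easy to drift afterwards. The following PowerShell script is an added example, not part of the original post: run on each server, it reports which of the named services start under which account and whether those accounts actually hold the "Log on as a service" user right. The service names assume a default SQL instance and the WSS 3.0 timer service name, and the CORP\... account names are placeholders.

```powershell
# Added example, not part of the original post. Run on each server to confirm that the
# SQL Server, SQL Server Agent and SharePoint Timer services start under the accounts the
# post prescribes, and that those accounts hold the "Log on as a service" user right.
# Assumptions: service names are the default-instance / WSS 3.0 names (adjust for named
# instances or other WSS versions), and the CORP\... account names are placeholders.
param(
    [hashtable]$Expected = @{
        'MSSQLSERVER'    = 'CORP\SQLService'   # SQL Service
        'SQLSERVERAGENT' = 'CORP\SQLService'   # SQLServerAgent
        'SPTimerV3'      = 'CORP\SPAdmin'      # SharePoint Timer Service (name assumed)
    }
)

function Test-ServiceLogonAccount {
    param([hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = '$name'"
        $actual = if ($svc) { $svc.StartName } else { '(not installed)' }
        [pscustomobject]@{
            Service  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Ok       = ($null -ne $svc -and $actual -ieq $Expected[$name])
        }
    }
}

function Get-ServiceLogonRightHolders {
    # "Log on as a service" is the SeServiceLogonRight privilege, not a group membership.
    # secedit exports its holders as '*<SID>' entries; translate each SID back to a name.
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry.StartsWith('*')) { $entry; continue }
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $entry }   # unresolvable SID: keep it visible rather than hide it
    }
}

$results = Test-ServiceLogonAccount -Expected $Expected
$results | Format-Table -AutoSize

# Only check the right for accounts whose service is actually installed on this host,
# so a SQL host is not warned about SPAdmin and vice versa.
$holders = Get-ServiceLogonRightHolders
$results | Where-Object { $_.Actual -ne '(not installed)' } |
    ForEach-Object { $_.Expected } | Sort-Object -Unique |
    ForEach-Object {
        if ($holders -notcontains $_) {
            Write-Warning "$_ does not hold 'Log on as a service' on $env:COMPUTERNAME"
        }
    }
```

The script only reports; correcting a wrong startup account is the manual step the post describes (the service properties in the Services console), and a warning about the missing user right means the Local Security Policy assignment was skipped when the account was introduced.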

 

BizTalk Groups and Users

BizTalk Groups and Users must be created prior to running the BizTalk Configuration Wizard.  In a single-system installation, BizTalk uses local groups and accounts, creating these during configuration.  However, if separate BizTalk hosts are deployed or if BizTalk and SQL Server are installed on two different computers you must use domain user and group accounts. 

 

Note: The Configuration Wizard cannot create domain accounts.

 

Recommendation: Create the domain accounts and groups with an ADSI script so that user and group creation can be repeated for upline environments.

 

Recommendations and notes on BizTalk service and user accounts:

 

  • Create an Organizational Unit (OU) for BizTalk.  All accounts and groups will belong to this OU.
  • Be descriptive with full names; the names in the lists below should enable the installer to select the proper groups/accounts/users during configuration.
  • First name and last name are optional; included for consistency only.
  • The prefixes “BTService” and “BTUser” distinguish service accounts (automatons) from generic/shared human user accounts.

 

BizTalk Service Accounts

The following accounts and groups have been tested in an AD environment.  BizTalk configuration creates the SQL logins and database access when you reference these accounts in the BizTalk Configuration Wizard (domain names are omitted for brevity).

 

Service Accounts

Username          First Name  Last Name  Description
BTService         BTS         BTService  BizTalk Service Account
BTServiceBAS      BAS         BTService  BizTalk Server BAS Application Pool Account
BTServiceBASWeb   BASWeb      BTService  BizTalk BAS Publishing Web Service Account (BAM Query)
BTServiceEDI      EDI         BTService  BizTalk Base EDI Service Account
BTServiceHost     Host        BTService  BizTalk Host Instance Account
BTServiceHostIso  HostIso     BTService  BizTalk Isolated Host Instance Account
SSOService        SSO         BTService  Enterprise Single Sign-On Service
BTServiceHWF      HWF         BTService  Human Workflow Services Account
BTServiceREU      REU         BTService  Rule Engine Update Service

 

Set usernames according to company and environmental standards (e.g., devBTService, alphaBTService).  Set account passwords according to company standards and be able to retrieve them for the configuration steps.  Refer to the “Passwords” section in this document for issues surrounding generated passwords.

 

The installer will notice the service accounts are quite granular, with a near one-to-one mapping to the services created by BizTalk.  The granularity allows corporate IT security to track or restrict access as needed.  The granularity is recommended, but it is up to the system designer and enterprise security personnel to determine if it is necessary in the enterprise environment.

 

Note: the service accounts in the group above are intended for automaton access only, not for interactive login by users.  Set the following in the Active Directory OU for each account:

 

Service account security considerations:

 

  • User cannot change password: check (enterprise security will batch change the passwords).
  • Password never expires: check.
  • “Allow logon to terminal server”: uncheck.
  • “Remote control”: uncheck “enable remote control”.
  • “Log on to”: none (disallow using the account on any other workstation).
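The "Recommendation" above asks for an ADSI script so that the OU, the service accounts and the checklist just given can be reproduced identically in each upline environment. The following PowerShell script is an added example written for this post, not the author's script: it creates the BizTalk OU, the nine service accounts from the table, and applies the five checklist settings. The domain DN, the environment prefix and the server names in $LogonHosts are placeholders; the terminal-server flags are set through ADSI because the ActiveDirectory module does not expose them.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original post. Creates the BizTalk OU and the nine
# service accounts from the table above, applying the "automaton only" settings listed.
# Assumptions (placeholders): the domain DN, the environment prefix and the server names
# in $LogonHosts; run with an account allowed to create objects in the target domain.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$DomainDn     = 'DC=corp,DC=example,DC=com',   # placeholder domain
    [string]$OuName       = 'BizTalk',
    [string]$EnvPrefix    = 'dev',                          # devBTService, alphaBTService, ...
    # "Log on to": the post says "none"; this script implements that as "only the BizTalk
    # and SQL servers", since AD restricts logon by listing the permitted computer names.
    [string[]]$LogonHosts = @('BTS01', 'SQL01')             # placeholder server names
)

$ouDn = "OU=$OuName,$DomainDn"
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDn'")) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn -ProtectedFromAccidentalDeletion $true
}

# Rows of the "Service Accounts" table; the last name is always BTService.
$serviceAccounts = @(
    @{ Sam = 'BTService';        Given = 'BTS';     Desc = 'BizTalk Service Account' }
    @{ Sam = 'BTServiceBAS';     Given = 'BAS';     Desc = 'BizTalk Server BAS Application Pool Account' }
    @{ Sam = 'BTServiceBASWeb';  Given = 'BASWeb';  Desc = 'BizTalk BAS Publishing Web Service Account (BAM Query)' }
    @{ Sam = 'BTServiceEDI';     Given = 'EDI';     Desc = 'BizTalk Base EDI Service Account' }
    @{ Sam = 'BTServiceHost';    Given = 'Host';    Desc = 'BizTalk Host Instance Account' }
    @{ Sam = 'BTServiceHostIso'; Given = 'HostIso'; Desc = 'BizTalk Isolated Host Instance Account' }
    @{ Sam = 'SSOService';       Given = 'SSO';     Desc = 'Enterprise Single Sign-On Service' }
    @{ Sam = 'BTServiceHWF';     Given = 'HWF';     Desc = 'Human Workflow Services Account' }
    @{ Sam = 'BTServiceREU';     Given = 'REU';     Desc = 'Rule Engine Update Service' }
)

# One initial password for the batch; enterprise security rotates them afterwards,
# which is why "User cannot change password" is set on every account.
$initialPassword = Read-Host -AsSecureString 'Initial password for the service accounts'

foreach ($acct in $serviceAccounts) {
    $sam = "$EnvPrefix$($acct.Sam)"
    # sAMAccountName is limited to 20 characters; a long prefix plus BTServiceHostIso overruns it.
    if ($sam.Length -gt 20) { throw "'$sam' exceeds the 20-character sAMAccountName limit; shorten the prefix." }
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { Write-Verbose "$sam already exists"; continue }
    if (-not $PSCmdlet.ShouldProcess($sam, 'Create service account')) { continue }

    New-ADUser -Name $sam -SamAccountName $sam -GivenName $acct.Given -Surname 'BTService' `
        -DisplayName $acct.Desc -Description $acct.Desc -Path $ouDn `
        -AccountPassword $initialPassword -Enabled $true `
        -CannotChangePassword $true -PasswordNeverExpires $true `
        -LogonWorkstations ($LogonHosts -join ',')

    # The terminal-server flags are not exposed by the AD module; they live in the
    # userParameters blob and are set through the IADsTSUserEx interface via ADSI.
    $adsiUser = [ADSI]("LDAP://" + (Get-ADUser -Identity $sam).DistinguishedName)
    $adsiUser.psbase.InvokeSet('AllowLogon', 0)           # "Allow logon to terminal server": uncheck
    $adsiUser.psbase.InvokeSet('EnableRemoteControl', 0)  # "Remote control": uncheck
    $adsiUser.SetInfo()
}

# Report the resulting settings so each row of the checklist can be confirmed.
Get-ADUser -Filter "Surname -eq 'BTService'" -SearchBase $ouDn `
    -Properties CannotChangePassword, PasswordNeverExpires, LogonWorkstations |
    Select-Object SamAccountName, CannotChangePassword, PasswordNeverExpires, LogonWorkstations |
    Format-Table -AutoSize
```

Run it with -WhatIf first to see the accounts it would create, then with -Verbose; re-running is safe because existing accounts are skipped rather than recreated.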

 

BizTalk User Accounts

The following generic accounts have been tested in an AD environment.  Project management may instead require the use of actual user accounts (domain names are omitted for brevity).

 

User Accounts

Username            First Name     Last Name  Description
BTUserAdmin         Admin          BTUser     BizTalk Administrative User Account
BTUserBASTechMgr    TechManager    BTUser     BizTalk BAS Tech Manager
BTUserBASTechPub    TechPublisher  BTUser     BizTalk BAS Tech Publisher
BTUserDeploy        Deploy         BTUser     BizTalk Deployment User Account
BTUserHostInstance  HostInstance   BTUser     BizTalk Host Instance Account
BTUserHostIsolated  IsolatedHost   BTUser     BizTalk Isolated Host Instance Account
BTUserInstall       Install        BTUser     BizTalk Installation User Account
BTUserSupport       Support        BTUser     BizTalk Support Access Account

 

Generic user account security considerations:

 

  • User cannot change password: check (enterprise security will batch change the passwords).
  • Password never expires: check.
  • “Allow logon to terminal server”: check.
  • “Remote control”: check “enable remote control”.
  • “Log on to”: none (disallow using the account on any other workstation).

 

Note: Any of these accounts can be disabled if the roles they provide are assigned to actual users.  In the early stages of release one and release two, the author is assuming the use of these accounts in the development, alpha test and beta test environments.

 

BizTalk Group Accounts

The following group accounts have been tested in an AD environment.

 

Recommendations and notes on domain groups:

 

  • Create the groups and add members prior to installing BizTalk.
  • Domain groups are “Global” groups.
  • Use <DomainName>\<UserName> when specifying domain account information in the Configuration Wizard.
  • Groups and user/service accounts must belong to the domain in which the BizTalk server belongs (the Configuration Wizard checks this and will not display accounts or groups containing accounts from other domains).
  • BizTalk Server requires domain accounts for all clustering scenarios.
  • When installing BizTalk, the console user must be a member of the BizTalk Server Administrators group and of SSO Administrators (the latter only when configuring the master secret server), and must be a Windows administrator, a SQL Server administrator and an OLAP administrator.  The BTUserInstall account should be used for installation and configuration; disable the account after configuration is complete.
  • To allow HAT to attach orchestrations to the debugger, the developer needs to belong to the BizTalk Server Administrators group, as outlined above in “BizTalk Development Accounts”.

 

Groups

Group Name                      Group Type  Members
BizTalk Application Users       Global      BTServiceHost; BTUserHostInstance
BizTalk BAS Administrators      Global      BTUserAdmin; SPAdmin; BTServiceBASWeb; BTUserInstall
BizTalk BAS Managers            Global      (none)
BizTalk BAS Users               Global      (none)
BizTalk BAS Web Services Group  Global      BTServiceBASWeb
BizTalk Development Users       Global      (local domain accounts of development users)
BizTalk Deployment Users        Global      (local domain accounts of deployment users)
BizTalk EDI Subsystem Users     Global      BTServiceEDI
BizTalk Host Users              Global      BTUserHostInstance
BizTalk Isolated Host Users     Global      BTServiceHostIso; BTUserHostInstance; BTServiceHWF
BizTalk Server Administrators   Global      BTUserAdmin; BTUserBASTechMgr; BTServiceBASWeb; BTUserInstall; BizTalk Development Users; BizTalk Deployment Users
BizTalk Support Users           Global      BTUserSupport (local domain accounts of support users)
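The group table is the part of this design that most often drifts once several people administer the environment, and "create the groups and add members prior to installing BizTalk" is only useful if the membership matches the table at configuration time. The following PowerShell script is an added example, not the author's script: it creates the Global security groups from the table inside the BizTalk OU, adds the listed members, and reports members that are missing from or unexpected against the table. It assumes the user and service accounts already exist (from the two account tables) and that $OuDn is replaced with the real OU; groups whose members the table leaves to the organisation start empty and are not checked for unexpected members.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original post. Creates the Global security groups from the
# "Groups" table inside the BizTalk OU, adds the listed members, and reports drift between
# the table and the live membership. Assumptions: the user and service accounts already
# exist (see the account tables), and $OuDn is a placeholder for the real OU.
param(
    [string]$OuDn = 'OU=BizTalk,DC=corp,DC=example,DC=com'   # placeholder
)

# Group -> members, copied from the table. Groups whose members the table leaves to the
# organisation ("local domain accounts of ... users") start empty here.
$groupPlan = [ordered]@{
    'BizTalk Application Users'      = @('BTServiceHost', 'BTUserHostInstance')
    'BizTalk BAS Administrators'     = @('BTUserAdmin', 'SPAdmin', 'BTServiceBASWeb', 'BTUserInstall')
    'BizTalk BAS Managers'           = @()
    'BizTalk BAS Users'              = @()
    'BizTalk BAS Web Services Group' = @('BTServiceBASWeb')
    'BizTalk Development Users'      = @()   # developers' own domain accounts
    'BizTalk Deployment Users'       = @()   # deployers' own domain accounts
    'BizTalk EDI Subsystem Users'    = @('BTServiceEDI')
    'BizTalk Host Users'             = @('BTUserHostInstance')
    'BizTalk Isolated Host Users'    = @('BTServiceHostIso', 'BTUserHostInstance', 'BTServiceHWF')
    'BizTalk Server Administrators'  = @('BTUserAdmin', 'BTUserBASTechMgr', 'BTServiceBASWeb', 'BTUserInstall',
                                          'BizTalk Development Users', 'BizTalk Deployment Users')
    'BizTalk Support Users'          = @('BTUserSupport')   # plus the support staff's own accounts
}

function Sync-BizTalkGroup {
    param([string]$Name, [string[]]$Members, [string]$Path)
    $group = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path
    if (-not $group) {
        # Global security group, as the post specifies; Global-in-Global nesting (the two
        # groups inside BizTalk Server Administrators) is valid within a single domain.
        $group = New-ADGroup -Name $Name -SamAccountName $Name -GroupScope Global `
                     -GroupCategory Security -Path $Path -PassThru
    }
    $current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
    $missing = @($Members | Where-Object { $_ -notin $current })
    if ($missing.Count -gt 0) { Add-ADGroupMember -Identity $group -Members $missing }
    # Members present in AD but absent from the table. Groups planned empty are skipped
    # because their membership is site-specific and cannot be judged from the table.
    $unexpected = if ($Members.Count -gt 0) { @($current | Where-Object { $_ -notin $Members }) } else { @() }
    [pscustomobject]@{
        Group      = $Name
        Added      = ($missing -join ', ')
        Unexpected = ($unexpected -join ', ')
    }
}

$groupPlan.Keys | ForEach-Object {
    Sync-BizTalkGroup -Name $_ -Members $groupPlan[$_] -Path $OuDn
} | Format-Table -AutoSize
```

Run once before the Configuration Wizard to create and populate the groups, and again periodically: a non-empty Unexpected column on BizTalk Server Administrators or BizTalk Isolated Host Users is the membership creep this granular design exists to make visible.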