BizTalk Server 2004 accounts for multi-server installations

Found smatterings of documents on the web; even a few that mostly brought this topic together.  I built this one: it is fully tested in an AD environment.  I look forward to useful feedback.

Active Directory Recommendations
This document covers recommendations for creating Active Directory Organizational Units, Users and Groups for a BizTalk installation.  This appendix will be called out by the installation document at the point where account/group creation should occur.
 
The accounts created herein do not need any privileges on the domain beyond those of ordinary users.  The domain accounts may need to have elevated privileges within the trust boundary that includes:

  • BizTalk
  • Windows SharePoint Services (on the BizTalk server)
  • BizTalk SQL Server
  • External Database One
  • External Database Two
  • External Database N

For example, a domain account may need to be granted rights to perform certain actions on the systems hosting external databases.  In another case, an account may need to write a file to a file drop folder, requiring write access to the folder.

BizTalk Installation and Configuration Account
In the development environment, the BizTalk Setup program and the BizTalk Configuration Wizard require the use of an account with administrative rights on the BizTalk and SQL Server systems.  Rights can be revoked or the account disabled as soon as setup and configuration are complete.  The account must also belong to several BizTalk groups, covered in the sections below.
 
Note: You will not be able to configure SSO components if the account used for installation belongs to a different AD Forest than the server.  If lacking a BizTalk installer account, use a local administrator account for SSO configuration.  This methodology may create other issues during installation, such as the need to log onto resources using different credentials.
 
BizTalk Development Accounts
Individuals doing BizTalk development require access to adapters, receive and send handlers, and receive locations.  This access requires the domain developer group to be members of the BizTalk Server Administrators and SSO Affiliate Administrators groups.
 
Note: Active Directory has restrictions regarding the types of groups that can contain foreign domain users, and the types of groups that can be contained in other groups.  The groups and accounts created below are tested in a multi-server environment on a single domain.
 
BizTalk Deployment Accounts
Individuals deploying BizTalk applications will need to be administrators on the local systems and may require other permissions in the environment.  A BizTalk Deployment account is documented in the sections below for this purpose.
 
This access requires the domain deployment group to be members of the BizTalk Server Administrators and SSO Affiliate Administrators groups.
 
Note: You will not be able to configure SSO components if the account used for installation belongs to a different AD Forest than the server.  If lacking a BizTalk deployment account, use a local administrator account for SSO configuration.  This methodology may create other issues during installation, such as the need to log onto resources using different credentials.
 
BizTalk Support Accounts
Individuals supporting BizTalk applications will need to be administrators on the local systems.  A BizTalk Support account is documented in the sections below for this purpose. This access requires the domain support group to be members of the BizTalk Server Administrators.
 
SQL Server Service Accounts
The service running the SQL instance must belong to the same AD domain as the accounts installing, developing and deploying BizTalk components.

  • Use “SQLAdmin” for administrative functions (interactive login).
  • Use “SQLService” to manage the service (no interactive login).
  • Use “SQLAccess” to access external databases.
  • SQLAdmin must be a member of the local Administrators group on the SQL Server system.
  • SQLService must be a member of the local Administrators group on the SQL Server system and needs to have the “Log on as a service” user right.
  • SQLAccess needs appropriate rights on the remote database servers.
Username First Name Last Name Full Name
SQLService SQL SQLService SQL Service Account
SQLAdmin Admin SQLService SQL Admin Account
SQLAccess Access SQLService SQL Access Account

Set account passwords according to company standards.
 
Important: On the SQL Server, modify the startup parameters for the SQL Service and SQLServerAgent services to use the SQLService account and credentials.
 
Note: The Username fields are samples; you may need to change the names to avoid conflict with other AD accounts.
 
SharePoint Service Account
The SharePoint Service accounts must be created prior to installing Windows SharePoint Services (WSS).  WSS is a prerequisite to the BizTalk installation if deploying Business Activity Monitoring (recommended, even if not deployed until a later release).
 
Recommendations and notes on the Microsoft Windows SharePoint Services account:

  • Use the SharePoint Admin Account (SPAdmin) for administrative functions, SharePoint Timer Service and all WSS access.
  • SPAdmin is the site owner and will need an email alias.
  • SPAdmin must be a member of the local administrators group on the local BizTalk server (WSS setup does this).
  • SPAdmin must have the security administrator and database creator roles on the SQL Server (WSS setup does this).
Username First Name Last Name Full Name
SPAdmin Admin SPService SharePoint Admin Account

Set account passwords according to company standards and be able to retrieve these passwords during the configuration steps. Refer to the “Passwords” section in this document for issues surrounding generated passwords.

Note: The Username fields are samples; you may need to change the names to protect other AD accounts.

Important: Post-WSS installation on the BizTalk Server, confirm the startup parameters for the SharePoint Timer Service is using the SPAdmin account and credentials.

BizTalk Groups and Users
BizTalk Groups and Users must be created prior to running the BizTalk Configuration Wizard. In a single-system installation, BizTalk uses local groups and accounts, creating these during configuration. However, if separate BizTalk hosts are deployed or if BizTalk and SQL Server are installed on two different computers you must use domain user and group accounts.

Note: The Configuration Wizard cannot create domain accounts.

Recommendation: Create domain accounts and populate them via an ADSI script for user and group account creation for upline environments.

Recommendations and notes on BizTalk service and user accounts:

  • Create an Organizational Unit (OU) for BizTalk. All accounts and groups will belong to this OU.
  • Be descriptive with full names; the names in the lists below should enable the installer to select the proper groups/accounts/users during configuration.
  • First name and last name are optional; included for consistency only.
  • The differentiator “BTService” and “BTUser” refers to service accounts (automatons) and generic/shared human users.

BizTalk Service Accounts
The following accounts and groups have been tested in an AD environment. BizTalk configuration creates the SQL logins and database access when you reference these accounts in the BizTalk Configuration Wizard (domain names are omitted for brevity).

Username First Name Last Name Full Name
BTService BTS BTService BizTalk Service Account
BTServiceBAS BAS BTService BizTalk Server BAS Application Pool Account
BTServiceBASWeb BASWeb BTService BizTalk BAS Publishing Web Service Account (BAM Query)
BTServiceEDI EDI BTService BizTalk Base EDI Service Account
BTServiceHost Host BTService BizTalk Host Instance Account
BTServiceHostISO HostIso BTService BizTalk Isolated Host Instance Account
SSOService SSO BTService Enterprise Single Sign-On Service
BTServiceHWF HWF BTService Human Workflow Services Account
BTServiceREU REU BTService Rule Engine Update Service

Set usernames according to company and environmental standards (i.e., devBTService, alphaBTService). Set account passwords according to company standards and be able to retrieve it for the configuration steps. Refer to the “Passwords” section in this document for issues surrounding generated passwords.

The installer will notice the service accounts are quite granular, with a near one-to-one mapping to the services created by BizTalk. The granularity allows corporate IT security to track or restrict access as needed. The granularity is recommended, but it is up to the system designer and enterprise security personnel to determine if it is necessary in the enterprise environment.

Note: the service accounts in the group above are intended for automaton access only, not for interactive login by users. Set the following in the Active Directory OU for each account:

Service account security considerations:

  • User cannot change password: check (enterprise security will batch change the passwords).
  • Password never expires: check.
  • “Allow logon to terminal server”: uncheck.
  • “Remote control”: uncheck “enable remote control”.
  • “Log on to”: none (disallow using the account on any other workstation).

BizTalk User Accounts
The following generic accounts have been tested in an AD environment. Project management may instead require the use of actual user accounts (domain names are omitted for brevity).

User Accounts

Username First Name Last Name Full Name
BTUserAdmin Admin BTUser BizTalk Administrative User Account
BTUserBASTechMgr TechManager BTUser BizTalk BAS Tech Manager
BTUserBASTechPub TechPublisher BTUser BizTalk BAS Tech Publisher
BTUserDeploy Deploy BTUser BizTalk Deployment User Account
BTUserHostInstance HostInstance BTUser BizTalk Host Instance Account
BTUserHostIsolated IsolatedHost BTUser BizTalk Isolated Host Instance Account
BTUserInstall Install BTUser BizTalk Installation User Account
BTUserSupport Support BTUser BizTalk Support Access Account

Generic user account security considerations:

  • User cannot change password: check (enterprise security will batch change the passwords).
  • Password never expires: check.
  • “Allow logon to terminal server”: check.
  • “Remote control”: check “enable remote control”.
  • “Log on to”: none (disallow using the account on any other workstation).

Note: any of these accounts can all be disabled if the roles they are to provide are assigned to actual users. In the early stages of release one and release two, the author is assuming the use of these accounts in the development, alpha test and beta test environments.

BizTalk Group Accounts
The following group accounts have been tested in an AD environment. Recommendations and notes on domain groups:

  • Create the groups and add members prior to installing BizTalk.
  • Domain groups are “Global” groups.
  • Use <DomainName>\<UserName> when specifying domain account information in the Configuration Wizard.
  • Groups and user/service accounts must belong to the domain in which the BizTalk server belongs (the Configuration Wizard checks this and will not display accounts or groups containing accounts from other domains).
  • BizTalk Server requires domain accounts for all clustering scenarios.
  • When installing BizTalk, the console user needs to be in the BizTalk Server Administrators group, SSO Administrators (only when configuring the master secret server); Windows administrator; SQL Server administrator; OLAP administrator. The BTUserInstall account should be used for installation and configuration; disable the account after configuration is complete.
  • To allow HAT to attach orchestrations to the debugger, the developer needs to belong to the BizTalk Server Administrators group, as outlined above in “BizTalk Development Accounts”.
Group Name Group Type Members
BizTalk Application Users Global BTServiceHost; BTUserHostInstance
BizTalk BAS Administrators Global BTUserAdmin; SPAdmin; BTServiceBASWeb; BTUserInstall
BizTalk BAS Managers Global (none)
BizTalk BAS Users Global (none)
BizTalk BAS Web Services Group Global BTServiceBASWeb
BizTalk Development Users Global (local domain accounts of development users)
BizTalk Deployment Users Global (local domain accounts of deployment users)
BizTalk EDI Subsystem Users Global BTServiceEDI
BizTalk Host Users Global BTUserHostInstance
BizTalk Isolated Host Users Global BTServiceHostIso; BTUserHostInstance; BTServiceHWF
BizTalk Server Administrators Global BTUserAdmin; BTUserBASTechMgr; BTServiceBASWeb; BTUserInstall; BizTalk Development Users; BizTalk Deployment Users
BizTalk Support Users Global BTUserSupport (local domain accounts of support users)
SSO Administrators Global SSOService; BTUserInstall; Local Administrator
SSO Affiliate Administrators Global BizTalk Development Users; BizTalk Deployment Users; BTServiceHostIso; <console user>
WSS Administrators Global SPAdmin; BTUserInstall; BTUserDeploy; BizTalk Development Users; BizTalk Deployment users

Note: Do not enable BizTalk Development users in upline environments. Domain accounts are omitted for brevity.

Local Administrator Accounts
Confirm or add the following accounts and groups to the Local Administrators group on the SQL Server:

  • Domain\BTUserInstall (disable when configuration is complete)
  • Domain\BTUserDeploy (disable in production when deployment is complete)
  • Domain\SPAdmin
  • Domain\SQLAdmin
  • Domain\SQLService
  • Domain\BizTalk Development Users (omit in upline environments)
  • Domain\BizTalk Deployment Users (omit in development environments)

Confirm or add the following accounts and groups to the Local Administrators group on the BizTalk Server:

  • Domain\BTUserInstall (disable when configuration is complete)
  • Domain\BTUserDeploy (disable in production when deployment is complete)
  • Domain\BTUserSupport
  • Domain\SPAdmin
  • Domain\BizTalk Development Users (omit in upline environments)
  • Domain\BizTalk Deployment Users (omit in development environments)

SQL Server Administrator Accounts
Setup programs accept input from the installer and assigns SQL Roles to users and groups:

  • During the WSS setup, the SPAdmin account is granted Security Administrator and Database Creator rights on the SQL Server. This can be removed if the SPAdmin account is a member of the Local Administrators group.

Email Accounts
BizTalk and SharePoint services will send mail based on certain system events. Setup prompts for an email address during the configuration process. Create email aliases for these purposes and monitor them during setup and unit testing. In the production environment, this account should be accessible by a system administrator who is monitoring the system. These email accounts include:

  • BAS Site Email
  • WSS Administrator Email

Neither is of a critical nature until BAS is enabled.

Password Considerations for Development
For Development, and Test environments, passwords for the accounts can be set by a standard and be distributable. Installer standards vary; I use the template of initial capital letters abbreviating the service component followed by a lower-case abbreviation for the rest of the account (service or user). For service accounts, I use ‘Serv’, for user accounts, ‘User. Hence:

  • WSS (SharePoint) Service and admin account (SPAdmin) passwords: ‘SPServ’.
  • BizTalk Service account passwords: ‘BTServ’.
  • BizTalk User account passwords: ‘BTUser’.

Some IT environments require passwords to contain non-alpha and/or numeric characters. I will typically substitute a dollar sign ($) for “s”, an ‘at’ sign (@) for “a”. The symbols are samples; develop a pattern that works for you for shared accounts with semi-public passwords.

Sample redistributable passwords in use in the development environment are:

  • BT$erv99 BizTalk Service Accounts
  • BTU$er99 BizTalk User Accounts
  • SP$erv99 WSS Service Account (SPAdmin)
  • SQL$erv99 SQL Service/Access/Admin Account

Note: These recommendations are for development and shared environments only. This document does not attempt to set or discourage the use of corporate password policies. See your administrator for password requirements.

Note: If corporate password policy includes generated passwords, be advised that some symbols and symbol combinations are special-use characters to XML. Inappropriate use of these characters will prevent the document from being opened during the configuration step. These symbols include “&”, “<”, “>, single- and double-quote, and may include others. Test the configuration XML file prior to executing file-based configuration. You can test thihs reliably for proper XML formatting by opening the document in Internet Explorer (or an XML editor) with the generated passwords embedded therein.

Deployment of secure passwords in upline environments (including the method to test the BizTalk configuration file) is referenced in the BizTalk Configuration document.

Runtime Security Considerations
This document assumes an insular environment, with BizTalk and other enterprise components functioning within a trusted boundary. As the development moves into production, designers should perform application threat modeling using STRIDE, DREAD and SD3 practices. Such modeling and practices is outside the scope of this document.

Please see the “BizTalk Development Infrastructure Recommendations” for more detail on the trust boundary.

BizTalk Configuration Wizard
This section is called out in the “BizTalk Configuration” document. It assumes you’ve created the accounts as described above, modifying names as necessary for a specific environment.

Windows Accounts Pane in the Configuration Wizard:

Name Account
BizTalk Administrators Group Domain\BizTalk Server Administrators
BAS Site Owner Domain\SPAdmin
SSO Administrators Domain\SSO Administrators
SSO Affiliate Administrators Domain\SSO Affiliate Administrators
BizTalk Host Users Group Domain\BizTalk Application Users
BizTalk Isolated Host Users Domain\BizTalk Isolated Host Users
EDI Base EDI Users Group Domain\EDI Subsystem Users
BizTalk BAS Web Services Group Domain\BizTalk BAS Web Services Group
BizTalk BAS Users Domain\BizTalk BAS Users
BizTalk BAS Managers Domain\BizTalk BAS Managers
BizTalk BAS Administrators Domain\BizTalk BAS Administrators

Note: the BizTalk Configuration Wizard checks for valid accounts and groups in this step.

Windows Services Configurations Pane:

Name Log on as:
BizTalk Server BAS Publishing Web Service Account Domain\BTServiceBASWeb
BizTalk BAS Management Web Service Account Domain\BTServiceBASWeb
Human Workflow Services User Account Domain\BTServiceHWF
BizTalk Base EDI service Domain\BTServiceEDI
BizTalk Isolated Host Instance Account Domain\BTServiceHostIso
BizTalk Host Instance Account Domain\BTServiceHost
Rule Engine Update Service Domain\BTServiceREU
Enterprise Single Sign-on Service Domain\SSOService
BAM Query Web Service user Domain\BTServiceBASWeb
BizTalk Server BAS Application Pool Account Domain\BTServiceBAS

This pane requires the installer to know the passwords for each account, as the wizard checks each credential as it is entered. If deploying into the development, alpha or beta environments, these passwords are likely to be semi-public, and follow some pattern. See “Password Considerations”, above.

Advertisements

About Michael Coates
I am a pragmatic evangelist. The products, services and solutions I write about fulfill real-world expectations and use cases. I stay up-to-date on real products I use and review, and share my thoughts here. I apply the same lens when designing an architecture, product or when writing papers. I am always looking for ways that technology can create or enhance a business opportunity .. not just technology for technology's sake. My CV says: Seasoned technology executive, leveraging years of experience with enterprise and integration architectural patterns, executed with healthy doses of business acumen and pragmatism. That's me. My web site says: Technology innovations provide a myriad of opportunities for businesses. That said, having the "latest and greatest" for its own sake isn't always a recipe for success. Business successes gained through exploiting innovation relies on analysis of how the new features will enhance your business followed by effective implementation. Goals vary far and wide: streamlining operations, improving customer experience, extending brand, and many more. In all cases, you must identify and collect the metrics you can apply to measure your success. Analysis must be holistic and balanced: business and operational needs must be considered when capitalizing on a new technology asset or opportunity.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: