It is a common headache for BizTalk administrators: you restart your Windows Server, but your BizTalk Host Instances (BTSNTSvc.exe) remain in a “Stopped” state, despite being set to start automatically. In my case, after rebooting the operating system, BizTalk Server 2010 services: BizTalk Service BizTalk Group: BizTalkServerApplication fail to start automatically.
📝 One-Minute Brief
After a system restart, BizTalk 2010 host instances (BTSNTSvc.exe) may fail to start automatically, even if configured to do so. This is typically caused by a timing issue where the Enterprise Single Sign-On (ESSO) service hasn’t fully initialized before BizTalk tries to start. The solution is to change the startup type of the BizTalk Host Instance services to “Automatic (Delayed Start)” to ensure ESSO is ready first.
Cause
This is a Microsoft known issue with BizTalk Runtime, forcing us to manually start the services.
I was hoping that BizTalk 2010 CU2, released on August 31, 2011, would resolve this problem, but no such luck.
BizTalk Server has a hard dependency on the ESSO service. During a system boot, Windows attempts to start many services simultaneously. If the BizTalk Host Instance tries to initialize before the ESSO service is fully up and running, the BizTalk service will fail and stop.
This is essentially a race condition where ESSO—the slower service—loses, causing BizTalk to crash on startup.
Solution
In Services.msc, set the Startup type to Automatic (Delayed Start) option in these services:
- Enterprise Single Sign-On Service
- And BizTalk Service BizTalk Group : BizTalkServerApplication Service
This behavior also occurs in BizTalk 2009 and 2006 R2. The solution is the same. You should change the startup types for the BizTalk services on all the BizTalk machines in the group to Automatic (Delayed Start).
Thank you, Thiago Almeida and Saravana, for alerting me that this behavior also occurs in the previous versions (see Thiago’s post)
Hope you find this helpful! If you liked the content or found it useful and would like to support me in writing more, consider buying (or helping to buy) a Star Wars Lego set for my son.
Hi Sandro,
The reason for this is BizTalk service depends on the SSO service which takes a while to start on system start. Since the SSO service doesnt start instantaneously, the BizTalk service fails to start automatically as well.
Dipesh
http://dipeshavlani.net
Hi Dipesh Avlani,
First of all thanks for the comment and for the explanation. You are absolutely right!
However, is not new that BizTalk requires SSO service to start, old versions of the product (2006, 2006 R2, 2009, …) also require this service and in none of them my clients had this problem.
Hi Sandro, does the resolution you provide work. Do the services come up automatically if we change the startup type to Automatic(delayed start) for ESSO and host instances ?
Hi Suruchi,
Yes the solution works. I already implemented and successfully tested it in three BizTalk environments on different clients.
it works for me too , thanks
Hi Sandro, I am facing following issue while importing binding file in BizTalk administrator.
Log Name: Application
Source: ENTSSO
Date: 02/09/2014 10:31:22
Event ID: 10536
Task Category: Enterprise Single Sign-On
Level: Warning
Keywords: Classic
User: N/A
Computer: AAA123
Description:
SSO AUDIT
Function: GetConfigInfo ({234A7EB3-E3EE-4DCA-826C-5DAF9D29EF30})
Tracking ID: 53c47314-01b1-4ab4-b4a9-217b8596df86
Client Computer: AAA123 (BTSNTSvc.exe:8428)
Client User: DEVADMINsvcFTSBTHIADev
Application Name: {234A7EB3-E3EE-4DCA-826C-5DAF9D29EF30}
Error Code: 0xC0002A1F, Cannot perform encryption or decryption because the secret is not available from the master secret server. See the event log for related errors.
Event Xml:
10536
3
1
0x80000000000000
59151
Application
AAA123
GetConfigInfo ({234A7EB3-E3EE-4DCA-826C-5DAF9D29EF30})
53c47314-01b1-4ab4-b4a9-217b8596df86
AAA123 (BTSNTSvc.exe:8428)
DEVADMINsvcFTSBTHIADev
{234A7EB3-E3EE-4DCA-826C-5DAF9D29EF30}
0xC0002A1F, Cannot perform encryption or decryption because the secret is not available from the master secret server. See the event log for related errors.
Log Name: Application
Source: ENTSSO
Date: 02/09/2014 10:31:39
Event ID: 11016
Task Category: Enterprise Single Sign-On
Level: Error
Keywords: Classic
User: N/A
Computer: AAA123
Description:
The AuthzInitializeContextFromSid function failed with ERROR_ACCESS_DENIED. This means that the service account that the SSO server is running under does not have sufficient permissions to check group membership in Active Directory. Please check your documentation for details on how to fix this problem.
Event Xml:
11016
2
1
0x80000000000000
59161
Application
AAA123
Log Name: Application
Source: ENTSSO
Date: 02/09/2014 10:31:39
Event ID: 11008
Task Category: Enterprise Single Sign-On
Level: Warning
Keywords: Classic
User: N/A
Computer: AAA123
Description:
Check group membership failed.
Group Name: DEVADMINGGFTS SSO Administrators
Account Name: C42726
Additional Data: 644
Error Code: 0x80070005, Access is denied.
Event Xml:
11008
3
1
0x80000000000000
59162
Application
AAA123
DEVADMINGGFTS SSO Administrators
C42726
644
0x80070005, Access is denied.
Log Name: Application
Source: ENTSSO
Date: 02/09/2014 10:31:39
Event ID: 11042
Task Category: Enterprise Single Sign-On
Level: Warning
Keywords: Classic
User: N/A
Computer: AAA123
Description:
Access denied. The client user must be a member of one of the following accounts to perform this function.
SSO Administrators: DEVADMINGGFTS SSO Administrators
SSO Affiliate Administrators: DEVADMINGGFTS Affiliate Administrators
Application Administrators: DEVADMINGGFTS BizTalk Administrators
Application Users: DEVADMINGGFTS Biztalk I Host Users Group
Additional Data: ADMINC42726 {05C6B431-E358-4557-B998-6ED46D430AD4} WCF-CustomIsolated_RL_SABBSIsolatedHost_{05C6B431-E358-4557-B998-6ED46D430AD4}
Event Xml:
11042
3
1
0x80000000000000
59163
Application
AAA123
DEVADMINGGFTS SSO Administrators
DEVADMINGGFTS Affiliate Administrators
DEVADMINGGFTS BizTalk Administrators
DEVADMINGGFTS Biztalk I Host Users Group
ADMINC42726 {05C6B431-E358-4557-B998-6ED46D430AD4} WCF-CustomIsolated_RL_SABBSIsolatedHost_{05C6B431-E358-4557-B998-6ED46D430AD4}
Hi Girish,
At the first look it seems that the service account that the SSO server is running under does not have sufficient permissions to check group membership in Active Directory (http://msdn.microsoft.com/en-us/library/bb899075.aspx).
Or the master secret had somehow become corrupt, it can be restored thus:
1. In a command prompt, goto C:Program FilesCommon FilesEnterprise Single Sign-On
2. Enter “ssoConfig -restoresecret SSOxxxx.bak”, where xxxx is a BizTalk generated code”
3. Enter the password that was set on BizTalk installation.
Check also this thread for more info: http://social.msdn.microsoft.com/Forums/en-US/72c27ad4-bc10-4787-b785-1b7c97022588/cannot-perform-encryption-or-decryption-because-the-secret-is-not-available-from-the-master?forum=biztalkgeneral
Excellent pointer to a vexing issue …