Installing BizTalk Server 2010 in a Basic Multi-Computer Environment: The need for a Domain Controller – Windows Groups and Service Accounts (Part 2)

Posted: January 4, 2012  |  Categories: Administration Advance Configurations BizTalk

A very important difference between a single-server and a multi-server installation is that the multi-server configuration requires you to use domain users and groups to run the various BizTalk services, which makes a domain controller a necessity. The same domain accounts and groups are used for the security configuration of the BizTalk Server databases.

Because BizTalk Server and SQL Server are installed on separate machines, a local account created on one of them means nothing to the other. A domain user account is therefore needed so that one identity can be granted access rights on both the BizTalk machine and the SQL Server machine.

Create Domain Groups and Users

The BizTalk setup procedure is not able to create the Windows Groups and Users on a Domain Controller, so on a multi-computer installation, BizTalk Windows Groups and Users must be created manually on the Domain Controller.

The following information will be useful in creating these groups and accounts.

  • In a multicomputer environment, BizTalk Server supports only domain groups and domain service accounts.
  • BizTalk Server 2010 supports only <NetBIOSDomainName>\<User> name formats for Windows groups and service accounts.
  • BizTalk Server supports only Active Directory domain groups and user accounts in multi-computer configurations. Domain groups include Domain Local groups, Global groups, and Universal groups, which are supported in both single computer and multi-computer environments.
  • Built-in accounts such as NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\SERVICE, NT AUTHORITY\SYSTEM, and Everyone are not supported when you install and configure BizTalk Server 2010 in a multi-computer environment.
  • For more information, see the Installing BizTalk Server 2010 and BAM in a Multi-Computer Environment guide.

Planning the use of a new Organizational Unit

To keep things tidy, we can place the BizTalk users and groups in an Organizational Unit (OU). It is good practice to create a new OU and put all the groups, user accounts and service accounts used in the configuration of BizTalk Server 2010 inside it, so that they can be found, delegated and audited as one unit.

OUs are Active Directory containers into which you can place users, groups, computers, and other organizational units. By using them you can create containers within a domain that represent the hierarchical or logical structures of your organization.

To create a new OU, follow these steps:

  • Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  • Right-click the domain name and select New → Organizational Unit.
  • Enter “BizTalk” as the name of the new Organizational Unit object, make sure “Protect container from accidental deletion” is checked, and press “OK”.

Windows Groups Used In BizTalk Server

The following table lists the Windows groups used by BizTalk Server and their membership.

Note: these groups must be created inside the OU created earlier.

Group: SSO Administrators
Description: The administrators of the Enterprise Single Sign-On (SSO) service. For more information about SSO accounts, see “How to Specify SSO Administrator and Affiliate Administrators Accounts” at https://docs.microsoft.com/en-us/biztalk/core/how-to-specify-sso-administrators-and-affiliate-administrators-accounts.
Membership: The service account of the Enterprise Single Sign-On service; the users/groups that need to configure and administer BizTalk Server and the SSO service; the accounts used to run BizTalk Configuration Manager when configuring the SSO master secret server.

Group: SSO Affiliate Administrators
Description: Administrators of certain SSO affiliate applications. Can create/delete SSO affiliate applications, administer user mappings, and set credentials for affiliate application users.
Membership: No service accounts. Contains the account(s) used for BizTalk Server Administrators.

Group: BizTalk Server Administrators
Description: Has the fewest privileges necessary to perform administrative tasks. Can deploy solutions, manage applications, and resolve message processing issues. To perform administrative tasks for adapters, receive and send handlers, and receive locations, the BizTalk Server Administrators must also be added to the SSO Affiliate Administrators. For more information, see “Managing BizTalk Server Security” at https://docs.microsoft.com/en-us/biztalk/core/managing-biztalk-server-security.
Membership: The users/groups that need to configure and administer BizTalk Server.

Group: BizTalk Server Operators
Description: A low-privilege role with access only to monitoring and troubleshooting actions.
Membership: The users/groups that will monitor solutions.

Group: BizTalk Server B2B Operators
Description: A low-privilege role with access only to monitoring and troubleshooting actions.
Membership: The users/groups that will perform all party management operations.

Group: BizTalk Application Users
Description: The default name of the first In-Process BizTalk Host Group created by Configuration Manager. Use one BizTalk Host Group for each In-Process host in your environment. Includes the accounts with access to In-Process BizTalk hosts (the host process in BizTalk Server, BTSNTSvc.exe).
Membership: The service accounts of the In-Process host instances of the host that the BizTalk Host Group is designated for.

Group: BizTalk Isolated Host Users
Description: The default name of the first Isolated BizTalk Host Group created by Configuration Manager. Isolated BizTalk hosts run outside the BizTalk Server process, for example the HTTP and SOAP receive adapters in IIS. Use one BizTalk Isolated Host Group for each Isolated host in your environment.
Membership: The service accounts of the Isolated host instances of the host that the Isolated BizTalk Host Group is designated for.

Group: EDI Subsystem Users
Description: Has access to the EDI database.
Membership: The service account of the BizTalk Base EDI service.

Group: BAM Portal Users
Description: Has access to the BAM Portal web site.
Membership: The Everyone group is used for this role by default; as Everyone is not supported in a multi-computer environment, use a domain group here.

Group: BizTalk SharePoint Adapter Enabled Hosts
Description: Has access to the Windows SharePoint Services Adapter web service.
Membership: The service accounts of the BizTalk host instances that need to call the SharePoint adapter.

To create a new group, follow these steps:

  • Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  • Select the OU created earlier, “BizTalk”. Right-click the OU name and select New → Group.
  • Enter the name of the new group, set “Group scope” to “Domain local” or “Global” and “Group type” to “Security”, and press “OK”.
  • Repeat these steps for the remaining groups.
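The OU and group procedures above as one PowerShell script. This is an added example and is not part of the original post: it uses the ActiveDirectory module that ships with Windows Server 2008 R2 (feature RSAT-AD-PowerShell), takes the domain root from Get-ADDomain, and uses the default BizTalk group names from the table; the group descriptions and the choice of Global scope are my own.

```powershell
# Added example (not from the original post): create the "BizTalk" OU and the
# BizTalk Server 2010 Windows groups listed in the table above.
# Requires the ActiveDirectory module (Windows Server 2008 R2: Add-WindowsFeature RSAT-AD-PowerShell)
# and an account allowed to create objects under the domain root.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=contoso,DC=local (whatever your domain is)
$ouName   = 'BizTalk'
$ouDn     = "OU=$ouName,$domainDn"

# 1. The Organizational Unit, with "Protect container from accidental deletion" set,
#    exactly as the checkbox in Active Directory Users and Computers does.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. The groups. All are Security groups. Domain Local and Global scope are both
#    supported in a multi-computer environment; this script uses Global.
#    Descriptions are shortened from the table above (my wording).
$groups = @(
    @{ Name = 'SSO Administrators';                       Description = 'Enterprise Single Sign-On administrators and the SSO service account' },
    @{ Name = 'SSO Affiliate Administrators';             Description = 'Administrators of SSO affiliate applications' },
    @{ Name = 'BizTalk Server Administrators';            Description = 'Configure and administer BizTalk Server' },
    @{ Name = 'BizTalk Server Operators';                 Description = 'Monitoring and troubleshooting only' },
    @{ Name = 'BizTalk Server B2B Operators';             Description = 'Party management operations' },
    @{ Name = 'BizTalk Application Users';                Description = 'Service accounts of In-Process host instances (BTSNTSvc.exe)' },
    @{ Name = 'BizTalk Isolated Host Users';              Description = 'Service accounts of Isolated host instances (HTTP/SOAP in IIS)' },
    @{ Name = 'EDI Subsystem Users';                      Description = 'Service account of the BizTalk Base EDI service' },
    # Everyone is the single-server default for BAM Portal Users but is not supported
    # in a multi-computer setup, so a real domain group is created and populated later.
    @{ Name = 'BAM Portal Users';                         Description = 'Access to the BAM Portal web site' },
    @{ Name = 'BizTalk SharePoint Adapter Enabled Hosts'; Description = 'Host instance accounts allowed to call the SharePoint adapter web service' }
)

foreach ($g in $groups) {
    $existing = Get-ADGroup -Filter "Name -eq '$($g.Name)'" -SearchBase $ouDn -ErrorAction SilentlyContinue
    if ($existing) { Write-Verbose "Group '$($g.Name)' already exists"; continue }
    New-ADGroup -Name $g.Name -SamAccountName $g.Name -GroupScope Global -GroupCategory Security `
                -Path $ouDn -Description $g.Description
}

# 3. Check: every group is in the OU and is a Security group with the expected scope.
Get-ADGroup -Filter * -SearchBase $ouDn -Properties Description |
    Select-Object Name, GroupScope, GroupCategory, Description |
    Sort-Object Name | Format-Table -AutoSize
```

The script is idempotent: re-running it skips the OU and any group that already exists, which makes it safe to keep in the environment's build documentation and run again after a failed or partial setup.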

IIS_IUSRS Group

IIS_IUSRS is another group used by BizTalk Server 2010. Unlike the previous groups, we do not need to create it: it is a built-in local group that already has access to the file and system resources an account needs to act as an application pool identity. Because it is local to each web server rather than a domain group, the accounts listed below have to be added to IIS_IUSRS on every BizTalk or BAM machine that runs IIS, not in Active Directory.

User and Service Accounts Used In BizTalk Server

The following table lists the Windows user and service accounts used by BizTalk Server and their group affiliations. The suggested names follow two conventions: “srvc-” for service accounts and “usr-” for accounts that people log on with.

Note: these accounts must be created inside the OU created earlier.

Account: Enterprise Single Sign-On Service
Suggested names: SsoService, srvc-bts-sso
Description: The service account used to run the Enterprise Single Sign-On service, which accesses the SSO database.
Group affiliation: SSO Administrators

Account: Enterprise Single Sign-On Administrator
Suggested names: SsoAdmin, usr-bts-sso-admin
Description: The user account for the SSO Administrator.
Group affiliation: SSO Administrators

Account: Single Sign-On Affiliate User
Suggested names: SsoAffiliate, usr-bts-sso-affiliate (note that the pre-Windows 2000 logon name is limited to 20 characters, so this one has to be shortened)
Description: User account for the SSO Affiliate Administrators.
Group affiliation: SSO Affiliate Administrators

Account: BizTalk Host Instance Account
Suggested names: BTSHostService, srvc-bts-untrusted
Description: The service account used to run the BizTalk In-Process host instance (BTSNTSvc.exe).
Group affiliation: BizTalk Application Users

Account: BizTalk Isolated Host Instance Account
Suggested names: BTSIsolatedHostService, srvc-bts-trusted
Description: The service account used to run the BizTalk Isolated host instance (HTTP/SOAP).
Group affiliation: BizTalk Isolated Host Users; IIS_IUSRS (listed as IIS_WPG, its IIS 6 predecessor, in older documentation)

Account: Rule Engine Update Service
Suggested names: ReuService, srvc-bts-rule-engine
Description: The service account used to run the Rule Engine Update Service, which receives deployment/undeployment notifications for policies from the Rule Engine database.
Group affiliation: none listed

Account: BAM Notification Services User
Suggested names: BamService, srvc-bts-bam-ns
Description: The service account used to run BAM Notification Services, which accesses the BAM databases.
Group affiliation: SQLServer2005NotificationServicesUser$<ComputerName> (a local group on the SQL Server machine)

Account: BAM Management Web Service User
Suggested names: BamWebService, srvc-bts-bam-ws, srvc-bts-bam
Description: The user account for the BAM Management web service (BAMManagementService) to access various BAM resources. The BAM Portal calls BAMManagementService with the credentials of the user logged on to the BAM Portal to manage alerts and to get BAM definition XML and BAM views.
Group affiliation: IIS_IUSRS (IIS_WPG in older documentation)

Account: BAM Application Pool Account
Suggested names: BamApp, srvc-bts-bam-ap
Description: Application pool account for BAMAppPool, which hosts the BAM Portal web site.
Group affiliation: IIS_IUSRS (IIS_WPG in older documentation)

Account: BizTalk Base EDI Service
Suggested names: EDIService, srvc-bts-edi
Description: The service account used to run the BizTalk Base EDI service, which processes EDI documents. Important: the Base EDI adapter was deprecated in BizTalk Server 2006 R2. It can be used in upgrade scenarios, but for new installations of BizTalk Server use the native EDI and AS2 functionality.
Group affiliation: EDI Subsystem Users; the In-Process BizTalk Host Groups hosting the Base EDI adapter

Account: BizTalk Administrator
Suggested names: BTSAdm, usr-bts-admin
Description: The user that needs to configure and administer BizTalk Server.
Group affiliation: BizTalk Server Administrators

Account: BizTalk Server Operator User
Suggested names: BTSOperator, usr-bts-operator
Description: The user account that will monitor solutions.
Group affiliation: BizTalk Server Operators

Account: BizTalk Server B2B Operator User
Suggested names: BTSB2BOperator, usr-bts-b2b-operator
Description: The user account that will perform all party management operations.
Group affiliation: BizTalk Server B2B Operators

To create a new user, follow these steps:

  • Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  • Select the OU created earlier, “BizTalk”. Right-click the OU name and select New → User.
  • Enter the first and last name and the user logon name of the new user, then press Next. Keep in mind that the pre-Windows 2000 logon name (sAMAccountName) is limited to 20 characters.
  • Enter the password and its confirmation. For service accounts, select “Password never expires” (and, preferably, “User cannot change password”) so that a host instance does not stop when the domain password policy rolls the password over; accounts that people log on with, such as the BizTalk administrator and operator users, should keep the normal domain password policy. Press Next and then Finish.
  • Repeat these steps for the remaining users and service accounts.
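The account creation procedure above as a PowerShell script. This is an added example, not from the original post. It assumes the “srvc-*”/“usr-*” names suggested in the table, the BizTalk OU created earlier and the domain returned by Get-ADDomain, and it prompts for every password rather than embedding one. Two things the wizard does not enforce are built in: the 20-character sAMAccountName limit is checked (the suggested usr-bts-sso-affiliate is 21 characters, so the example uses usr-bts-sso-affil, my own shortening), and “Password never expires” is applied only to service accounts while the accounts people log on with keep the domain password policy.

```powershell
# Added example (not from the original post): create the BizTalk Server 2010 user and
# service accounts from the table above inside the BizTalk OU.
# Assumptions: names from the table (usr-bts-sso-affil shortened to fit 20 chars),
# the OU "BizTalk" under the domain root, UPN suffix = the domain's DNS name.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$ouDn      = "OU=BizTalk,$($domain.DistinguishedName)"
$upnSuffix = $domain.DNSRoot                   # e.g. contoso.local

# Sam = logon name; Service = $true for non-interactive service accounts,
# $false for accounts a person logs on with.
$accounts = @(
    @{ Sam = 'srvc-bts-sso';         Name = 'Enterprise Single Sign-On Service';       Service = $true  },
    @{ Sam = 'usr-bts-sso-admin';    Name = 'Enterprise Single Sign-On Administrator'; Service = $false },
    @{ Sam = 'usr-bts-sso-affil';    Name = 'Single Sign-On Affiliate User';           Service = $false },
    @{ Sam = 'srvc-bts-untrusted';   Name = 'BizTalk Host Instance Account';           Service = $true  },
    @{ Sam = 'srvc-bts-trusted';     Name = 'BizTalk Isolated Host Instance Account';  Service = $true  },
    @{ Sam = 'srvc-bts-rule-engine'; Name = 'Rule Engine Update Service';              Service = $true  },
    @{ Sam = 'srvc-bts-bam-ns';      Name = 'BAM Notification Services User';          Service = $true  },
    @{ Sam = 'srvc-bts-bam-ws';      Name = 'BAM Management Web Service User';         Service = $true  },
    @{ Sam = 'srvc-bts-bam-ap';      Name = 'BAM Application Pool Account';            Service = $true  },
    @{ Sam = 'srvc-bts-edi';         Name = 'BizTalk Base EDI Service';                Service = $true  },
    @{ Sam = 'usr-bts-admin';        Name = 'BizTalk Administrator';                   Service = $false },
    @{ Sam = 'usr-bts-operator';     Name = 'BizTalk Server Operator User';            Service = $false },
    @{ Sam = 'usr-bts-b2b-operator'; Name = 'BizTalk Server B2B Operator User';        Service = $false }
)

foreach ($a in $accounts) {
    # sAMAccountName for users is limited to 20 characters; fail early instead of
    # letting AD reject the name half-way through the list.
    if ($a.Sam.Length -gt 20) { throw "$($a.Sam) exceeds the 20-character sAMAccountName limit" }

    if (Get-ADUser -Filter "SamAccountName -eq '$($a.Sam)'" -ErrorAction SilentlyContinue) {
        Write-Verbose "$($a.Sam) already exists"; continue
    }
    $password = Read-Host -AsSecureString "Password for $($a.Sam) ($($a.Name))"

    $params = @{
        Name              = $a.Name
        DisplayName       = $a.Name
        SamAccountName    = $a.Sam
        UserPrincipalName = "$($a.Sam)@$upnSuffix"
        Path              = $ouDn
        AccountPassword   = $password
        Enabled           = $true
        Description       = 'BizTalk Server 2010 account'
    }
    if ($a.Service) {
        # Service accounts: the password never expires (a host instance must not stop
        # when the domain password policy rolls over) and the account cannot change it.
        $params.PasswordNeverExpires = $true
        $params.CannotChangePassword = $true
    } else {
        # Interactive accounts keep the domain password policy and must replace the
        # initial password at first logon.
        $params.ChangePasswordAtLogon = $true
    }
    New-ADUser @params
}

# Check: what was created, with the two password flags visible.
Get-ADUser -Filter * -SearchBase $ouDn -Properties PasswordNeverExpires, CannotChangePassword |
    Select-Object SamAccountName, Name, Enabled, PasswordNeverExpires, CannotChangePassword |
    Sort-Object SamAccountName | Format-Table -AutoSize
```

Run it from the domain controller or an RSAT workstation with an account that can create users in the OU. Because BizTalk only accepts the <NetBIOSDomainName>\<User> format, the sAMAccountName is the name you will later type into BizTalk Configuration; the UPN is set only for completeness.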

Summary of Users and Groups Affiliation

SSO Administrators
  • Enterprise Single Sign-On Service (SsoService / srvc-bts-sso)
  • Enterprise Single Sign-On Administrator (SsoAdmin / usr-bts-sso-admin)
  • BizTalk Server Administrators group

SSO Affiliate Administrators
  • Single Sign-On Affiliate User (SsoAffiliate / usr-bts-sso-affiliate)

BizTalk Server Administrators
  • BizTalk Administrator (BTSAdm / usr-bts-admin)
  • Your own user account (suggestion). Sometimes a Domain Admin is used here, but that gives day-to-day BizTalk administration far more privilege than the group needs; prefer a dedicated account.

BizTalk Server Operators
  • BizTalk Server Operator User (BTSOperator / usr-bts-operator)

BizTalk Server B2B Operators
  • BizTalk Server B2B Operator User (BTSB2BOperator / usr-bts-b2b-operator)

BizTalk Application Users
  • BizTalk Host Instance Account (BTSHostService / srvc-bts-untrusted)

BizTalk Isolated Host Users
  • BizTalk Isolated Host Instance Account (BTSIsolatedHostService / srvc-bts-trusted)

EDI Subsystem Users
  • BizTalk Base EDI Service (EDIService / srvc-bts-edi)

BAM Portal Users
  • The Everyone group is used for this role by default; since Everyone is not supported in a multi-computer environment, use Domain Users (suggestion).

IIS_IUSRS (built-in local group on each web server)
  • BizTalk Isolated Host Instance Account (BTSIsolatedHostService / srvc-bts-trusted)
  • BAM Management Web Service User (BamWebService / srvc-bts-bam-ws / srvc-bts-bam)
  • BAM Application Pool Account (BamApp / srvc-bts-bam-ap)
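The affiliations in the summary above, applied and verified from PowerShell. This is an added example, not from the original post. Domain group membership is set with Add-ADGroupMember; IIS_IUSRS and SQLServer2005NotificationServicesUser$<ComputerName> are local groups on the member servers, so those are populated through the WinNT ADSI provider, which works against Windows Server 2008 R2 without remoting being enabled. The server names BTSSRV01 and SQLSRV01, the domain taken from Get-ADDomain and the shortened account name usr-bts-sso-affil are assumptions.

```powershell
# Added example (not from the original post): put each account into the groups shown
# in the summary, add the web and BAM accounts to the LOCAL groups on the member
# servers, and verify the result. Server names BTSSRV01 / SQLSRV01 are hypothetical.
Import-Module ActiveDirectory

$netbios = (Get-ADDomain).NetBIOSName    # BizTalk accepts only <NetBIOSDomainName>\<User>

# Domain groups -> direct members (sAMAccountNames; groups can be members too).
$membership = @{
    'SSO Administrators'            = @('srvc-bts-sso', 'usr-bts-sso-admin', 'BizTalk Server Administrators')
    'SSO Affiliate Administrators'  = @('usr-bts-sso-affil')
    'BizTalk Server Administrators' = @('usr-bts-admin')
    'BizTalk Server Operators'      = @('usr-bts-operator')
    'BizTalk Server B2B Operators'  = @('usr-bts-b2b-operator')
    'BizTalk Application Users'     = @('srvc-bts-untrusted')
    'BizTalk Isolated Host Users'   = @('srvc-bts-trusted')
    'EDI Subsystem Users'           = @('srvc-bts-edi')
    'BAM Portal Users'              = @('Domain Users')   # Everyone is not supported multi-computer
}

foreach ($group in $membership.Keys) {
    Add-ADGroupMember -Identity $group -Members $membership[$group]
}

# IIS_IUSRS and SQLServer2005NotificationServicesUser$<ComputerName> exist only in the
# local SAM of each server, so they cannot be populated in AD. The WinNT provider lets
# an administrator of the target machine add a domain account remotely.
function Add-LocalGroupMemberRemote([string]$Computer, [string]$LocalGroup, [string]$Account) {
    $group   = [ADSI]"WinNT://$Computer/$LocalGroup,group"
    $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    if ($members -notcontains $Account) {
        $group.Add("WinNT://$netbios/$Account,user")
    }
}

# Web server(s) hosting the Isolated host (HTTP/SOAP receive) and the BAM Portal.
foreach ($acct in 'srvc-bts-trusted', 'srvc-bts-bam-ws', 'srvc-bts-bam-ap') {
    Add-LocalGroupMemberRemote -Computer 'BTSSRV01' -LocalGroup 'IIS_IUSRS' -Account $acct
}
# SQL Server machine running Notification Services for BAM alerts (group name includes the computer name).
Add-LocalGroupMemberRemote -Computer 'SQLSRV01' -LocalGroup 'SQLServer2005NotificationServicesUser$SQLSRV01' -Account 'srvc-bts-bam-ns'

# Verify: every expected direct member is present, and report anything unexpected.
$problems = 0
foreach ($group in $membership.Keys) {
    $actual = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
    foreach ($expected in $membership[$group]) {
        if ($actual -notcontains $expected) { Write-Warning "$expected is missing from $group"; $problems++ }
    }
    foreach ($member in $actual) {
        if ($membership[$group] -notcontains $member) { Write-Warning "$member is in $group but not in the plan" }
    }
}
"$problems membership problem(s) found"
```

The verification loop is worth keeping as a periodic check: extra members in BizTalk Application Users or SSO Administrators are a direct privilege grant on the BizTalk databases and the SSO secret, so unplanned membership there should be investigated rather than tidied away.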

SQL Server Service Accounts

The following table lists the Windows service accounts used by SQL Server.

Note: these accounts must be created inside the OU created earlier.

  • SQL Server Agent Service (suggested name: srvc-sql-agent): the service account used to run SQL Server Agent.
  • SQL Server Database Service (suggested name: srvc-sql-engine): the service account used to run the SQL Server Database Engine.
  • SQL Server Analysis Service (suggested name: srvc-sql-analysis): the service account used to run SQL Server Analysis Services.
  • SQL Server Reporting Service (suggested name: srvc-sql-reporting): the service account used to run SQL Server Reporting Services.
  • SQL Server Integration Service (suggested name: srvc-sql-integration): the service account used to run SQL Server Integration Services.

Alternatively, you can create a single domain account to run all of these services (for example sql-bts-service or srvc-sql-bts). That is simpler to manage, but one account per service keeps the services isolated from each other: a compromise of, say, Reporting Services then does not hand the attacker the Database Engine's identity.

Depending on the features you selected while installing SQL Server, some or all of the following services will be present on your server.

SQL Server Database Services:

  • SQL Server Agent
  • Analysis Services
  • Reporting Services
  • Integration Services
  • SQL Server Browser
  • Full-text search
  • SQL Server Active Directory Helper
  • SQL Writer

You can configure your SQL Server related services either during the setup or after the installation using the SQL Server Configuration Manager.

Types of startup accounts:

  • Local User Account: a user account created on the server where SQL Server is installed. It is not known to other machines, so the service cannot authenticate to network resources under its own identity.
  • Local Service Account: a built-in Windows account available for configuring services. It has the same permissions as members of the local Users group, so it has limited access to the resources on the server. This account is not supported for the SQL Server and SQL Server Agent services.
  • Local System Account: a built-in Windows account available for configuring services. It is a highly privileged account with administrator-level access to all resources on the server.
  • Network Service Account: a built-in Windows account available for configuring services. It accesses network resources under the computer account.
  • Domain Account: an account in your domain that has access to exactly the network resources it has been granted permission for. It is always advisable to run SQL Server and its related services under a domain account with the minimum privilege needed to run them.

Changing Service Accounts:

SQL Server service accounts can be configured either during installation, in the Server Configuration step of setup, or afterwards using SQL Server Configuration Manager. Always use one of these two, not services.msc: Configuration Manager also grants the new account the file, registry and Windows privilege rights the service needs, which the generic Services console does not. I will walk you through changing a service account with SQL Server Configuration Manager.

  • Start → Programs → Microsoft SQL Server 2008 → Configuration Tools → SQL Server Configuration Manager
  • Select SQL Server Services, right-click the service in the right pane and choose Properties.

On the Log On tab you can pick one of the built-in accounts, or, to use a local user account or a domain user account, select “This account” and enter the credentials of that account.

Remember that the SQL Server service and its related services have to be restarted for the new service account to take effect.
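The same change made from PowerShell through the SMO WMI provider, which is the component SQL Server Configuration Manager itself uses. This is an added example, not from the original post. It assumes a default instance of SQL Server 2008 on the local machine, the domain CONTOSO, and the srvc-sql-engine / srvc-sql-agent names suggested above. The practical point is the one just made: SetServiceAccount, like Configuration Manager, also grants the new account the rights SQL Server needs, whereas services.msc or Win32_Service.Change only swap the logon identity and leave a service that fails to start.

```powershell
# Added example (not from the original post): change the Database Engine and Agent
# service accounts the supported way (SMO WMI provider = SQL Server Configuration Manager).
# Assumptions: run on the SQL Server 2008 machine as a local administrator, default
# instance, domain CONTOSO, account names as suggested in the table above.
Add-Type -AssemblyName 'Microsoft.SqlServer.SqlWmiManagement'   # installed with the SQL Server management tools

$computer = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer   # local machine

# Service name -> domain account. For a named instance use 'MSSQL$NAME' and 'SQLAgent$NAME'.
$targets = @{
    'MSSQLSERVER'    = 'CONTOSO\srvc-sql-engine'
    'SQLSERVERAGENT' = 'CONTOSO\srvc-sql-agent'
}

function Set-SqlServiceAccount([string]$ServiceName, [string]$Account) {
    $service = $computer.Services[$ServiceName]
    if ($null -eq $service) { throw "Service '$ServiceName' not found on $($computer.Name)" }

    $secure = Read-Host -AsSecureString "Password for $Account"
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # Validates the credentials and, like Configuration Manager, grants the account
        # the ACLs, registry rights and "Log on as a service" privilege the service needs.
        $service.SetServiceAccount($Account, $plain)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # do not leave the clear-text copy around
        $plain = $null
    }
    $service.Refresh()
    $service.ServiceAccount
}

foreach ($name in $targets.Keys) {
    $now = Set-SqlServiceAccount -ServiceName $name -Account $targets[$name]
    "$name now configured to run as $now"
}

# The change only applies after a restart. The Agent depends on the engine, so stop it
# first, restart the engine, then start the Agent again.
function Wait-SqlService($Service, [Microsoft.SqlServer.Management.Smo.Wmi.ServiceState]$State) {
    do { Start-Sleep -Seconds 2; $Service.Refresh() } until ($Service.ServiceState -eq $State)
}
$engine = $computer.Services['MSSQLSERVER']
$agent  = $computer.Services['SQLSERVERAGENT']
if ($agent.ServiceState  -eq 'Running') { $agent.Stop();  Wait-SqlService $agent  Stopped }
if ($engine.ServiceState -eq 'Running') { $engine.Stop(); Wait-SqlService $engine Stopped }
$engine.Start(); Wait-SqlService $engine Running
$agent.Start();  Wait-SqlService $agent  Running

# Check: the accounts and states as SQL Server now reports them.
$computer.Services | Select-Object Name, ServiceAccount, ServiceState, StartMode | Format-Table -AutoSize
```

Plan this for a maintenance window: BizTalk host instances lose their database connections while the engine restarts, so stop them first and start them again once the Agent is back, otherwise they will log connection errors and may need to be restarted themselves.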


Author: Sandro Pereira

Sandro Pereira lives in Portugal and works as a consultant at DevScope. In recent years he has been implementing integration scenarios, both on-premises and in the cloud, for various clients, each different in technical approach, size and criticality, using Microsoft Azure, Microsoft BizTalk Server and technologies such as AS2, EDI, RosettaNet, SAP and TIBCO. He is a regular blogger, an international speaker, and a technical reviewer of several BizTalk books, all focused on integration. He is also the author of the book “BizTalk Mapping Patterns & Best Practices”. He has been a Microsoft MVP since 2011 for his contributions to the integration community.

8 thoughts on “Installing BizTalk Server 2010 in a Basic Multi-Computer Environment: The need for a Domain Controller – Windows Groups and Service Accounts (Part 2)”

  1. I might be wrong, but I believe that the Isolated host is a non-trusted account, hence the isolated account name you have suggested (BTSIsolatedHostService / srvc-bts-trusted) should be (BTSIsolatedHostService / srvc-bts-untrusted).

    Similarly, the other way round for BizTalk Application Users.

    1. Hi Bharat,
      Thanks for the feedback.

      First of all, I fixed the formatting typo in my blog. The idea was to give samples of a naming convention that you could use:
      – BTSHostService
      – srvc-bts-untrusted

      But it wasn’t the best choice of naming and I will fix the post soon.

      As you say, srvc-bts-trusted and srvc-bts-untrusted should be used for trusted or untrusted hosts. However, In-Process hosts can be trusted or untrusted, and the same goes for Isolated hosts: they can also be defined as trusted or untrusted, so it is not black and white… You can use this naming convention to associate trusted or untrusted hosts, or you can use something like this:
      – srvc-bts-host-instance
      – srvc-bts-isolated-host

  2. Hi Sandro, thanks for the great detail in this series, it is really helpful. Can I just clarify a few points, though:
    I have been tasked with building and configuring a Biztalk 2013 multicomputer environment, so I am installing on a domain. My questions mainly relate to which user accounts/group accounts/service accounts I need to create and where to use them.

    But also,
    1) Does everything here also apply to Biztalk 2013, or just 2010?
    2) We are not building in Azure- do I still need to consider SSO?

    1. Hi Charlie… you can rely on this to install BizTalk Server 2013, with, of course, some small differences. The last time I did this type of installation with 2013 I used this step-by-step combined with BizTalk 2013 Installation and Configuration – Important considerations before set up the server (Part 1) – http://sandroaspbiztalkblog.wordpress.com/2013/05/05/biztalk-2013-installation-and-configuration-important-considerations-before-set-up-the-server-part-1/

      Users and groups are the same, except, I think, for the IIS_IUSRS group.
      And SSO is always needed. SSO has nothing to do with Azure.

      A business process that relies on several different applications may have to cross several different security domains. Accessing an application on a Microsoft Windows system may require one set of security credentials, while accessing an application on an IBM mainframe may require different credentials, such as an RACF username and password. Dealing with this profusion of credentials is difficult for users, and it can be even harder for automated processes. To address this problem, BizTalk Server includes Enterprise Single Sign-On.

  3. Hi,

    As predicted, I return for further advice! 🙂

    Thanks to the really good info in these blogs, I have installed and configured two of three BIZTALK 2013 servers for a Test-Dev environment, with the first install being the SSO Master Secret Server. As mentioned, this is test-dev.

    At a later point I will install and configure BizTalk 2013 for some production servers.
    This will all be in one domain.

    I assume that only one Master Secret Server can exist on a domain?

    Today, I realise that having the SSO Master Secret Server on test-dev machine will not be ideal, due to testing and reboots.. etc… impacting on those trying to logon to a production server.

    Now is the best time for me to make changes to which server is configured as SSO Master Secret Server.

    What would you suggest?

    Thanks,

    Charlie

  4. HI Sandro,

    Seeking your help with a time frame. We are currently migrating BizTalk to a new server with the same version, BTS 2009. Could you please tell me approximately how much time it will take to finish the migration?


