A very important difference between a single-server and a multi-server installation is that the multi-server configuration requires you to use domain users and groups to run the various BizTalk services, which makes a domain controller a necessity. These domain accounts and groups are used for the security configuration of the BizTalk Server databases.
Because BizTalk Server and SQL Server are installed on separate machines, a domain user account is needed so that the same account can be granted access rights on both the BizTalk machine and the SQL Server machine.
Create Domain Groups and Users
The BizTalk setup procedure is not able to create the Windows Groups and Users on a Domain Controller, so on a multi-computer installation, BizTalk Windows Groups and Users must be created manually on the Domain Controller.
The following information will be useful in creating these groups and accounts.
- In a multicomputer environment, BizTalk Server supports only domain groups and domain service accounts.
- BizTalk Server 2010 supports only <NetBIOSDomainName>\<User> name formats for Windows groups and service accounts.
- BizTalk Server supports only Active Directory domain groups and user accounts in multi-computer configurations. Domain groups include Domain Local groups, Global groups, and Universal groups, which are supported in both single computer and multi-computer environments.
- Built-in accounts such as NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\SERVICE, NT AUTHORITY\SYSTEM, and Everyone are not supported when you install and configure BizTalk Server 2010 in a multi-computer environment.
- For more information, see the Installing BizTalk Server 2010 and BAM in a Multi-Computer Environment manual.
Planning the use of a new Organizational Unit
To keep things tidy, we can place the BizTalk users and groups in an Organizational Unit (OU). It is good practice to create a new OU to hold all the groups, user accounts and service accounts that we will use in the configuration of BizTalk Server 2010.
OUs are Active Directory containers into which you can place users, groups, computers, and other organizational units. By using them you can create containers within a domain that represent the hierarchical or logical structures within your organization.
To create a new OU follow these steps:
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- Right-click on the domain name and select New > Organizational Unit.
- Enter “BizTalk” as the name of the new Organizational Unit object, make sure to check “Protect container from accidental deletion” and press “OK”.
Windows Groups Used In BizTalk Server
The following table lists the Windows groups and their membership used by BizTalk Server.
Note: these groups must be created within the OU created earlier.
Group | Group Description | Membership |
--- | --- | --- |
SSO Administrators | The administrator of the Enterprise Single Sign-On (SSO) service. For more information about SSO accounts, see “How to Specify SSO Administrator and Affiliate Administrators Accounts” at https://docs.microsoft.com/en-us/biztalk/core/how-to-specify-sso-administrators-and-affiliate-administrators-accounts. | Contains service accounts for the Enterprise Single Sign-On service. Contains users/groups that need to be able to configure and administer BizTalk Server and the SSO service. Contains accounts used to run BizTalk Configuration Manager when configuring the SSO master secret server. |
SSO Affiliate Administrators | Administrators of certain SSO affiliate applications. Can create/delete SSO affiliate applications, administer user mappings, and set credentials for affiliate application users. | Contains no service accounts. Contains the account used for BizTalk Server Administrators. |
BizTalk Server Administrators | Has the fewest privileges necessary to perform administrative tasks. Can deploy solutions, manage applications, and resolve message processing issues. To perform administrative tasks for adapters, receive and send handlers, and receive locations, the BizTalk Server Administrators must be added to the Single Sign-On Affiliate Administrators. For more information, see “Managing BizTalk Server Security” at https://docs.microsoft.com/en-us/biztalk/core/managing-biztalk-server-security. | Contains users/groups that need to be able to configure and administer BizTalk Server. |
BizTalk Server Operators | Has a low-privilege role with access only to monitoring and troubleshooting actions. | Contains users/groups that will monitor solutions. |
BizTalk Server B2B Operators | Has a low-privilege role with access only to monitoring and troubleshooting actions. | Contains users/groups that will perform all party management operations. |
BizTalk Application Users | The default name of the first In-Process BizTalk Host Group created by Configuration Manager. Use one BizTalk Host Group for each In-Process host in your environment. Includes accounts with access to In-Process BizTalk Hosts (host processes in BizTalk Server, BTSNTSvc.exe). | Contains service accounts for the BizTalk In-Process host instance in the host that the BizTalk Host Group is designated for. |
BizTalk Isolated Host Users | The default name of the first Isolated BizTalk Host Group created by Configuration Manager. Isolated BizTalk hosts run outside the BizTalk Server process, for example HTTP and SOAP. Use one BizTalk Isolated Host Group for each Isolated Host in your environment. | Contains service accounts for the BizTalk Isolated host instance in the host that the Isolated BizTalk Host Group is designated for. |
EDI Subsystem Users | Has access to the EDI database. | Contains service accounts for the BizTalk Base EDI service. |
BAM Portal Users | Has access to the BAM Portal Web site. | The Everyone group is used for this role by default. |
BizTalk SharePoint Adapter Enabled Hosts | Has access to the Windows SharePoint Services Adapter Web Service. | Contains service accounts for the BizTalk host instances that need to call the SharePoint Adapter. |
To create a new Group you should follow these steps:
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- Select the OU created earlier: “BizTalk”. Right-click on the OU name and select New > Group.
- Enter the name of the new group, make sure to select “Group scope” as “Domain local” or “Global” and “Group type” as “Security”, and press “OK”.
- Repeat all the steps for the remaining groups.
IIS_IUSRS Group
IIS_IUSRS is another group used by BizTalk Server 2010. Unlike the previous groups, we do not need to create it, because it is a built-in group with access to all the file and system resources an account needs in order to act as an application pool identity; an account added to this group can seamlessly serve as one.
User and Service Accounts Used In BizTalk Server
The following table lists the Windows user or service accounts and group affiliations used by BizTalk Server.
Note: these accounts must be created within the OU created earlier.
User | User Description | Group Affiliation |
--- | --- | --- |
Enterprise Single Sign-On Service (suggested names: SsoService, srvc-bts-sso) | The service account used to run the Enterprise Single Sign-On Service, which accesses the SSO database. | SSO Administrators |
Enterprise Single Sign-On Administrator (suggested names: SsoAdmin, usr-bts-sso-admin) | The user account for the SSO Administrator. | SSO Administrators |
Single Sign-On Affiliate User (suggested names: SsoAffiliate, usr-bts-sso-affiliate) | User account for SSO Affiliate Administrators. | SSO Affiliate Administrators |
BizTalk Host Instance Account (suggested names: BTSHostService, srvc-bts-untrusted) | The service account used to run the BizTalk In-Process host instance (BTSNTSvc.exe). | BizTalk Application Users |
BizTalk Isolated Host Instance Account (suggested names: BTSIsolatedHostService, srvc-bts-trusted) | The service account used to run the BizTalk Isolated host instance (HTTP/SOAP). | BizTalk Isolated Host Users, IIS_WPG |
Rule Engine Update Service (suggested names: ReuService, srvc-bts-rule-engine) | The service account used to run the Rule Engine Update Service, which receives notifications of policy deployment/undeployment from the Rule Engine database. | |
BAM Notification Services User (suggested names: BamService, srvc-bts-bam-ns) | The service account used to run BAM Notification Services, which accesses the BAM databases. | SQLServer2005NotificationServicesUser$<ComputerName> |
BAM Management Web Service User (suggested names: BamWebService, srvc-bts-bam-ws, srvc-bts-bam) | The user account for the BAM Management Web service (BAMManagementService) to access various BAM resources. BAM Portal calls BAMManagementService with the credentials of the user logged on to the BAM Portal to manage alerts and to get BAM definition XML and BAM views. | IIS_WPG |
BAM Application Pool Account (suggested names: BamApp, srvc-bts-bam-ap) | Application pool account for BAMAppPool, which hosts the BAM Portal Web site. | IIS_WPG |
BizTalk Base EDI Service (suggested names: EDIService, srvc-bts-edi) | The service account used to run the BizTalk Base EDI service, which processes EDI documents. Important: the Base EDI adapter was deprecated in BizTalk Server 2006 R2. It can be used in upgrade scenarios, but for new installations of BizTalk Server, use the native EDI and AS2 functionality. | EDI Subsystem Users; In-Process BizTalk Host Groups hosting the Base EDI adapter |
BizTalk Administrator (suggested names: BTSAdm, usr-bts-admin) | User that needs to be able to configure and administer BizTalk Server. | BizTalk Server Administrators |
BizTalk Server Operator User (suggested names: BTSOperator, usr-bts-operator) | The user account that will monitor solutions. | BizTalk Server Operators |
BizTalk Server B2B Operator User (suggested names: BTSB2BOperator, usr-bts-b2b-operator) | The user account that will perform all party management operations. | BizTalk Server B2B Operators |
To create a new user follow these steps:
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- Select the OU created earlier: “BizTalk”. Right-click on the OU name and select New > User.
- Enter the first and last name and the user logon name of the new user. Press “Next”.
- Enter the password and password confirmation, make sure to select “Password never expires”, and press “Next”.
- Repeat all the steps for the remaining users.
Summary of users and Groups Affiliation
Group | Accounts |
--- | --- |
SSO Administrators | Enterprise Single Sign-On Service (suggested names: SsoService, srvc-bts-sso); Enterprise Single Sign-On Administrator (suggested names: SsoAdmin, usr-bts-sso-admin); BizTalk Server Administrators group |
SSO Affiliate Administrators | Single Sign-On Affiliate User (suggested names: SsoAffiliate, usr-bts-sso-affiliate) |
BizTalk Server Administrators | BizTalk Administrator (suggested names: BTSAdm, usr-bts-admin); your own user (suggestion) or sometimes Domain Admin |
BizTalk Server Operators | BizTalk Server Operator User (suggested names: BTSOperator, usr-bts-operator) |
BizTalk Server B2B Operators | BizTalk Server B2B Operator User (suggested names: BTSB2BOperator, usr-bts-b2b-operator) |
BizTalk Application Users | BizTalk Host Instance Account (suggested names: BTSHostService, srvc-bts-untrusted) |
BizTalk Isolated Host Users | BizTalk Isolated Host Instance Account (suggested names: BTSIsolatedHostService, srvc-bts-trusted) |
EDI Subsystem Users | BizTalk Base EDI Service (suggested names: EDIService, srvc-bts-edi) |
BAM Portal Users | The Everyone group is used for this role by default; Domain Users (suggestion) |
IIS_IUSRS Group | BizTalk Isolated Host Instance Account (suggested names: BTSIsolatedHostService, srvc-bts-trusted); BAM Management Web Service User (suggested names: BamWebService, srvc-bts-bam-ws, srvc-bts-bam); BAM Application Pool Account (suggested names: BamApp, srvc-bts-bam-ap) |
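The OU, group and user creation steps above, and the summary table's memberships, as one script. This is an added example and not code from the original post; it assumes the RSAT ActiveDirectory module, a domain administrator running it on a domain-joined machine, passwords entered interactively, and the host account names the author suggests in the comments below (srvc-bts-host-instance, srvc-bts-isolated-host) in place of srvc-bts-untrusted/srvc-bts-trusted.

```powershell
# Added example, not from the original post. Creates the "BizTalk" OU, the groups
# from the groups table and the accounts from the summary table, then applies the
# domain group memberships. Assumes the RSAT ActiveDirectory module and a domain
# administrator on a domain-joined machine; passwords are read interactively.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ouPath = "OU=BizTalk,$($domain.DistinguishedName)"

# Step 1: the OU, protected from accidental deletion as in the post
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'BizTalk'" -SearchBase $domain.DistinguishedName)) {
    New-ADOrganizationalUnit -Name "BizTalk" -Path $domain.DistinguishedName `
        -ProtectedFromAccidentalDeletion $true
}

# Step 2: global security groups (IIS_IUSRS is built in and is not created here)
$groups = @(
    "SSO Administrators", "SSO Affiliate Administrators", "BizTalk Server Administrators",
    "BizTalk Server Operators", "BizTalk Server B2B Operators", "BizTalk Application Users",
    "BizTalk Isolated Host Users", "EDI Subsystem Users", "BAM Portal Users",
    "BizTalk SharePoint Adapter Enabled Hosts"
)
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -SearchBase $ouPath)) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ouPath
    }
}

# Step 3: accounts and the domain group each belongs to (summary table).
# IIS_IUSRS is a local group, so those memberships are added on the IIS/BizTalk
# machine itself (e.g. net localgroup IIS_IUSRS <domain>\<account> /add).
$accounts = [ordered]@{
    "srvc-bts-sso"           = "SSO Administrators"
    "usr-bts-sso-admin"      = "SSO Administrators"
    "usr-bts-sso-affiliate"  = "SSO Affiliate Administrators"
    "usr-bts-admin"          = "BizTalk Server Administrators"
    "usr-bts-operator"       = "BizTalk Server Operators"
    "usr-bts-b2b-operator"   = "BizTalk Server B2B Operators"
    "srvc-bts-host-instance" = "BizTalk Application Users"   # author's later naming
    "srvc-bts-isolated-host" = "BizTalk Isolated Host Users" # author's later naming
    "srvc-bts-edi"           = "EDI Subsystem Users"
}
foreach ($name in $accounts.Keys) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        $password = Read-Host -AsSecureString "Password for $name"
        New-ADUser -Name $name -SamAccountName $name -Path $ouPath `
            -UserPrincipalName "$name@$($domain.DNSRoot)" `
            -AccountPassword $password -Enabled $true -PasswordNeverExpires $true
    }
    Add-ADGroupMember -Identity $accounts[$name] -Members $name
}

# Group-to-group memberships from the summary table
Add-ADGroupMember -Identity "SSO Administrators" -Members "BizTalk Server Administrators"
Add-ADGroupMember -Identity "BAM Portal Users" -Members "Domain Users"
```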
SQL Server Service Accounts
The following table lists the Windows service accounts used by SQL Server.
Note: these accounts must be created within the OU created earlier.
User | User Description |
--- | --- |
SQL Server Agent Service (suggested name: srvc-sql-agent) | The service account used to run SQL Server Agent. |
SQL Server Database Service (suggested name: srvc-sql-engine) | The service account used to run the SQL Server Database Engine. |
SQL Server Analysis Service (suggested name: srvc-sql-analysis) | The service account used to run SQL Server Analysis Services. |
SQL Server Reporting Service (suggested name: srvc-sql-reporting) | The service account used to run SQL Server Reporting Services. |
SQL Server Integration Service (suggested name: srvc-sql-integration) | The service account used to run SQL Server Integration Services. |
Alternatively, you can create a single domain account to run these services (for example sql-bts-service or srvc-sql-bts).
Depending on the selection you made while installing SQL Server, some or all of the following services will be installed on your server.
SQL Server Database Services:
- SQL Server Agent
- Analysis Services
- Reporting Services
- Integration Services
- SQL Server Browser
- Full-text search
- SQL Server Active Directory Helper
- SQL Writer
You can configure your SQL Server related services either during the setup or after the installation using the SQL Server Configuration Manager.
Types of startup accounts:
- Local User Account: This user account is created on the server where SQL Server is installed; it does not have access to network resources.
- Local Service Account: This is a built-in Windows account that is available for configuring services in Windows. It has the same permissions as members of the Users group, so it has limited access to the resources on the server. This account is not supported for the SQL Server and SQL Server Agent services.
- Local System Account: This is a built-in Windows account that is available for configuring services in Windows. It is a highly privileged account that has access to all resources on the server with administrator rights.
- Network Service Account: This is a built-in Windows account that is available for configuring services in Windows. It accesses resources on the network under the computer account.
- Domain Account: This account is part of your domain and has access to the network resources it is intended to have permission for. It is always advised to run SQL Server and related services under a domain account with the minimum privileges needed to run SQL Server and its related services.
Changing Service Accounts:
SQL Server service accounts can be configured either during installation or using the SQL Server Configuration Manager. The first option is part of the installation and is configured during the Instance Configuration step. I will walk you through changing a service account using SQL Server Configuration Manager.
- Start -> Programs -> Microsoft SQL Server 2008 -> Configuration Tools -> SQL Server Configuration Manager
- Highlight a service in the right pane and right-click to open its properties.
You can select one of the built-in accounts here; if instead you would like to use a local user account or a domain user account, choose the option “This account” to enable the credential fields and enter the credentials of a local or domain user account.
Remember that you will need to restart the SQL Server and related services for the new Service account to take effect.
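A check for the account types discussed above: this added script (not from the original post) lists the logon account of each SQL Server and BizTalk service on the local machine and flags services running under the built-in or local accounts that the post says are unsupported in a multi-computer environment. It assumes PowerShell 3.0 or later (Get-CimInstance) and is run locally on the SQL Server or BizTalk machine.

```powershell
# Added example, not from the original post. Reports which account each SQL Server
# and BizTalk service runs under and flags built-in or local (non-domain) accounts.
# Assumes PowerShell 3.0+ and local execution on the server being checked.
function Get-ServiceAccountReport {
    # Built-in identities as Win32_Service reports them in StartName
    $builtIn = @("LocalSystem", "NT AUTHORITY\LocalService", "NT AUTHORITY\NetworkService",
                 "NT AUTHORITY\LOCAL SERVICE", "NT AUTHORITY\NETWORK SERVICE")
    $computer = [regex]::Escape($env:COMPUTERNAME)

    # Service name patterns: SQL engine/agent/SSAS/SSRS/SSIS, BizTalk host
    # instances (BTSSvc$<host>), Enterprise SSO and the Rule Engine Update Service
    $patterns = "^MSSQL", "^SQLAgent", "^SQLSERVERAGENT$", "^MSSQLServerOLAPService$",
                "^ReportServer", "^MsDtsServer", "^BTSSvc", "^ENTSSO$", "^RuleEngineUpdateService$"

    Get-CimInstance Win32_Service |
        Where-Object { $n = $_.Name; $patterns | Where-Object { $n -match $_ } } |
        ForEach-Object {
            $acct = $_.StartName
            $isBuiltIn = $builtIn -contains $acct
            # ".\user" or "<computer>\user" is a local account, not a domain account
            $isLocal = (-not $isBuiltIn) -and ($acct -match '^\.\\' -or $acct -match "^$computer\\")
            [pscustomobject]@{
                Service   = $_.Name
                Account   = $acct
                StartMode = $_.StartMode
                Finding   = if ($isBuiltIn) { "built-in account: unsupported in multi-computer setup" }
                            elseif ($isLocal) { "local account: no access to the other machine" }
                            else { "domain account" }
            }
        }
}

Get-ServiceAccountReport | Format-Table -AutoSize
```

Run it on both the SQL Server and the BizTalk machine; every row should report "domain account" before you continue with the database configuration.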
References
- Windows Groups and User Accounts in BizTalk Server
- Part 3: BizTalk High Availability Server Environment – SQL & BizTalk Active Directory Accounts
- Installing BizTalk Server 2010 and BAM in a Multi-Computer Environment manual
- SQL Server Service accounts
Related Links
- Installing BizTalk Server 2010 in a Basic Multi-Computer Environment – Installation scenario (Part 1)
- Installing BizTalk Server 2010 in a Basic Multi-Computer Environment: Preparing Computers for Installation – Important considerations before setting up the servers (Part 3)
- Installing BizTalk Server 2010 in a Basic Multi-Computer Environment: Preparing and Install SQL Server 2008 R2 machine (Part 4)
- Installing BizTalk Server 2010 in a Basic Multi-Computer Environment: Preparing and install prerequisites on BizTalk Server 2010 machine (Part 5)
- Installing BizTalk Server 2010 in a Basic Multi-Computer Environment: Testing environment connectivity’s (Part 6)
- Installing BizTalk Server 2010 in a Basic Multi-Computer Environment: Install and configure BizTalk Server 2010 machine (Part 7)
I might be wrong, but I believe that the Isolated host is a non-trusted account, hence the isolated account name you have suggested (BTSIsolatedHostService – srvc-bts-trusted) should be (BTSIsolatedHostService – srvc-bts-untrusted).
Similarly, the other way round for BizTalk Application Users.
Hi Bharat,
Thanks for the feedback.
First of all, I fixed the format typo error in my blog. The idea was to give samples of a naming convention that you could use:
– BTSHostService
– srvc-bts-untrusted
But it wasn’t a best choice of naming and I will fix the post soon.
As you say: srvc-bts-trusted and srvc-bts-untrusted should be used for trusted or untrusted hosts. However, In-Process Hosts can be trusted or untrusted and the same occurs for Isolated hosts; they also can be defined as trusted or untrusted, so it is not black and white… you can use this naming convention to associate trusted or untrusted hosts, or you can use something like this:
– srvc-bts-host-instance
– srvc-bts-isolated-host
Hi Sandro .
Yes, it makes sense now.
Thanks for a wonderful post ! 🙂
Cheers
Bharat
Hi Sandro, thanks for the great detail in this series, it is really helpful. Can I just clarify a few points though:
I have been tasked with building and configuring a Biztalk 2013 multicomputer environment, so I am installing on a domain. My questions mainly relate to which user accounts/group accounts/service accounts I need to create and where to use them.
But also,
1) Does everything here also apply to Biztalk 2013, or just 2010?
2) We are not building in Azure- do I still need to consider SSO?
Hi Charlie… you can rely on this to install BizTalk Server 2013, with, of course, a few small differences. The last time I did this type of installation with 2013 I used this step-by-step combined with BizTalk 2013 Installation and Configuration – Important considerations before set up the server (Part 1) – http://sandroaspbiztalkblog.wordpress.com/2013/05/05/biztalk-2013-installation-and-configuration-important-considerations-before-set-up-the-server-part-1/
Users and groups are the same, except I think with the IIS_IUSRS Group.
And SSO is always needed. SSO has nothing to do with Azure.
A business process that relies on several different applications may have to cross several different security domains. Accessing an application on a Microsoft Windows system may require one set of security credentials, while accessing an application on an IBM mainframe may require different credentials, such as an RACF username and password. Dealing with this profusion of credentials is difficult for users, and it can be even harder for automated processes. To address this problem, BizTalk Server includes Enterprise Single Sign-On.
Cheers Sandro,
I appreciate the advice.
(I’ll probably be back here again soon) !
Hi,
As predicted, I return for further advice! 🙂
Thanks to the really good info in these blogs, I have installed and configured two of three BizTalk 2013 servers for a Test-Dev environment, with the first install being the SSO Master Secret Server. As mentioned, this is test-dev.
At a later point I will install and configure BizTalk 2013 for some production servers.
This will all be in one domain.
I assume that only one Master Secret Server can exist on a domain?
Today, I realise that having the SSO Master Secret Server on test-dev machine will not be ideal, due to testing and reboots.. etc… impacting on those trying to logon to a production server.
Now is the best time for me to make changes to which server is configured as SSO Master Secret Server.
What would you suggest?
Thanks,
Charlie
Hi Sandro,
Seeking your help to give a time frame. We are currently migrating BizTalk to a new server with the same version, BTS2009. Could you please provide approximately how much time it will take to finish the migration?