BizTalk BAM Portal URL authorization failed for the request (Event code 4007)

  • Sandro Pereira
  • Apr 26, 2013

Yesterday I was able to convince my client to use, for the first time, BAM for tracking and monitoring of specific processes. As I anticipated, 1 hour of work resulted in a major impact (for the better) on the people responsible for these tasks in the organization.

However, after I deployed my BAM Definition and tracking profile in a production environment and everything was working well, i.e., processes were running successfully, and data was being tracked (I was able to see the tracking data in the database)…

📝 One-Minute Brief

Encountering Event Code 4007 in the BizTalk BAM Portal? This error, “URL authorization failed for the request,” typically occurs when the current user or group is missing from the required Active Directory group or IIS Authorization Rules. Learn how to verify your BAM Portal user group settings and fix access denied issues even when you are the database owner.

In case you don’t know, and contrary to what I also thought, the only user that always has access to the view, and that cannot be added to or removed from the view(s), is the Database Owner (BAMPrimaryImport). So the user who deployed this BAM Definition doesn’t necessarily have access to this particular view in the BAM Portal!

In this particular case, I’m also the Database Owner, but when I tried to access the BAM Portal, access was constantly denied and I was always asked to enter my credentials when browsing to it… Even when I gave another domain user access to this view and tested with those credentials, the problem remained.

After examining the event logs, I found this information message:

[Screenshot: BAM Web Event Information]

With the following details:

Event code: 4007
Event message: URL authorization failed for the request.
Event time: 23-04-2013 15:55:52
Event time (UTC): 23-04-2013 14:55:52
Event ID: 053c6e752b6a4de8ae400a9a9d7d26b1
Event sequence: 10
Event occurrence: 9
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/1/ROOT/BAM-1-130112015742350508
Trust level: BAMPortal_Minimal
Application Virtual Path: /BAM
Application Path: D:\Program Files (x86)\Microsoft BizTalk Server 2010\BAMPortal\
Machine name: MyMachine

Process information:
Process ID: 9560
Process name: w3wp.exe
Account name: DOMAIN\bts-bam-ap

Request information:
Request URL: http://localhost/BAM
Request path: /BAM
User host address: 192.168.***.***
User: DOMAIN\MYUSER
Is authenticated: True
Authentication Type: Negotiate
Thread account name: DOMAIN\MYUSER

Custom event details:

Cause

Well, unfortunately, this problem or similar problems can happen for many reasons:

Fortunately for me, I have an E2E test environment, an almost exact replica of PROD in which the portal was working well, that I could compare against to see what the problem was.

One thing I was sure of: I had permission problems!

The first thing was to analyze the basic settings of the application pool, like credentials or .NET version, and so on… However, everything was properly configured and equal to the test environment.

After a few minutes, I remembered the basics… if you remember the BizTalk Configuration experience, you use the BizTalk Server configuration tool to specify whether BAM is enabled, and to specify the Web service accounts, the Windows groups that can view the portal, and the Web site that will host the portal.

[Screenshot: BAM Portal Configuration]

You can also see these settings in “.NET Authorization Rules” under the BAM website:

[Screenshot: BAM IIS .NET Authorization Rules]

Following the principle of least privilege, user accounts should have only the restrictive permissions needed to perform routine tasks in the BAM Portal. For me, the group is “BizTalk BAM Portal Users” (this may differ depending on your configuration); it is where you define the users or groups that can access the BAM Portal website.

Solution

In my case, after checking in AD, there was no one configured to have access to the BAM Portal.

To solve this problem, you have to configure the users or groups that you want to have access to the BAM Portal under the “BizTalk BAM Portal Users” in your Active Directory.

After this operation, everything started working fine! Exactly as it should.
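
An added sketch (not code from the original post or from BizTalk) of how ASP.NET URL authorization evaluates the rules listed under “.NET Authorization Rules”: rules are checked in order and the first match wins, so an authenticated user who belongs to none of the allowed groups falls through to the deny rule, which is what event 4007 records. The web.config fragment, including the deny-all rule, is a constructed assumption; compare it with the rules on your own BAM site.

```python
import xml.etree.ElementTree as ET

# Constructed sample (assumption): an <authorization> section as IIS lists it
# under ".NET Authorization Rules". Group name taken from the article.
SAMPLE_WEB_CONFIG = r"""
<configuration>
  <system.web>
    <authorization>
      <allow roles="DOMAIN\BizTalk BAM Portal Users" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
"""


def _names(value):
    """Split a comma-separated users/roles attribute into lowercase names."""
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}


def evaluate(web_config_xml, user, groups, authenticated=True):
    """Return (allowed, attributes_of_matching_rule); first matching rule wins."""
    section = ET.fromstring(web_config_xml).find("system.web/authorization")
    user_l = user.lower()
    groups_l = {g.lower() for g in groups}
    for rule in (section if section is not None else []):
        if rule.tag not in ("allow", "deny"):
            continue
        users, roles = _names(rule.get("users")), _names(rule.get("roles"))
        hit = (
            "*" in users                                # every user
            or ("?" in users and not authenticated)     # anonymous only
            or (authenticated and user_l in users)      # named user
            or (authenticated and bool(roles & groups_l))  # group membership
        )
        if hit:
            return rule.tag == "allow", dict(rule.attrib)
    # No explicit rule matched: the inherited default allows all users.
    return True, {}


if __name__ == "__main__":
    user = r"DOMAIN\MYUSER"  # the authenticated user from the 4007 event
    # Empty AD group: nobody matches the allow rule, so deny users="*" applies.
    print(evaluate(SAMPLE_WEB_CONFIG, user, groups=[]))
    # After adding the user to the group, the allow rule matches first.
    print(evaluate(SAMPLE_WEB_CONFIG, user, [r"DOMAIN\BizTalk BAM Portal Users"]))
```

Being the owner of the BAMPrimaryImport database plays no part in this evaluation, which is why the portal kept prompting for credentials until the AD group had members.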

Hope you find this helpful!