The other day I was able to convince my client to use BAM, for the first time, for tracking and monitoring specific processes. As I anticipated, one hour of work had a major (positive) impact on the people responsible for these tasks in the organization.
However, after I deployed my BAM Definition and tracking profile in the production environment, and everything was working well, i.e., processes were running successfully and data was being tracked (I was able to see the tracking data in the database)…
If you don’t know, and contrary to what I also thought, the only user that always has access to a view, and that cannot be added to or removed from the view(s), is the Database Owner (BAMPrimaryImport). So the user that deployed this BAM Definition does not necessarily have access to this particular view in the BAM Portal!
In this particular case I am also the Database Owner, but when I tried to access the BAM Portal, access was constantly denied and I was always prompted for my credentials when browsing to it… even when I gave another domain user access to this view and tested with those credentials, the problem remained.
After examining the Event Viewer logs, I found this information message:
With the following details:
Event code: 4007
Event message: URL authorization failed for the request.
Event time: 23-04-2013 15:55:52
Event time (UTC): 23-04-2013 14:55:52
Event ID: 053c6e752b6a4de8ae400a9a9d7d26b1
Event sequence: 10
Event occurrence: 9
Event detail code: 0
Application domain: /LM/W3SVC/1/ROOT/BAM-1-130112015742350508
Trust level: BAMPortal_Minimal
Application Virtual Path: /BAM
Application Path: D:\Program Files (x86)\Microsoft BizTalk Server 2010\BAMPortal\
Machine name: MyMachine
Process ID: 9560
Process name: w3wp.exe
Account name: DOMAIN\bts-bam-ap
Request URL: http://localhost/BAM
Request path: /BAM
User host address: 192.168.***.***
Is authenticated: True
Authentication Type: Negotiate
Thread account name: DOMAIN\MYUSER
Custom event details:
Well, unfortunately, this problem or similar problems can happen for many reasons:
Fortunately for me, I have an E2E test environment, an almost exact replica of PROD, which was working well and which I could compare against to find the problem.
One thing I was sure of: I had permission problems!
The first thing was to analyze the basic settings of the application pool, like credentials, .NET version and so on… however, everything was properly configured and identical to the test environment.
After a few minutes, I remembered the basics… if you remember the BizTalk configuration experience, you use the BizTalk Server Configuration tool to specify whether BAM is enabled, and to specify the Web service accounts, the Windows groups that can view the portal, and the Web site that will host the portal.
You can also see this in the “.NET Authorization Rules” under the BAM website:
Following the principle of least privilege, user accounts should have restrictive permissions to perform routine tasks in the BAM Portal. BizTalk BAM Portal Users is the group (at least for me; this may change according to your configuration) where you define the users or groups that can access the BAM Portal Web site.
In my case, after checking in AD, there was no one configured to have access to the BAM Portal.
To solve this problem you have to configure the users or groups that you want to have access to the BAM Portal under the “BizTalk BAM Portal Users” group in your Active Directory.
After this operation, everything started working fine! Exactly as it should.
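As an added diagnostic (not part of the original post), the following PowerShell gathers the things checked above in one pass: the ASP.NET event code 4007 entries in the Application log, the .NET authorization rules in the portal's web.config, the direct members of the “BizTalk BAM Portal Users” group in AD, and whether the current logon token actually carries the allowed roles. It assumes web.config sits in the Application Path shown in the event details and that the portal group name is the one configured in your environment.

```powershell
# Added diagnostic, not the post's or Microsoft's code.
# Assumed: web.config is in the BAMPortal Application Path from the event details,
# and the portal group is the one BizTalk Configuration was pointed at.
$bamWebConfig = 'D:\Program Files (x86)\Microsoft BizTalk Server 2010\BAMPortal\web.config'
$portalGroup  = 'BizTalk BAM Portal Users'

# 1. Recent "URL authorization failed" (event code 4007) entries, with the account that was refused
Get-WinEvent -LogName Application -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Event code:\s*4007' } |
    Select-Object TimeCreated,
        @{ n = 'ThreadAccount'; e = { [regex]::Match($_.Message, 'Thread account name:\s*(\S+)').Groups[1].Value } },
        @{ n = 'RequestUrl';    e = { [regex]::Match($_.Message, 'Request URL:\s*(\S+)').Groups[1].Value } } |
    Format-Table -AutoSize

# 2. The rules IIS Manager shows under ".NET Authorization Rules" for the BAM application
[xml]$cfg = Get-Content -LiteralPath $bamWebConfig
$rules = $cfg.configuration.'system.web'.authorization.ChildNodes |
    Where-Object { $_.NodeType -eq 'Element' }
foreach ($r in $rules) {
    "{0,-5} users='{1}' roles='{2}'" -f $r.Name, $r.users, $r.roles
}

# 3. Direct members of the portal group in AD (nested group members are not expanded here)
$searcher = [adsisearcher]"(&(objectCategory=group)(cn=$portalGroup))"
$group = $searcher.FindOne()
if (-not $group) {
    "Group '$portalGroup' was not found in AD."
} elseif ($group.Properties['member'].Count -eq 0) {
    "Group '$portalGroup' exists but has no members: nobody can pass the portal's authorization rule."
} else {
    "Direct members of '$portalGroup':"
    $group.Properties['member'] | ForEach-Object { "  $_" }
}

# 4. URL authorization evaluates the caller's logon token, so a user added to the group
#    only passes after a fresh logon. Compare the allowed roles with the current token.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myGroups = $id.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
}
$allowedRoles = $rules | Where-Object { $_.Name -eq 'allow' -and $_.roles } |
    ForEach-Object { $_.roles -split ',' } | ForEach-Object { $_.Trim() }
foreach ($role in $allowedRoles) {
    $inToken = $myGroups -contains $role
    "{0} is {1}present in the current logon token" -f $role, $(if ($inToken) { '' } else { 'NOT ' })
}
```

Run it on the BizTalk server as the account that is being refused: if step 2 lists an allow rule for a role that step 4 reports as absent, the fix is the group membership (followed by a new logon), not the application pool settings.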