BizTalk – AD Groups and Users

When BizTalk Server and SQL Server are installed on different machines, you must manually add the right Groups and Users to your Active Directory. This post describes how to do this and suggests the Groups and Users you will need.

In our lab environment, this is done on the domain controller (DC) my-dc01, which has Active Directory Users and Computers installed.

Prerequisites

This post assumes that you already have a Windows Failover Cluster with a clustered SQL instance (SQL Server installation). You can follow the series of blog posts about how to create it here:



Create dedicated OU for BizTalk

A good idea is to create a dedicated OU (folder in the AD) for BizTalk. Open Active Directory Users and Computers on the server that is promoted to Domain Controller, then right click in the right pane:

AD OU BizTalk

Name the OU (folder); it will show up in the left pane:

Note! Make sure to check Protect container from accidental deletion.

Create OU



How to Create a Group in OU

Click on the newly created OU and then right click in the right pane:

OU Group

Give the group a name:

New Group OU

Info. Two people in the icon means the entry is a group; a single person means it is a user.



How to Create User in OU

Select the OU and right click in the right pane; this time choose User:

AD OU User BizTalk

Enter the user data:

Create user in OU

Set a password for the user:

password user

Confirmation:

Created User

Right click the user to set its properties:

User properties OU

Under the Member Of tab you can set which groups the user belongs to:

member of user

Info. You can also put groups in other groups.



Table of all Groups for BizTalk

Note! Create everything in the BizTalk OU.

Note! You can skip the ‘SQL Server Role’ / [database] column for now. It lists which SQL roles will be created in each database on the SQL Server for each entity in the AD OU: the ‘SQL Server Role’ is in quotes and the name of the [database] is in brackets. The BizTalk Configuration Application creates these roles and databases when we install BizTalk.

BizTalk Groups (Group Name / Members / Description / ‘SQL Server Role’ in [database]):

SSO Administrators
  Members:
    • srvc-bts-sso
    • BizTalk Server Administrators
  Description: Administrator of the Enterprise Single Sign-On (SSO) service.
  SQL Server roles:
    • ‘db_owner’ in [SSODB]
    • ‘securityadmin’ on the SQL Server instance where SSODB is installed

SSO Affiliate Administrators
  Members:
    • BizTalk Server Administrators
    • BizTalk Application Users (if SSO is configured in a pipeline)*
  Description: Administrators of certain SSO affiliate applications. Can create/delete SSO affiliate applications, administer user mappings, and set credentials for affiliate application users.

BizTalk Server Administrators
  Members:
    • usr-bts-admin
    • srvc-bts-admin
  Description: Can deploy solutions, manage applications, and resolve message processing issues. To perform administrative tasks for adapters, receive and send handlers, and receive locations, BizTalk Server Administrators must also be added to SSO Affiliate Administrators.
  SQL Server roles:
    • ‘BTS_ADMIN_USERS’ in [BizTalkMgmtDb], [BizTalkMsgBoxDb], [BizTalkRuleEngineDb], [BizTalkDTADb], [BAMPrimaryImport]
    • ‘db_owner’ in [BAMStarSchema], [BAMPrimaryImport], [BAMArchive], [BAMAlertsApplication], [BAMAlertsNSMain]
    • ‘NSAdmin’ in [BAMAlertsApplication], [BAMAlertsNSMain]
    • ‘OLAP Administrators’ in [BAMAnalysis OLAP DB]

BizTalk Server Operators
  Description: A low-privilege role with access only to monitoring and troubleshooting actions.
  SQL Server roles:
    • ‘BTS_OPERATORS’ in [BizTalkDTADb], [BizTalkEDIDb], [BizTalkMgmtDb], [BizTalkMsgBoxDb], [BizTalkRuleEngineDb]

BizTalk Server B2B Operators
  Description: Contains users that must be able to configure and administer BizTalk Server TPM (trading partner management) data and monitor solutions.
  SQL Server roles:
    • ‘BTS_OPERATORS’ in [BizTalkDTADb], [BizTalkEDIDb], [BizTalkMgmtDb], [BizTalkMsgBoxDb], [BizTalkRuleEngineDb]

BizTalk Application Users
  Members:
    • srvc-bts-host
    • SSO Affiliate Administrators (if SSO is configured in a pipeline)
  Description: The default name of the first In-Process BizTalk Host Group created by Configuration Manager. Service accounts for In-Process host instances.
  SQL Server roles:
    • ‘BTS_HOST_USER’ in [BizTalkMgmtDb], [BizTalkMsgBoxDb], [BizTalkRuleEngineDb], [BizTalkDTADb], [BAMPrimaryImport]
    • ‘BAM_EVENT_WRITER’ in [BAMPrimaryImport]

BizTalk Isolated Host Users
  Members:
    • srvc-bts-isol-host
    • SSO Affiliate Administrators (if SSO is configured in a pipeline)
  Description: The default name of the first Isolated BizTalk Host Group created by Configuration Manager. For isolated BizTalk hosts that do not run inside BizTalk Server, such as HTTP and SOAP.
  SQL Server roles:
    • ‘BTS_HOST_USER’ in [BizTalkMgmtDb], [BizTalkMsgBoxDb], [BizTalkRuleEngineDb], [BizTalkDTADb], [BAMPrimaryImport]

BAM Portal Users
  Members:
    • The Everyone group is used by default
  Description: (Optional group) Has access to the BAM Portal web site. Only required if you install/use BAM. The Everyone group is used for this role by default. Contains no service accounts.

*Pipelines in BizTalk can be configured to use SSO functionality. In those cases the BizTalk Application Users need access to SSO. Simply put the group BizTalk Application Users into the group SSO Affiliate Administrators.



Special Groups

Note! These groups are special cases!

BizTalk Special Groups (Group Name / Members / Description):

IIS_IUSRS
  Members:
    • srvc-bts-isol-host
    • srvs-bts-bam
    • srvc-bts-bam-app
  Description: This group is a built-in group in AD. Find it under the Builtin OU (folder in AD).

IIS_WPG
  Members:
    • srvc-bts-isol-host
    • srvs-bts-bam
    • srvc-bts-bam-app
  Description: Only create this group if you are going to use Microsoft BizTalk Accelerator for RosettaNet.



Table of all Users for BizTalk

Note! Create the Users in the same OU as the Groups – BizTalk.

Users in BizTalk Server (User / Member of / Description / ‘SQL Server Role’ in [database]):

usr-bts-admin
  Member of: BizTalk Server Administrators
  Description: The user who needs to be able to configure and administer BizTalk Server. This is a general account for configuring BizTalk Server.

srvc-bts-admin
  Member of: BizTalk Server Administrators
  Description: Account used for installing and configuring BizTalk.* You must be logged in with this account to install BizTalk.

srvc-bts-sso
  Member of: SSO Administrators
  Description: Service account used to run the Enterprise Single Sign-On Service, which accesses the SSO database. User account for the SSO Administrator.

srvc-bts-host
  Member of: BizTalk Application Users
  Description: Service account used to run the BizTalk In-Process host instance, with access to the In-Process BizTalk host instance (BTNTSVC).

srvc-bts-isol-host
  Member of:
    • IIS_IUSRS
    • IIS_WPG (optional, for RosettaNet)
  Description: Service account used to run the BizTalk Isolated host instance (HTTP/SOAP).

srvc-bts-rule-engine
  Description: (Optional, only if you use the Business Rule Engine) Service account used to run the Rule Engine Update Service, which receives notifications of policy deployment/undeployment from the Rule Engine database.
  SQL Server roles:
    • ‘RE_HOST_USER’ in [BizTalkRuleEngineDb]

srvc-bts-bam-alerts
  Description: (Optional, required if you use BAM Alerts) Service account used to run BAM Notification Services, which accesses the BAM databases. Note! This account was previously known as BAM Notification Services User.
  SQL Server roles:
    • ‘NSRunService’ in [BAMAlertsApplication], [BAMAlertsNSMain]
    • ‘BAM_ManagementNSReader’ in [BAMPrimaryImport]

srvs-bts-bam
  Member of:
    • IIS_IUSRS
    • IIS_WPG (optional, for RosettaNet)
  Description: (Optional, required for the BAM Portal) User account for the BAM Management Web service (BAMManagementService) to access various BAM resources. The BAM Portal calls BAMManagementService with the credentials of the user logged on to the BAM Portal to manage alerts and to get BAM definition XML and BAM views.

srvc-bts-bam-app
  Member of:
    • IIS_IUSRS
    • IIS_WPG (optional, for RosettaNet)
  Description: (Optional, only required if you configure/use the BAM Portal) Application pool account for BAMAppPool, which hosts the BAM Portal web site.
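The clicking described in the "Create dedicated OU", "How to Create a Group in OU" and "How to Create User in OU" sections, applied to every entry in the group and user tables above, is a lot of repetitive work and easy to get wrong (a missed membership or an OU without deletion protection is hard to spot afterwards). The script below is an added example, not code from the original post: it builds the BizTalk OU, the groups, the users and the memberships with the ActiveDirectory PowerShell module and prints the resulting membership so it can be compared with the tables. Assumed: it runs on the domain controller (or a machine with RSAT) as an account allowed to create objects, and the OU is named BizTalk as the post prescribes. Group and user names come straight from the tables; the built-in IIS_IUSRS group is only populated, and the RosettaNet-only IIS_WPG group is not created.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post): create the BizTalk OU, groups,
# users and memberships listed in the tables. Assumption: run on the DC (or
# with RSAT) as an account that may create objects in the domain.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName            # e.g. DC=lab,DC=local
$ouName   = 'BizTalk'                                   # OU name used by the post
$ouDn     = "OU=$ouName,$domainDn"

# 1. Dedicated OU, protected from accidental deletion (the post's "Note!").
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Groups from "Table of all Groups for BizTalk". IIS_IUSRS is built in and
#    IIS_WPG is only for the RosettaNet accelerator, so neither is created here.
$groups = @(
    'SSO Administrators', 'SSO Affiliate Administrators', 'BizTalk Server Administrators',
    'BizTalk Server Operators', 'BizTalk Server B2B Operators', 'BizTalk Application Users',
    'BizTalk Isolated Host Users', 'BAM Portal Users'
)
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -SearchBase $ouDn)) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ouDn
    }
}

# 3. Users from "Table of all Users for BizTalk" and "BizTalk Users for SQL".
#    Each gets a random initial password that is never displayed; set the real
#    password from your password vault before a service is started with it.
$users = @(
    'usr-bts-admin', 'srvc-bts-admin', 'srvc-bts-sso', 'srvc-bts-host', 'srvc-bts-isol-host',
    'srvc-bts-rule-engine', 'srvc-bts-bam-alerts', 'srvs-bts-bam', 'srvc-bts-bam-app',
    'srvc-sql-agent', 'srvc-sql-engine', 'srvc-sql-reporting', 'srvc-sql-integration'
)
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
foreach ($u in $users) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$u'")) {
        $bytes = New-Object byte[] 24
        $rng.GetBytes($bytes)
        $initialPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        New-ADUser -Name $u -SamAccountName $u -Path $ouDn -AccountPassword $initialPassword -Enabled $true
    }
}

# 4. Memberships exactly as the tables list them. The two "if SSO is configured
#    in a pipeline" entries are left out; add them only when a pipeline uses SSO.
$membership = @{
    'SSO Administrators'            = @('srvc-bts-sso', 'BizTalk Server Administrators')
    'SSO Affiliate Administrators'  = @('BizTalk Server Administrators')
    'BizTalk Server Administrators' = @('usr-bts-admin', 'srvc-bts-admin')
    'BizTalk Application Users'     = @('srvc-bts-host')
    'BizTalk Isolated Host Users'   = @('srvc-bts-isol-host')
    'IIS_IUSRS'                     = @('srvc-bts-isol-host', 'srvs-bts-bam', 'srvc-bts-bam-app')
}
foreach ($g in $membership.Keys) {
    # Idempotent: Add-ADGroupMember errors on an account that is already a member.
    $current = @(Get-ADGroupMember -Identity $g | Select-Object -ExpandProperty SamAccountName)
    $missing = @($membership[$g] | Where-Object { $_ -notin $current })
    if ($missing.Count -gt 0) { Add-ADGroupMember -Identity $g -Members $missing }
}

# 5. Print the result so it can be checked against the tables and kept as a record.
foreach ($g in $membership.Keys) {
    $members = Get-ADGroupMember -Identity $g | Select-Object -ExpandProperty SamAccountName
    '{0}: {1}' -f $g, ($members -join ', ')
}
```

Running the script a second time changes nothing, so step 5 doubles as a quick check that nobody has added or removed members since the OU was built; a difference between its output and the tables is worth investigating before BizTalk is configured against these groups.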



BizTalk Users for SQL

Note! These accounts must be created in the same OU – BizTalk.

Info. If your organization allows it, you can use one generic account for all these functions, e.g. srvc-sql-bts.

BizTalk SQL Accounts (User / Description):
  • srvc-sql-agent: Service Account – SQL Server Agent
  • srvc-sql-engine: Service Account – SQL Server Database
  • srvc-sql-reporting: Service Account – SQL Server Analysis
  • srvc-sql-integration: Service Account – SQL Server Integration
  • srvc-sql-bts: Optional – use only this account for all service settings. In that case use it for:
      • SQL Server Agent
      • SQL Server Database
      • SQL Server Analysis
      • SQL Server Integration



Overview Groups and Users

Here are all the groups and users:

all users and groups in AD



How to add Logins to SQL Server

You want your SQL service account (e.g. srvc-sql-bts) to appear in the Logins folder of the SQL Server instance:

SQL login

Once you have the logins, you can administer them in SQL Server: add roles, etc.



How to add sysadmin for SQL Server

Here is one example of how to add a group or account as sysadmin in SQL Server:

add sysadmin
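The two steps shown in the screenshots (creating Windows logins for the BizTalk groups and service account, then adding one principal to sysadmin) can also be done from PowerShell, which leaves a reviewable record of exactly which principals were granted what. The script below is an added example, not the post's own procedure; it uses Invoke-Sqlcmd from the SqlServer module and the ALTER SERVER ROLE syntax of SQL Server 2012 and later. The NetBIOS domain name LAB and the instance name sql-bts-cluster\BTS are assumptions to replace with your own; the login names are the ones from the tables above, and srvc-bts-admin is chosen as the sysadmin candidate because the post installs BizTalk with it. The ‘securityadmin’ grant to SSO Administrators is the one the groups table lists for the SSO database server.

```powershell
#Requires -Modules SqlServer
# Added example (not from the original post): create Windows logins for the
# BizTalk groups and the SQL service account, grant the server roles the tables
# call for, and list the sysadmin members afterwards. Assumptions: SqlServer
# module installed, SQL Server 2012 or later, caller is already sysadmin,
# domain "LAB" and instance "sql-bts-cluster\BTS" are placeholders.
Import-Module SqlServer

$domain   = 'LAB'                       # assumption: NetBIOS domain name
$instance = 'sql-bts-cluster\BTS'       # assumption: clustered SQL instance
$logins   = @('srvc-sql-bts', 'SSO Administrators', 'BizTalk Server Administrators',
              'BizTalk Application Users', 'BizTalk Isolated Host Users')
$sysadmin = 'srvc-bts-admin'            # the account the post installs BizTalk with

# Bracket-quote an identifier so a name containing ']' cannot break out of it.
function Get-QuotedIdentifier([string]$Name) { '[' + $Name.Replace(']', ']]') + ']' }

function Add-WindowsLogin {
    param([string]$Instance, [string]$Principal)
    $quoted  = Get-QuotedIdentifier $Principal
    $literal = $Principal.Replace("'", "''")
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$literal')
    CREATE LOGIN $quoted FROM WINDOWS;
"@
    Invoke-Sqlcmd -ServerInstance $Instance -Query $sql
}

function Add-ServerRoleMember {
    param([string]$Instance, [string]$Role, [string]$Principal)
    $sql = 'ALTER SERVER ROLE {0} ADD MEMBER {1};' -f (Get-QuotedIdentifier $Role), (Get-QuotedIdentifier $Principal)
    Invoke-Sqlcmd -ServerInstance $Instance -Query $sql
}

# 1. Logins (the "SQL login" screenshot).
foreach ($name in $logins) {
    Add-WindowsLogin -Instance $instance -Principal "$domain\$name"
}

# 2. Server roles: sysadmin for the configuration account (the "add sysadmin"
#    screenshot) and securityadmin for SSO Administrators, as the groups table lists.
Add-ServerRoleMember -Instance $instance -Role 'sysadmin'     -Principal "$domain\$sysadmin"
Add-ServerRoleMember -Instance $instance -Role 'securityadmin' -Principal "$domain\SSO Administrators"

# 3. Show who holds sysadmin now, so the grant can be reviewed and logged.
Invoke-Sqlcmd -ServerInstance $instance -Query @"
SELECT m.name AS member, m.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
"@
```

The final query is the useful part to keep around: run it after BizTalk configuration as well, and compare the sysadmin list with what you expected from the tables, since every member of that role can read and change every BizTalk database.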



How to change SQL Service Accounts

Here is one example of how to change a service account in SQL Server.

Note that you have to open the SQL Server Configuration Manager.

SQL Service accounts

Info. You should change the Start Mode of SQL Server Agent from the default Manual to Automatic.
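The reason the post insists on SQL Server Configuration Manager rather than services.msc is that Configuration Manager goes through the SQL Server WMI provider, which also fixes up the file and registry permissions the new account needs. The script below is an added example, not from the original post: it makes the same change (service account of SQL Server Agent, then Start Mode Manual to Automatic, as the "Info" above says) through that same WMI provider using the SMO ManagedComputer class. Assumptions: the SqlServer PowerShell module is installed and provides the Microsoft.SqlServer.SqlWmiManagement assembly (older installs can load it with Add-Type instead), the instance is a default instance on the node sql-node01, the account is LAB\srvc-sql-agent from the "BizTalk Users for SQL" table, and the script runs with local administrator rights on that node.

```powershell
#Requires -Modules SqlServer
# Added example (not from the original post): change the SQL Server Agent
# service account and start mode through the SQL Server WMI provider, the same
# path SQL Server Configuration Manager uses. Assumptions: SqlServer module
# present (it carries the SMO WMI assembly), default instance, local admin on
# the node; host, domain and account names are placeholders.
Import-Module SqlServer

$computer    = 'sql-node01'            # assumption: node that runs the instance
$serviceName = 'SQLSERVERAGENT'        # default instance; a named instance is 'SQLAgent$<Instance>'
$account     = 'LAB\srvc-sql-agent'    # from the "BizTalk Users for SQL" table
$password    = Read-Host -Prompt "Password for $account" -AsSecureString

$wmi = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer $computer
$svc = $wmi.Services[$serviceName]
if (-not $svc) { throw "Service $serviceName not found on $computer" }

# SetServiceAccount needs the password in clear text only for the call itself;
# decode it as late as possible and zero the buffer immediately afterwards.
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
try {
    $svc.SetServiceAccount($account, [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
} finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# The post's "Info": SQL Server Agent should start automatically, not manually.
$svc.StartMode = [Microsoft.SqlServer.Management.Smo.Wmi.ServiceStartMode]::Auto
$svc.Alter()

# Read the settings back for the change record.
$svc.Refresh()
[pscustomobject]@{
    Service   = $svc.Name
    Account   = $svc.ServiceAccount
    StartMode = $svc.StartMode
    State     = $svc.ServiceState
}
```

As with Configuration Manager, the new account is only used after the service restarts, so plan the restart (and, on a cluster, do it through the cluster role) rather than assuming the change is live when the script returns.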




