Users often put the BizTalk Host Instance accounts in Administrators, SSO Admins and so on just to make things easier. But when they try to grant the minimum account access, the Host Group account never seems right: it can't start, can't retrieve credentials for remote services from SSO, logs SSO events in the Event Log, and so on. Recently I traced the SQL statements and the code and realized that the host instances were calling an administrative API in SSO during startup, and that this call was failing. Specifically, the BizTalk Host Instances call ISSOConfigStore::GetConfigInfo, and that interface requires the calling account to be a member of the SSO Affiliate Administrators group. That requirement has historically been missing from the documentation, but has recently been corrected thanks to the hard work of the documentation team.
How did we end up here?
My theory is that this call was not needed in earlier builds of BizTalk Server; it was added over time and didn't get caught because most installations tend to give the Host Instance accounts too many rights.
After reading the SSO documentation I could see why this was needed; it is pretty evident that it requires elevated privileges. See Using Enterprise Single Sign-On Tools and APIs, and specifically the ISSOConfigStore Interface, which is described as:
Provides administration functions for the Enterprise Single Sign-On (SSO) configuration store.
How can you tell you are impacted by this?
Here is the Event Log Warning showing the ISSOService::GetConfigInfo Error that you will see when this is not configured correctly:
SSO AUDIT
Function: GetConfigInfo ({62599773-0329-4EFC-B344-COB90D617FAID})
Tracking ID: edi53e5c-dOc2-417d-bbd3-02177f9cOdbf
Client Computer: SomeCoolPRODComputer.Domain.AD
(wmiprvse.exe:4468)
Client User: DOM\btshost-inst
During my troubleshooting, I added the Host Groups for the accounts to the SSO Affiliate Administrators group to demonstrate the relationship and the requirement. Using this workaround (I didn't have direct access to the SSO groups in the domain) allowed me to confirm my theory.
Where are we today?
After collaboration with the Documentation Team, the online documentation has been updated at: Windows Groups and User Accounts in BizTalk Server
The documentation now says the following:
| User | User Description | Group Affiliation |
|---|---|---|
| Enterprise Single Sign-On Service | Service account used to run the Enterprise Single Sign-On Service, which accesses the SSO database. | SSO Administrators |
| BizTalk Host Instance Account | Service account used to run the BizTalk In-Process host instance (BTNTSVC). | BizTalk Application Users; SSO Affiliate Administrators |
| BizTalk Isolated Host Instance Account | Service account used to run the BizTalk Isolated host instance (HTTP/SOAP). | BizTalk Isolated Host Users; SSO Affiliate Administrators; IIS_WPG |
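To check a server against the groups in that table and surface the SSO AUDIT warnings described earlier, here is an added PowerShell check (my own example, not code from the post or from the BizTalk product). It assumes the BizTalk WMI provider is installed locally, the ActiveDirectory (RSAT) module is available, and that the SSO service writes to the Application log under the provider name ENTSSO; IIS_WPG is a local group and is not checked.

```powershell
# Added example (not from the original post): verifies each BizTalk host instance logon
# account against the documented domain groups and lists recent SSO GetConfigInfo warnings.
# Assumptions: BizTalk WMI provider present, ActiveDirectory module available,
# SSO service logs as provider 'ENTSSO' in the Application log.

# Required domain groups per host type. MSBTS_HostInstance.HostType: 1 = In-Process, 2 = Isolated.
$requiredGroups = @{
    1 = @('BizTalk Application Users',  'SSO Affiliate Administrators')
    2 = @('BizTalk Isolated Host Users', 'SSO Affiliate Administrators')
}

function Test-GroupMembership {
    param([string]$SamAccountName, [string]$GroupName)
    # -Recursive so a host group nested inside the SSO group (the workaround above) counts.
    $members = Get-ADGroupMember -Identity $GroupName -Recursive -ErrorAction Stop
    return [bool]($members | Where-Object { $_.SamAccountName -eq $SamAccountName })
}

function Test-HostInstanceGroups {
    Get-WmiObject -Namespace 'root\MicrosoftBizTalkServer' -Class MSBTS_HostInstance |
        ForEach-Object {
            $logon = $_.Logon                      # e.g. DOM\btshost-inst
            $sam   = ($logon -split '\\')[-1]      # strip the domain prefix
            foreach ($group in $requiredGroups[[int]$_.HostType]) {
                [pscustomobject]@{
                    HostInstance = $_.HostName
                    Logon        = $logon
                    Group        = $group
                    IsMember     = Test-GroupMembership -SamAccountName $sam -GroupName $group
                }
            }
        }
}

function Get-SsoGetConfigInfoWarnings {
    # Level 3 = Warning, matching the "SSO AUDIT" entry shown above.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ENTSSO'; Level = 3 } -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'GetConfigInfo' } |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                ClientUser  = [regex]::Match($_.Message, 'Client User:\s*(\S+)').Groups[1].Value
            }
        }
}

# Report only the missing memberships, then the matching audit warnings.
Test-HostInstanceGroups | Where-Object { -not $_.IsMember } | Format-Table -AutoSize
Get-SsoGetConfigInfoWarnings | Format-Table -AutoSize
```

An empty first table means every host instance account already holds the documented group memberships; any warning rows whose ClientUser matches a host instance logon point at the GetConfigInfo failure described above.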