Phidiax Tech Blog

Adventures in custom software and technology implementation.

BizTalk Host Instance accounts require membership to SSO Affiliate Administrators – SSO Audit GetConfigInfo

Users often put the BizTalk Host Instance accounts in Administrators, SSO Administrators and so on just to make things easier. But when they try to grant the accounts the minimum access, the Host Group account never seems right: it can't start, it can't retrieve the credentials for remote services from SSO, it logs SSO events in the Event Log, and so on. Recently I traced the SQL statements and the code and realized that the host instances were calling an administrative API in SSO during startup and failing. Specifically, the BizTalk Host Instances call ISSOConfigStore::GetConfigInfo, and that interface requires the calling account to be a member of the SSO Affiliate Administrators group. That requirement has historically been missing from the documentation, but it has recently been corrected thanks to the hard work of the documentation team.

How did we end up here?

My theory is that the call was not needed in earlier builds of BizTalk Server; it was added over time but went unnoticed because most installations give the Host Instance accounts too many rights.

After reading the SSO documentation I could see why this membership is needed; it is fairly evident that the interface requires elevated privileges. See Using Enterprise Single Sign-On Tools and APIs, and specifically the ISSOConfigStore Interface, which is described as:

Provides administration functions for the Enterprise Single Sign-On (SSO) configuration store.

How can you tell you are impacted by this?

Here is the Event Log warning showing the ISSOService::GetConfigInfo error that you will see when this is not configured correctly:

SSO AUDIT
Function: GetConfigInfo ({62599773-0329-4EFC-B344-COB90D617FAID})
Tracking ID: edi53e5c-dOc2-417d-bbd3-02177f9cOdbf
Client Computer: SomeCoolPRODComputer.Domain.AD
(wmiprvse.exe:4468)
Client User: DOM\btshost-inst

During my troubleshooting, I added the Host Groups for the accounts as members of the SSO Affiliate Administrators group to demonstrate the relationship and the requirement. Using this workaround (I didn't have direct access to the SSO groups in the domain) allowed me to confirm my theory.
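To make the check above repeatable, here is an added PowerShell example (not code from the original post, from Phidiax or from Microsoft). It lists the host instance service accounts on a BizTalk server, checks whether each one is a member of SSO Affiliate Administrators (directly or through a nested host group, which is the workaround used above), and counts recent SSO AUDIT warnings for GetConfigInfo attributed to that account. It assumes the default group name, that SSO audit events are written to the Application log under the provider name ENTSSO, and that the BizTalk WMI provider (root\MicrosoftBizTalkServer) is installed on the server where it runs.

```powershell
<#
  Added example, not code from the original post or from Microsoft.
  Reports, per BizTalk host instance service account on this server:
    - whether it is a member of the SSO Affiliate Administrators group
    - how many recent "SSO AUDIT ... GetConfigInfo" warnings name it
  Assumptions (adjust for your environment):
    - group name 'SSO Affiliate Administrators' (the default); it may be a
      local or a domain group depending on how SSO was configured
    - SSO audit events land in the Application log with provider 'ENTSSO'
    - the BizTalk WMI provider root\MicrosoftBizTalkServer is installed
#>
param(
    [string]$AffiliateAdminsGroup = 'SSO Affiliate Administrators',
    [switch]$LocalGroup,        # use Get-LocalGroupMember instead of Get-ADGroupMember
    [int]$LookbackDays = 7
)

# 1. Service accounts of the host instances on this machine (MSBTS_HostInstance.Logon).
$hostInstances = Get-WmiObject -Namespace 'root\MicrosoftBizTalkServer' -Class 'MSBTS_HostInstance' |
    Where-Object { $_.Logon }    # isolated host instances report no Logon here; skip them

# 2. Current members of the affiliate administrators group, normalised to DOMAIN\user.
#    Get-ADGroupMember -Recursive expands nested groups, so a host group
#    (e.g. BizTalk Application Users) added as a member is resolved to its users.
if ($LocalGroup) {
    # Note: Get-LocalGroupMember does not expand nested groups.
    $members = Get-LocalGroupMember -Group $AffiliateAdminsGroup | ForEach-Object { $_.Name }
} else {
    Import-Module ActiveDirectory -ErrorAction Stop
    $netbios = (Get-ADDomain).NetBIOSName
    $members = Get-ADGroupMember -Identity $AffiliateAdminsGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { "$netbios\$($_.SamAccountName)" }
}
$memberSet = @{}
foreach ($m in $members) { $memberSet[$m.ToLowerInvariant()] = $true }

# 3. Recent SSO AUDIT warnings for GetConfigInfo, counted per 'Client User' line.
$since = (Get-Date).AddDays(-$LookbackDays)
$auditHits = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ENTSSO'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'SSO AUDIT' -and $_.Message -match 'GetConfigInfo' } |
    ForEach-Object {
        if ($_.Message -match 'Client User:\s*(\S+)') {
            $user = $Matches[1].ToLowerInvariant()
            $auditHits[$user] = 1 + [int]$auditHits[$user]   # missing key -> 0
        }
    }

# 4. One report row per distinct service account; accounts lacking membership first.
$hostInstances | Group-Object -Property Logon | ForEach-Object {
    $account = $_.Name
    [pscustomobject]@{
        Account             = $account
        Hosts               = ($_.Group | ForEach-Object { $_.HostName }) -join ', '
        InAffiliateAdmins   = $memberSet.ContainsKey($account.ToLowerInvariant())
        GetConfigInfoAudits = [int]$auditHits[$account.ToLowerInvariant()]
    }
} | Sort-Object InAffiliateAdmins | Format-Table -AutoSize
```

Run it as an account that can read the BizTalk WMI namespace and the Application log, and pass -LocalGroup if SSO was configured with local rather than domain groups. A row showing InAffiliateAdmins False together with a non-zero audit count is exactly the symptom described above.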


Where are we today?

After collaboration with the Documentation Team, the online documentation has been updated at: Windows Groups and User Accounts in BizTalk Server

The documentation now says the following:

| User | User Description | Group Affiliation |
| --- | --- | --- |
| Enterprise Single Sign-On Service | Service account used to run the Enterprise Single Sign-On Service, which accesses the SSO database. | SSO Administrators |
| BizTalk Host Instance Account | Service account used to run the BizTalk In-Process host instance, which accesses the In-Process BizTalk host instance (BTNTSVC). | BizTalk Application Users; SSO Affiliate Administrators |
| BizTalk Isolated Host Instance Account | Service account used to run the BizTalk Isolated host instance (HTTP/SOAP). | BizTalk Isolated Host Users; SSO Affiliate Administrators; IIS_WPG |

Comments (1)

  • Accountingweb

    4/18/2016 6:08:27 AM

    This much pure technology information I'm seeing recently from this blog only. Thumbs up!!

2009-2017 Phidiax, LLC - All Rights Reserved