Windows Accounts for a Secure Distributed BizTalk Server Deployment
For complete information about the system architecture for BizTalk Server deployment, see Sample BizTalk Server Architectures.
This section provides recommendations for creating Windows groups and accounts in a distributed BizTalk Server environment. The group and account names are suggestions based on the function of each group and account; you can choose different names. For more information about distributed BizTalk Server architectures, see Large Distributed Architecture.
Windows Groups for a Secure Distributed BizTalk Server Deployment
The following list describes the recommended Windows groups for the domain administrator to create in the domain controller in the data tier.
- SSO Administrators
- SSO Affiliate Administrators
- BizTalk Server Administrators
- BizTalk Server Operators
For complete information about the Windows groups that BizTalk Server uses, see Windows Groups and User Accounts in BizTalk Server.
In addition to the previous domain groups, the following table lists groups specific to a secure deployment for the domain administrator to create in the domain controller in the data tier.
Group name (suggested) | Purpose |
---|---|
BizTalk Processing Host Users 1 | Group for the host instances of a specific in-process host that you use for processing messages. Create a group for each in-process host that you use for processing messages in your BizTalk Server environment. |
BizTalk Send Host Users 1 | Group for the host instance of a specific in-process host that you use for sending messages. Create a group for each in-process host that you use for sending messages in your BizTalk Server environment. |
BizTalk Receive Host Users 1 | Group for the host instance of a specific in-process host that you use for receiving messages. Create a group for each in-process host that you use for receiving messages in your BizTalk Server environment. |
BizTalk Tracking Host Users | Group for the BizTalk host that you dedicate for tracking. |
BizTalk SOAP Users | Group for the host instances of the isolated host you use for the SOAP adapter. |
BizTalk HTTP Users | Group for the host instances of the isolated hosts you use for the HTTP adapter. |
The domain administrator must create the following groups in the domain controller of the service interfaces domain:
- BizTalk BAM Portal Users
Windows User or Service Accounts for a Secure Distributed BizTalk Server Deployment
The following table lists the recommended accounts for the domain administrator to create in the domain controller of the data domain. The domain administrator must ensure the accounts are members of the groups indicated.
For complete information about the user accounts that BizTalk Server uses, see Windows Groups and User Accounts in BizTalk Server.
Account name (example) | Type | Member of group |
---|---|---|
SSO administrator | User | SSO Administrators |
SSO service | Service | SSO Administrators |
SSO master secret | Service | SSO Administrators |
BizTalk administrator | User | BizTalk Administrators; SSO Affiliate Administrators |
BizTalk operator | User | BizTalk Operators |
BizTalk Processing 1 | Service | BizTalk Processing Host Users 1 |
BizTalk Processing 2 (Note: You can create multiple accounts for each processing host in your environment.) | Service | BizTalk Processing Host Users 1 |
BizTalk Tracking | Service | BizTalk Tracking Host Users |
SOAP adapter | Service | BizTalk SOAP Users |
HTTP adapter | Service | BizTalk HTTP Users |
Rule Engine Update Service | Service | |
Installation | User | SSO Administrators (only for configuring the master secret server); local Administrators; sysadmin SQL Server Role; OLAP Administrator |
BAM Application pool | Service | IIS_WPG |
BAM Management | Service | IIS_WPG |
BAM Notification | Service | SQLServer2005NotificationServicesUser$<ComputerName> |
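
One way to check that the accounts are members of the groups indicated, and of no other host group from the table, shown as an added example that is not part of the original documentation. The sAMAccountNames (`svc-bts-http` and so on), the function name `Compare-BizTalkMembership` and the sample memberships are hypothetical and constructed for illustration.

```powershell
# Added example. Keys are hypothetical sAMAccountNames for accounts in the table
# above; values are the groups the table lists for each account.
$Expected = @{
    'svc-sso'       = @('SSO Administrators')
    'bts-operator'  = @('BizTalk Operators')
    'svc-bts-proc1' = @('BizTalk Processing Host Users 1')
    'svc-bts-track' = @('BizTalk Tracking Host Users')
    'svc-bts-soap'  = @('BizTalk SOAP Users')
    'svc-bts-http'  = @('BizTalk HTTP Users')
}

function Compare-BizTalkMembership {
    param(
        [Parameter(Mandatory)] [hashtable]   $Expected,
        [Parameter(Mandatory)] [scriptblock] $GetGroups  # account name -> group names
    )
    # Every group named in the expected map. Membership in any of these that
    # the table does not list for the account is reported as unexpected.
    $known = $Expected.Values | ForEach-Object { $_ } | Sort-Object -Unique
    foreach ($account in ($Expected.Keys | Sort-Object)) {
        $actual     = @(& $GetGroups $account)
        $missing    = @($Expected[$account] | Where-Object { $_ -notin $actual })
        $unexpected = @($actual | Where-Object { $_ -in $known -and $_ -notin $Expected[$account] })
        [pscustomobject]@{
            Account    = $account
            Missing    = $missing -join '; '
            Unexpected = $unexpected -join '; '
            Compliant  = ($missing.Count -eq 0) -and ($unexpected.Count -eq 0)
        }
    }
}

# Constructed sample memberships so the check runs without a domain controller.
$Sample = @{
    'svc-sso'       = @('Domain Users', 'SSO Administrators')
    'bts-operator'  = @('Domain Users', 'BizTalk Operators')
    'svc-bts-proc1' = @('Domain Users', 'BizTalk Processing Host Users 1')
    'svc-bts-track' = @('Domain Users')                        # missing its host group
    'svc-bts-soap'  = @('Domain Users', 'BizTalk SOAP Users')
    'svc-bts-http'  = @('Domain Users', 'BizTalk HTTP Users',
                        'BizTalk Processing Host Users 1')     # crosses host boundary
}
$fromSample = { param($name) $Sample[$name] }

# Against a live domain (requires the ActiveDirectory module), pass instead:
#   { param($name) (Get-ADPrincipalGroupMembership -Identity $name).Name }
Compare-BizTalkMembership -Expected $Expected -GetGroups $fromSample |
    Format-Table -AutoSize
```

With the sample data, `svc-bts-track` is reported as missing its host group and `svc-bts-http` as holding an unexpected one. `Get-ADPrincipalGroupMembership` returns direct memberships only, so nested group membership needs a separate check.
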
The following table lists the recommended accounts for the domain administrator to create in the domain controller of the corporate domain.
Account name | Type |
---|---|
SharePoint administrator | User |
SharePoint Site credential | User |
See Also
Large Distributed Architecture
Minimum Security User Rights
Windows Groups and User Accounts in BizTalk Server
Sample BizTalk Server Architectures