How to fix ENTSSO “Access is Denied” warnings on BizTalk Server
Problem Description
=================
In this situation, the two ENTSSO warnings below always occur at the same time, as a pattern, in the application log.
Event Type: Warning
Event Source: ENTSSO
Event Category: Enterprise Single Sign-On
Event ID: 10536
Date: 16/04/2009
Time: 1:04:00 p.m.
User: N/A
Computer: AAAA183
Description:
SSO AUDIT
Function: GetConfigInfo ({9494BA4B-CB0A-4C8C-8A29-E6AA848BD665})
Tracking ID: d0e06038-cce5-401d-95c6-ce63a14148a6
Client Computer: aaaa183.bbbbb.cccc.dd (wmiprvse.exe:2504)
Client User: AAAA\AAAA183$
Application Name: {06E0DD2B-3550-465A-AD77-DF903144289C}
Error Code: 0x80070005, Access is denied.
Event Type: Warning
Event Source: ENTSSO
Event Category: Enterprise Single Sign-On
Event ID: 11042
Date: 16/04/2009
Time: 1:04:00 p.m.
User: N/A
Computer: AAAA183
Description:
Access denied. The client user must be a member of one of the following accounts to perform this function.
SSO Administrators: AAAA\AaaaGrSSOAdministrators
SSO Affiliate Administrators: AAAA\AaaaGrSSOAffiliateAdministrators
Application Administrators: AAAA\AaaaGrBizTalkServerAdministrators
Application Users: -
Additional Data: AAAA\AAAA183$ {06E0DD2B-3550-465A-AD77-DF903144289C} FILE_TL_BizTalkNbrsMoh
Problem Analysis
===============
The warnings mean that an application running under the ‘local system’ account is trying to access ENTSSO. The Client User in the events, AAAA\AAAA183$, is the computer account, which is the identity a ‘local system’ service presents. In our case, the application is the SCOM agent.
The troubleshooting steps are:
1. Stop the OpsMgr Health Service on this BizTalk computer and check whether the warnings disappear. If they do, SCOM is the application causing the problem and we can go to the next step.
2. Check the "BizTalk Server Monitoring Account" & "BizTalk Server Discovery Account" under "Run As Profiles" in the SCOM console. If they are empty (not configured), the SCOM agent on the BizTalk side uses the default action account, “local system”, to monitor BizTalk Server.
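To see which process and identity ENTSSO is rejecting before stopping any service, the 10536 audit text can be parsed into fields. This is an added example, not part of the original post: the function name ConvertFrom-SsoAuditMessage is hypothetical, and the commented live query assumes the provider name matches the Event Source shown above.

```powershell
# Added example (not from the original post): parse ENTSSO 10536 audit text
# and report which process and identity were denied.
function ConvertFrom-SsoAuditMessage {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        # Collect "Name: value" lines; the name ends at the first colon.
        $field = @{}
        foreach ($line in ($Message -split "`r?`n")) {
            if ($line -match '^\s*([^:]+):\s*(.*)$') {
                $field[$Matches[1].Trim()] = $Matches[2].Trim()
            }
        }
        # "Client Computer" has the form: host (process.exe:pid)
        $clientHost = $field['Client Computer']; $proc = $null; $procId = $null
        if ($clientHost -match '^(?<h>\S+)\s+\((?<p>[^:]+):(?<id>\d+)\)$') {
            $clientHost = $Matches['h']; $proc = $Matches['p']; $procId = [int]$Matches['id']
        }
        $user = $field['Client User']
        [pscustomobject]@{
            SsoFunction      = ($field['Function'] -replace '\s*\(.*$', '')
            ClientHost       = $clientHost
            Process          = $proc
            ProcessId        = $procId
            ClientUser       = $user
            # A trailing '$' marks a computer account (local system on the network).
            IsMachineAccount = [bool]($user -match '\$$')
            ErrorCode        = ($field['Error Code'] -split ',')[0]
        }
    }
}

# Sample input: the 10536 description from the event shown above.
$sample = @'
SSO AUDIT
Function: GetConfigInfo ({9494BA4B-CB0A-4C8C-8A29-E6AA848BD665})
Tracking ID: d0e06038-cce5-401d-95c6-ce63a14148a6
Client Computer: aaaa183.bbbbb.cccc.dd (wmiprvse.exe:2504)
Client User: AAAA\AAAA183$
Application Name: {06E0DD2B-3550-465A-AD77-DF903144289C}
Error Code: 0x80070005, Access is denied.
'@
$sample | ConvertFrom-SsoAuditMessage | Format-List

# Against the live Application log (assumes Get-WinEvent is available):
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ENTSSO'; Id = 10536 } |
#     ForEach-Object { $_.Message } | ConvertFrom-SsoAuditMessage |
#     Group-Object Process, ClientUser | Sort-Object Count -Descending
```

For the sample event the process is wmiprvse.exe, so the audit record alone does not name the SCOM agent; stopping the service as in step 1 is what confirms it.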
Problem Solution
===============
1. Stop the OpsMgr Health Service on this BizTalk computer.
2. Create a new action account that has access to BizTalk Server. This account should be a member of a BizTalk group so that it has permission to access ENTSSO or other BizTalk resources.
Alternatively, use an existing account, e.g. Domain\BTSADM.
3. In the SCOM console, assign this account to "BizTalk Server Monitoring Account" & "BizTalk Server Discovery Account" under "Run As Profiles" for the client computer (AAAA183).
4. Go back to the BizTalk machine and run the OpsMgr Health Service under the account that was added to "BizTalk Server Monitoring Account" & "BizTalk Server Discovery Account".
5. Start the OpsMgr Health Service.
Regards,
Jarod Huang
Comments
- Anonymous
February 10, 2012
Thank you for this wonderful post. Microsoft Premier Support actually shared this post with us but one piece was missing... instead of OpsMgr health Service our offender was System Center Management service. I guess an easy workaround is to run that MOM/SCOM service with a BizTalk admin account and the error may go away.