
(Not) Using Built-in Service Accounts for BizTalk Server
15 November 10 09:25 PM | Johan Hedberg | 1 comment(s)

Recently I tried installing BizTalk Server 2010 in a pretty locked down environment – as in no accounts except a few domain accounts were given the “log on as a service” right. Thus as a first go I was left trying to use the default accounts on the machine.

These are my short summarized findings trying to run BizTalk using built-in accounts:

  • SQL Server – Can run as Local System or Network Service. NOT as Local Service.
  • SQL Server Agent – Can run as Local System or Network Service. NOT as Local Service.
  • For more SQL Server account info see this link.
  • The SSO service - can NOT run as Local Service or as Local System.
    It can run as Network Service, although there are some special requirements – namely: the SSO Administrators group must be pre-created, the Network Service account added to it and the computer restarted.
  • BizTalk Server Runtime – Can NOT run as any form of local built-in account.
  • At this point I guess I could have gone on to try the other sub-services as well, like BRE, but why bother… Lesson learned. You cannot configure BizTalk Server using only the built-in accounts. Also this link from the BizTalk documentation clearly states that these accounts are not supported, though it is non-specific.
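The findings above boil down to a least-privilege question: which identity each service actually runs as, who holds the "log on as a service" right, and, for the one built-in account that does work for SSO, whether the SSO Administrators group has been prepared. The PowerShell below is an added example (not code from the original post) that audits those three things and can perform the group preparation step described for Network Service. It assumes Windows PowerShell 5.1 or later with the LocalAccounts cmdlets, an elevated session, and that the Enterprise SSO service is named `ENTSSO` (an assumption, not something the post states).

```powershell
# Added example, not from the original post: audit service identities and the
# "Log on as a service" right, and prepare the SSO Administrators group for
# Network Service as the post describes. Assumes Windows PowerShell 5.1+ with
# the LocalAccounts module, run elevated. The SSO service name 'ENTSSO' is an
# assumption, not taken from the post.

# The three built-in identities discussed in the post, keyed by well-known SID
$BuiltInAccounts = @{
    'S-1-5-18' = 'NT AUTHORITY\SYSTEM'            # Local System
    'S-1-5-19' = 'NT AUTHORITY\LOCAL SERVICE'     # Local Service
    'S-1-5-20' = 'NT AUTHORITY\NETWORK SERVICE'   # Network Service
}
# WMI reports these with varying spacing/case ("NT AUTHORITY\NetworkService"),
# so compare on a normalized form (no whitespace, lower case).
$BuiltInNormalized = $BuiltInAccounts.Values |
    ForEach-Object { ($_ -replace '\s', '').ToLowerInvariant() }

function Get-ServiceIdentityReport {
    # One row per service: name, logon account, whether it is a built-in identity.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $account = $_.StartName
        # WMI reports Local System as the bare string 'LocalSystem'
        if ($account -eq 'LocalSystem') { $account = 'NT AUTHORITY\SYSTEM' }
        $normalized = if ($account) { ($account -replace '\s', '').ToLowerInvariant() } else { '' }
        [pscustomobject]@{
            Service = $_.Name
            Account = $account
            BuiltIn = $BuiltInNormalized -contains $normalized
            State   = $_.State
        }
    }
}

function Get-ServiceLogonRightHolders {
    # Exports local security policy and resolves the SIDs listed under
    # SeServiceLogonRight, i.e. who may actually "log on as a service" here.
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim().TrimStart('*')   # entries are SIDs prefixed with '*'
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry)
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $entry   # orphaned or unresolvable SID: report it raw
        }
    }
}

function Initialize-SsoAdministratorsGroup {
    # The two preparation steps the post names for running SSO as Network Service:
    # pre-create the SSO Administrators group and add Network Service to it.
    # The restart the post also requires is left to the operator.
    param([string]$GroupName = 'SSO Administrators')
    if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $GroupName -Description 'BizTalk Enterprise SSO administrators' | Out-Null
    }
    $members = Get-LocalGroupMember -Group $GroupName | Select-Object -ExpandProperty Name
    if ($members -notcontains 'NT AUTHORITY\NETWORK SERVICE') {
        Add-LocalGroupMember -Group $GroupName -Member 'NT AUTHORITY\NETWORK SERVICE'
    }
    Write-Warning "Restart the computer so the '$GroupName' membership applies to Network Service."
}

# --- usage ---
$report = Get-ServiceIdentityReport
# Services the post discusses: SQL Server, SQL Server Agent, Enterprise SSO ('ENTSSO' assumed)
$report | Where-Object { $_.Service -match '^(MSSQL|SQLAgent|ENTSSO)' } | Format-Table -AutoSize

"Principals holding 'Log on as a service':"
Get-ServiceLogonRightHolders

# Uncomment to perform the SSO group preparation the post describes:
# Initialize-SsoAdministratorsGroup
```

Run the report first: any row with `BuiltIn` set to true for the SQL, SQL Agent or SSO service tells you immediately whether you are in one of the unsupported combinations listed above, and the `SeServiceLogonRight` list shows whether a dedicated domain service account could be granted the right instead of falling back to built-in identities.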

Quoted info on what these built-in accounts mean:

Local Service Account

The Local Service account is a built-in account that has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard the system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session without credentials. Be aware that the Local Service account is not supported for the SQL Server or SQL Server Agent services. The actual name of the account is "NT AUTHORITY\LOCAL SERVICE".

Network Service Account

The Network Service account is a built-in account that has more access to resources and objects than members of the Users group. Services that run as the Network Service account access network resources by using the credentials of the computer account. The actual name of the account is "NT AUTHORITY\NETWORK SERVICE".

Local System Account

Local System is a very high-privileged built-in account. It has extensive privileges on the local system and acts as the computer on the network. The actual name of the account is "NT AUTHORITY\SYSTEM".
