We are currently experiencing a bit of pain at my current client trying to configure BizTalk 2006 in a multiserver environment. The Active Directory configuration that this installation must adhere to consists of two forests. One of these contains all the production accounts, the other which is trusted by the first. Accounts from the domain in the first forest are put into domain local groups in the second.
This has all worked fine in our BizTalk 2004 installations, we have never experienced issues related to this set-up. However, while attempting to run through the configuration in BizTalk 2006 there have been numerous issues when defining the account to use for the Windows Service and/or the group assigned against the BizTalk role. The error messages have been similar to the following:
Error: Failed to add the user ‘DOMAIN1\INSTALL_USER to the domain group ‘DOMAIN2\SSO_ADMINISTRATORS_GROUP’. To add members to domain groups you must have sufficient permissions in the domain (SSO)
Additional Information:- 0x000008AC The group name could not be found
- DOMAIN1 = Domain in forest where accounts are held
- DOMAIN2 = Domain in other forest where groups are held
- INSTALL_USER = Account of user undertaking the configuration
- SSO_ADMINISTRATORS_GROUP = Domain group set-up for use as SSO Administrators
Now, the error would lead you to believe that either the account or group doesn’t exist, or that the account isn’t a member of the group. However this is not the case and there is ongoing dialog between us and Microsoft as to what is the cause of the issue. It seems there have been problems realting to cross domain local group Active Directory configurations and I will be posting a follow-up when a solution or workaround has been found. This is just a heads up that if you are going to be using such a configuration, be wanred that you may obtain a headache rather quickly.
We did manage to get past the checking that occurs during the Enterprise SSO configuration by entering a debug registry key entry that will turn the Error you get in this scenario into a Warning. Errors stop you from continuing with any further configuration steps, whereas a warning will not. This is achieved by entering the following:
- Create the following reg key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ENTSSO\Debug
- Create the following DWORD value under this ConfigWarningsOnly
- Set the value to 1
- Restart the Configuration Wizard
Although this allowed us to progress, it didn’t allow us to complete the configuration as a similar issue occurs when you enter the BizTalk Runtime configuration. Another check occurs here between the accounts and groups you enter, and as they are also using the same AD configuration as the SSO account and group the same problem arises.
As I said, I will keep you posted on the outcome of this and as usual note that this has been experienced with beta 2 of the product and may not be an issue in later releases.