Further to my previous post on the issues I was experiencing with the configuration of BizTalk 2006 with cross domain local groups, we now have a workaround that is acceptable to our client.

A temporary account should be created in the group domain that will be used for the configuration so we can get past this stage. Once the configuration is completed, the correct accounts can be set-up and the temporary account can be removed. This takes form of the following steps:

SSO Configuration

  • Configure SSO using the temporary account

  • Change the account that the SSO Service executes under to the correct, permanent account

  • Restore the master secret and restart the server (using ssoconfig or the MMC)

BizTalk Runtime Configuration

  • Configure the runtime using the temporary account

  • Change the Host Instance account to be the correct, permanent account (using BizTalk Administrator)

Note that this temporary account will need to be in the following groups

  • Isolated Host Users Group

  • Host Users Group

  • SSO Administrators Group

This issue is evident in BizTalk Server 2006 beta 2. Obviously this may be fixed prior to release, but as far as I am aware the issue is caused by an external component so I wouldn’t expect there to be a fix prior to release.