Changing Domain Membership of a BizTalk 2004 Server
This topic has 3 replies, 1 voice, and was last updated 9 years, 3 months ago by community-content.
July 1, 2009 at 10:22 AM #22760
Hi All
I would like to know if anyone can give me some advice on what to look out for when changing the Domain Membership of a BizTalk 2004 Server Running Enterprise Single Sign-On.
I have already converted the production BizTalk Server into a Virtual Machine to play around with. After joining the server to the new Active Directory Domain, I received the following error:
“Could not retrieve transport type data for Primary Transport of Send Port ‘wsEntity_SERVERNAME’ from config store. Both SSO Servers (Primary=’SERVERNAME_DR’ and Backup=’SERVERNAME’) failed.
Backup server failure: No secrets were found in the registry of the master secret server. Use the configuration tools to generate a master secret.”
I hope that someone can help me understand the Master Secret Server a bit better: what exactly is contained within the Master Secret Server (Username? Computer Name? Domain Name?)
Thank you
July 1, 2009 at 5:56 PM #22762
I’m not sure that’s a supported scenario at all. I’m pretty sure your entire configuration will just go to hell, and will require significant work to get up and running (if at all possible). It’s not just the SSO; remember that all the security configuration in biztalk is tied to your domain, so you’ll need to fix all the database security roles in the biztalk dbs, fix up all the security groups used by hosts and other service processes used by biztalk, IIS AppPools, etc.
Regarding the SSO stuff, you need to remember that the SSO master secret is stored in the registry, protected by windows, in a location and encryption mechanism tied to the user account the SSO service is configured to run as. At the least, you’ll need to restore the SSO master secret to all your SSO servers (or only one, if all you’ve got is a single biztalk server) after you switch the accounts…. (you do have a backup of your master secret, right?)
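The reply above rests on two facts: the master secret is unreadable once the ENTSSO service account changes, and it can be restored from a backup. The following PowerShell is an added example, not code from either poster or from Microsoft, that captures the two checks a practitioner would want around such a change: record which account ENTSSO runs as before and after, and take (or replay) a master-secret backup with the real ssoconfig.exe tool. Assumptions: the tool lives at its default path under Common Files, the Windows service is named ENTSSO, and ssoconfig prompts interactively for the backup password (it is not automated here).

```powershell
# Added example: bracket a domain/account change on a single BizTalk 2004 SSO server
# with a master-secret backup and a service-account check. Not the thread's own code.

# Assumption: default install location of the Enterprise Single Sign-On tools.
$SsoConfig = Join-Path $env:CommonProgramFiles 'Enterprise Single Sign-On\ssoconfig.exe'

function Get-SsoServiceAccount {
    # Returns the account the ENTSSO service runs as. The master secret is
    # protected (DPAPI-style) in a way bound to this account, which is why a
    # change of account or domain makes the stored secret unreadable.
    $svc = Get-WmiObject Win32_Service -Filter "Name='ENTSSO'"
    if (-not $svc) { throw 'ENTSSO service not found on this machine.' }
    [pscustomobject]@{
        Account = $svc.StartName
        State   = $svc.State
    }
}

function Backup-SsoMasterSecret {
    param([Parameter(Mandatory)][string]$BackupFile)
    if (-not (Test-Path $SsoConfig)) { throw "ssoconfig.exe not found at $SsoConfig" }
    # ssoconfig prompts for a password and a reminder; run it interactively.
    & $SsoConfig -backupSecret $BackupFile
    if ($LASTEXITCODE -ne 0) { throw "Backup failed with exit code $LASTEXITCODE" }
    # Record who owned the secret at backup time, so a later restore can be
    # compared against the account in use after the migration.
    Get-SsoServiceAccount | Export-Clixml "$BackupFile.account.xml"
}

function Restore-SsoMasterSecret {
    param([Parameter(Mandatory)][string]$BackupFile)
    if (-not (Test-Path $BackupFile)) { throw "Backup file $BackupFile not found" }
    $before = Import-Clixml "$BackupFile.account.xml"
    $now    = Get-SsoServiceAccount
    if ($before.Account -ne $now.Account) {
        Write-Warning ("ENTSSO ran as '{0}' when the secret was backed up and now runs as '{1}'; " +
                       "restoring is expected after an account change, but verify the new account " +
                       "holds the SSO Administrators membership before continuing.") -f $before.Account, $now.Account
    }
    # ssoconfig prompts for the backup password; run it interactively.
    & $SsoConfig -restoreSecret $BackupFile
    if ($LASTEXITCODE -ne 0) { throw "Restore failed with exit code $LASTEXITCODE" }
    Restart-Service ENTSSO
    Get-SsoServiceAccount
}

# Usage (constructed path):
#   Backup-SsoMasterSecret  -BackupFile 'D:\SSOBackup\MasterSecret.bak'   # before leaving Domain1
#   Restore-SsoMasterSecret -BackupFile 'D:\SSOBackup\MasterSecret.bak'   # after ENTSSO runs as the Domain2 account
```

The point of storing the service account alongside the backup is that the "No secrets were found in the registry" error in the original post is exactly what a mismatched account produces; comparing the recorded and current accounts at restore time tells you whether the restore is expected or whether the service is simply running as the wrong identity.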
July 2, 2009 at 12:51 AM #22766
I only have one Biztalk 2004 Server, and I do have a backup of the SSO Master Secret.
For the first stage, I just want to change the domain membership of the Computer Account from Domain1 to Domain2, and leave all the Active Directory Service Accounts in Domain1.
Thereafter, I’ll try to change the service accounts to Domain2.
Do you know if the SIDs of the Service Account and Computer Account of the BizTalk server are stored within the SSO Master Secret?
July 2, 2009 at 5:24 AM #22769
I don’t know much about what’s actually stored internally in SSO, since it’s completely undocumented. If you’re using SSO yourself for credential mapping, then I would say you can be pretty sure it is storing account SIDs in there. Also, notice that SSO applications are secured (i.e. they have permissions created either explicitly, or implicitly by biztalk when it stores sensitive information in the SSO DB, like adapter settings), and those probably use SIDs directly.
As for the change, I doubt you can make it in those two steps and still keep everything working in between (authentication won’t work very well).