Windows Groups and User Accounts in BizTalk Server on single Computer (Sandbox)
By default, the Configuration Manager creates the necessary Windows group and user accounts for you if you install BizTalk Server and all prerequisite software on a single computer. BizTalk Server supports local group and user accounts only in single-computer configurations. BizTalk Server lets you configure your server in one of two modes, Basic or Custom. Basic configuration is targeted at developers setting up single-server installations for development, preferably on a sandbox virtual machine. With Basic configuration the following occurs:
· All database names are generated by BizTalk Server under the account provided, which needs to have sysadmin rights in SQL Server.
· All applicable database logon information is run under the account provided.
· All BizTalk Server services are generated by BizTalk Server.
· All BizTalk Server services run under the account provided. The configuration process grants this account the necessary security permissions on the server and on objects in SQL Server.
· All features are configured based on the prerequisite software you have installed on the computer.
· The Default Web Site in Internet Information Services (IIS) is used for any feature that requires IIS.
· The logged-on user must be a member of the OLAP Administrators group on the OLAP server.
Custom configuration allows you to configure the server using advanced configuration options. With custom configuration, you can selectively configure or unconfigure each feature.
Sysadmin rights for configuration
For a single- or multi-box installation of BizTalk you need sysadmin rights, for instance to set up the BizTalk Group. The danger of this option is that you as a developer may not be aware of it when configuring BizTalk in an environment other than your development environment. For test, acceptance and production deployments in a multi-computer environment you will encounter Active Directory. There you do not use local groups but domain groups, and these are not created for you; you have to create them yourself. Once you have succeeded at this, you have to create accounts for host instances, arrange access to databases, and so on. As a developer you may be tempted to take the simple but risky route of choosing an account with too many rights on the SQL Server.
It is recommended that you study the following resources closely to get a sense of how to handle installation and configuration of BizTalk in different environments with security in mind. It also helps to gain some routine by setting up a sandbox environment and applying these practices. I use a BizTalk Setup User account to set up BizTalk and configure the environment. After this exercise I disable this account.
In the picture above you will also notice that I created more user accounts for different services, such as Host Instances, BRE, SSO and Database Services.
Minimum security rights: http://msdn.microsoft.com/en-us/library/aa559845(BTS.10).aspx
Installation manuals: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=9c697e02-d1bc-4684-8748-28b3a292d5bf
Basic Configuration: http://msdn.microsoft.com/en-us/library/aa578006(BTS.10).aspx
Local groups: http://msdn.microsoft.com/en-us/library/aa548071(BTS.10).aspx
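One way to check for the over-privileged account described above, once configuration is finished. This T-SQL audit is an added example, not part of the original post, and the account names in it (`SANDBOX\BTSSetup` and the others) are hypothetical placeholders for your own setup and service accounts.

```sql
-- Added example: audit the SQL Server rights of BizTalk accounts after configuration.
-- All account names are hypothetical placeholders; replace them with your own.
DECLARE @accounts TABLE (login_name sysname PRIMARY KEY, purpose nvarchar(40));

-- INSERT ... SELECT ... UNION ALL also works on SQL Server 2005.
INSERT INTO @accounts (login_name, purpose)
SELECT N'SANDBOX\BTSSetup',              N'setup account'
UNION ALL SELECT N'SANDBOX\BTSHostInst', N'host instance'
UNION ALL SELECT N'SANDBOX\BTSRuleEng',  N'BRE service'
UNION ALL SELECT N'SANDBOX\BTSSSO',      N'SSO service';

SELECT
    a.login_name,
    a.purpose,
    -- is_disabled is the state of the SQL Server login,
    -- not of the Windows account behind it.
    CASE
        WHEN sp.principal_id IS NULL THEN 'no direct login'
        WHEN sp.is_disabled = 1      THEN 'login disabled'
        ELSE 'login enabled'
    END AS login_state,
    -- Direct membership of the sysadmin fixed server role.
    CASE WHEN rm.member_principal_id IS NULL THEN 'no' ELSE 'yes' END AS direct_sysadmin,
    -- 1 = member (also through a Windows group), 0 = not a member,
    -- NULL = SQL Server cannot resolve the login.
    IS_SRVROLEMEMBER('sysadmin', a.login_name) AS effective_sysadmin
FROM @accounts AS a
LEFT JOIN sys.server_principals AS sp
       ON sp.name COLLATE DATABASE_DEFAULT = a.login_name COLLATE DATABASE_DEFAULT
      AND sp.type IN ('S', 'U')   -- SQL logins and Windows logins only
LEFT JOIN sys.server_role_members AS rm
       ON rm.member_principal_id = sp.principal_id
      AND rm.role_principal_id = (SELECT principal_id
                                  FROM sys.server_principals
                                  WHERE name = N'sysadmin' AND type = 'R')
ORDER BY effective_sysadmin DESC, a.login_name;
```

Any host instance or service account that shows sysadmin here has more rights than it needs and should be checked against the minimum security rights linked above.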