How to fix ENTSSO “Access is Denied” warnings on BizTalk Server

Problem Description
===================

In this situation, the two ENTSSO warnings below always occur together, at the
same time, in the Application log.

Event Type: Warning

Event Source: ENTSSO

Event Category: Enterprise Single Sign-On

Event ID: 10536

Date: 16/04/2009

Time: 1:04:00 p.m.

User: N/A

Computer: AAAA183

Description:

SSO AUDIT

Function: GetConfigInfo ({9494BA4B-CB0A-4C8C-8A29-E6AA848BD665})

Tracking ID: d0e06038-cce5-401d-95c6-ce63a14148a6

Client Computer: aaaa183.bbbbb.cccc.dd (wmiprvse.exe:2504)

Client User: AAAA\AAAA183$

Application Name: {06E0DD2B-3550-465A-AD77-DF903144289C}

Error Code: 0x80070005, Access is denied.

Event Type: Warning

Event Source: ENTSSO

Event Category: Enterprise Single Sign-On

Event ID: 11042

Date: 16/04/2009

Time: 1:04:00 p.m.

User: N/A

Computer: AAAA183

Description:

Access denied. The client user must be a member of one of the following accounts to perform this function.

SSO Administrators: AAAA\AaaaGrSSOAdministrators

SSO Affiliate Administrators: AAAA\AaaaGrSSOAffiliateAdministrators

Application Administrators: AAAA\AaaaGrBizTalkServerAdministrators

Application Users: -

Additional Data: AAAA\AAAA183$ {06E0DD2B-3550-465A-AD77-DF903144289C} FILE_TL_BizTalkNbrsMoh

Problem Analysis
================

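The error means that an application running under the ‘local system’ account
is trying to access ENTSSO: the Client User in both events is the computer
account (AAAA\AAAA183$), which is the identity a Local System process presents
on the network. In our case, the application is the SCOM agent.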

The troubleshooting steps are:

1. Stop the OpsMgr Health Service on this BizTalk computer and check whether
the warnings disappear. If they do, SCOM is the application causing the
problem, and we can go to the next step.

2. Check the "BizTalk Server Monitoring Account" and "BizTalk Server Discovery
Account" under "Run As Profiles" in the SCOM console. If they are empty (not
configured), the SCOM agent on the BizTalk side uses the default action
account, “local system”, to monitor BizTalk Server.
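
The pairing described above can be checked mechanically over exported event text. The following Python sketch is an added example, not part of the original post: it matches each 10536 audit to an 11042 denial by time, client user and application GUID, and flags callers that are computer accounts. The event tuples are constructed from the descriptions quoted on this page, plus one made-up user event (AAAA\jsmith, mmc.exe) for contrast; the function and field names are assumptions.

```python
import re

# Constructed sample input: the two event descriptions quoted on this page, plus
# one made-up 10536 event for an ordinary user (AAAA\jsmith) as a contrast case.
GUID = "{06E0DD2B-3550-465A-AD77-DF903144289C}"
EVENTS = [
    (10536, "16/04/2009 1:04:00 p.m.",
     "SSO AUDIT\nFunction: GetConfigInfo\n"
     "Client Computer: aaaa183.bbbbb.cccc.dd (wmiprvse.exe:2504)\n"
     "Client User: AAAA\\AAAA183$\nApplication Name: " + GUID + "\n"
     "Error Code: 0x80070005, Access is denied."),
    (11042, "16/04/2009 1:04:00 p.m.",
     "Access denied. The client user must be a member of one of the "
     "following accounts to perform this function.\n"
     "Additional Data: AAAA\\AAAA183$ " + GUID + " FILE_TL_BizTalkNbrsMoh"),
    (10536, "16/04/2009 1:09:00 p.m.",
     "SSO AUDIT\nFunction: GetConfigInfo\n"
     "Client Computer: aaaa183.bbbbb.cccc.dd (mmc.exe:3120)\n"
     "Client User: AAAA\\jsmith\nApplication Name: " + GUID + "\n"
     "Error Code: 0x80070005, Access is denied."),
]

AUDIT = re.compile(r"Client Computer: \S+ \((?P<proc>[^:]+):(?P<pid>\d+)\)\s+"
                   r"Client User: (?P<user>\S+)\s+Application Name: (?P<app>\{[^}]+\})")
DENIED = re.compile(r"Additional Data: (?P<user>\S+) (?P<app>\{[^}]+\})")

def correlate(events):
    """Pair each 10536 audit with an 11042 denial for the same time, user and app."""
    denials = set()
    for eid, when, text in events:
        m = DENIED.search(text) if eid == 11042 else None
        if m:
            denials.add((when, m["user"].lower(), m["app"].lower()))
    findings = []
    for eid, when, text in events:
        m = AUDIT.search(text) if eid == 10536 else None
        if m:
            key = (when, m["user"].lower(), m["app"].lower())
            findings.append({
                "time": when, "user": m["user"],
                "process": m["proc"], "pid": int(m["pid"]),
                "paired_11042": key in denials,
                # A trailing "$" is a computer account, as a Local System caller shows up.
                "machine_account": m["user"].endswith("$"),
            })
    return findings

if __name__ == "__main__":
    print(*correlate(EVENTS), sep="\n")
```

A finding with both flags set and `wmiprvse.exe` as the process matches the SCOM agent case analysed here.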

Problem Solution
================

1. Stop the OpsMgr Health Service on this BizTalk computer.

2. Create a new action account that has access to BizTalk Server. This account
should be a member of a BizTalk group so that it has permission to access
ENTSSO and other BizTalk resources.

You can also use an existing account, e.g. Domain\BTSADM.

3. In the SCOM console, assign this account to the "BizTalk Server Monitoring
Account" and "BizTalk Server Discovery Account" under "Run As Profiles" for
the client computer (AAAA183).

4. Back on the BizTalk machine, use the account that was added to "BizTalk
Server Monitoring Account" and "BizTalk Server Discovery Account" to run the
OpsMgr Health Service.

5. Start the OpsMgr Health Service.

Regards,

Jarrod Huang