Guidelines for Resolving Web Services Permissions Problems

Microsoft BizTalk Server makes extensive use of Web services, both with the SOAP adapter and when publishing orchestrations as Web services. This topic provides general guidelines for minimizing Web services permissions problems and steps for troubleshooting the ones that affect BizTalk Server.

General Guidelines

  • Setting user accounts: Ensure that the IIS application host process identity associated with the virtual directory that hosts the Web service is set to a specific user account and ensure that this user account is added to the following groups:

    • BizTalk Isolated Host Users (domain or local group)

    • IIS_WPG (local group)

      Membership in these two groups is required to grant the Web service created by the BizTalk Web Service Publishing Wizard the appropriate rights to publish a SOAP request message into the BizTalk MessageBox database, which in turn activates the subscribing orchestration. For more information about determining or setting the IIS application host process identity, see the Setting IIS Application Host Process Identity section of Guidelines for Resolving IIS Permissions Problems.

  • Setting permissions on the folder specified by the TEMP environment variable: Ensure that the IIS application host process identity for the virtual directory that hosts the Web service has read and write permissions to the folder specified by the TEMP environment variable. To determine which folder the TEMP environment variable specifies, open a command prompt on the BizTalk Server, type the following command, and then press ENTER:

    echo %TEMP%
    

    The folder specified by the TEMP environment variable is where the Web service is just-in-time (JIT) compiled into a dynamic link library (DLL) file, so this user account must have read and write permissions to it.

  • Sending credentials in the SOAP method call: Ensure that the Web service client is sending credentials in the SOAP method call. By default, IIS 7.0 in Windows Server 2008 SP2 requires Windows authentication. When you test a Web service with Internet Explorer, the credentials of the user who is currently logged on are sent automatically, which is why the Web service may work from Internet Explorer but fail from another client. If the Web service client does not add credentials to the SOAP method call, a SOAP exception is generated because authentication fails. For more information about sending credentials in a SOAP method call, go to System.Net.Http: HttpClient Class.

  • Troubleshooting errors calling a Web service: If errors occur when calling a Web service, check the Application log, or check message event and service instance tracking through the BizTalk Server Administration Group Hub page. For more information about the possible causes of the error, see Monitoring BizTalk Server and Using the Group Hub Page.

  • Collecting debugging information: If the steps above do not resolve the issue, follow the steps outlined in the topic Debugging Published Web Services to obtain detailed debugging information.
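
The following PowerShell script is an added example, not part of the original topic or of BizTalk Server; it checks the first two guidelines above for a single account: membership in the two groups and read and write permissions on the TEMP folder. It assumes the account name shown (a constructed placeholder), that both groups are local groups (a domain group needs a directory query instead), and it evaluates only ACL entries that name the account directly, not permissions inherited through group membership.

```powershell
# Added example: verify group membership and TEMP folder permissions for one account.
# $Account is a constructed placeholder; pass the real application host process identity.
param(
    [string]$Account    = 'CONTOSO\svc-biztalk-iso',   # hypothetical account name
    [string[]]$Groups   = @('BizTalk Isolated Host Users', 'IIS_WPG'),
    [string]$TempPath   = $env:TEMP                     # same folder that "echo %TEMP%" prints
)

function Test-GroupMembership {
    param([string]$Group, [string]$Member)
    try {
        $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    } catch {
        # The group is missing locally or could not be enumerated.
        return "cannot read group: $($_.Exception.Message)"
    }
    if ($members.Name -contains $Member) { 'member' } else { 'NOT a member' }
}

function Test-ReadWriteAcl {
    param([string]$Path, [string]$Identity)
    $needed = [int][System.Security.AccessControl.FileSystemRights]'Read, Write'
    # Only rules that name the account directly are considered (see assumptions).
    $rules = (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity }
    $allowed = 0
    $denied  = 0
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Allow') {
            $allowed = $allowed -bor [int]$rule.FileSystemRights
        } else {
            $denied = $denied -bor [int]$rule.FileSystemRights
        }
    }
    # A Deny entry overrides an Allow entry for the same right.
    $effective = $allowed -band (-bnot $denied)
    ($effective -band $needed) -eq $needed
}

foreach ($group in $Groups) {
    '{0,-32} {1}' -f $group, (Test-GroupMembership -Group $group -Member $Account)
}
'{0,-32} {1}' -f 'Read+Write on TEMP folder', (Test-ReadWriteAcl -Path $TempPath -Identity $Account)
```

A result of False for the TEMP folder check means only that no explicit entry for the account grants both rights; confirm effective access in the folder's security settings before changing the ACL.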

See Also

Troubleshooting BizTalk Server Permissions
Guidelines for Resolving IIS Permissions Problems