AIF security concepts for BizTalk adapter
This topic describes how the BizTalk adapter and BizTalk Server determine the different users involved in a data exchange. For comprehensive, step-by-step guidance on exchanging data with AIF using BizTalk Server, see Application Integration Framework (AIF) BizTalk adapter configuration for data exchange.
Source endpoint user
The BizTalk adapter uses the following process to determine the source endpoint user:
If the message has an envelope, get the source endpoint user from the envelope header.
If the envelope header is missing, get the source endpoint user from the BizTalk message context (DynamicsAx5.SourceEndpointUser).
If the user is configured in neither the envelope header nor the BizTalk message context, use the submitting user as the source endpoint user.
The submitting user is always set by the BizTalk Server. If you view the message details using the BizTalk Server administration console, the submitting user is the value of the Originator Security ID message property. This value is not configurable. For information about the security features that BizTalk Server uses to authenticate the inbound messages, see Inbound Message Authentication. For information about the security features BizTalk Server uses to authenticate messages between processes, see Authentication of Messages Between Processes.
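The resolution order above, written out as an added example that is not part of the original documentation or the adapter's own code. The message representation, the dictionary keys and the function names are assumptions made for illustration; only the context property name DynamicsAx5.SourceEndpointUser and the three-step order come from the text. The function reports which of the three sources supplied the user alongside the submitting user, so an operator can log how each identity was chosen:

```python
"""Model of the BizTalk adapter's source endpoint user resolution.

Added example (hypothetical message shape, not the adapter's API). Order:
  1. envelope header, if the message has an envelope
  2. BizTalk message context property DynamicsAx5.SourceEndpointUser
  3. submitting user (Originator Security ID, always set by BizTalk Server)
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Context property name as given on the page; the bare (namespace-free) key
# is an assumption for this illustration.
SOURCE_ENDPOINT_USER_PROPERTY = "DynamicsAx5.SourceEndpointUser"


@dataclass
class BizTalkMessage:
    """Hypothetical stand-in for a BizTalk message (assumed shape)."""
    envelope_header: Optional[Dict[str, str]] = None   # None: message has no envelope
    context: Dict[str, str] = field(default_factory=dict)  # message context properties
    submitting_user: str = ""                           # set by BizTalk Server, not configurable


def resolve_source_endpoint_user(msg: BizTalkMessage) -> Tuple[str, str]:
    """Return (user, source) where source names the step that supplied the value.

    Empty values are treated as missing so the fallback continues.
    """
    header = msg.envelope_header or {}
    header_user = header.get("SourceEndpointUser")
    if header_user:
        return header_user, "envelope_header"
    context_user = msg.context.get(SOURCE_ENDPOINT_USER_PROPERTY)
    if context_user:
        return context_user, "message_context"
    if not msg.submitting_user:
        # BizTalk Server always sets the submitting user; its absence means
        # the message did not come through the expected pipeline.
        raise ValueError("submitting user missing from message")
    return msg.submitting_user, "submitting_user"


def audit_line(msg: BizTalkMessage) -> str:
    """One log line recording the chosen user, its origin and the submitting
    user, so a sender-supplied identity can be correlated with the
    identity BizTalk Server itself recorded (design choice of this example)."""
    user, source = resolve_source_endpoint_user(msg)
    return (f"source_endpoint_user={user} resolved_from={source} "
            f"submitting_user={msg.submitting_user}")


# Constructed sample messages; the names and SID are made up for this example.
SUBMITTER = "S-1-5-21-1111-2222-3333-1001"
SAMPLES = {
    "with_envelope": BizTalkMessage(
        envelope_header={"SourceEndpointUser": "CONTOSO\\alice"},
        context={SOURCE_ENDPOINT_USER_PROPERTY: "CONTOSO\\bob"},
        submitting_user=SUBMITTER),
    "context_only": BizTalkMessage(
        envelope_header=None,
        context={SOURCE_ENDPOINT_USER_PROPERTY: "CONTOSO\\bob"},
        submitting_user=SUBMITTER),
    "empty_header_value": BizTalkMessage(
        envelope_header={"SourceEndpointUser": ""},
        context={},
        submitting_user=SUBMITTER),
}


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name}: {audit_line(sample)}")
```

Note that the envelope header wins even when the context property is also present, so a message that carries both is attributed to the header value; the audit line keeps the submitting user beside it for later review.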
Gateway user
The gateway user is used by the BizTalk adapter for asynchronous messaging when messages are sent to and received from the AIF gateway queue. Asynchronous messaging occurs when the send and receive ports are one-way ports. The gateway user must be an internal user with permissions to the gateway queue. The gateway user is usually the Admin user. In the BizTalk orchestration, use the Microsoft Dynamics AX 2009 Transport Properties window to configure the gateway user.
Proxy user
The proxy user setting has no dependency on the endpoint user, submitting user, or gateway user. The Business Connector proxy account is a Microsoft Windows domain account that enables the Business Connector to act on behalf of Microsoft Dynamics AX users when those users authenticate with the Application Object Server (AOS) via a BizTalk application. The proxy user account must be the same as the user account in the Business Connector Proxy section of the System service accounts form. The configuration of the Microsoft Dynamics AX 2009 Transport Properties window in the BizTalk Server administration console determines how the BizTalk adapter selects the proxy user.
If the Authentication Type field is Host User, the service account for the BizTalk Server is used as the proxy user.
If the Authentication Type field is Proxy User, the values of the Proxy User and Proxy Password fields from the Microsoft Dynamics AX 2009 Transport Properties window are used as the proxy user.
If the Authentication Type field is single sign-on (SSO), the proxy user is not used, because Microsoft Dynamics AX authentication is done using the SSO user credentials. For more information on SSO, refer to the BizTalk Server documentation.