

Security Requirements

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

To meet the security requirements for the ESB Guidance, you must review configuration settings to support Kerberos authentication, for the BizTalk security account groups, and for the ESB BizTalk Operations Web service.

Kerberos Support

The Microsoft ESB Guidance includes several key ESB Web services and a management portal sample. Some of these services require processing across machine boundaries. To support integrated security for "double hop" scenarios, you must enable Kerberos authentication on the servers running the ESB Web services, ESB Management Portal, and on servers that may be running registry or repository components (such as UDDI or those exposed by WS-MetadataExchange).

To enable Kerberos authentication for Internet Information Services (IIS), see the following articles in the Microsoft Knowledge Base:

To enable trust delegation for the IIS server running the ESB Web services and ESB Management Portal, see "Allow a computer to be trusted for delegation" on Microsoft TechNet. Where the domain supports it, prefer constrained delegation (restricting the IIS computer or application pool account to the specific SQL Server, UDDI, and other back-end SPNs it must reach) over trusting the computer for delegation to any service; unconstrained delegation lets a compromised IIS host impersonate users to every service in the domain.

To enable SQL Server to participate in Kerberos authentication, a service principal name (SPN) of the form MSSQLSvc/<fqdn>:<port> must be registered for the account under which the SQL Server service runs. Running the service under the LOCAL SYSTEM or NETWORK SERVICE account lets SQL Server register the SPN automatically on the computer account. If the service runs under a dedicated domain account instead (the least-privilege option), register the SPN manually with setspn; without a registered SPN, clients silently fall back to NTLM, and double-hop connections through IIS fail. To troubleshoot SQL Server/Kerberos issues, see "How to make sure that you are using Kerberos authentication when you create a remote connection to an instance of SQL Server 2005."
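The following T-SQL is an added example (not part of the original page or the ESB Guidance) showing how to confirm from the SQL Server side whether a connection actually negotiated Kerberos rather than falling back to NTLM. Run it from the ESB Web service or portal machine over the same connection path the services use. The auth_scheme column of sys.dm_exec_connections reports KERBEROS, NTLM, or SQL; the second query surfaces every current Windows-authenticated session that came in over NTLM, which is what a missing or duplicated SPN looks like in practice.

```sql
-- Added example: verify the authentication scheme negotiated for this session.
-- KERBEROS means the SPN lookup succeeded; NTLM means Kerberos was not used
-- (typically a missing or duplicate MSSQLSvc SPN, or a non-domain client).
SELECT  s.session_id,
        s.login_name,
        s.host_name,
        c.net_transport,
        c.auth_scheme
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE   c.session_id = @@SPID;

-- Added example: list every Windows-authenticated session that fell back to NTLM.
-- Sessions from the ESB IIS servers appearing here will not be able to
-- delegate the caller's identity to a second hop.
SELECT  s.session_id,
        s.login_name,
        s.host_name,
        s.program_name,
        c.client_net_address,
        c.auth_scheme
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE   c.auth_scheme = N'NTLM'
ORDER BY s.host_name, s.login_name;
```

Note that a local connection made on the SQL Server machine itself can report NTLM or a shared-memory transport even when Kerberos is configured correctly; the meaningful check is the result from a remote client such as the IIS server hosting the ESB services.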

BizTalk Security Groups

By default, the Microsoft ESB Guidance uses the Default BizTalk Application Users and BizTalk Server Administrators groups to control security access wherever possible, specifically in regards to the BizTalk Operations, Resolver, and UDDI Web Services and the ESB Management Portal. Only authenticated users that are members of the BizTalk Server Administrators group can perform administrative tasks.

BizTalk Operations Web Service Security Configuration

The BizTalk Operations Web Service obtains and updates BizTalk-related information in several different ways. In some cases, to maximize performance, it directly queries database tables in the BizTalk Message Box database and the BizTalk Management database.

For successful execution of these operations, you must grant the following rights to the BTS_HOST_USERS database role in the relevant databases. You can use Microsoft SQL Server Management Studio to accomplish these tasks:

  • Grant the following rights to the BTS_HOST_USERS database role in the BizTalkManagement database:

    Table name                  Rights
    adm_hostInstance            SELECT
    adm_Server2HostMapping      SELECT

  • Grant the following rights to the BTS_HOST_USERS database role in the BizTalk MessageBox database:

    Table name                  Rights
    ProcessHeartbeat            SELECT
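The grants above can be applied as a script instead of through the Management Studio dialogs. The following T-SQL is an added example (not from the original page or the ESB Guidance) that assumes the default database names BizTalkMgmtDb and BizTalkMsgBoxDb and that the tables live in the dbo schema; adjust both if your installation used different names. It grants only SELECT, exactly as the tables above require, and then reads back the object-level permissions held by BTS_HOST_USERS so that anything broader than read access (for example an UPDATE or CONTROL grant added earlier by hand) is visible.

```sql
-- Added example: grant the read-only rights the BizTalk Operations Web Service
-- needs, then verify that BTS_HOST_USERS holds nothing beyond SELECT on
-- these tables. Database names and the dbo schema are assumptions.

USE BizTalkMgmtDb;   -- assumed name of the BizTalk Management database
GO
GRANT SELECT ON OBJECT::dbo.adm_hostInstance       TO BTS_HOST_USERS;
GRANT SELECT ON OBJECT::dbo.adm_Server2HostMapping TO BTS_HOST_USERS;
GO

-- Verification: every explicit object-level permission for the role.
-- Expected rows: SELECT / GRANT on the two tables above and nothing else.
SELECT  dp.name            AS principal_name,
        SCHEMA_NAME(o.schema_id) + N'.' + o.name AS object_name,
        p.permission_name,
        p.state_desc
FROM    sys.database_permissions AS p
JOIN    sys.database_principals  AS dp ON dp.principal_id = p.grantee_principal_id
JOIN    sys.objects              AS o  ON o.object_id     = p.major_id
WHERE   dp.name = N'BTS_HOST_USERS'
  AND   p.class_desc = N'OBJECT_OR_COLUMN';
GO

USE BizTalkMsgBoxDb;  -- assumed name of the BizTalk MessageBox database
GO
GRANT SELECT ON OBJECT::dbo.ProcessHeartbeat TO BTS_HOST_USERS;
GO

-- Same verification for the MessageBox database.
-- Expected row: SELECT / GRANT on dbo.ProcessHeartbeat and nothing else.
SELECT  dp.name            AS principal_name,
        SCHEMA_NAME(o.schema_id) + N'.' + o.name AS object_name,
        p.permission_name,
        p.state_desc
FROM    sys.database_permissions AS p
JOIN    sys.database_principals  AS dp ON dp.principal_id = p.grantee_principal_id
JOIN    sys.objects              AS o  ON o.object_id     = p.major_id
WHERE   dp.name = N'BTS_HOST_USERS'
  AND   p.class_desc = N'OBJECT_OR_COLUMN';
GO
```

Run the script as a login with ALTER permission on both databases (a member of the BizTalk Server Administrators group normally qualifies). Because the grants are scoped to individual tables rather than to the schema or database, a host instance running under a BTS_HOST_USERS member gains nothing beyond the three read paths the Operations Web Service actually uses.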