SSO Service Login Failure - Service failed to Start

    Question

  • I have installed BizTalk Server 2009 in multi-server environment, in that, BizTalk is on one box, the database is on another. I have configured everything and DTC is running.

    However, the Enterprise SSO service and BizTalkServerApplication service will not start. When I try to start the service I get the error:

    Windows could not start the Enterprise Single Sign-on Service service on xxxxxx. Error 1069: The service did not start due to a logon failure.

    The account I am running the service under is a domain account, and following the "Installing BizTalk Server 2009 in a MultiServer environment" document, the account is an administrator on the BizTalk box. The user also belongs to the SSO Administrators group on the BizTalk box AND the SQL box. The user also has a login in SQL Server (we even gave the user sysadmin permissions to test).

    For further testing, I created a local account on both boxes (same name and passwords on both boxes), added the user to the admin group (and to the SSO Admin group on the BizTalk box), added the user as a login on the SQL box (also sysadmin) AND WITH THAT THE ENTERPRISE SSO SERVICE STARTED.

    What would cause the domain account to not work?

    Thanks,

    Thursday, March 25, 2010 10:33 PM

Answers

  • Hi,

    You are running BizTalk 2009, so I assume you are running on W2K3 (R2). Therefore you will have to look at this link for W2K3: http://support.microsoft.com/kb/327545. The link is similar to Raja's (W2K). I doubt if this explains why the domain account does not work. I was wondering if you performed this step: http://msdn.microsoft.com/en-us/library/aa560670(BTS.10).aspx. This is referenced on page 14 of the installation guide for multi-server environment.

    Regards,

    Steef-Jan Wiggers
    MCTS BizTalk Server
    http://soa-thoughts.blogspot.com/
    If this answers your question please mark it accordingly


    BizTalk
    Friday, March 26, 2010 11:48 AM
    Moderator
  • Hi Scott,

    Please note the account must have the 'logon as a service' privilege in GPO. Also try to repro the error again and check the server/DC's security event log. There should be corresponding logon failure events audited, which will show you a detailed reason.

    Thanks.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, April 06, 2010 7:19 AM
    Moderator
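
The security event log check suggested above, as an added example that is not part of the original thread: on W2K8 a failed service start is audited as event 4625 with logon type 5, and its status code separates a missing logon right from a password problem. The account `CONTOSO\svc-sso` and both sample events are constructed, and logon-failure auditing is assumed to be enabled.

```powershell
# Added example (not from the thread). NTSTATUS codes recorded in event 4625,
# mapped to the causes raised in the replies.
$Reasons = @{
    '0xc000015b' = 'Logon type not granted: check the "Log on as a service" right'
    '0xc000006a' = 'Bad password: re-enter it on the service Log On tab'
    '0xc0000071' = 'Password expired'
    '0xc0000224' = 'Password must be changed at next logon'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
}

function Get-ServiceLogonFailureReason {
    param([Parameter(ValueFromPipeline = $true)][string]$EventXml)
    process {
        # 4625 stores its fields as <Data Name="..."> nodes under EventData.
        $f = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) {
            $f[$d.GetAttribute('Name')] = $d.InnerText
        }
        if ($f['LogonType'] -ne '5') { return }      # 5 = service logon
        # SubStatus is the specific cause when set; otherwise fall back to Status.
        $code = $f['SubStatus']
        if (-not $code -or $code -eq '0x0') { $code = $f['Status'] }
        $why = 'Unmapped status: look up the NTSTATUS value'
        if ($code -and $Reasons.ContainsKey($code)) { $why = $Reasons[$code] }
        New-Object PSObject -Property @{
            Account = '{0}\{1}' -f $f['TargetDomainName'], $f['TargetUserName']
            Code    = $code
            Reason  = $why
        }
    }
}

# Constructed sample events (only the fields the function reads).
$t = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>' +
     '<Data Name="TargetUserName">svc-sso</Data><Data Name="TargetDomainName">CONTOSO</Data>' +
     '<Data Name="Status">{0}</Data><Data Name="SubStatus">{1}</Data>' +
     '<Data Name="LogonType">5</Data></EventData></Event>'
$samples = ($t -f '0xc000015b', '0x0'), ($t -f '0xc000006d', '0xc000006a')

$samples | Get-ServiceLogonFailureReason | Format-Table Account, Code, Reason -AutoSize

# Live use on the server that hosts the service (elevated prompt):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} |
#     ForEach-Object { $_.ToXml() } | Get-ServiceLogonFailureReason
```
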
  • Can you try again with the domain account after you successfully started the ENT SSO service with a local account? Usually, if everything is configured correctly and the SSO service is fine, you need to give the password again for the domain account. The message appears that the domain account has been given the right on the service, and then you can restart the service.

    Since you were able to start it with a local account, there must be nothing wrong with the configurations. You are also sure that the domain account was also part of the SSO administrators and had the rights over the SQL Server box and the databases. It's my guess that the domain user's password must have expired or been changed. Double check on this.


    Abdul Rafay - MVP & MCTS BizTalk Server
    blog: http://abdulrafaysbiztalk.wordpress.com/
    Please mark this as answer if it helps.
    Tuesday, April 06, 2010 7:35 AM

All replies

  • The service does not look at either of the 2 groups on the BizTalk or the SQL; it looks at the group on the Domain Controller, so you have to have an SSO group on the DC and add the user to it. It checks the account on the local group only if you're working with local accounts, like you did in the later trial.

    Regards...

    Ahmed Zakaria

    VTSP Microsoft BizTalk Server 

    Friday, March 26, 2010 12:11 AM
  • This behavior can occur for any of the following reasons:
    • The password is changed on the account the service is configured to use to log on.
    • The password data in the registry is damaged.
    • The right to log on as a service is revoked for the specified user account.

    http://support.microsoft.com/kb/259733


    Thanks, Raja
    Friday, March 26, 2010 4:31 AM
  • It may happen if your password for that BizTalk user is expired or your BizTalk ESSO database is corrupted. Normally the second option does not occur so often.

    Can you try updating the UserId and Password within the LogOn tab of the E SSO service in Windows?

    regards

    joon

    Friday, March 26, 2010 11:09 AM
  • Hi Steef-Jan,

    Thanks for the feedback. We are running BizTalk 2009, but we are running on W2K8. I will re-read page 14, I am sure I missed something.

    Scott

    Friday, March 26, 2010 3:20 PM