Domain user account Biztalk multi computer environment

  • Question


  • Earlier we had BizTalk Server 2006 R2 and SQL Server 2005 installed on a single server.
    So we used a local user account to run the BizTalk host instance, and
    this local user account is used for configuring the X509 certificate and also the application pool on IIS associated with the BizTalk HTTP Receive location.
    Recently we transitioned to a multi-computer environment where BizTalk Server 2010 is installed on one server and SQL Server 2008 R2 on another server.
    So since it's a multi-computer environment now, we switched to a domain user account to run the host instance.

    My question#1 is: Can x509 certificates(private/public) be configured under the domain user account?
    I was under the assumption that X509 certificates should be installed and configured only under local user account. Is this assumption wrong? Can I configure it under the domain user account and will I have any issues with it?

    My question#2 is: Can the IIS application pool associated with the BizTalk HTTP receive location also be configured under the domain user account?

    Appreciate any inputs. Thanks!

    Tuesday, January 29, 2013 9:30 PM

Answers

  • #1 BizTalk domain service accounts work with x509 certificates.

    See this article in MSDN.

    #2 See this article, it might help.

    Also I would recommend the article by Richard Seroter.


    Leonid Ganeline [BizTalk MVP] BizTalk: Internals: Namespaces


    Tuesday, January 29, 2013 11:13 PM
    Moderator
  • To answer your questions:

    1. Yes, X.509 certificates can be configured under domain user accounts. You must remember however that the domain profile is computer specific, and in case the same account is being used from multiple servers, then the certificates must be installed against the domain user account on ALL machines.
    2. Yes. The Application Pool identity is a Windows account; local or domain does not make a difference. In case of NLB only domain accounts would work. Also remember that the Domain Account you use for the Application pool identity should be a member of the local IIS_WPG Group and should also be a part of the BizTalk Isolated Host Users group for this to work.

    Regards.

    Wednesday, January 30, 2013 4:18 AM
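The two requirements in the answer above (the certificate must be present in the domain account's personal store on every BizTalk machine, and the application pool identity must be in the local IIS_WPG and BizTalk Isolated Host Users groups) are easy to get wrong on one box out of several. The following PowerShell pre-flight check is an added example, not code from the thread or from the BizTalk product: it verifies local group membership for the account, lists which IIS application pools run as it, and, when executed as that account, confirms the certificate with the given thumbprint is in `Cert:\CurrentUser\My` with a private key. The account name, thumbprint and group names are hypothetical parameters; on IIS 7 and later the worker-process group is `IIS_IUSRS` rather than `IIS_WPG`, so adjust `-RequiredGroups` accordingly.

```powershell
# Added example: per-machine pre-flight check for a BizTalk isolated host / IIS app pool
# service account. Run it on EVERY BizTalk server, because the per-user certificate
# store is machine specific. All default values below are hypothetical placeholders.
param(
    [string]$Account    = 'CONTOSO\svc_btsisolated',   # hypothetical domain service account
    [string]$Thumbprint = '<THUMBPRINT-PLACEHOLDER>',  # thumbprint of the X.509 cert to verify
    [string[]]$RequiredGroups = @('IIS_WPG', 'BizTalk Isolated Host Users')
)

function Test-LocalGroupMembership {
    param([string]$Group, [string]$Member)
    # The WinNT ADSI provider exposes local group members as ADsPaths such as
    # WinNT://CONTOSO/svc_btsisolated; normalise those to DOMAIN\name for comparison.
    $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    try {
        $members = @($grp.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })
    } catch {
        Write-Warning "Group '$Group' does not exist on $env:COMPUTERNAME"
        return $false
    }
    $normalised = $members | ForEach-Object { ($_ -replace '^WinNT://', '') -replace '/', '\' }
    return [bool]($normalised -contains $Member)   # -contains is case-insensitive
}

function Test-UserCertificate {
    param([string]$Thumbprint, [string]$ExpectedUser)
    # The personal store is per user, so this only proves anything when the script
    # itself runs under the service account (e.g. via runas /user:DOMAIN\account).
    $current = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ($current -ne $ExpectedUser) {
        Write-Warning "Running as $current, not $ExpectedUser; re-run as the service account to check its store."
        return $null
    }
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { return $false }
    return [bool]$cert.HasPrivateKey   # a cert without its private key cannot sign/decrypt
}

# 1. Group membership required for the isolated host / app pool identity.
foreach ($g in $RequiredGroups) {
    $ok = Test-LocalGroupMembership -Group $g -Member $Account
    "{0,-32} member of '{1}': {2}" -f $Account, $g, $ok
}

# 2. Which application pools actually run as this account (needs the IIS PowerShell module).
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $pools = Get-ChildItem IIS:\AppPools | Where-Object { $_.processModel.userName -eq $Account }
    if ($pools) { "App pools running as ${Account}: " + (($pools | ForEach-Object { $_.name }) -join ', ') }
    else        { "No application pool on $env:COMPUTERNAME runs as $Account" }
}

# 3. Certificate presence in the account's personal store (only meaningful as that account).
$certOk = Test-UserCertificate -Thumbprint $Thumbprint -ExpectedUser $Account
if ($certOk -ne $null) { "Certificate $Thumbprint with private key in CurrentUser\My: $certOk" }
```

Run it once per server as an administrator for the group and app pool checks, then once more as the service account (for example under `runas`) so the certificate store check is evaluated against the right profile; a `False` on any line is the misconfiguration the thread warns about.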

All replies

  • Thanks all for your responses.

    ShankyCheil, in case I am using same domain account for Dev, Test and Prod servers, then can I configure three X509 private keys in the personal store of the same domain account? Isn't there any limitation such as only one private key in personal store of a given account?

    Wednesday, January 30, 2013 5:01 PM
  • As long as there are different physical servers associated with each of your environments, you can use the same certificates (as there are no restrictions on where the individual X.509 certificates may be used).

    I would however recommend that you set up an internal CA (Windows Certificate Services running in standalone mode) for X.509 certificates used within the Development & Test environments. Depending on your use of the Test Environment (only System Integration Testing or more from a QA standpoint, a.k.a. pre-production and UAT) you could choose to go with the production certificates or the internal certificates.

    Regards.

    Thursday, January 31, 2013 4:46 AM