Hi,

I've seen this problem in other newsgroup posts but haven't been able to
find one with an answer.  Hence another question!

I've got Biztalk set up across two boxes: box1 has Biztalk and Sharepoint
and box2 has SQLServer.  I'm not using active directory and hence have had t
o
set up the same user (BTSAdmin) on both boxes and give this user access to
all of the correct groups on both boxes.  Everything works fine in BT except
for some features of HAT.  Basically I can get information in HAT about
service instances, messages, and historical transactions (including viewing
the orchstration debugger) but I can't attach to an instance that is in a
breakpoint in order to debug.  Basically when I try to attach I get the
message:

'Debugging user validation against group 'Box2\BizTalk Server
Administrators' failed with error: Debuging Client is not a BizTalk Server
Administrator.'

I've checked and double-checked and BTSAdmin is a member of BizTalk Server
Administrators on Box2.  As far as I can tell BTSAdmin is also the user that
is running HAT (from looking in the processes view of task manager).

Can anybody help me with this as I have a small error somewhere in my
orchestration but currently can't debug !

Thanks again

Ian

[ Post a follow-up to this message ]

Hi Ian, it may be the way you have the accounts setup that is causing this
issue.  When using multiple machines with BizTalk 2004 it's required to use
domain accounts and users.  We only support using local groups and users if
it's a single machine install with BizTalk, SQL, etc all on one box.
Anytime you have multiple BizTalk servers, or a component such as SQL is
remote you must use domain groups and users.

If you set the machines up in a domain and use domain users and groups does
this problem still occur?

Larry Franks

This posting is provided "AS IS" with no warranties,and confers no rights.
Subscribe at
http://support.microsoft.com/defaul...msdn/nospam.asp
&SD=msdn
--------------------
| Thread-Topic: HAT debugging issue
| thread-index: AcSXI8ieyiqCG1odSyKWKQWGyafBuA==
| X-WBNR-Posting-Host: 194.63.116.72
| From: examnotes
<ian.thomas@online.nospam>
| Subject: HAT debugging issue
| Date: Fri, 10 Sep 2004 03:49:01 -0700
| Lines: 29
| Message-ID: <E2135584-82F1-4E08-8C11-B5839E02CF32@microsoft.com>
| MIME-Version: 1.0
| Content-Type: text/plain;
| 	charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.public.biztalk.tools
| NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
| Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: cpmsftngxa10.phx.gbl microsoft.public.biztalk.tools:4041
| X-Tomcat-NG: microsoft.public.biztalk.tools
|
| Hi,
|
| I've seen this problem in other newsgroup posts but haven't been able to
| find one with an answer.  Hence another question!
|
| I've got Biztalk set up across two boxes: box1 has Biztalk and Sharepoint
| and box2 has SQLServer.  I'm not using active directory and hence have
had to
| set up the same user (BTSAdmin) on both boxes and give this user access
to
| all of the correct groups on both boxes.  Everything works fine in BT
except
| for some features of HAT.  Basically I can get information in HAT about
| service instances, messages, and historical transactions (including
viewing
| the orchstration debugger) but I can't attach to an instance that is in a
| breakpoint in order to debug.  Basically when I try to attach I get the
| message:
|
| 'Debugging user validation against group 'Box2\BizTalk Server
| Administrators' failed with error: Debuging Client is not a BizTalk
Server
| Administrator.'
|
| I've checked and double-checked and BTSAdmin is a member of BizTalk
Server
| Administrators on Box2.  As far as I can tell BTSAdmin is also the user
that
| is running HAT (from looking in the processes view of task manager).
|
| Can anybody help me with this as I have a small error somewhere in my
| orchestration but currently can't debug !
|
| Thanks again
|
| Ian
|

[ Post a follow-up to this message ]

Larry,

Thanks for the response.  I can confirm that the accounts are domain
accounts (i.e. each box is its own domain) but they are not in an overall
domain.  However, our setup is:

- BoxA is in domain A and has a full Biztalk installation
- Box B is in domain B and has sql server installed.

Each domain has the same BTSAdmin username registered within the domain with
the same password and group memberships (i.e. on both domains BTSAdmin is in
all of the Biztalk groups).

Should that work (it seems to suggest in the docs that it should as long as
the usernames and group memberships are the same across both) or do I need t
o
setup a domain controller and make both boxes part of a single domain?

If the latter why does everything access SQL successfully bar the debugger?
To be honest I'm quite close to a big demo and so don't want to risk it for
the sake of the debugger, but also am finding it difficult fixing errors at
the moment !

Thanks again

Ian


""larry franks"" wrote:

> Hi Ian, it may be the way you have the accounts setup that is causing this
> issue.  When using multiple machines with BizTalk 2004 it's required to us
e
> domain accounts and users.  We only support using local groups and users i
f
> it's a single machine install with BizTalk, SQL, etc all on one box.
> Anytime you have multiple BizTalk servers, or a component such as SQL is
> remote you must use domain groups and users.
>
> If you set the machines up in a domain and use domain users and groups doe
s
> this problem still occur?
>
> Larry Franks
>
> This posting is provided "AS IS" with no warranties,and confers no rights.
> Subscribe at
> [url]http://support.microsoft.com/default.aspx?scid=/servicedesks/msdn/nospam.asp[/ur
l]
> &SD=msdn
> --------------------
> | Thread-Topic: HAT debugging issue
> | thread-index: AcSXI8ieyiqCG1odSyKWKQWGyafBuA==
> | X-WBNR-Posting-Host: 194.63.116.72
> | From: examnotes
> <ian.thomas@online.nospam>
> | Subject: HAT debugging issue
> | Date: Fri, 10 Sep 2004 03:49:01 -0700
> | Lines: 29
> | Message-ID: <E2135584-82F1-4E08-8C11-B5839E02CF32@microsoft.com>
> | MIME-Version: 1.0
> | Content-Type: text/plain;
> | 	charset="Utf-8"
> | Content-Transfer-Encoding: 7bit
> | X-Newsreader: Microsoft CDO for Windows 2000
> | Content-Class: urn:content-classes:message
> | Importance: normal
> | Priority: normal
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> | Newsgroups: microsoft.public.biztalk.tools
> | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
> | Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
> | Xref: cpmsftngxa10.phx.gbl microsoft.public.biztalk.tools:4041
> | X-Tomcat-NG: microsoft.public.biztalk.tools
> |
> | Hi,
> |
> | I've seen this problem in other newsgroup posts but haven't been able to
> | find one with an answer.  Hence another question!
> |
> | I've got Biztalk set up across two boxes: box1 has Biztalk and Sharepoin
t
> | and box2 has SQLServer.  I'm not using active directory and hence have
> had to
> | set up the same user (BTSAdmin) on both boxes and give this user access
> to
> | all of the correct groups on both boxes.  Everything works fine in BT
> except
> | for some features of HAT.  Basically I can get information in HAT about
> | service instances, messages, and historical transactions (including
> viewing
> | the orchstration debugger) but I can't attach to an instance that is in 
a
> | breakpoint in order to debug.  Basically when I try to attach I get the
> | message:
> |
> | 'Debugging user validation against group 'Box2\BizTalk Server
> | Administrators' failed with error: Debuging Client is not a BizTalk
> Server
> | Administrator.'
> |
> | I've checked and double-checked and BTSAdmin is a member of BizTalk
> Server
> | Administrators on Box2.  As far as I can tell BTSAdmin is also the user
> that
> | is running HAT (from looking in the processes view of task manager).
> |
> | Can anybody help me with this as I have a small error somewhere in my
> | orchestration but currently can't debug !
> |
> | Thanks again
> |
> | Ian
> |
>
>

[ Post a follow-up to this message ]

If there are two domains then I would expect a domain trust relationship
and use accounts/groups from one domain for rights to everything BizTalk.
What it sounds like currently is that you are using passthrough accounts,
only on a domain level (each machine has a biztalksvc account with the same
password.)  I'm 90% certain this isn't a tested scenario for product
configuration.

Consider that some api's will use the domain\username when passing
credentials.  If this is the case then domaina\biztalk isn't = to
domainb\biztalk.  Passthrough authentication only works when passing
username and password, basically leaving off the domain/machine identifier
from the credentials.

I can ask the product group for clarification on this, but I'm pretty
certain the answer will be that passthrough accounts, either local or on a
domain level, are untested/unsupported.

Larry Franks

This posting is provided "AS IS" with no warranties,and confers no rights.
Subscribe at
http://support.microsoft.com/defaul...msdn/nospam.asp
&SD=msdn
--------------------
| Thread-Topic: HAT debugging issue
| thread-index: AcSXO0QXuO5E1wGFRzKoiiJ4qsbrPw==
| X-WBNR-Posting-Host: 194.63.116.72
| From: examnotes
<ian.thomas@online.nospam>
| References:  <E2135584-82F1-4E08-8C11-B5839E02CF32@microsoft.com>
<q#qMwfzlEHA.2476@cpmsftngxa10.phx.gbl>
| Subject: RE: HAT debugging issue
| Date: Fri, 10 Sep 2004 06:37:07 -0700
| Lines: 109
| Message-ID: <32DC2556-5CE6-407F-9510-F291C2E3679E@microsoft.com>
| MIME-Version: 1.0
| Content-Type: text/plain;
| 	charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.public.biztalk.tools
| NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
| Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: cpmsftngxa10.phx.gbl microsoft.public.biztalk.tools:4043
| X-Tomcat-NG: microsoft.public.biztalk.tools
|
| Larry,
|
| Thanks for the response.  I can confirm that the accounts are domain
| accounts (i.e. each box is its own domain) but they are not in an overall
| domain.  However, our setup is:
|
| - BoxA is in domain A and has a full Biztalk installation
| - Box B is in domain B and has sql server installed.
|
| Each domain has the same BTSAdmin username registered within the domain
with
| the same password and group memberships (i.e. on both domains BTSAdmin is
in
| all of the Biztalk groups).
|
| Should that work (it seems to suggest in the docs that it should as long
as
| the usernames and group memberships are the same across both) or do I
need to
| setup a domain controller and make both boxes part of a single domain?
|
| If the latter why does everything access SQL successfully bar the
debugger?
| To be honest I'm quite close to a big demo and so don't want to risk it
for
| the sake of the debugger, but also am finding it difficult fixing errors
at
| the moment !
|
| Thanks again
|
| Ian
|
|
| ""larry franks"" wrote:
|
| > Hi Ian, it may be the way you have the accounts setup that is causing
this
| > issue.  When using multiple machines with BizTalk 2004 it's required to
use
| > domain accounts and users.  We only support using local groups and
users if
| > it's a single machine install with BizTalk, SQL, etc all on one box.
| > Anytime you have multiple BizTalk servers, or a component such as SQL
is
| > remote you must use domain groups and users.
| >
| > If you set the machines up in a domain and use domain users and groups
does
| > this problem still occur?
| >
| > Larry Franks
| >
| > This posting is provided "AS IS" with no warranties,and confers no
rights.
| > Subscribe at
| >
http://support.microsoft.com/defaul...msdn/nospam.asp
| > &SD=msdn
| > --------------------
| > | Thread-Topic: HAT debugging issue
| > | thread-index: AcSXI8ieyiqCG1odSyKWKQWGyafBuA==
| > | X-WBNR-Posting-Host: 194.63.116.72
| > | From: examnotes
| > <ian.thomas@online.nospam>
| > | Subject: HAT debugging issue
| > | Date: Fri, 10 Sep 2004 03:49:01 -0700
| > | Lines: 29
| > | Message-ID: <E2135584-82F1-4E08-8C11-B5839E02CF32@microsoft.com>
| > | MIME-Version: 1.0
| > | Content-Type: text/plain;
| > | 	charset="Utf-8"
| > | Content-Transfer-Encoding: 7bit
| > | X-Newsreader: Microsoft CDO for Windows 2000
| > | Content-Class: urn:content-classes:message
| > | Importance: normal
| > | Priority: normal
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| > | Newsgroups: microsoft.public.biztalk.tools
| > | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
| > | Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
| > | Xref: cpmsftngxa10.phx.gbl microsoft.public.biztalk.tools:4041
| > | X-Tomcat-NG: microsoft.public.biztalk.tools
| > |
| > | Hi,
| > |
| > | I've seen this problem in other newsgroup posts but haven't been able
to
| > | find one with an answer.  Hence another question!
| > |
| > | I've got Biztalk set up across two boxes: box1 has Biztalk and
Sharepoint
| > | and box2 has SQLServer.  I'm not using active directory and hence
have
| > had to
| > | set up the same user (BTSAdmin) on both boxes and give this user
access
| > to
| > | all of the correct groups on both boxes.  Everything works fine in BT
| > except
| > | for some features of HAT.  Basically I can get information in HAT
about
| > | service instances, messages, and historical transactions (including
| > viewing
| > | the orchstration debugger) but I can't attach to an instance that is
in a
| > | breakpoint in order to debug.  Basically when I try to attach I get
the
| > | message:
| > |
| > | 'Debugging user validation against group 'Box2\BizTalk Server
| > | Administrators' failed with error: Debuging Client is not a BizTalk
| > Server
| > | Administrator.'
| > |
| > | I've checked and double-checked and BTSAdmin is a member of BizTalk
| > Server
| > | Administrators on Box2.  As far as I can tell BTSAdmin is also the
user
| > that
| > | is running HAT (from looking in the processes view of task manager).
| > |
| > | Can anybody help me with this as I have a small error somewhere in my
| > | orchestration but currently can't debug !
| > |
| > | Thanks again
| > |
| > | Ian
| > |
| >
| >
|

[ Post a follow-up to this message ]

Larry,

Thanks again.  Looks like I'll just have to give up for the moment as I
don't want to mess with my environment.  How do I set up a domain trust
relationship in case I do decide to make some changes later on? (My knowledg
e
of windows security is woeful).

Thanks again

Ian

""larry franks"" wrote:

> If there are two domains then I would expect a domain trust relationship
> and use accounts/groups from one domain for rights to everything BizTalk.
> What it sounds like currently is that you are using passthrough accounts,
> only on a domain level (each machine has a biztalksvc account with the sam
e
> password.)  I'm 90% certain this isn't a tested scenario for product
> configuration.
>
> Consider that some api's will use the domain\username when passing
> credentials.  If this is the case then domaina\biztalk isn't = to
> domainb\biztalk.  Passthrough authentication only works when passing
> username and password, basically leaving off the domain/machine identifier
> from the credentials.
>
> I can ask the product group for clarification on this, but I'm pretty
> certain the answer will be that passthrough accounts, either local or on a
> domain level, are untested/unsupported.
>
> Larry Franks
>
> This posting is provided "AS IS" with no warranties,and confers no rights.
> Subscribe at
> [url]http://support.microsoft.com/default.aspx?scid=/servicedesks/msdn/nospam.asp[/ur
l]
> &SD=msdn
> --------------------
> | Thread-Topic: HAT debugging issue
> | thread-index: AcSXO0QXuO5E1wGFRzKoiiJ4qsbrPw==
> | X-WBNR-Posting-Host: 194.63.116.72
> | From: examnotes
> <ian.thomas@online.nospam>
> | References:  <E2135584-82F1-4E08-8C11-B5839E02CF32@microsoft.com>
> <q#qMwfzlEHA.2476@cpmsftngxa10.phx.gbl>
> | Subject: RE: HAT debugging issue
> | Date: Fri, 10 Sep 2004 06:37:07 -0700
> | Lines: 109
> | Message-ID: <32DC2556-5CE6-407F-9510-F291C2E3679E@microsoft.com>
> | MIME-Version: 1.0
> | Content-Type: text/plain;
> | 	charset="Utf-8"
> | Content-Transfer-Encoding: 7bit
> | X-Newsreader: Microsoft CDO for Windows 2000
> | Content-Class: urn:content-classes:message
> | Importance: normal
> | Priority: normal
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> | Newsgroups: microsoft.public.biztalk.tools
> | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
> | Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
> | Xref: cpmsftngxa10.phx.gbl microsoft.public.biztalk.tools:4043
> | X-Tomcat-NG: microsoft.public.biztalk.tools
> |
> | Larry,
> |
> | Thanks for the response.  I can confirm that the accounts are domain
> | accounts (i.e. each box is its own domain) but they are not in an overal
l
> | domain.  However, our setup is:
> |
> | - BoxA is in domain A and has a full Biztalk installation
> | - Box B is in domain B and has sql server installed.
> |
> | Each domain has the same BTSAdmin username registered within the domain
> with
> | the same password and group memberships (i.e. on both domains BTSAdmin i
s
> in
> | all of the Biztalk groups).
> |
> | Should that work (it seems to suggest in the docs that it should as long
> as
> | the usernames and group memberships are the same across both) or do I
> need to
> | setup a domain controller and make both boxes part of a single domain?
> |
> | If the latter why does everything access SQL successfully bar the
> debugger?
> | To be honest I'm quite close to a big demo and so don't want to risk it
> for
> | the sake of the debugger, but also am finding it difficult fixing errors
> at
> | the moment !
> |
> | Thanks again
> |
> | Ian
> |
> |
> | ""larry franks"" wrote:
> |
> | > Hi Ian, it may be the way you have the accounts setup that is causing
> this
> | > issue.  When using multiple machines with BizTalk 2004 it's required t
o
> use
> | > domain accounts and users.  We only support using local groups and
> users if
> | > it's a single machine install with BizTalk, SQL, etc all on one box.
> | > Anytime you have multiple BizTalk servers, or a component such as SQL
> is
> | > remote you must use domain groups and users.
> | >
> | > If you set the machines up in a domain and use domain users and groups
> does
> | > this problem still occur?
> | >
> | > Larry Franks
> | >
> | > This posting is provided "AS IS" with no warranties,and confers no
> rights.
> | > Subscribe at
> | >
> [url]http://support.microsoft.com/default.aspx?scid=/servicedesks/msdn/nospam.asp[/ur
l]
> | > &SD=msdn
> | > --------------------
> | > | Thread-Topic: HAT debugging issue
> | > | thread-index: AcSXI8ieyiqCG1odSyKWKQWGyafBuA==
> | > | X-WBNR-Posting-Host: 194.63.116.72
> | > | From: examnotes
> | > <ian.thomas@online.nospam>
> | > | Subject: HAT debugging issue
> | > | Date: Fri, 10 Sep 2004 03:49:01 -0700
> | > | Lines: 29
> | > | Message-ID: <E2135584-82F1-4E08-8C11-B5839E02CF32@microsoft.com>
> | > | MIME-Version: 1.0
> | > | Content-Type: text/plain;
> | > | 	charset="Utf-8"
> | > | Content-Transfer-Encoding: 7bit
> | > | X-Newsreader: Microsoft CDO for Windows 2000
> | > | Content-Class: urn:content-classes:message
> | > | Importance: normal
> | > | Priority: normal
> | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> | > | Newsgroups: microsoft.public.biztalk.tools
> | > | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
> | > | Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
> | > | Xref: cpmsftngxa10.phx.gbl microsoft.public.biztalk.tools:4041
> | > | X-Tomcat-NG: microsoft.public.biztalk.tools
> | > |
> | > | Hi,
> | > |
> | > | I've seen this problem in other newsgroup posts but haven't been abl
e
> to
> | > | find one with an answer.  Hence another question!
> | > |
> | > | I've got Biztalk set up across two boxes: box1 has Biztalk and
> Sharepoint
> | > | and box2 has SQLServer.  I'm not using active directory and hence
> have
> | > had to
> | > | set up the same user (BTSAdmin) on both boxes and give this user
> access
> | > to
> | > | all of the correct groups on both boxes.  Everything works fine in B
T
> | > except
> | > | for some features of HAT.  Basically I can get information in HAT
> about
> | > | service instances, messages, and historical transactions (including
> | > viewing
> | > | the orchstration debugger) but I can't attach to an instance that is
> in a
> | > | breakpoint in order to debug.  Basically when I try to attach I get
> the
> | > | message:
> | > |
> | > | 'Debugging user validation against group 'Box2\BizTalk Server
> | > | Administrators' failed with error: Debuging Client is not a BizTalk
> | > Server
> | > | Administrator.'
> | > |
> | > | I've checked and double-checked and BTSAdmin is a member of BizTalk
> | > Server
> | > | Administrators on Box2.  As far as I can tell BTSAdmin is also the
> user
> | > that
> | > | is running HAT (from looking in the processes view of task manager).
> | > |
> | > | Can anybody help me with this as I have a small error somewhere in m
y
> | > | orchestration but currently can't debug !
> | > |
> | > | Thanks again
> | > |
> | > | Ian
> | > |
> | >
> | >
> |
>
>

[ Post a follow-up to this message ]

http://www.microsoft.com/windows200...fault.asp?url=/
windows2000/techinfo/reskit/en-us/deploy/dgbe_sec_ztsn.asp gives an
overview of domain trusts, and
http://www.microsoft.com/windows200....asp?url=/windo
ws2000/en/advanced/help/domadmin_create_explicit_domain_trust.htm has some
information also.  Beyond this I don't have much information.  For setting
up or troubleshooting trust issues we normally send cases to the Platform
support group.

In this case it sounds like we should be creating a trust so that at the
least the domain SQL is in trusts the BizTalk domain and can allow BizTalk
accounts to authenticate to SQL.  You may also have to modify the roles we
create in SQL since those should have the domain groups for BizTalk as
members.  Simplest scenario would be reconfiguring BizTalk from scratch
after making sure that the domain users/groups can access SQL resources.

Larry Franks

This posting is provided "AS IS" with no warranties,and confers no rights.
Subscribe at
http://support.microsoft.com/defaul...msdn/nospam.asp
&SD=msdn
--------------------
| Thread-Topic: HAT debugging issue
| thread-index: AcSXQSA9WHF+HI5dSsSxolzbjmwu3Q==
| X-WBNR-Posting-Host: 194.63.116.72
| From: examnotes
<ian.thomas@online.nospam>
| References:  <E2135584-82F1-4E08-8C11-B5839E02CF32@microsoft.com>
<q#qMwfzlEHA.2476@cpmsftngxa10.phx.gbl>
<32DC2556-5CE6-407F-9510-F291C2E3679E@microsoft.com>
<cwrzLA0lEHA.3024@cpmsftngxa10.phx.gbl>
| Subject: RE: HAT debugging issue
| Date: Fri, 10 Sep 2004 07:19:04 -0700
| Lines: 197
| Message-ID: <B654B207-A2A3-4794-A4F9-F152ECF5ACBB@microsoft.com>
| MIME-Version: 1.0
| Content-Type: text/plain;
| 	charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.public.biztalk.tools
| NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
| Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: cpmsftngxa10.phx.gbl microsoft.public.biztalk.tools:4045
| X-Tomcat-NG: microsoft.public.biztalk.tools
|
| Larry,
|
| Thanks again.  Looks like I'll just have to give up for the moment as I
| don't want to mess with my environment.  How do I set up a domain trust
| relationship in case I do decide to make some changes later on? (My
knowledge
| of windows security is woeful).
|
| Thanks again
|
| Ian
|
| ""larry franks"" wrote:
|
| > If there are two domains then I would expect a domain trust
relationship
| > and use accounts/groups from one domain for rights to everything
BizTalk.
| > What it sounds like currently is that you are using passthrough
accounts,
| > only on a domain level (each machine has a biztalksvc account with the
same
| > password.)  I'm 90% certain this isn't a tested scenario for product
| > configuration.
| >
| > Consider that some api's will use the domain\username when passing
| > credentials.  If this is the case then domaina\biztalk isn't = to
| > domainb\biztalk.  Passthrough authentication only works when passing
| > username and password, basically leaving off the domain/machine
identifier
| > from the credentials.
| >
| > I can ask the product group for clarification on this, but I'm pretty
| > certain the answer will be that passthrough accounts, either local or
on a
| > domain level, are untested/unsupported.
| >
| > Larry Franks
| >
| > This posting is provided "AS IS" with no warranties,and confers no
rights.
| > Subscribe at
| >
http://support.microsoft.com/defaul...msdn/nospam.asp
| > &SD=msdn
| > --------------------
| > | Thread-Topic: HAT debugging issue
| > | thread-index: AcSXO0QXuO5E1wGFRzKoiiJ4qsbrPw==
| > | X-WBNR-Posting-Host: 194.63.116.72
| > | From: examnotes
| > <ian.thomas@online.nospam>
| > | References:  <E2135584-82F1-4E08-8C11-B5839E02CF32@microsoft.com>
| > <q#qMwfzlEHA.2476@cpmsftngxa10.phx.gbl>
| > | Subject: RE: HAT debugging issue
| > | Date: Fri, 10 Sep 2004 06:37:07 -0700
| > | Lines: 109
| > | Message-ID: <32DC2556-5CE6-407F-9510-F291C2E3679E@microsoft.com>
| > | MIME-Version: 1.0
| > | Content-Type: text/plain;
| > | 	charset="Utf-8"
| > | Content-Transfer-Encoding: 7bit
| > | X-Newsreader: Microsoft CDO for Windows 2000
| > | Content-Class: urn:content-classes:message
| > | Importance: normal
| > | Priority: normal
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| > | Newsgroups: microsoft.public.biztalk.tools
| > | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
| > | Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
| > | Xref: cpmsftngxa10.phx.gbl microsoft.public.biztalk.tools:4043
| > | X-Tomcat-NG: microsoft.public.biztalk.tools
| > |
| > | Larry,
| > |
| > | Thanks for the response.  I can confirm that the accounts are domain
| > | accounts (i.e. each box is its own domain) but they are not in an
overall
| > | domain.  However, our setup is:
| > |
| > | - BoxA is in domain A and has a full Biztalk installation
| > | - Box B is in domain B and has sql server installed.
| > |
| > | Each domain has the same BTSAdmin username registered within the
domain
| > with
| > | the same password and group memberships (i.e. on both domains
BTSAdmin is
| > in
| > | all of the Biztalk groups).
| > |
| > | Should that work (it seems to suggest in the docs that it should as
long
| > as
| > | the usernames and group memberships are the same across both) or do I
| > need to
| > | setup a domain controller and make both boxes part of a single domain?
| > |
| > | If the latter why does everything access SQL successfully bar the
| > debugger?
| > | To be honest I'm quite close to a big demo and so don't want to risk
it
| > for
| > | the sake of the debugger, but also am finding it difficult fixing
errors
| > at
| > | the moment !
| > |
| > | Thanks again
| > |
| > | Ian
| > |
| > |
| > | ""larry franks"" wrote:
| > |
| > | > Hi Ian, it may be the way you have the accounts setup that is
causing
| > this
| > | > issue.  When using multiple machines with BizTalk 2004 it's
required to
| > use
| > | > domain accounts and users.  We only support using local groups and
| > users if
| > | > it's a single machine install with BizTalk, SQL, etc all on one
box.
| > | > Anytime you have multiple BizTalk servers, or a component such as
SQL
| > is
| > | > remote you must use domain groups and users.
| > | >
| > | > If you set the machines up in a domain and use domain users and
groups
| > does
| > | > this problem still occur?
| > | >
| > | > Larry Franks
| > | >
| > | > This posting is provided "AS IS" with no warranties,and confers no
| > rights.
| > | > Subscribe at
| > | >
| >
http://support.microsoft.com/defaul...msdn/nospam.asp
| > | > &SD=msdn
| > | > --------------------
| > | > | Thread-Topic: HAT debugging issue
| > | > | thread-index: AcSXI8ieyiqCG1odSyKWKQWGyafBuA==
| > | > | X-WBNR-Posting-Host: 194.63.116.72
| > | > | From: examnotes
| > | > <ian.thomas@online.nospam>
| > | > | Subject: HAT debugging issue
| > | > | Date: Fri, 10 Sep 2004 03:49:01 -0700
| > | > | Lines: 29
| > | > | Message-ID: <E2135584-82F1-4E08-8C11-B5839E02CF32@microsoft.com>
| > | > | MIME-Version: 1.0
| > | > | Content-Type: text/plain;
| > | > | 	charset="Utf-8"
| > | > | Content-Transfer-Encoding: 7bit
| > | > | X-Newsreader: Microsoft CDO for Windows 2000
| > | > | Content-Class: urn:content-classes:message
| > | > | Importance: normal
| > | > | Priority: normal
| > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| > | > | Newsgroups: microsoft.public.biztalk.tools
| > | > | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
| > | > | Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
| > | > | Xref: cpmsftngxa10.phx.gbl microsoft.public.biztalk.tools:4041
| > | > | X-Tomcat-NG: microsoft.public.biztalk.tools
| > | > |
| > | > | Hi,
| > | > |
| > | > | I've seen this problem in other newsgroup posts but haven't been
able
| > to
| > | > | find one with an answer.  Hence another question!
| > | > |
| > | > | I've got Biztalk set up across two boxes: box1 has Biztalk and
| > Sharepoint
| > | > | and box2 has SQLServer.  I'm not using active directory and hence
| > have
| > | > had to
| > | > | set up the same user (BTSAdmin) on both boxes and give this user
| > access
| > | > to
| > | > | all of the correct groups on both boxes.  Everything works fine
in BT
| > | > except
| > | > | for some features of HAT.  Basically I can get information in HAT
| > about
| > | > | service instances, messages, and historical transactions
(including
| > | > viewing
| > | > | the orchstration debugger) but I can't attach to an instance that
is
| > in a
| > | > | breakpoint in order to debug.  Basically when I try to attach I
get
| > the
| > | > | message:
| > | > |
| > | > | 'Debugging user validation against group 'Box2\BizTalk Server
| > | > | Administrators' failed with error: Debuging Client is not a
BizTalk
| > | > Server
| > | > | Administrator.'
| > | > |
| > | > | I've checked and double-checked and BTSAdmin is a member of
BizTalk
| > | > Server
| > | > | Administrators on Box2.  As far as I can tell BTSAdmin is also
the
| > user
| > | > that
| > | > | is running HAT (from looking in the processes view of task
manager).
| > | > |
| > | > | Can anybody help me with this as I have a small error somewhere
in my
| > | > | orchestration but currently can't debug !
| > | > |
| > | > | Thanks again
| > | > |
| > | > | Ian
| > | > |
| > | >
| > | >
| > |
| >
| >
|

[ Post a follow-up to this message ]

Thanks Larry.  I'll investigate this more!

""larry franks"" wrote:

> [url]http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/[/ur
l]
> windows2000/techinfo/reskit/en-us/deploy/dgbe_sec_ztsn.asp gives an
> overview of domain trusts, and
> [url]http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windo[/ur
l]
> ws2000/en/advanced/help/domadmin_create_explicit_domain_trust.htm has some
> information also.  Beyond this I don't have much information.  For setting
> up or troubleshooting trust issues we normally send cases to the Platform
> support group.
>
> In this case it sounds like we should be creating a trust so that at the
> least the domain SQL is in trusts the BizTalk domain and can allow BizTalk
> accounts to authenticate to SQL.  You may also have to modify the roles we
> create in SQL since those should have the domain groups for BizTalk as
> members.  Simplest scenario would be reconfiguring BizTalk from scratch
> after making sure that the domain users/groups can access SQL resources.
>
> Larry Franks
>
> This posting is provided "AS IS" with no warranties,and confers no rights.
> Subscribe at
> [url]http://support.microsoft.com/default.aspx?scid=/servicedesks/msdn/nospam.asp[/ur
l]
> &SD=msdn
> --------------------
> | Thread-Topic: HAT debugging issue
> | thread-index: AcSXQSA9WHF+HI5dSsSxolzbjmwu3Q==
> | X-WBNR-Posting-Host: 194.63.116.72
> | From: examnotes
> <ian.thomas@online.nospam>
> | References:  <E2135584-82F1-4E08-8C11-B5839E02CF32@microsoft.com>
> <q#qMwfzlEHA.2476@cpmsftngxa10.phx.gbl>
> <32DC2556-5CE6-407F-9510-F291C2E3679E@microsoft.com>
> <cwrzLA0lEHA.3024@cpmsftngxa10.phx.gbl>
> | Subject: RE: HAT debugging issue
> | Date: Fri, 10 Sep 2004 07:19:04 -0700
> | Lines: 197
> | Message-ID: <B654B207-A2A3-4794-A4F9-F152ECF5ACBB@microsoft.com>
> | MIME-Version: 1.0
> | Content-Type: text/plain;
> | 	charset="Utf-8"
> | Content-Transfer-Encoding: 7bit
> | X-Newsreader: Microsoft CDO for Windows 2000
> | Content-Class: urn:content-classes:message
> | Importance: normal
> | Priority: normal
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> | Newsgroups: microsoft.public.biztalk.tools
> | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
> | Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
> | Xref: cpmsftngxa10.phx.gbl microsoft.public.biztalk.tools:4045
> | X-Tomcat-NG: microsoft.public.biztalk.tools
> |
> | Larry,
> |
> | Thanks again.  Looks like I'll just have to give up for the moment as I
> | don't want to mess with my environment.  How do I set up a domain trust
> | relationship in case I do decide to make some changes later on? (My
> knowledge
> | of windows security is woeful).
> |
> | Thanks again
> |
> | Ian
> |
> | ""larry franks"" wrote:
> |
> | > If there are two domains then I would expect a domain trust
> relationship
> | > and use accounts/groups from one domain for rights to everything
> BizTalk.
> | > What it sounds like currently is that you are using passthrough
> accounts,
> | > only on a domain level (each machine has a biztalksvc account with the
> same
> | > password.)  I'm 90% certain this isn't a tested scenario for product
> | > configuration.
> | >
> | > Consider that some api's will use the domain\username when passing
> | > credentials.  If this is the case then domaina\biztalk isn't = to
> | > domainb\biztalk.  Passthrough authentication only works when passing
> | > username and password, basically leaving off the domain/machine
> identifier
> | > from the credentials.
> | >
> | > I can ask the product group for clarification on this, but I'm pretty
> | > certain the answer will be that passthrough accounts, either local or
> on a
> | > domain level, are untested/unsupported.
> | >
> | > Larry Franks
> | >
> | > This posting is provided "AS IS" with no warranties,and confers no
> rights.
> | > Subscribe at
> | >
> [url]http://support.microsoft.com/default.aspx?scid=/servicedesks/msdn/nospam.asp[/ur
l]
> | > &SD=msdn
> | > --------------------
> | > | Thread-Topic: HAT debugging issue
> | > | thread-index: AcSXO0QXuO5E1wGFRzKoiiJ4qsbrPw==
> | > | X-WBNR-Posting-Host: 194.63.116.72
> | > | From: examnotes
> | > <ian.thomas@online.nospam>
> | > | References:  <E2135584-82F1-4E08-8C11-B5839E02CF32@microsoft.com>
> | > <q#qMwfzlEHA.2476@cpmsftngxa10.phx.gbl>
> | > | Subject: RE: HAT debugging issue
> | > | Date: Fri, 10 Sep 2004 06:37:07 -0700
> | > | Lines: 109
> | > | Message-ID: <32DC2556-5CE6-407F-9510-F291C2E3679E@microsoft.com>
> | > | MIME-Version: 1.0
> | > | Content-Type: text/plain;
> | > | 	charset="Utf-8"
> | > | Content-Transfer-Encoding: 7bit
> | > | X-Newsreader: Microsoft CDO for Windows 2000
> | > | Content-Class: urn:content-classes:message
> | > | Importance: normal
> | > | Priority: normal
> | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> | > | Newsgroups: microsoft.public.biztalk.tools
> | > | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
> | > | Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
> | > | Xref: cpmsftngxa10.phx.gbl microsoft.public.biztalk.tools:4043
> | > | X-Tomcat-NG: microsoft.public.biztalk.tools
> | > |
> | > | Larry,
> | > |
> | > | Thanks for the response.  I can confirm that the accounts are domain
> | > | accounts (i.e. each box is its own domain) but they are not in an
> overall
> | > | domain.  However, our setup is:
> | > |
> | > | - BoxA is in domain A and has a full Biztalk installation
> | > | - Box B is in domain B and has sql server installed.
> | > |
> | > | Each domain has the same BTSAdmin username registered within the
> domain
> | > with
> | > | the same password and group memberships (i.e. on both domains
> BTSAdmin is
> | > in
> | > | all of the Biztalk groups).
> | > |
> | > | Should that work (it seems to suggest in the docs that it should as
> long
> | > as
> | > | the usernames and group memberships are the same across both) or do 
I
> | > need to
> | > | setup a domain controller and make both boxes part of a single domai
n?
> | > |
> | > | If the latter why does everything access SQL successfully bar the
> | > debugger?
> | > | To be honest I'm quite close to a big demo and so don't want to risk
> it
> | > for
> | > | the sake of the debugger, but also am finding it difficult fixing
> errors
> | > at
> | > | the moment !
> | > |
> | > | Thanks again
> | > |
> | > | Ian
> | > |
> | > |
> | > | ""larry franks"" wrote:
> | > |
> | > | > Hi Ian, it may be the way you have the accounts setup that is
> causing
> | > this
> | > | > issue.  When using multiple machines with BizTalk 2004 it's
> required to
> | > use
> | > | > domain accounts and users.  We only support using local groups and
> | > users if
> | > | > it's a single machine install with BizTalk, SQL, etc all on one
> box.
> | > | > Anytime you have multiple BizTalk servers, or a component such as
> SQL
> | > is
> | > | > remote you must use domain groups and users.
> | > | >
> | > | > If you set the machines up in a domain and use domain users and
> groups
> | > does
> | > | > this problem still occur?
> | > | >
> | > | > Larry Franks
> | > | >
> | > | > This posting is provided "AS IS" with no warranties,and confers no
> | > rights.
> | > | > Subscribe at
> | > | >
> | >
> [url]http://support.microsoft.com/default.aspx?scid=/servicedesks/msdn/nospam.asp[/ur
l]
> | > | > &SD=msdn
> | > | > --------------------
> | > | > | Thread-Topic: HAT debugging issue
> | > | > | thread-index: AcSXI8ieyiqCG1odSyKWKQWGyafBuA==
> | > | > | X-WBNR-Posting-Host: 194.63.116.72
> | > | > | From: examnotes
> | > | > <ian.thomas@online.nospam>
> | > | > | Subject: HAT debugging issue
> | > | > | Date: Fri, 10 Sep 2004 03:49:01 -0700
> | > | > | Lines: 29
> | > | > | Message-ID: <E2135584-82F1-4E08-8C11-B5839E02CF32@microsoft.com>
> | > | > | MIME-Version: 1.0
> | > | > | Content-Type: text/plain;
> | > | > | 	charset="Utf-8"
> | > | > | Content-Transfer-Encoding: 7bit
> | > | > | X-Newsreader: Microsoft CDO for Windows 2000
> | > | > | Content-Class: urn:content-classes:message
> | > | > | Importance: normal
> | > | > | Priority: normal
> | > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> | > | > | Newsgroups: microsoft.public.biztalk.tools
> | > | > | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
> | > | > | Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
> | > | > | Xref: cpmsftngxa10.phx.gbl microsoft.public.biztalk.tools:4041
> | > | > | X-Tomcat-NG: microsoft.public.biztalk.tools
> | > | > |
> | > | > | Hi,
> | > | > |
> | > | > | I've seen this problem in other newsgroup posts but haven't been
> able
> | > to
> | > | > | find one with an answer.  Hence another question!
> | > | > |
> | > | > | I've got Biztalk set up across two boxes: box1 has Biztalk and
> | > Sharepoint
> | > | > | and box2 has SQLServer.  I'm not using active directory and henc
e
> | > have
> | > | > had to
> | > | > | set up the same user (BTSAdmin) on both boxes and give this user
> | > access
> | > | > to
> | > | > | all of the correct groups on both boxes.  Everything works fine
> in BT
> | > | > except
> | > | > | for some features of HAT.  Basically I can get information in HA
T
> | > about
> | > | > | service instances, messages, and historical transactions
> (including
> | > | > viewing
> | > | > | the orchstration debugger) but I can't attach to an instance tha
t
> is
> | > in a
> | > | > | breakpoint in order to debug.  Basically when I try to attach I
> get
> | > the
> | > | > | message:
> | > | > |
> | > | > | 'Debugging user validation against group 'Box2\BizTalk Server
> | > | > | Administrators' failed with error: Debuging Client is not a
> BizTalk
> | > | > Server
> | > | > | Administrator.'
> | > | > |
> | > | > | I've checked and double-checked and BTSAdmin is a member of
> BizTalk
> | > | > Server
> | > | > | Administrators on Box2.  As far as I can tell BTSAdmin is also
> the
> | > user
> | > | > that
> | > | > | is running HAT (from looking in the processes view of task
> manager).
> | > | > |
> | > | > | Can anybody help me with this as I have a small error somewhere
> in my
> | > | > | orchestration but currently can't debug !
> | > | > |
> | > | > | Thanks again
> | > | > |
> | > | > | Ian
> | > | > |
> | > | >
> | > | >
> | > |
> | >
> | >
> |
>
>

[ Post a follow-up to this message ]