How to fix ENTSSO “Access is Denied” warnings on Biztalk Server
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
NOTE: This article is migrated from Blog AsiaTech
Date: 2009-5-14 9:31 AM
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
Problem Description
=================
In this situation, there are two ENTSSO warnings as below, which are always occurring at the same time (as a pattern) in the application log.
Event Type: Warning
Event Source: ENTSSO
Event Category: Enterprise Single Sign-On
Event ID: 10536
Date: 16/04/2009
Time: 1:04:00 p.m.
User: N/A
Computer: AAAA183
Description:
SSO AUDIT
Function: GetConfigInfo ({9494BA4B-CB0A-4C8C-8A29-E6AA848BD665})
Tracking ID: d0e06038-cce5-401d-95c6-ce63a14148a6
Client Computer: aaaa183.bbbbb.cccc.dd (wmiprvse.exe:2504)
Client User: AAAA\AAAA183$
Application Name: {06E0DD2B-3550-465A-AD77-DF903144289C}
Error Code: 0x80070005, Access is denied.
Event Type: Warning
Event Source: ENTSSO
Event Category: Enterprise Single Sign-On
Event ID: 11042
Date: 16/04/2009
Time: 1:04:00 p.m.
User: N/A
Computer: AAAA183
Description:
Access denied. The client user must be a member of one of the following accounts to perform this function.
SSO Administrators: AAAA\AaaaGrSSOAdministrators
SSO Affiliate Administrators: AAAA\AaaaGrSSOAffiliateAdministrators
Application Administrators: AAAA\AaaaGrBizTalkServerAdministrators
Application Users: -
Additional Data: AAAA\AAAA183$ {06E0DD2B-3550-465A-AD77-DF903144289C} FILE_TL_BizTalkNbrsMoh
Problem Analysis
===============
The error means there is an application using ‘local system’ account to try to access the ENTSSO. In our case, the application is the SCOM agent.
The trouble shooting steps are:
1. Stop the OpsMgr health Service on this BizTalk computer, to check whether the error will disappear. If it does, that means the SCOM is the application with problem. We can go to the next step.
2. Check the "BizTalk Server Monitoring Account" & "BizTalk Server Discovery Account" under "Run As Profiles" in SCOM console, if it is empty, not configured., So SCOM agent which is on BizTalk side will use default action account “local system” as the account to monitor BizTalk Server.
Problem Solution
===============
1. Stop the OpsMgr health Service on this BizTalk computer
2. Create a new action account which has access to BizTalk Server, this account should be the member of some BizTalk Group then it will has the permission to access the ENTSSO or other BizTalk resource.
Also, use one existing account, e.g. Domain\BTSADM.
3. In the SCOM console, give this account to "BizTalk Server Monitoring Account" & "BizTalk Server Discovery Account" under "Run As Profiles" for the client computer (AAAA183).
4. Go back to the BizTalk machine, using the account which is added to "BizTalk Server Monitoring Account" & "BizTalk Server Discovery Account" to run OpsMgr health Service.
5. Start the OpsMgr health Service.
Regards,
Jarrod Huang