How to fix ENTSSO “Access is Denied” warnings on BizTalk Server



 


Problem Description
=================


 


In this situation, two ENTSSO warnings, shown below, always occur together as a pair in the application log.


 


 


Event Type:   Warning
Event Source: ENTSSO
Event Category:       Enterprise Single Sign-On
Event ID:       10536
Date:            16/04/2009
Time:            1:04:00 p.m.
User:            N/A
Computer:     AAAA183
Description:
SSO AUDIT
 Function: GetConfigInfo ({9494BA4B-CB0A-4C8C-8A29-E6AA848BD665})
 Tracking ID: d0e06038-cce5-401d-95c6-ce63a14148a6
 Client Computer: aaaa183.bbbbb.cccc.dd (wmiprvse.exe:2504)
 Client User: AAAA\AAAA183$
 Application Name: {06E0DD2B-3550-465A-AD77-DF903144289C}
 Error Code: 0x80070005, Access is denied.


 


Event Type:   Warning
Event Source: ENTSSO
Event Category:       Enterprise Single Sign-On
Event ID:       11042
Date:            16/04/2009
Time:            1:04:00 p.m.
User:            N/A
Computer:     AAAA183
Description:
Access denied. The client user must be a member of one of the following accounts to perform this function.
 SSO Administrators: AAAA\AaaaGrSSOAdministrators
 SSO Affiliate Administrators: AAAA\AaaaGrSSOAffiliateAdministrators
 Application Administrators: AAAA\AaaaGrBizTalkServerAdministrators
 Application Users: –
 Additional Data: AAAA\AAAA183$ {06E0DD2B-3550-465A-AD77-DF903144289C} FILE_TL_BizTalkNbrsMoh


 


 


Problem Analysis
===============


 


The error means that an application running under the ‘Local System’ account is trying to access ENTSSO. In our case, the application is the SCOM agent.


 


The troubleshooting steps are:

1.       Stop the OpsMgr Health Service on this BizTalk computer and check whether the warnings disappear. If they do, SCOM is the application causing the problem, and we can go to the next step.

2.       Check the “BizTalk Server Monitoring Account” and “BizTalk Server Discovery Account” under “Run As Profiles” in the SCOM console. If they are empty (not configured), the SCOM agent on the BizTalk side uses the default action account, “Local System”, to monitor BizTalk Server.
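
The audit text of event 10536 already names the denied client user and process, so it can be parsed to confirm the caller before and after changing the Run As account. The PowerShell below is an added example, not part of the original post; the function name Get-EntSsoDeniedCaller and its output property names are hypothetical, and the sample text is the event description quoted above.

```powershell
# Added example (not from the original post): report who ENTSSO denied.
function Get-EntSsoDeniedCaller {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        # Only audit entries that failed with "Access is denied"
        if ($Message -notmatch 'Error Code:\s*0x80070005') { return }

        $function = if ($Message -match 'Function:\s*(\w+)') { $Matches[1] }
        $user     = if ($Message -match 'Client User:\s*(\S+)') { $Matches[1] }
        $app      = if ($Message -match 'Application Name:\s*(\S+)') { $Matches[1] }
        $procName = $null; $procId = $null
        # Field layout: "Client Computer: host (process.exe:pid)"
        if ($Message -match 'Client Computer:\s*\S+\s*\(([^:()]+):(\d+)\)') {
            $procName = $Matches[1]; $procId = [int]$Matches[2]
        }
        [pscustomobject]@{
            Function         = $function
            ClientUser       = $user
            ClientProcess    = $procName
            ClientProcessId  = $procId
            Application      = $app
            # A computer account (name ending in $) is how a caller running
            # as Local System shows up, as in the event on this page
            IsMachineAccount = [bool]($user -and $user.EndsWith('$'))
        }
    }
}

# Description text of the 10536 event shown above, embedded so this runs offline
$sample = @'
SSO AUDIT
 Function: GetConfigInfo ({9494BA4B-CB0A-4C8C-8A29-E6AA848BD665})
 Tracking ID: d0e06038-cce5-401d-95c6-ce63a14148a6
 Client Computer: aaaa183.bbbbb.cccc.dd (wmiprvse.exe:2504)
 Client User: AAAA\AAAA183$
 Application Name: {06E0DD2B-3550-465A-AD77-DF903144289C}
 Error Code: 0x80070005, Access is denied.
'@
$sample | Get-EntSsoDeniedCaller

# On the BizTalk server, the same summary over the live Application log:
# Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='ENTSSO'; Id=10536 } |
#     ForEach-Object { $_.Message } | Get-EntSsoDeniedCaller |
#     Group-Object ClientUser, ClientProcess | Select-Object Count, Name
```

Once the Run As profiles are configured, new 10536 entries for the machine account should stop appearing in this summary.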


 


Problem Solution
===============


 


1.    Stop the OpsMgr Health Service on this BizTalk computer.

2.    Create a new action account that has access to BizTalk Server. This account should be a member of a BizTalk group so that it has permission to access ENTSSO and other BizTalk resources.

      You can also use an existing account, e.g. Domain\BTSADM.

3.    In the SCOM console, assign this account to “BizTalk Server Monitoring Account” and “BizTalk Server Discovery Account” under “Run As Profiles” for the client computer (AAAA183).

4.    Go back to the BizTalk machine and configure the OpsMgr Health Service to run under the account that was added to “BizTalk Server Monitoring Account” and “BizTalk Server Discovery Account”.

5.    Start the OpsMgr Health Service.


 


Regards,


 


Jarod Huang

Comments (2)

  1. Joe Zee says:

    Thank you for this wonderful post. Microsoft Premier Support actually shared this post with us but one piece was missing… instead of OpsMgr health Service our offender was System Center Management service. I guess an easy workaround is to run that MOM/SCOM service with a BizTalk admin account and the error may go away.
