Monday, 1 June 2015

Access denied to SSO affiliate application


Using the BTDF 6.0 (BETA), I built a build server msi and deployed it to a test environment. After beginning testing, I noticed it was failing in my very first receive pipeline. I found the following error in the event log:


Access denied. The client user must be a member of one of the following accounts to perform this function.

SSO Administrators: OOOOOOO\TEST-BizTalk-SSO Administrators
SSO Affiliate Administrators: OOOOOOO\TEST-BizTalk-SSO Affiliate Administrators

Application Administrators: OOOOOOO\DEV-BizTalk Server Administrators
Application Users: OOOOOOO\DEV-BizTalk Application Users

Additional Data: OOOOOOO\TEST-IT-HOSTT-SVC OOO.Integration OOO.Integration Configuration Data


This really confused me, as the error was mentioning security groups I had configured in the development environment. This led me to suspect my environmental settings file was incorrect. Sure enough, I checked the file, and two of the settings, SsoAppUserGroup and SsoAppAdminGroup, were still using the development environmental settings.

I made the necessary changes, rebuilt the msi and redeployed the msi to the test environment.

Ran a test....

Same error.

I stumbled across the following blog which described my issues to perfection. The automatically created affiliate application that the BTDF creates had incorrect values.



So I updated the SSOX_ApplicationInfo table with the corrected group names and restarted every related service I could think of.

Ran a test....

Same error.

It was only after I manually removed the affiliate with the command below and redeployed the msi that the error corrected itself:

"C:\Program Files\Common Files\Enterprise Single Sign-On\ssomanage" -deleteapp OOO.Integration

Special thanks to:

Carlo Garcia-Mier and Nethra
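
A pre-deployment check for the root cause described above (SsoAppUserGroup and SsoAppAdminGroup still carrying development group names), as an added example that is not part of the original post or of the BTDF itself. It assumes the exported settings file has the layout `<settings><property name="...">value</property></settings>` and that groups carry an environment prefix such as `TEST-`, as in the event log text; the function name and the sample XML are constructed for illustration.

```powershell
# Added example: flag SSO group settings that do not belong to the target environment.
# Assumption: exported settings layout is <settings><property name="...">value</property></settings>.

function Test-SsoGroupSettings {
    param(
        [Parameter(Mandatory)] [xml]    $Settings,
        [Parameter(Mandatory)] [string] $ExpectedPrefix   # e.g. 'TEST-'
    )
    $required = 'SsoAppUserGroup', 'SsoAppAdminGroup'
    $findings = @()
    foreach ($name in $required) {
        $node = $Settings.SelectSingleNode("/settings/property[@name='$name']")
        if ($null -eq $node) {
            $findings += "$name is missing from the settings file"
            continue
        }
        $value = $node.InnerText.Trim()
        # Drop the DOMAIN\ part, then compare the environment prefix of the group name.
        $group = ($value -split '\\')[-1]
        if (-not $group.StartsWith($ExpectedPrefix, [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "$name = '$value' does not start with '$ExpectedPrefix'"
        }
    }
    return ,$findings
}

# Constructed sample: one value left over from development, one already corrected.
[xml]$sample = @'
<settings>
  <property name="SsoAppUserGroup">OOOOOOO\DEV-BizTalk Application Users</property>
  <property name="SsoAppAdminGroup">OOOOOOO\TEST-BizTalk Server Administrators</property>
</settings>
'@

$problems = Test-SsoGroupSettings -Settings $sample -ExpectedPrefix 'TEST-'
$problems | ForEach-Object { Write-Warning $_ }
if ($problems.Count -gt 0) {
    # Stop before an msi is built with groups from the wrong environment.
    throw "SSO group settings do not match the target environment."
}
```

A clean result only covers the settings file; as the post shows, an affiliate application already created with the wrong groups still had to be deleted and redeployed.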


