FIX: A hotfix is available that lets you manage BizTalk RFID in Microsoft BizTalk Server 2006 R2 or in Microsoft BizTalk Server 2009 by using an account that is not a local administrator

Article ID: 970493

INTRODUCTION

A hotfix is available that lets you use an account that is not a local administrator account to perform administrative operations in BizTalk RFID in Microsoft BizTalk Server 2006 R2 or in Microsoft BizTalk Server 2009. This lets you centralize the management of a large RFID deployment, such as when you want to use a domain account to manage a large RFID deployment.

Without this hotfix, BizTalk RFID requires a user to be in the Windows local Administrators group to perform administrative operations, such as loading a provider or adding a device on BizTalk RFID.

MORE INFORMATION

To enable the feature that is described in this article, follow these steps.

Note To successfully apply the update, you must perform these steps on the BizTalk RFID server as a local administrator.
  1. Extract the hotfix package to a local temporary folder. Apply the update by running the Setup.exe file.
  2. Create a user group that is named RFID_ADMIN, and then add the users who have to perform BizTalk RFID-related administrative operations to this group.

    Note After a user is added to this group, the user has permissions to perform all operations that are provided by BizTalk RFID.
  3. Grant the Full Control permission to the RFID_ADMIN group for the following directories:
    • %RFIDINSTALLDIR%
    • %RFIDINSTALLDIR%\bin
    • %RFIDDATADIR%
    • %RFIDDATADIR%\Processes
    • %RFIDDATADIR%\Providers
    • %RFIDDATADIR%\Logs
    Note You must explicitly grant permissions to the RFID_ADMIN group for these directories. This is because the sub-directories do not inherit permissions from their parent directories.
  4. If you use Business Rules Engine (BRE), you must modify SQL Server to let you use the Rule Engine Policy Executor that is included with BizTalk RFID. To do this, follow these steps:
    1. On the instance of SQL Server that hosts the BizTalk Rule Engine database, create a SQL Server “RFID_ADMIN” logon that uses Windows Authentication.

      Note BRE does not support the rule engine database if the rule engine database is located on a remote computer.
    2. Add the RFID_ADMIN logon to the BizTalk Rule Engine database. By default, the name of the database is "BizTalkRuleEngineDb."
    3. Add the RFID_ADMIN logon to the RE_HOST_USERS database role in the BizTalk Rule Engine database.

Managing RFID server from a remote computer

If you must manage the RFID server from a remote computer, you must perform the following additional steps. These steps involve several command prompt commands, the PsGetSid tool, and some string editing that you can perform in Notepad.
  1. Download and install the PsGetSid tool. This tool will retrieve the SID of the RFID_ADMIN group that you created earlier. To obtain the PsGetSid tool, visit the following Microsoft TechNet Web site:
    http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx
  2. Open a Command Prompt window. At the command prompt, type the following command, and then press ENTER:
    psgetsid RFID_ADMIN
    This command outputs the SID of the RFID_ADMIN group. The SID is located on the last non-empty line of the output. For this example, we'll use the <SID of RFID_ADMIN> placeholder for the SID. Copy the SID into Notepad.
  3. At the command prompt, type the following command, and then press ENTER:
    sc sdshow msbiztalkrfid
    This command outputs the security descriptor of the BizTalk RFID service in SDDL. Copy the descriptor into Notepad.
  4. Add permissions for the RFID_ADMIN group.

    The SDDL string is typically a concatenation of a DACL and an SACL. Every ACL is a concatenation of ACEs. The SDDL string is a concatenation of these two parts in the following format:
    D:(<DACE_1>)(<DACE_2>)…S:(<SACE_1>)…
    Note In this string, D represents the DACL, and S represents the SACL.

    To add permissions for the RFID_ADMIN group, follow these steps:
    1. Compose the DACE that you want to add for the RFID_ADMIN group. For example, the DACE string of "A;;GR;;;<SID of RFID_ADMIN>" is the DACE to grant the RFID_ADMIN group "Generic Read" access to the service.

      This access is enough to query the status of the service from any computer. This process will work by connecting to the RFID Service from a remote RFID Manager. However, if you have to enable members of the RFID_ADMIN group to also start, stop, or configure the service, you must grant this group full access. To do this, use the following DACE string:
      A;;GA;;;<SID of RFID_ADMIN>
      You can vary the string to grant different kinds of access to the RFID_ADMIN group to the BizTalk RFID service. In this example, the DACE string that you have selected is represented by using the <RFID_ADMIN_DACE> placeholder.

      Note The semicolons in the DACE string are important. You should replace only the SID and Access mask parts of the string. Do not change any other parts of the string.
    2. Add the DACE that you composed in the previous step to the end of the list of DACEs in the DACL part of the SDDL string. This produces a new SDDL string. The new string should resemble the following:
      D:(<DACE_1>)(<DACE_2>)…(<RFID_ADMIN_DACE>)S:(<SACE_1>)…
      Note The parentheses around the <RFID_ADMIN_DACE> placeholder are important.
    3. At a command prompt, type the following command, and then press ENTER:
      sc sdset msbiztalkrfid <The SDDL string prepared in the previous step>
      This command applies the new permissions to the BizTalk RFID Service object.
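
The Notepad editing in the steps above can also be scripted. The following PowerShell is an added example, not part of the original article or of BizTalk RFID: Add-ServiceDace is a hypothetical helper name, and the sample SDDL string and SID are constructed values. It assumes the SDDL starts with D:, as in the format shown above.

```powershell
# Hypothetical helper: inserts (A;;<Access>;;;<Sid>) at the end of the DACL,
# before any S: part, as in D:(<DACE_1>)...(<RFID_ADMIN_DACE>)S:(<SACE_1>)...
function Add-ServiceDace {
    param(
        [Parameter(Mandatory = $true)][string]$Sddl,  # from: sc.exe sdshow msbiztalkrfid
        [Parameter(Mandatory = $true)][string]$Sid,   # from: psgetsid RFID_ADMIN
        [ValidateSet('GR', 'GA')][string]$Access = 'GR'
    )
    $Sddl = $Sddl.Trim()
    if ($Sid -notmatch '^S-1-\d+(-\d+)+$') {
        throw "Not a SID string: $Sid"
    }
    # Split into the DACL (D: plus its ACEs) and the optional SACL (S: ...).
    if (-not ($Sddl -cmatch '^(?<dacl>D:[A-Z]*(?:\([^()]+\))+)(?<sacl>S:.*)?$')) {
        throw 'Unexpected SDDL layout; expected D:(...)(...) optionally followed by S:(...)'
    }
    $dacl = $Matches['dacl']
    $sacl = $Matches['sacl']          # $null when the string has no SACL
    $dace = "A;;$Access;;;$Sid"       # only the access mask and the SID vary
    if ($dacl.Contains("($dace)")) {
        return $Sddl                  # DACE already present; nothing to add
    }
    $result = $dacl + "($dace)" + $sacl
    # Parse the result before it goes anywhere near sc.exe sdset;
    # RawSecurityDescriptor throws if the string is not valid SDDL.
    [void](New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $result)
    return $result
}

# Constructed sample values (not taken from a real server).
$sampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
              'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
$sampleSid  = 'S-1-5-21-1111111111-2222222222-3333333333-1005'

$newSddl = Add-ServiceDace -Sddl $sampleSddl -Sid $sampleSid -Access GR
$newSddl

# On the RFID server, feed in the real values from the documented commands.
# In PowerShell, "sc" is an alias for Set-Content, so call sc.exe explicitly:
#   $sddl = (sc.exe sdshow msbiztalkrfid | Where-Object { $_ }) -join ''
#   sc.exe sdset msbiztalkrfid (Add-ServiceDace -Sddl $sddl -Sid '<SID of RFID_ADMIN>')
```

Keep a copy of the original sc sdshow output so that the previous descriptor can be restored with sc sdset if needed.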

Deploying RFID processes

An RFID process must be deployed before it can be started.

Note Deployment is usually a one-time process that may require special permissions. You should deploy the RFID process as a user who has elevated permissions. After an RFID process is deployed successfully, it can be started and stopped by members of the RFID_ADMIN group.

To deploy a process that uses the Out-Of-Box event-handler components that are provided with BizTalk RFID, you must have permissions as shown in the following table:
| Event-Handler Component Name | Required Permissions |
| --- | --- |
| SQL Server Sink | You must have "sysadmin" permissions for the installation of SQL Server where the rfidsink database is deployed. |
| Rule Engine Policy Executor | You must have "securityadmin" permissions for the installation of SQL Server where the BizTalk Rule Engine database is deployed. Additionally, you must have administrator permissions on the computer that is running BizTalk RFID. |

How to enable or disable a process deployment in RFID Manager

RFID Manager tries to deploy an RFID process every time that a user tries to start a process. Therefore, when a user who is a member of the RFID_ADMIN group tries to start a process from RFID Manager, RFID Manager first tries to deploy the RFID process. However, this deployment will fail if the user does not have appropriate permissions. Therefore, the process will not start. To work around this issue, you must change the RFIDTools.config file so that RFID Manager skips the deployment step.

The RFIDTools.config file contains a new AutoDeployProcessesOnStart flag. If this flag is set to false, the deployment step is skipped. Therefore, you can successfully start an RFID process in RFID Manager by using an account that is a member of the RFID_ADMIN group. To do this, after you apply the hotfix, set the <AutoDeployProcessesOnStart> element under the <RFIDToolsConfig> section of the RFIDTools.config file as follows:
<AutoDeployProcessesOnStart>false</AutoDeployProcessesOnStart>
Notes
  • The RFIDTools.config file is located in the %RFIDINSTALLDIR%\bin directory.
  • The <AutoDeployProcessesOnStart> flag may be missing from RFIDTools.config file after you apply this hotfix. In this case, RFID Manager will deploy the RFID process before the process is started.
  • RFID Manager must be restarted for any changes to the RFIDTools.config file to take effect.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

You must have Microsoft BizTalk RFID 2006 R2 or Microsoft BizTalk Server RFID 2009 installed to apply this hotfix.

Restart requirement

You may have to restart the computer after you apply this hotfix if the affected files are being used during the installation.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
| File name | File version | File size | Date | Time | Platform |
| --- | --- | --- | --- | --- | --- |
| Microsoft.rfid.util.dll | 3.6.5028.0 | 87,912 | 22-Apr-2009 | 14:07 | x86 |
| Microsoft.rfid.util.dll | 3.6.5028.0 | 87,912 | 22-Apr-2009 | 14:07 | x86 |
| Rfideventmessages.dll | 3.6.5028.0 | 32,616 | 22-Apr-2009 | 14:07 | x86 |
| Rfidservices.exe | 3.6.5028.0 | 354,136 | 22-Apr-2009 | 14:07 | x86 |
| Rfidtools.dll | 3.6.5028.0 | 2,828,120 | 22-Apr-2009 | 14:07 | x86 |
Note Because of file dependencies, the most recent hotfix that contains these files may also contain additional files.

REFERENCES

For more information about how to install and configure BizTalk RFID, download the Installation Guide for BizTalk RFID.htm file by visiting the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=df2e8a88-fb23-49a4-9ac7-d17f72517d12&DisplayLang=en


For more information about how to manage BizTalk RFID, download a copy of the BizTalk RFID 2006 R2 Help file by visiting the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=22b2e8d9-8cda-44f8-8f4e-b372c7660989&DisplayLang=en

Properties

Article ID: 970493 - Last Review: March 1, 2010 - Revision: 3.1
APPLIES TO
  • Microsoft BizTalk Server 2009 Standard
  • Microsoft BizTalk Server 2009 Enterprise
  • Microsoft BizTalk Server 2009 Developer
  • Microsoft BizTalk Server 2009 Branch
  • Microsoft BizTalk Server 2006 R2 Standard Edition
  • Microsoft BizTalk Server 2006 R2 Enterprise Edition
  • Microsoft BizTalk Server 2006 R2 Developer Edition
  • Microsoft BizTalk Server 2006 R2 Branch Edition