A hotfix is available that lets you use an account that is not a local administrator account to perform administrative operations in BizTalk RFID in Microsoft BizTalk Server 2006 R2 or in Microsoft BizTalk Server 2009. This lets you centralize the management of a large RFID deployment, such as when you want to use a domain account to manage a large RFID deployment.
Without this hotfix, BizTalk RFID requires a user to be in the Windows local Administrators group to perform administrative operations, such as loading a provider or adding a device on BizTalk RFID.
To enable the feature that is described in this article, follow these steps.
Note To successfully apply the update, you must perform these steps on the BizTalk RFID server as a local administrator.
- Extract the hotfix package to a local temporary folder. Apply the update by running the Setup.exe file.
- Create a user group that is named RFID_ADMIN, and then add the users who have to perform BizTalk RFID-related administrative operations to this group.
Note After a user is added to this group, the user has permissions to perform all operations that are provided by BizTalk RFID.
- Grant the Full Control permission to the RFID_ADMIN group for the following directories:
Note You must explicitly grant permissions to the RFID_ADMIN group for these directories. This is because the sub-directories do not inherit permissions from their parent directories.
- If you use Business Rules Engine (BRE), you must modify SQL Server to let you use the Rule Engine Policy Executor that is included with BizTalk RFID. To do this, follow these steps:
- On the instance of SQL Server that hosts the BizTalk Rule Engine database, create a SQL Server "RFID_ADMIN" logon that uses Windows Authentication.
Note BRE does not support the rule engine database if the rule engine database is located on a remote computer.
- Add the RFID_ADMIN logon to the BizTalk Rule Engine database. By default, the name of the database is "BizTalkRuleEngineDb."
- Add the RFID_ADMIN logon to the RE_HOST_USERS database role in the BizTalk Rule Engine database.
Managing RFID server from a remote computer
If you must manage the RFID server from a remote computer, you must perform the following additional steps. These steps involve several command prompt commands, the PsGetSid tool, and some string editing that you can perform in Notepad.
- Download and install the PsGetSid tool. This tool will retrieve the SID of the RFID_ADMIN group that you created earlier. To obtain the PsGetSid tool, visit the following Microsoft TechNet Web site:
- Open a Command Prompt window. At the command prompt, type the following command, and then press ENTER:
psgetsid RFID_ADMIN
This command outputs the SID of the RFID_ADMIN group. The SID is located on the last non-empty line of the output. For this example, we'll use the <SID of RFID_ADMIN> placeholder for the SID. Copy the SID into Notepad.
- At the command prompt, type the following command, and then press ENTER:
sc sdshow msbiztalkrfid
This command outputs the security descriptor of the BizTalk RFID service in SDDL. Copy the descriptor into Notepad.
- Add permissions for the RFID_ADMIN group.
The SDDL string is typically a concatenation of a DACL and an SACL. Every ACL is a concatenation of ACEs. The SDDL string is a concatenation of these two parts in the following format:
D:(<DACE_1>)(<DACE_2>)…S:(<SACE_1>)…
Note In this string, D represents the DACL, and S represents the SACL.
To add permissions for the RFID_ADMIN group, follow these steps:
- Compose the DACE that you want to add for the RFID_ADMIN group. For example, the DACE string of "A;;GR;;;<SID of RFID_ADMIN>" is the DACE to grant the RFID_ADMIN group "Generic Read" access to the service.
This access is enough to query the status of the service from any computer. This process will work by connecting to the RFID Service from a remote RFID Manager. However, if you have to enable members of the RFID_ADMIN group to also start, stop, or configure the service, you must grant this group full access. To do this, use the following DACE string:
A;;GA;;;<SID of RFID_ADMIN>
You can vary the string to grant different kinds of access to the RFID_ADMIN group on the BizTalk RFID service. In this example, the DACE string that you have selected is represented by the <RFID_ADMIN_DACE> placeholder.
Note The semicolons in the DACE string are important. You should replace only the SID and Access mask parts of the string. Do not change any other parts of the string.
- Add the DACE that you created in step a to the end of the DACL in the SDDL string, that is, after the last existing DACE and before the S: part. This produces a new SDDL string that should resemble the following:
D:(<DACE_1>)(<DACE_2>)…(<RFID_ADMIN_DACE>)S:(<SACE_1>)…
Note The parentheses around the <RFID_ADMIN_DACE> placeholder are important.
- At a command prompt, type the following command, and then press ENTER:
sc sdset msbiztalkrfid <The SDDL string prepared in step b>
This command applies the new permissions to the BizTalk RFID service object.
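The SDDL editing in steps a and b, as an added Python example that is not part of the KB article: it takes the descriptor text that `sc sdshow` printed, appends the RFID_ADMIN ACE to the DACL ahead of the SACL, rejects a group name pasted in place of a SID, and leaves the string unchanged when the SID already has an entry. The sample descriptor and SID are constructed, not taken from a real server; the resulting `sc sdset` line is still run by hand at an elevated prompt.

```python
import re

# Constructed sample of "sc sdshow msbiztalkrfid" output; not captured from a real server.
# The DACL has three allow ACEs (SYSTEM, Administrators, Interactive) and is followed by a SACL.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

_ACE_RE = re.compile(r"\(([^()]*)\)")
_SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def split_sddl(sddl):
    """Split sc sdshow output into its list of DACL ACEs and the SACL tail ('' when there is no S: part)."""
    sddl = sddl.strip()
    if not sddl.startswith("D:"):
        raise ValueError("expected a security descriptor that starts with D:")
    dacl, sep, sacl = sddl[2:].partition("S:")
    aces = _ACE_RE.findall(dacl)
    # Every character of the DACL must belong to a parenthesised ACE; otherwise the paste was damaged.
    if "".join("(%s)" % a for a in aces) != dacl:
        raise ValueError("DACL is not a plain run of (ACE) groups: %r" % dacl)
    return aces, sep + sacl


def build_dace(sid, access="GR"):
    """Compose the article's allow ACE, A;;<access>;;;<SID>: six ;-separated fields, only two filled in."""
    if access not in ("GR", "GA"):
        raise ValueError("GR lets the group query the service; GA lets it start, stop and configure it")
    if not _SID_RE.fullmatch(sid):
        raise ValueError("not a SID (use the psgetsid output, not the group name): %r" % sid)
    return "A;;%s;;;%s" % (access, sid)


def add_service_dace(sddl, sid, access="GR"):
    """Return the SDDL with the group's ACE appended to the DACL, ahead of the SACL.
    If the SID already has an ACE in the DACL the string comes back unchanged, so running
    the sdset step twice cannot stack duplicate entries.
    """
    aces, sacl = split_sddl(sddl)
    if any(ace.split(";")[-1] == sid for ace in aces):
        return sddl.strip()
    aces.append(build_dace(sid, access))
    return "D:" + "".join("(%s)" % a for a in aces) + sacl


def sdset_command(service, sddl):
    """The sc sdset line to paste at an elevated command prompt on the RFID server."""
    return "sc sdset %s %s" % (service, sddl)
```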
Deploying RFID processes
An RFID process must be deployed before it can be started.
Note
Deployment is usually a one-time process that may require special permissions. You should deploy the RFID process as a user who has elevated permissions. After an RFID process is deployed successfully, it can be started and stopped by members of the RFID_ADMIN group.
To deploy a process that uses the Out-Of-Box event-handler components that are provided with BizTalk RFID, you must have permissions as shown in the following table:
| Event-Handler Component Name | Required Permissions |
| --- | --- |
| SQL Server Sink | You must have "sysadmin" permissions for the installation of SQL Server where the rfidsink database is deployed. |
| Rule Engine Policy Executor | You must have "securityadmin" permissions for the installation of SQL Server where the BizTalk Rule Engine database is deployed. Additionally, you must have administrator permissions on the computer that is running BizTalk RFID. |
How to enable or disable a process deployment in RFID Manager
RFID Manager tries to deploy an RFID process every time that a user tries to start a process. Therefore, when a user who is a member of the RFID_ADMIN group tries to start a process from RFID Manager, RFID Manager first tries to deploy the RFID process. However, this deployment will fail if the user does not have appropriate permissions. Therefore, the process will not start. To work around this issue, you must change the RFIDTools.config file so that RFID Manager skips the deployment step.
The RFIDTools.config file contains a new AutoDeployProcessesOnStart flag. If this flag is set to false, the deployment step is skipped. Therefore, you can successfully start an RFID process in RFID Manager by using an account that is a member of the RFID_ADMIN group. To do this, after you apply the hotfix, set the <AutoDeployProcessesOnStart> element under the <RFIDToolsConfig> section of the RFIDTools.config file as follows:
- The RFIDTools.config file is located in the %RFIDINSTALLDIR%\bin directory.
- The <AutoDeployProcessesOnStart> flag may be missing from RFIDTools.config file after you apply this hotfix. In this case, RFID Manager will deploy the RFID process before the process is started.
- RFID Manager must be restarted for any changes to the RFIDTools.config file to take effect.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
You must have Microsoft BizTalk RFID 2006 R2 or Microsoft BizTalk Server RFID 2009 installed to apply this hotfix.
You may have to restart the computer after you apply this hotfix if the affected files are being used during the installation.
Hotfix replacement information
This hotfix does not replace any other hotfixes.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
| File name | File version | File size | Date | Time | Platform |
Because of file dependencies, the most recent hotfix that contains these files may also contain additional files.