Recently we changed password for our BizTalk Service Account and updated it BizTalk Host Instances, ENTSSO, APP Pools and Windows Task programmatically, refer below article for more details – https://prashantbiztalkblogs.wordpress.com/2020/06/12/programmatically-change-service-accounts-password-for-windows-services-iis-app-pools-and-scheduled-tasks/
However, BAM Portal started throwing below error –
Server Error in ‘/BAM/BAMManagementService’ Application.
Configuration Error –
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: Could not create Windows user token from the credentials specified in the config file. Error from the operating system ‘The user name or password is incorrect.’
From the error message it was clear that there is someplace where password change hasn’t reflected, and clearly it was not using the App Pool Credentials(as we updated the app pool credentials and it was working fine).
We also found below article which uses – aspnet_setreg.exe which we couldn’t find.
After lots of troubleshooting we found the root cause and solution.
Root Cause –
While configuring BAM Portal, it asks for two credentials –
- One for the APP Pool to Run BAM Portal – BAMAppPool
- Another for BAM Portal(Website) – This is stored in registry in encrypted format. It’s even mentioned in the error message.
So, even after changing the password for App Pools it throws error the for credentials stored in registry for this BAM Portal.
Follow below steps to solve this issue –
- In Primary Server or Single Server Configuration
- Open BizTalk Configuration Wizard, it will show the error image for Portal. Double click will show the login error
- Change the account with correct credentials and “Apply Configuration”
Note – This action can only be performed in primary server. In secondary servers this option will be disabled for already configured BizTalk Server.
2. For Secondary Servers
- Take Back-up of web. Config file under <BizTalkServerInstallDir>\BAMPortal\BAMQueryService
- Remove the Identity Tag completely from that Original file (web.config). The below part should be removed. Save the file.
- Take Back-up of web. Config file under <BizTalkInstallDir>\BAMPortal\BAMManagementService
- Remove the Identity Tag completely from that Original file (web.config) as like step 2
- Go to IIS (as ADMIN) -> Sites -> Default web Site -> BAM -> BAM Management Service -> Configuration Editor (as per below screenshot)
- Under Section Menu, Choose System.web -> Identity
- Provide the new password and user name and click Apply. (Apply option will be present in Right side Top)
- Perform the same password change activity for BAM Query Service => Go to IIS (as ADMIN) -> Sites -> Default web Site -> BAM -> BAM Query Service -> Configuration Editor => Change password and apply.
- Recycle the App Pool = > BAMAppPool
This activity will change the password, but it will be present in clear text, which may be a security threat.
So, it’s important to encrypt the credentials using – aspnet_regiis.exe
- Run Command Prompt as ADMIN and Navigate to the path “C:\Windows\Microsoft.NET\Framework\v4.0.30319”
- Run the below 2 Queries after changing the correct path for BizTalkInstallDir in below queries –
- aspnet_regiis.exe -pef “system.web/identity” “<BizTalkInstallDir>\BAMPortal\BAMQueryService” -prov “DataProtectionConfigurationProvider”
- aspnet_regiis.exe -pef “system.web/identity” “<BizTalkInstallDir>\BAMPortal\BAMManagementService” -prov “DataProtectionConfigurationProvider”
Note – The location of aspnet_regiis.exe may change with .Net Framework version
Restart the app pool and browse the service.
You may also get below error after this change –
Error: Configuration section encryption is not supported
This error occurs because the credentials are encrypted and validation settings are not appropriate to decrypt it.
- To be able to unencrypt the sytem.web/identity section you must have this entry as the last line of your section.
2. Or add it from UI as shown below –
BAMQueryService => Configuration => Syste.webServer => Validation
validateIntegratedModelConfiguration = False
Hope this helps.