Running MMC as the BizTalk Service User

I guess you have, at some point, installed a certificate for the BizTalk service user. The ability for BizTalk to use certificates to encrypt/decrypt messages is very powerful in some scenarios.

The recommended way of doing this is to simply log on to the machine as the service account. This is not always possible due to policies and restrictions at the client, so an intense mail conversation might ensue. It is usually resolved in some way.

One way to resolve it might be to try to use “runas” to execute mmc as the BizTalk service user.

runas /profile /user:BtsUsr "C:\Windows\SysWOW64\mmc.exe"

However, this is not possible as the following error is presented: “740: The requested operation requires elevation.”

The solution to this might be to disable the UAC on the machine, but that is usually not possible either.

The solution I found to be the best is the following:

  1. Add the BizTalk Service User to the Local Admin group.
  2. Then navigate to the appropriate system folder (System32 or SysWOW64).
  3. Find and select MMC.exe, hold down Shift and right-click to get the “Run as different user” option.
  4. Choose to run as different user and supply the credentials for the BizTalk Service user.
  5. Click OK to elevate the process and boom, you are in!
  6. Of course you have to remove the service account from the Local Admin group as soon as possible after installation.
  7. The strange thing is that the “runas” approach still does not work, but who cares.
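
Steps 1 and 6 are the risky part: the service account is a local administrator for as long as someone remembers to undo it. The following PowerShell sketch is an added example, not part of the original post; it wraps the temporary membership in try/finally and verifies the removal. It assumes a local account named BtsUsr (the name from the runas command above), the built-in Administrators group, and the Microsoft.PowerShell.LocalAccounts cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: 'BtsUsr' is a local account (name taken from the
# runas command in the post) and 'Administrators' is the built-in local group.
$Account = "$env:COMPUTERNAME\BtsUsr"   # use DOMAIN\name for a domain account
$Group   = 'Administrators'

function Test-Member {
    # True when $Account is currently a direct member of $Group
    [bool](Get-LocalGroupMember -Group $Group -ErrorAction Stop |
           Where-Object { $_.Name -eq $Account })
}

# A service account that is already an administrator is a finding in itself;
# stop rather than remove a membership this script did not create.
if (Test-Member) {
    throw "$Account is already in $Group; investigate before continuing."
}

Add-LocalGroupMember -Group $Group -Member $Account          # step 1
try {
    Write-Host "$Account added to $Group. Run mmc.exe as that user now (steps 2-5)."
    Read-Host 'Press Enter when the certificate has been installed' | Out-Null
}
finally {
    # Runs on normal completion, on an error, and on Ctrl+C      (step 6)
    Remove-LocalGroupMember -Group $Group -Member $Account -ErrorAction Continue
}

# Verify instead of assuming the removal worked
if (Test-Member) {
    Write-Error "$Account is STILL a member of $Group; remove it manually."
} else {
    Write-Host "$Account removed from $Group."
}
```

Close the MMC window that was started as the service account before pressing Enter: a process started while the account was in the group keeps its administrative token until it exits.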