Best practice around service user

Topics: Technical Questions
May 7, 2009 at 7:33 AM
Edited May 7, 2009 at 7:34 AM
Could anyone please provide me with some best practice or helpful insights for running MSE in a hosted environment? We will be using MSE on a machine dedicated to integration (including BizTalk) with another machine hosting the SQL instance for both BizTalk and MSE, among other servers/services in the landscape. I need some guidance in how to set up the service user for MSE with the appropriate access.


May 7, 2009 at 3:37 PM

I assume that when you say "hosted" you will be hitting these "Integration services" on the cloud (via the internet).

the MSE is a great addition to the Service Oriented Infrastructure and can be used in this scenario as an on-ramp to BizTalk.
the Virtual (published) endpoints in the MSE should be able to configure external incoming communications, most likely thru firewalls, so an HTTP binding is best suited for this.
Once you are in the DMZ in the "hosted" facility, you can switch to a different type of binding such as named pipes / TCP.  of course your Biztalk components will need to be published as WCF Services selecting the appropriate Adapter (Transport type)
remember to setup the MSE with least privileged accounts to minimize risks. if you do this you will also have to reserve URLs as required by WCF when used in the context of least privileged accounts.  let me know if you need help with this, I can send you some information on the topic.

other things to consider...
What are you availability/scalability requirements?  will a single-server installation be sufficient?  
based on the answer to the previous question,  and just as a reminder... SQL Server can be installed in a fail-over cluster.  you should probably have at least 2 servers, probably more depending on the expected availability/scalability.
The MSE can be configured in a multi-server setting  where you can have a "Messenger" and a "Broker/Dispatcher". The messenger is where the externally accessible endpoint listeners are available.
Load balancing in either case, single or multi-server configuration.

Jun 4, 2009 at 3:31 PM

Sorry for the delay in reply - the notification missed me :).

'Hosted' meant an outsourced server system. I've recently been made aware that this is quite uncommon outside of Norway, so sorry for not giving more detail. A customer typically goes to a operations provider. This provider buys hardware and operates it (OS, server backups etc). Application management is the customer's responsibility. The environment is therefore remote from the customer site (aka, my word hosted), but not in the cloud, and often with dedicated lines between server environment and customer workstations.

My question, which I still haven't found a good answer for can be further detailed now after some trial and error:

  • We have one machine with integration software, and one machine with SQL (transparent failover in production). I am installing MSE on the integration server. For simplicity, lets call this 'ServerA', and the SQL box 'ServerB'.
    • What should be used as 'Cataloge Service Account' in this setting (best practice)? I hope the answers involve 'AD' and which rights the service needs on ServerA and ServerB
    • Same question for 'Runtime Service Account'

Hopefully the answer to these questions will help me with some pipe problems I am having. If not, I will create a new post.


Jun 5, 2009 at 5:09 PM

The best practice for any Windows Service (such as the MSE Catalog and the MSE Runtime) is to use a least privileged account.  basically you need to create a domain account specifically for these windows services.  and of course these accounts must be granted "Run as a Service" rights.

also, since these will be running in a least priviliged account then you will need to use HTTPCFG to give specific access/permissions to the namespaces used by the endpoint.  you can do it via the command line with HTTPCFG or use this tool (

The namespace reservations that you need to add look like this:


don't forget that the domain account used for the MSE Catalog Service must be granted access to the MSE_Repository