Exception SSO MMC Snap In : Access Denied.

This article is to resolve access denied issue with the SSO Application in BizTalk. The back ground is, I am working on one of our client project, there is a need to encrypt the PGP messages before sending it to the SFTP server. We need to create a Pipeline Component, which does the encryption. For security reason we store the passphrase and private keys into SSO application. This can be done following the below steps.

1- Download SSO Application Snap In from here. Install Snap In by running the SSOMMCSnapInSetup.

2- Open “SSO Application Configuration” MMC snap In.


3- Right Click “Auckland Airport SSO Application Configuration” -> Click Add Application. Rename “_NewApplication” to “EncryptDecrypt.Pipelines”.

4- Right Click application “EncryptDecrypt.Pipelines” -> Click “Add Key Value Pair”. Here you can add as many key pair as required. And Save the application.

I followed the link <BizTalk: Sample: PGP Encryption/Decryption Pipeline Components> to create pipeline component. Once you deployed the solution and create relevant artifacts/ports on BizTalk Admin and try to execute the pipeline component it exception out with the below error message

There was a failure executing the send pipeline: “AIA.BT.ACSFileMovers.Pipelines.SndDecryptACS, AIA.BT.ACSFileMovers.Pipelines, Version=, Culture=neutral, PublicKeyToken=f1407f88bec5bc29” Source: “Unknown ” Send Port: “DecryptACS.FF” URI: “C:\BizTalk\ACS\Out\%MessageId%” Reason: Access denied. See the event log (on computer ‘UAT-BT-SRV01’) for more details.

I noticed that there were 2 warning messages in the event log:

Access denied. The client user must be a member of one of the following accounts to perform this function.
SSO Administrators: QABTSSSOAdministrators
SSO Affiliate Administrators: QABTSSSOAffiliateAdministrators
Application Administrators: QABTSSSOAdministrators
Application Users: QABTSSSOAffiliateAdministrators
Additional Data: \btshostQA .EncryptDecrypt.Pipelines EncryptDecrypt.Pipelines Configuration Data

Function: GetConfigInfo (ConfigProperties)
Tracking ID: 6bb5bb92-dbf9-4868-ab96-40a282c05a4a
Client Computer: UAT-BT-SRV01.aial.co.nz (BTSNTSvc.exe:7460)
Client User: AKLISN\btshostQA
Application Name: Datacom.EncryptDecrypt.Pipelines
Error Code: 0x80070005, Access is denied.

The above warning clearly suggest that the issue is with the host user which is not a part of the specific groups. We do not intend to include host user in the administration group. So to give the permission and access to the new created application “EncryptDecrypt.Pipelines” we need to do the following:

1- Open SSO Administration. Goto All Program->Microsoft Enterprice Single Sign-on.


2- Right click on Affilate Application. Goto View->Config Store. Find the application “EncryptDecrypt.Pipelines” (it shall be at the bottom of the screen. )

3- Right Click and open properties.


4- Open Account tab. Click on ADD in “Apllication Users”. Add the domain user “BtsHostProd”.

This will resolve the above exception and the encrypt/decrypt will work as normal.  There is very good article about usage of SSO Application Configuration MMC written by my colleague Johann here.

Many Thanks.