There are a few good resources for setting up a clustered Master Secret Server:
However, I faced some issues recently setting all of this up, getting the following errors (in the event log and the configuration log):
- Creation of Adapter FILE Configuration Store entries failed. (BizTalk config log)
- Could not import a DTC transaction. Please check that MSDTC is configured correctly for remote operation. See the event log (on computer EntSSOClusterResource) (BizTalk config log)
- d:\bt\127854\private\source\setup\btscfg\btscfg.cpp(2213): FAILED hr = c0002a25 (BizTalk config log)
- Failed to initialize the needed name objects. Error Specifics: hr = 0x80004005, com\complus\dtc\dtc\msdtcprx\src\dtcinit.cpp:575, CmdLine: "C:\Program Files\Common Files\Enterprise Single Sign-On\ENTSSO.exe", Pid: 172 (Event log)
- Could not import a DTC transaction. Please check that MSDTC is configured correctly for remote operation. See documentation for details. Error Code: 0x80070057, The parameter is incorrect. (Event log)
DTC seemed to be the culprit here (or possibly EntSSO), but DTC Ping/Tester worked fine from the app server to the clustered resource. In fact, the installer had no problem configuring the Group settings with this issue; it choked on the Runtime configuration. Despite that, it still seemed like it was ultimately a DTC issue, so I started working through the usual DTC suspects. We uninstalled and reinstalled MSDTC on all involved machines (some had been imaged from a common source, so they carried the same DTC identity GUIDs in the CID key under HKCR, which stops DTC telling the participants apart; msdtc -uninstall followed by msdtc -install regenerates them), and imported the following registry key to make sure the RPC interface restrictions introduced with Windows Server 2003 SP1 were not causing an issue.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC]
"EnableAuthEpResolution"=dword:00000001
"RestrictRemoteClients"=dword:00000000
In the end it came down to a single setting that the ever-helpful DTC troubleshooting wiki mentions:
We had configured everything to use "No Authentication Required" to get the broadest support (for some older servers on the network, if needed). That setting turns off RPC authentication for DTC traffic, and every participant in a transaction has to agree on it: a machine set to "Mutual Authentication Required" or "Incoming Caller Authentication Required" cannot take part in transactions with a node that has authentication turned off, so the one thing that matters is that all nodes match. Accepting that trade-off resolved the issue on the cluster and allowed us to properly configure the BizTalk Runtime. If no participant is actually an older machine that needs the unauthenticated mode, fix the mismatch the other way round instead: set every node to "Mutual Authentication Required", the secure default, and the transactions start flowing without weakening DTC.
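To find this kind of mismatch before the BizTalk installer does, the following PowerShell script, added here and not part of the original post or of BizTalk/SSO, reads the MSDTC security flags, the RPC policy values from the registry key above, and the CID GUIDs from every machine in the setup and flags differing authentication levels, disabled network DTC access, and GUIDs shared between cloned nodes. It assumes PowerShell 3.0 or later, WinRM access to each host, and host names that are placeholders for your real app server and cluster nodes.

```powershell
# Added example, not code from the original post: audit MSDTC network security
# on every machine that takes part in the clustered SSO/BizTalk setup.
# Assumptions: PowerShell 3.0+, Invoke-Command (WinRM) works to each host,
# and the host names below are placeholders for the real app server and nodes.
$nodes = 'APPSERVER01', 'CLUSTERNODE01', 'CLUSTERNODE02'

$audit = {
    $dtcKey = 'HKLM:\SOFTWARE\Microsoft\MSDTC'
    $top = Get-ItemProperty -Path $dtcKey -ErrorAction SilentlyContinue
    $sec = Get-ItemProperty -Path "$dtcKey\Security" -ErrorAction SilentlyContinue
    $rpc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\RPC' -ErrorAction SilentlyContinue

    # The three flags behind the radio buttons in the DTC Security Configuration dialog:
    # TurnOffRpcSecurity=1            -> No Authentication Required
    # AllowOnlySecureRpcCalls=1       -> Mutual Authentication Required
    # FallbackToUnsecureRPCIfNecessary=1 -> Incoming Caller Authentication Required
    $auth = if ($top.TurnOffRpcSecurity -eq 1) { 'NoAuth' }
            elseif ($sec.AllowOnlySecureRpcCalls -eq 1) { 'Mutual' }
            elseif ($sec.FallbackToUnsecureRPCIfNecessary -eq 1) { 'Incoming' }
            else { 'Unknown' }

    # DTC identifies itself to partners by the GUIDs under HKCR\CID; machines cloned
    # from one image carry the same ones until msdtc -uninstall / msdtc -install
    # regenerates them.
    $cids = Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CID' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty PSChildName

    [pscustomobject]@{
        Node                   = $env:COMPUTERNAME
        AuthenticationLevel    = $auth
        NetworkDtcAccess       = [int]$sec.NetworkDtcAccess
        InboundTransactions    = [int]$sec.NetworkDtcAccessInbound
        OutboundTransactions   = [int]$sec.NetworkDtcAccessOutbound
        EnableAuthEpResolution = [int]$rpc.EnableAuthEpResolution
        RestrictRemoteClients  = [int]$rpc.RestrictRemoteClients
        Cids                   = @($cids)
    }
}

$results = Invoke-Command -ComputerName $nodes -ScriptBlock $audit
$results | Format-Table Node, AuthenticationLevel, NetworkDtcAccess, InboundTransactions,
    OutboundTransactions, EnableAuthEpResolution, RestrictRemoteClients -AutoSize

# 1. Every participant must use the same authentication level: a NoAuth node cannot
#    transact with a Mutual or Incoming node, which is the mismatch behind
#    "Could not import a DTC transaction".
$levels = @($results.AuthenticationLevel | Sort-Object -Unique)
if ($levels.Count -gt 1) {
    Write-Warning "DTC authentication levels differ across nodes: $($levels -join ', ')"
}
if ($levels -contains 'NoAuth') {
    Write-Warning 'At least one node has RPC security turned off for DTC; prefer Mutual on every node unless an old participant really cannot do it.'
}

# 2. Network DTC access plus inbound and outbound transactions must be on everywhere.
$results |
    Where-Object { $_.NetworkDtcAccess -ne 1 -or $_.InboundTransactions -ne 1 -or $_.OutboundTransactions -ne 1 } |
    ForEach-Object { Write-Warning "$($_.Node): network DTC access or inbound/outbound transactions are disabled" }

# 3. A CID GUID present on more than one machine means those machines were imaged
#    from the same source; reinstall MSDTC on all but one of them.
$results |
    ForEach-Object { $n = $_.Node; $_.Cids | ForEach-Object { [pscustomobject]@{ Cid = $_; Node = $n } } } |
    Group-Object Cid | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "CID $($_.Name) is shared by: $($_.Group.Node -join ', ')" }
```

The script reads the local MSDTC instance on each node; a clustered DTC resource keeps its own copy of these settings in the cluster hive, so check the resource itself through Component Services on the owning node as well (on Windows Server 2012 and later, Get-DtcNetworkSetting -DtcName with the resource name reads it, and Set-DtcNetworkSetting changes it). Whichever way you change the authentication level, restart the MSDTC service (or the clustered resource) afterwards, then rerun the audit until every node reports the same level.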