FIX: Error Message: "Timeout expired" Occurs When You Connect to SQL Server Over TCP/IP and the Kerberos MaxTokenSize is Greater Than 0xFFFF (313661)



The information in this article applies to:

  • Microsoft SQL Server 7.0

This article was previously published under Q313661
BUG #: 102105 (sqlbug_70)

SYMPTOMS

When all of the following conditions are true, you may not be able to connect to SQL Server 7.0 and may receive a "Timeout expired" error message when you try to log on:
  • You are using Microsoft Windows 2000, or later, as the platform for servers and clients, and you are using Kerberos as the network authentication protocol.
  • The computer that is running SQL Server is using Kerberos.dll version 5.0.2195.2530, or later.
  • The Kerberos registry parameter MaxTokenSize is set to a value greater than 0xFFFF (65535 decimal) in accordance with the following Microsoft Knowledge Base article:

    263693 Group Policy May Not Be Applied to Users Belonging to Many Groups

  • You are using SQL Server Integrated security.
  • You are using TCP/IP sockets as the SQL Server network library.
Notes

  • The problem described in this article does not apply when you connect to SQL Server 2000.
  • There are many causes for a "Timeout expired" error message. The information in this article applies only to scenarios where all of the conditions listed in the "Symptoms" section are true. In particular, the MaxTokenSize parameter referred to in the third bullet item must be set on the computer that is running SQL Server.
In an ODBC application, the error message is similar to:
SQLState: S1T00 Native Error: 0
Info. Message: [Microsoft][ODBC SQL Server Driver]Timeout expired

CAUSE

SQL Server 7.0 Open Data Services (ODS) was not designed to handle Kerberos Security Support Provider Interface (SSPI) token sizes larger than 0xFFFF.

RESOLUTION

To resolve this problem, obtain the latest service pack for Microsoft SQL Server 7.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

301511 INF: How to Obtain the Latest SQL Server 7.0 Service Pack

NOTE: The following hotfix was created prior to Microsoft SQL Server 7.0 Service Pack 4.

The English version of this fix should have the following file attributes or later:
   Date          Time    Version     Size             File name
   --------------------------------------------------------------

   27-Nov-2001   02:16   7.00.1014   160,016 bytes   Opends60.dll
				
NOTE: Because of file dependencies, the most recent hotfix or feature that contains the preceding files may also contain additional files.

WORKAROUND

To work around this problem you can either:
  • Upgrade your server to SQL Server 2000.
  • Use another network library to connect to SQL Server 7.0. For example, use Named Pipes.
  • Use SQL Server standard security.
  • Reduce the setting of the MaxTokenSize Kerberos parameter to a value less than 65535. You may need to reduce the number of group memberships as well. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

    263693 Group Policy May Not Be Applied to Users Belonging to Many Groups

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Microsoft SQL Server 7.0 Service Pack 4.

REFERENCES

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

263693 Group Policy May Not Be Applied to Users Belonging to Many Group

269643 Internet Explorer Kerberos Authentication Does Not Work Because of an Insufficient Buffer Connecting to IIS

300367 DCOM Client May Put Memory on the Wire

217098 Basic Overview of Kerberos User Authentication Protocol in Windows 2000


Modification Type:MinorLast Reviewed:9/26/2005
Keywords:kbHotfixServer kbQFE kbbug kbfix kbSQLServ700preSP4fix KB313661