The Enterprise Single Sign-On Service and associated BizTalk Server 2004 services fail after you install Windows XP Service Pack 2 (SP2) (841893)
The information in this article applies to:
- Microsoft BizTalk Server 2004 Developer Edition
- Microsoft BizTalk Server 2004 Enterprise Edition
- Microsoft BizTalk Server 2004 Partner Edition
- Microsoft BizTalk Server 2004 Standard Edition
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry

SUMMARY
This article discusses registry changes that you must make if you install Microsoft Windows XP Service Pack 2 (SP2) and Microsoft BizTalk Server 2004 on the same computer. You must complete these registry changes for the Enterprise Single Sign-On Service to run correctly.

SYMPTOMS
You receive one or more of the following errors on a computer that is running BizTalk Server 2004 after you install Windows XP SP2:
- The BizTalk Configuration Framework Wizard (Configframework.exe) fails and you receive an error message that is similar to the following:
  Failed to generate the master secret (error code 0x800706BF)
  If you click Retry, you receive the same error message. If you click Cancel, the Configuration Framework rolls back any configuration options that were applied when you ran the BizTalk Configuration Framework Wizard.
- If you try to start the Enterprise Single Sign-On (ENTSSO) service, it does not start, and an error message that is similar to the following is logged in the Application event log:
  Event Type: Error
  Event Source: ENTSSO
  Event Category: Enterprise Single Sign-On
  Event ID: 10555
  Computer: BIZTALKSERVER
  Description: Secret server access denied. Client User: Domain\UserName
  For more information, see Help and Support Center at http://support.microsoft.com.
  Note In this error message, BIZTALKSERVER is a placeholder for the name of the BizTalk Server where you receive the error message, and Domain\UserName is a placeholder for the domain name and user name of the account that the ENTSSO service is configured to run as.
- Any component that tries to access the ENTSSO service or the BizTalk Server runtime services receives an "Access denied" error message. When you receive the "Access denied" error message, no corresponding error is written to the BizTalk Server event log.
CAUSE
The behavior of the Remote Procedure Call (RPC) protocol changes after you apply Windows XP SP2 in the following ways:
- By default, RPC clients in Windows XP and Windows XP SP2 request endpoints from the RPC Endpoint Mapper anonymously.
- By default, the RPC protocol in Windows XP permits anonymous requests to the RPC Endpoint Mapper.
- After you install Windows XP SP2, the RPC protocol no longer permits anonymous requests to the RPC Endpoint Mapper; it requires client requests to be authenticated.
- Because RPC client requests to the Endpoint Mapper are made anonymously by default, these client requests fail after you install Windows XP SP2.
The failure of anonymous RPC client requests to the RPC Endpoint Mapper makes the RPC protocol unusable. This prevents the ENTSSO service and the BizTalk Application Service from starting, because the ENTSSO service depends on the RPC protocol and the BizTalk Application Service depends on the ENTSSO service.

RESOLUTION
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To allow client requests to the RPC Endpoint Mapper to succeed, you must require client calls to the RPC Endpoint Mapper to be authenticated. You can enforce authenticated client calls to the RPC Endpoint Mapper by running the Group Policy Object Editor or by creating a registry entry. Use one of the following methods to require client calls to the RPC Endpoint Mapper to be authenticated.

Use the Group Policy Object Editor to enforce the use of authenticated client calls to the RPC Endpoint Mapper
1. Click Start, click Run, type gpedit.msc, and then click OK.
2. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand System, click Remote Procedure Call, and then click RPC Endpoint Mapper Client Authentication.
3. Change the value for RPC Endpoint Mapper Client Authentication to Enabled.
Use Registry Editor to enforce the use of authenticated client calls to the RPC Endpoint Mapper
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT
3. Look for a subkey that is named RPC. If this key exists, click the RPC subkey, and then go to step 6. If this key does not exist, go to step 4.
4. On the Edit menu, point to New, and then click Key.
5. While the new key is selected, type RPC, and then press ENTER.
6. On the Edit menu, point to New, and then click DWORD Value.
7. Type EnableAuthEpResolution, and then press ENTER.
8. On the Edit menu, click Modify.
9. In the Value data box, type the number 1. Click OK.
   Note If you want to disable this functionality, set the EnableAuthEpResolution registry entry to 0 (zero).
10. Quit Registry Editor.
After you create this registry value, you must restart your computer for the registry value to take effect. After this registry change is implemented, client calls to the RPC Endpoint Mapper are made with authentication. This behavior allows the ENTSSO service to start.

Things to consider for Windows XP computers that are part of a Microsoft Windows NT 4.0 domain or that must work with remote applications that are running on Windows NT 4.0 computers
If you have installed Windows XP SP2 on a computer that is part of a Windows NT 4.0 domain or that must work with remote applications that are running on Windows NT 4.0 computers, you must also disable the RestrictRemoteClients setting that is enforced by the RPC protocol. Disabling this restriction has security implications, and you must understand what these implications are before you perform this operation. For more information about the security implications of disabling the RestrictRemoteClients setting, visit the following Microsoft Developer Network (MSDN) Web site:
You can disable the RestrictRemoteClients setting that is enforced by the RPC protocol by running the Group Policy Object Editor or by creating a registry entry. Use one of the following procedures to disable the RestrictRemoteClients setting that is enforced by the RPC protocol.

Use the Group Policy Object Editor to disable the RestrictRemoteClients setting that is enforced by the RPC protocol
1. Click Start, click Run, type gpedit.msc, and then click OK.
2. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand System, click Remote Procedure Call, and then click Restrictions for Unauthenticated RPC Clients.
3. Change the value for Restrictions for Unauthenticated RPC Clients to Disabled.
Use Registry Editor to disable the RestrictRemoteClients setting that is enforced by the RPC protocol
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT
3. Look for a subkey that is named RPC. If this key exists, click the RPC subkey, and then go to step 7. If this key does not exist, go to step 4.
4. On the Edit menu, point to New, and then click Key.
5. While the new key is selected, type RPC, and then press ENTER.
6. On the Edit menu, point to New, and then click DWORD Value.
7. Type RestrictRemoteClients, and then press ENTER.
8. On the Edit menu, click Modify.
9. In the Value data box, type 0, and then click OK.
   Note If you want to enable this functionality, set the RestrictRemoteClients registry entry to 1 (one).
10. Quit Registry Editor.
After you create this registry value, you must restart your computer for the registry value to take effect.

STATUS
This behavior is by design.
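The following PowerShell script is an added example and is not part of this Microsoft article. It audits the two RPC policy values discussed in both Registry Editor procedures above (EnableAuthEpResolution and RestrictRemoteClients), applies only the EnableAuthEpResolution = 1 change from the first procedure, flags a RestrictRemoteClients value of 0 because of the security implications the article notes, and checks the Application log for the ENTSSO event ID 10555 symptom. It assumes an elevated PowerShell session on the affected computer; the function names are the example's own.

```powershell
# Added example (not from the Microsoft KB article). Assumes an elevated PowerShell session.
$rpcPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\RPC'

function Get-RpcPolicyState {
    # Reads both policy values; $null means "not set", so the operating system default applies.
    $key = Get-Item -Path $rpcPolicyPath -ErrorAction SilentlyContinue
    $enableAuth = $null
    $restrict   = $null
    if ($key) {
        $enableAuth = $key.GetValue('EnableAuthEpResolution', $null)
        $restrict   = $key.GetValue('RestrictRemoteClients', $null)
    }
    [pscustomobject]@{
        KeyExists              = [bool]$key
        EnableAuthEpResolution = $enableAuth
        RestrictRemoteClients  = $restrict
    }
}

function Set-RpcEpMapperAuthentication {
    # Equivalent of steps 3 to 9 of the first Registry Editor procedure: create the RPC subkey
    # if it is missing and set EnableAuthEpResolution (DWORD) to 1. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($rpcPolicyPath, 'Set EnableAuthEpResolution = 1')) {
        if (-not (Test-Path -Path $rpcPolicyPath)) {
            New-Item -Path $rpcPolicyPath -Force | Out-Null
        }
        New-ItemProperty -Path $rpcPolicyPath -Name 'EnableAuthEpResolution' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-EntssoSecretAccessDenied {
    # Returns recent ENTSSO event ID 10555 entries ("Secret server access denied") from the
    # Application log, the symptom the article associates with the RPC Endpoint Mapper change.
    Get-EventLog -LogName Application -Source 'ENTSSO' -Newest 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 10555 } |
        Select-Object TimeGenerated, EventID, Message
}

$state = Get-RpcPolicyState
$state | Format-List
if ($state.EnableAuthEpResolution -ne 1) {
    Set-RpcEpMapperAuthentication
    Write-Output 'EnableAuthEpResolution set to 1. Restart the computer for it to take effect.'
}
if ($state.RestrictRemoteClients -eq 0) {
    Write-Warning 'RestrictRemoteClients is 0: unauthenticated RPC clients are allowed (NT 4.0 interop setting).'
}
Get-EntssoSecretAccessDenied | Format-Table -AutoSize
```

Run it once before and once after the restart the article requires; on the second run the ENTSSO 10555 entries should stop accumulating if the RPC change was the cause.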
Modification Type: Major
Last Reviewed: 9/22/2006
Keywords: kbprb KB841893 kbAudDeveloper