A call to the AuthzInitializeContextFromSid API function may fail during the delivery of an e-mail subscription (842423)
The information in this article applies to:
- Microsoft SQL Server 2000 Reporting Services
SUMMARY
This article discusses the cause and some possible resolutions for a problem that may occur when you try to create and to process an e-mail subscription by using a domain user account. The problem occurs when an AuthzInitializeContextFromSid API function call in the Authz.dll file does not succeed.
The resolutions that are discussed in this article are as follows.
- How to configure the Reporting Services Windows service to run under a domain user account. If this does not resolve the problem, you must also use one of the following methods:
  - Grant read permission for the domain user account on all the user objects and all the group objects of the domain.
  - Grant read permission for the domain user account specifically on the user account or on the group that the user is a member of.
INTRODUCTION
This article discusses a problem that is associated with the AuthzInitializeContextFromSid API function call that occurs during the delivery of an e-mail subscription. This article also discusses some possible resolutions for the problem.
MORE INFORMATION
While delivering an e-mail for an e-mail subscription, the Reporting Services program may call the AuthzInitializeContextFromSid API function that is defined in the Authz.dll file. The Reporting Services program may call the AuthzInitializeContextFromSid API function if one of the following conditions is true:
- A report is embedded in the e-mail.
- A report is attached to the e-mail.
If you create and process the e-mail subscription by using a domain user account that is different from the service logon account of the Reporting Services Windows service, the AuthzInitializeContextFromSid API function call may fail. If the function call fails, you may have to configure the settings on the domain of the computer that is running Microsoft SQL Server 2000 Reporting Services to resolve the problem.
The Reporting Services program calls the AuthzInitializeContextFromSid API function to verify whether the user account that was used to create the subscription still has the correct permissions to view the report. This verification is not required when the e-mail contains only a link (a URL) to the report, because Reporting Services verifies the user's permissions when the user tries to access the report by using the URL.
The AuthzInitializeContextFromSid API function call reads the tokenGroupsGlobalAndUniversal (TGGAU) attribute of the security identifier (SID) that is specified in the AuthzInitializeContextFromSid API function call to determine Windows group membership information for the current user. Reporting Services calls the AuthzInitializeContextFromSid API function by using the security context of the service logon account of the Reporting Services Windows service. Therefore, the user account that you use to run the Reporting Services Windows service must have sufficient permissions to read the TGGAU attribute on the user account that is used to create and to process the e-mail subscriptions.
If the computer is not configured correctly to access and to run the AuthzInitializeContextFromSid API function call in the Authz.dll file, you may receive an error message. Additionally, an error message may be written to the Reporting Services log file. To determine what error occurred, follow these steps:
- Open the ReportServerService_Timestamp.log file. Search for the word "authz".
Note By default, the ReportServerService_Timestamp.log file is located in the Installation drive:\Program Files\Microsoft SQL Server\InstanceOfSQLServer\Reporting Services\Logfiles folder.
In the ReportServerService_Timestamp.log file, you may notice error messages that are similar to the following:
Error message 1
ReportingServicesService!library!718!06/16/2004-00:00:03:: e ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.ServerConfigurationErrorException: The Report Server has encountered a configuration error; more details in the log files, AuthzInitializeContextFromSid: Win32 error: 5; possible reason - service account doesn't have rights to check domain user SIDs.; Info: Microsoft.ReportingServices.Diagnostics.Utilities.ServerConfigurationErrorException: The Report Server has encountered a configuration error; more details in the log files.
Error message 2
ReportingServicesService!library!7e4!05/24/2004-10:00:22:: e ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.ServerConfigurationErrorException: The Report Server has encountered a configuration error; more details in the log files, AuthzInitializeContextFromSid: Win32 error: 1722;
Info: Microsoft.ReportingServices.Diagnostics.Utilities.ServerConfigurationErrorException: The Report Server has encountered a configuration error; more details in the log files.
- Modify the e-mail subscription that caused the error message. Do not embed or attach a report in the e-mail. Use a link to the report. After you process the modified subscription, if you do not receive an error message, you can confirm that the error occurred because the AuthzInitializeContextFromSid API function call failed.
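A small triage script for the log check described in the steps above, added here as an illustration and not part of the original article or of Reporting Services. It scans log lines for AuthzInitializeContextFromSid failures and returns the timestamp, thread ID and Win32 code of each one; the function names and the sample lines are constructed for this example, and the code names are the standard winerror.h ones.

```python
import re
from collections import Counter
from datetime import datetime

# Standard winerror.h names/messages for the two codes in the article's samples.
WIN32_NAMES = {
    5: "ERROR_ACCESS_DENIED (Access is denied)",
    1722: "RPC_S_SERVER_UNAVAILABLE (The RPC server is unavailable)",
}

# Entry header: process!component!thread-id(hex)!MM/DD/YYYY-HH:MM:SS::
HEADER = re.compile(
    r"^(?P<proc>[^!]+)!(?P<comp>[^!]+)!(?P<tid>[0-9a-fA-F]+)!"
    r"(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2})::"
)
AUTHZ = re.compile(r"AuthzInitializeContextFromSid: Win32 error: (?P<code>\d+)")


def find_authz_failures(lines):
    """Return one record per AuthzInitializeContextFromSid failure."""
    failures, current = [], None
    for line in lines:
        header = HEADER.match(line)
        if header:
            current = header  # wrapped continuation lines belong to this entry
        hit = AUTHZ.search(line)
        if not hit or current is None:
            continue  # no failure on this line, or no entry to attribute it to
        code = int(hit.group("code"))
        failures.append({
            "when": datetime.strptime(current.group("ts"), "%m/%d/%Y-%H:%M:%S"),
            "thread": current.group("tid"),
            "win32": code,
            "meaning": WIN32_NAMES.get(code, "unlisted code; look it up in winerror.h"),
        })
    return failures


def count_by_code(failures):
    """Tally failures per Win32 code to see which cause dominates."""
    return Counter(f["win32"] for f in failures)


# Constructed sample, shortened from the message format quoted in the article.
SAMPLE_LOG = """\
ReportingServicesService!library!718!06/16/2004-00:00:03:: e ERROR: Throwing ...ServerConfigurationErrorException: ..., AuthzInitializeContextFromSid: Win32 error: 5; possible reason - service account doesn't have rights to check domain user SIDs.;
ReportingServicesService!library!7e4!05/24/2004-10:00:22:: e ERROR: Throwing ...ServerConfigurationErrorException: The Report Server has encountered a configuration error;
 more details in the log files, AuthzInitializeContextFromSid: Win32 error: 1722;
ReportingServicesService!library!7e4!05/24/2004-10:00:23:: i INFO: constructed unrelated entry
""".splitlines()

if __name__ == "__main__":
    for f in find_authz_failures(SAMPLE_LOG):
        print(f["when"].isoformat(), "thread", f["thread"], "->", f["win32"], f["meaning"])
```
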
RESOLUTION
To resolve this problem, configure the Reporting Services Windows service to run under a domain user account.
Note An error message may be written to the Reporting Services trace log when you try to change the user account that is used to run the Reporting Services Windows service.
For additional information about the error message, click the following article number to view the article in the Microsoft Knowledge Base:
842421
You receive an error message in the Reporting Services trace log when you restart the Report Server service after you change the user account that is used to run the Report Server service
If configuring the Reporting Services Windows service to run under a domain user account does not resolve the problem, configure the settings on the domain of the computer that is running Reporting Services.
How to configure the domain settings on the computer
The configuration of the domain depends on the operation mode of the Microsoft Windows domain. Additionally, you must turn on the advanced features on the Windows domain. To find the domain operation mode on the domain controller, and to turn on the advanced features, follow these steps:
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the Active Directory Users and Computers window, in the left pane, right-click the DomainName, and then click Properties.
- In the DomainName Properties dialog box, see the Domain operation mode text box on the General tab.
The Domain operation mode text box shows what domain operation mode the domain is currently using.
- In the left pane of the Active Directory Users and Computers window, click the DomainName.
- On the View menu, click Advanced Features.
After you find the domain operation mode for the domain, and you turn on the advanced features on the domain controller, use one of the following methods to resolve the problem.
Method 1: Grant read permission on all the user objects and all the group objects in the domain
You may be able to resolve the problem by granting read permissions for the user account that you use to run the Reporting Services Windows service to read the TGGAU attribute on all the user objects and all the group objects in the domain. To do this, use the information in one of the following sections, depending on the operating system you are using.
For a Microsoft Windows 2000 domain
If the domain is in a pre-Windows 2000 compatibility access mode, the EVERYONE group has read permission on the TGGAU attribute for all the user account objects and all the computer account objects. Therefore, the user account that you use to run the Reporting Services Windows service has access to the TGGAU attribute on the user account that Reporting Services uses to create the e-mail subscription.
If the domain is not in a pre-Windows 2000 compatibility access mode, also known as Native mode, you must grant read permission for the user account that is used to run the Reporting Services Windows service so that it can read the TGGAU attribute on the user account that Reporting Services uses to create the subscription. You can create a domain local group that simulates the pre-Windows 2000 compatibility group, add the user account that you use to run the Reporting Services Windows service to this group, and then grant read permissions for the group on all the user objects. To do this, follow these steps:
Note You must have administrator permissions on the domain to follow these steps.
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, in the left pane, expand the DomainName.
3. Right-click Users, point to New, and then click Group.
4. In the New Object - Group dialog box, type MyAuthZGrp in the Group name box.
5. Under Group scope, select the Domain local option, and then click OK. The MyAuthZGrp group may appear in the right pane.
6. In the left pane of the Active Directory Users and Computers window, right-click the Users folder, and then click Properties.
7. In the Users Properties dialog box, click the Security tab.
8. Click Add.
9. In the Select Users, Computers or Groups dialog box, select the group that you created in step 5.
10. Click Add, and then click OK.
11. Grant Read permission to the user account that you selected in step 9.
For a Microsoft Windows Server 2003 domain
If the domain is in a pre-Windows 2000 compatibility access mode, the EVERYONE group has read access to the TGGAU attribute for all the user account objects and all the computer account objects. Therefore, the user account that you use to run the Reporting Services Windows service has access to the TGGAU attribute on the user account that Reporting Services uses to create the e-mail subscription.
If the domain is not in a pre-Windows 2000 compatibility access mode, add the user account that you use to run the Reporting Services Windows service to the Windows Authorization Access Group (WAA group). By default, the WAA group has read access to the TGGAU attribute on the user objects and on the computer objects in new installations of Windows Server 2003.
Therefore, the user account that you use to run the Reporting Services Windows service has access to the TGGAU attribute on the user account that Reporting Services uses to create the e-mail subscription.
Method 2: Grant read permission on the user object or the group object that Reporting Services uses to create the subscription
If the resolutions that are mentioned in Method 1 or Method 2 do not resolve the problem, you must specifically provide read permissions for the Reporting Services Windows service account to the TGGAU attribute on the user account that Reporting Services uses to create the subscription. For example, if the user account that Reporting Services uses to create the subscription is a member of the Enterprise Admins group on the domain, follow these steps:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, in the left pane, expand the DomainName, and then expand Users.
3. Right-click Enterprise Admins, and then click Properties.
4. In the Enterprise Admins Properties dialog box, click Add.
5. In the Select Users, Computers or Groups dialog box, select the user account that you use to run the Reporting Services Windows service.
6. Click Add, and then click OK.
7. Grant Read permission to the user account that you selected in step 5.
Note The changes may not take effect immediately.
Modification Type: Major
Last Reviewed: 7/6/2005
Keywords: kbDLL kbdomain kbServer kbReport kbAuthentication kbUser kbhowto kbinfo KB842423 kbAudDeveloper