Microsoft KB Archive/842423

= A call to the AuthzInitializeContextFromSid API function may fail during the delivery of an e-mail subscription =

Article ID: 842423

Article Last Modified on 12/7/2006


APPLIES TO


 * Microsoft SQL Server 2000 Reporting Services




SUMMARY
This article discusses the cause and some possible resolutions for a problem that may occur when you try to create and to process an e-mail subscription by using a domain user account. The problem occurs when an AuthzInitializeContextFromSid API function call in the Authz.dll file does not succeed.

The resolutions that are discussed in this article are as follows:
 * How to configure the SQL Server 2000 Reporting Services Windows service to run under a domain user account. If this does not resolve the problem, you must also use one of the following methods:
 * Grant the read permission for the domain user account on all the user objects and all the group objects of the domain.
 * Grant the read permission for the domain user account specifically on the user account or on the group that the user is a member of.



INTRODUCTION
This article discusses a problem that is associated with the AuthzInitializeContextFromSid API function call that occurs during the delivery of an e-mail subscription. This article also discusses some possible resolutions for the problem.



MORE INFORMATION
While delivering an e-mail for an e-mail subscription, SQL Server 2000 Reporting Services may call the AuthzInitializeContextFromSid API function that is defined in the Authz.dll file. It makes this call if one of the following conditions is true:
 * A report is embedded in the e-mail.
 * A report is attached to the e-mail.

If you create and process the e-mail subscription by using a domain user account that is different from the service logon account of the SQL Server 2000 Reporting Services Windows service, the AuthzInitializeContextFromSid API function call may fail.

If the function call fails, you may have to configure the settings on the domain of the computer that is running Microsoft SQL Server 2000 Reporting Services to resolve the problem.

SQL Server 2000 Reporting Services calls the AuthzInitializeContextFromSid API function to verify whether the user account that was used to create the subscription still has the correct permissions to view the report. This verification is not required when the e-mail contains only a link (a URL) to the report, because SQL Server 2000 Reporting Services verifies the user's permissions when the user tries to access the report by using the URL.

The AuthzInitializeContextFromSid API function reads the tokenGroupsGlobalAndUniversal (TGGAU) attribute of the account whose security identifier (SID) is specified in the call to determine Windows group membership information for the user. SQL Server 2000 Reporting Services calls the AuthzInitializeContextFromSid API function by using the security context of the service logon account of the SQL Server 2000 Reporting Services Windows service. Therefore, the user account that you use to run the SQL Server 2000 Reporting Services Windows service must have sufficient permissions to read the TGGAU attribute on the user account that is used to create and to process the e-mail subscriptions.

If the computer is not configured correctly to access and to run the AuthzInitializeContextFromSid API function call in the Authz.dll file, you may receive an error message. Additionally, an error message may be written to the SQL Server 2000 Reporting Services log file. To determine what error occurred, follow these steps:
 * 1) Open the ReportServerService_ .log file.
 * 2) Search for the word "authz".

Note By default, the ReportServerService_ .log file is located in the :\Program Files\Microsoft SQL Server\ \Reporting Services\Logfiles folder.

In the ReportServerService_ .log file, you may notice error messages that are similar to the following:

Error message 1

ReportingServicesService!library!718!06/16/2004-00:00:03:: e ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.ServerConfigurationErrorException: The Report Server has encountered a configuration error; more details in the log files, AuthzInitializeContextFromSid: Win32 error: 5; possible reason - service account doesn't have rights to check domain user SIDs.; Info: Microsoft.ReportingServices.Diagnostics.Utilities.ServerConfigurationErrorException: The Report Server has encountered a configuration error; more details in the log files.

Error message 2

ReportingServicesService!library!7e4!05/24/2004-10:00:22:: e ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.ServerConfigurationErrorException: The Report Server has encountered a configuration error; more details in the log files, AuthzInitializeContextFromSid: Win32 error: 1722; Info: Microsoft.ReportingServices.Diagnostics.Utilities.ServerConfigurationErrorException: The Report Server has encountered a configuration error; more details in the log files.

 * 3) Modify the e-mail subscription that caused the error message. Do not embed or attach a report in the e-mail. Use a link to the report. After you process the modified subscription, if you do not receive an error message, you can confirm that the error occurred because the AuthzInitializeContextFromSid API function call failed.
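
The log search described in the steps above can be scripted. The following Python is an added example, not part of the original article or of Reporting Services; it assumes the trace-line layout seen in the two sample messages, and its function names and sample lines are constructed for illustration. The Win32 code names are the standard Win32 definitions.

```python
import re
from collections import Counter
from datetime import datetime

# Standard Win32 names for the two codes in the article's sample messages.
WIN32_MEANING = {5: "ERROR_ACCESS_DENIED", 1722: "RPC_S_SERVER_UNAVAILABLE"}

# Header layout assumed from the samples: process!component!thread!timestamp:: level
HEADER = re.compile(
    r"^(?P<proc>[^!]+)!(?P<comp>[^!]+)!(?P<thread>[0-9a-f]+)!"
    r"(?P<ts>\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d):: (?P<level>\w) ", re.I)
AUTHZ = re.compile(r"AuthzInitializeContextFromSid: Win32 error: (\d+)", re.I)

def find_authz_failures(lines):
    """Return one record per line reporting a failed AuthzInitializeContextFromSid call."""
    failures = []
    for lineno, line in enumerate(lines, 1):
        hit = AUTHZ.search(line)
        if not hit:
            continue
        code = int(hit.group(1))
        head = HEADER.match(line)
        # Wrapped continuation lines carry no header: keep the hit, leave time unknown.
        when = datetime.strptime(head["ts"], "%m/%d/%Y-%H:%M:%S") if head else None
        failures.append({"line": lineno, "time": when, "thread": head["thread"] if head else None,
                         "code": code, "meaning": WIN32_MEANING.get(code, "unlisted Win32 code")})
    return failures

def count_by_code(failures):
    """Tally failures per Win32 code so the dominant cause stands out."""
    return Counter(f["code"] for f in failures)

# Constructed sample lines, shortened from the article's two messages.
SAMPLE_LOG = [
    "ReportingServicesService!library!718!06/16/2004-00:00:03:: e ERROR: Throwing "
    "...ServerConfigurationErrorException: ..., AuthzInitializeContextFromSid: Win32 error: 5; "
    "possible reason - service account doesn't have rights to check domain user SIDs.;",
    "ReportingServicesService!library!718!06/16/2004-00:00:04:: i INFO: constructed unrelated line",
    "ReportingServicesService!library!7e4!05/24/2004-10:00:22:: e ERROR: Throwing "
    "...ServerConfigurationErrorException: ..., AuthzInitializeContextFromSid: Win32 error: 1722;",
    "    (constructed continuation) AuthzInitializeContextFromSid: Win32 error: 5",
]

if __name__ == "__main__":
    for f in find_authz_failures(SAMPLE_LOG):
        print(f["line"], f["time"], f["thread"], f["code"], f["meaning"])
    print(dict(count_by_code(find_authz_failures(SAMPLE_LOG))))
```

A run dominated by code 5 matches the article's "service account doesn't have rights to check domain user SIDs" case, which the RESOLUTION methods address.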



RESOLUTION
To resolve this problem, use one of the following methods.

You can use Method 1 if the following conditions are true:
 * The SQL Server 2000 Reporting Services Windows service is running under the Network Service account.
 * You do not want to change the account that the SQL Server 2000 Reporting Services Windows service is running under.

You can use Method 2 for a general resolution. If Method 2 does not resolve the problem, use Method 3.

Method 1

 * 1) Add the Windows account to the Pre-Windows 2000 Compatibility Access group by using the Active Directory Users and Computers snap-in.
 * 2) Add the Windows account to the Windows Authorization Access group by using the Active Directory Users and Computers snap-in.
 * 3) Restart the computer that is running SQL Server 2000 Reporting Services.

Note
 * The Windows account in step 1 and in step 2 is the account that you use to run SQL Server 2000 Reporting Services.
 * After you add the account to these groups, it is guaranteed that SQL Server 2000 Reporting Services can access the TGGAU attribute.
 * This method does not require you to modify permissions on any objects.

Method 2
Configure the SQL Server 2000 Reporting Services Windows service to run under a domain user account.

Note An error message may be written to the SQL Server 2000 Reporting Services trace log when you try to change the user account that is used to run the SQL Server 2000 Reporting Services Windows service.

For more information about the error message, click the following article number to view the article in the Microsoft Knowledge Base:

842421 You receive an error message in the Reporting Services trace log when you restart the Report Server service after you change the user account that is used to run the Report Server service

Method 3
Configure the settings on the domain of the computer that is running SQL Server 2000 Reporting Services. To do this, use one of the following methods.

Grant the read permission on all the user objects and all the group objects in the domain
You may be able to resolve the problem by granting the user account that you use to run the SQL Server 2000 Reporting Services Windows service read permission on the TGGAU attribute of all the user objects and all the group objects in the domain. To do this, use the information in one of the following sections, depending on the operating system that you are using.

For a Microsoft Windows 2000 domain

If the domain is in a pre-Windows 2000 compatibility access mode, the EVERYONE group has read permission on the TGGAU attribute for all the user account objects and all the computer account objects. Therefore, the user account that you use to run the SQL Server 2000 Reporting Services Windows service has access to the TGGAU attribute on the user account that SQL Server 2000 Reporting Services uses to create the e-mail subscription.

If the domain is not in a pre-Windows 2000 compatibility access mode, also known as Native mode, you must grant read permission for the user account that is used to run the SQL Server 2000 Reporting Services Windows service so that it can read the TGGAU attribute on the user account that SQL Server 2000 Reporting Services uses to create the subscription. You can create a domain local group that simulates the pre-Windows 2000 compatibility group, add the user account that you use to run the SQL Server 2000 Reporting Services Windows service to this group, and then grant read permissions for the group on all the user objects. To do this, follow these steps:

Note You must have administrator permissions on the domain to follow these steps.


 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the Active Directory Users and Computers window, in the left pane, expand the.
 * 3) Right-click Users, point to New, and then click Group.
 * 4) In the New Object - Group dialog box, type MyAuthZGrp in the Group name box.
 * 5) Under Group scope, select the Domain local option, and then click OK. The MyAuthZGrp group may appear in the right pane.
 * 6) In the left pane of the Active Directory Users and Computers window, right-click the Users folder, and then click Properties.
 * 7) In the Users Properties dialog box, click the Security tab.
 * 8) Click Add.
 * 9) In the Select Users, Computers or Groups dialog box, select the group that you created in step 5.
 * 10) Click Add, and then click OK.
 * 11) Grant Read permission to the user account that you selected in step 9.



For a Microsoft Windows Server 2003 domain

If the domain is in a pre-Windows 2000 compatibility access mode, the EVERYONE group has read access to the TGGAU attribute for all the user account objects and all the computer account objects. Therefore, the user account that you use to run the SQL Server 2000 Reporting Services Windows service has access to the TGGAU attribute on the user account that SQL Server 2000 Reporting Services uses to create the e-mail subscription.

If the domain is not in a pre-Windows 2000 compatibility access mode, add the user account that you use to run the SQL Server 2000 Reporting Services Windows service to the Windows Authorization Access Group (WAA group). By default, the WAA group has read access to the TGGAU attribute on the user objects and on the computer objects in new installations of Windows Server 2003. Therefore, the user account that you use to run the SQL Server 2000 Reporting Services Windows service has access to the TGGAU attribute on the user account that SQL Server 2000 Reporting Services uses to create the e-mail subscription.

Grant the read permission on the user object or the group object that SQL Server 2000 Reporting Services uses to create the subscription
You must specifically provide read permissions for the SQL Server 2000 Reporting Services Windows service account to the TGGAU attribute on the user account that SQL Server 2000 Reporting Services uses to create the subscription. For example, if the user account that SQL Server 2000 Reporting Services uses to create the subscription is a member of the Enterprise Admins group on the domain, follow these steps:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the Active Directory Users and Computers window, in the left pane, expand the , and then expand Users.
 * 3) Right-click Enterprise Admins, and then click Properties.
 * 4) In the Enterprise Admins Properties dialog box, click Add.
 * 5) In the Select Users, Computers or Groups dialog box, select the user account that you use to run the SQL Server 2000 Reporting Services Windows service.
 * 6) Click Add, and then click OK.
 * 7) Grant Read permission to the user account that you selected in step 5.

Note The changes may not take effect immediately.



How to configure the domain settings on the computer
The configuration of the domain depends on the operation mode of the Microsoft Windows domain. Additionally, you must turn on the advanced features on the Windows domain. To find the domain operation mode on the domain controller, and to turn on the advanced features, follow these steps:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the Active Directory Users and Computers window, in the left pane, right-click the , and then click Properties.
 * 3) In the   Properties dialog box, see the Domain operation mode text box on the General tab.

The Domain operation mode text box shows what domain operation mode the domain is currently using.
 * 1) In the left pane of the Active Directory Users and Computers window, click the.
 * 2) On the View menu, click Advanced Features.

For more information about the APIs that require access to authorization on account objects, click the following article number to view the article in the Microsoft Knowledge Base:

331951 Some applications and APIs require access to authorization information on account objects


© Microsoft Corporation. All rights reserved.