Microsoft KB Archive/913327

= Error message when you try to make a remote connection to the registry of a Windows-based computer from a Windows Server 2003 SP1-based computer: &quot;Access denied&quot; =

Article ID: 913327

Article Last Modified on 4/25/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise x64 Edition

-



Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SYMPTOMS
When you try to make a remote connection to the registry of a Microsoft Windows-based computer from a Microsoft Windows Server 2003 Service Pack 1 (SP1)-based computer, you receive the following error message:

Access denied

This issue may prevent you from using the following programs to deploy agents or clients:
 * Microsoft Systems Management Server (SMS) 2003 Service Pack 1 (SP1)
 * The original release version of SMS 2003
 * SMS 2.0
 * The original release version of Microsoft Operations Manager (MOM) 2005



CAUSE
This issue occurs because of security changes that are included in Windows Server 2003 SP1.



Service pack information
To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

889100 How to obtain the latest service pack for Windows Server 2003

Prerequisites
You must be running Windows Server 2003 SP1 to apply this hotfix.

Note x64-based versions of Windows Server 2003 do not require this service pack.

Restart requirement
You must restart the computer after you apply this hotfix. Also, a restart is required after you make the registry key change that is described in the &quot;To enable the hotfix&quot; section.

Hotfix replacement information
This hotfix does not replace any other hotfixes.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Registry information
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To enable the hotfix, add the DontUseSecureNPForRemote entry to the following registry subkey. Then, set this entry to a value of 1.

To do this, follow these steps:  Click Start, click Run, type regedit, and then click OK. Locate and then click the following registry subkey:

 On the Edit menu, point to New, and then click DWORD Value. Type DontUseSecureNPForRemote, and then press ENTER. Right-click DontUseSecureNPForRemote, and then click Modify. In the Value data box, type 1, and then click OK.</li> Exit Registry Editor.

Note If the DontUseSecureNPForRemote entry is not set to 1 after this hotfix is applied, the following event may be logged when the computer tries to connect to a clustered network name that has Kerberos enabled:

Event Type: Error

Event Source: Kerberos

Event Category: None

Event ID: 4

Description: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/. The target name used was. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (childdomain.rootdomain.COM), and the client realm. Please contact your system administrator.

The client's connection attempt to a clustered network name that has Kerberos enabled succeeds even though this event is logged. Set the DontUseSecureNPForRemote entry to 1 to prevent this event from being logged.</li></ol>

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section. This problem was first corrected in Microsoft Windows Server 2003 Service Pack 2.

<div class="moreinformation_section">

MORE INFORMATION
The issue that is described in the &quot;Symptoms&quot; section may affect programs that use the WnetConnection2 function to connect to a Windows-based computer from a Windows Server 2003 SP1-based computer. Specifically, this issue may occur if the following conditions are true:
 * The WnetConnection2 function uses an alternative set of credentials to connect to the IPC$ share.
 * The WnetConnection2 function takes this action before it calls the RegConnectRegistry function.

For more information about the terms that are used to describe software updates, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Keywords: kbwinserv2003sp2fix kbhotfixserver kbbug kbfix kbqfe kbwinserv2003presp1fix kbpubtypekc KB913327

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.