Microsoft KB Archive/930220

= Error message when you modify the "Impersonate a client after authentication" policy setting in Windows Server 2003 with Service Pack 1: "There are no more endpoints available from the endpoint mapper" =

Article ID: 930220

Article Last Modified on 1/18/2007


APPLIES TO

Microsoft Windows Server 2003 Service Pack 1, when used with:

* Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
* Microsoft Windows Server 2003, Standard Edition (32-bit x86)




Important: This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SYMPTOMS
After you install Microsoft Windows Server 2003 Service Pack 1 (SP1) or when you modify the Impersonate a client after authentication policy setting in Windows Server 2003 with SP1, you may experience one or more of the following symptoms:

* Incoming and outgoing network communication fails.
* Error messages that resemble the following are generated in the System log:

Error message 1

Date:

Time:

Event Type: Error

Event Source: SAM

Event ID: 12291

Event Category: None

User: N/A

Computer:

Description:

SAM failed to start the TCP/IP or SPX/IPX listening thread.

Error message 2

Date:

Time:

Event Type: Warning

Event Source: LsaSrv

Event ID: 32777

Event Category: None

User: N/A

Computer:

Description:

The LSA was unable to register its RPC interface over the TCP/IP interface. Please make sure that the protocol is properly installed.

Error message 3

Date:

Time:

Event Type: Error

Event Source: IPSec

Event ID: 4292

Event Category: None

User: N/A

Computer:

Description:

The IPSec driver has entered Block mode. IPSec will discard all inbound and outbound TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions. User Action: To restore full unsecured TCP/IP connectivity, disable the IPSec services, and then restart the computer.

Error message 4

Date:

Time:

Event Type: Error

Event Source: Service Control Manager

Event ID: 7023

Event Category: None

User: N/A

Computer:

Description:

The Task Scheduler service terminated with the following error: The endpoint mapper database entry could not be created.

Error message 5

Date:

Time:

Event Type: Error

Event Source: Service Control Manager

Event ID: 7022

Event Category: None

User: N/A

Computer:

Description:

The COM+ Event System service hung on starting.

* When you use the Group Policy Object Editor to modify the Impersonate a client after authentication policy setting, you may receive the following error message:

There are no more endpoints available from the endpoint mapper.


CAUSE
This issue occurs because the logon account for the Remote Procedure Call (RPC) service is changed from the Local System account to the NetworkService account in Windows Server 2003 with SP1. When the RPC service runs under the NetworkService account, the Impersonate a client after authentication policy must include the Administrators group account and the SERVICE group account.


RESOLUTION
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To resolve this issue, follow these steps:

1. Use an account that has administrative credentials to log on to Windows Server 2003.

2. Try to add the Administrators group and SERVICE group accounts to the Impersonate a client after authentication policy setting. To do this, follow these steps:

   a. Click Start, click Run, type gpedit.msc, and then click OK.

   b. In the console tree, locate and then expand the following node:

      Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

   c. Locate and then double-click Impersonate a client after authentication.

   d. Click Add User or Group.

      Note: If the Add User or Group button is disabled and if the computer is a domain controller, use the Domain Controller Security Policy administrative tool to make the policy changes. This policy tool will override the local security policy settings. If this computer is a member server and the Add User or Group button is disabled, identify all Group Policy settings that apply to this computer, and then make the policy changes to the appropriate Group Policy settings.

   e. In the Enter the object names to select box, type Administrators, and then click OK.

   f. Repeat step d through e for the SERVICE group account.

   g. Click OK to close the Impersonate a client after authentication Properties dialog box.

   h. On the File menu, click Exit.

   i. Restart the computer.

   If you can add the Administrators group and SERVICE group accounts to the Impersonate a client after authentication policy setting, restart the computer. The issue will be resolved. If you cannot modify the policy and you still experience network communication issues, follow steps 3 through 5.

3. Change the logon account for the RPC service from the NT AUTHORITY\NetworkService account to the Local System account, and then restart the computer. After you follow this step, network communication is restored. However, you must now follow steps 4 through 5 to reconfigure the RPC service to run under the NetworkService account. To modify the logon account for the RPC service, follow these steps:

   a. Click Start, click Run, type Services.msc, and then click OK.

   b. Locate and then double-click Remote Procedure Call (RPC).

   c. Click the Log On tab, click Local System account, and then click OK.

   d. On the File menu, click Exit to close the Services snap-in.

   e. Restart the computer.

4. Add the Administrators group and SERVICE group accounts to the Impersonate a client after authentication policy setting, and then update Group Policy. To do this, follow these steps:

   a. Click Start, click Run, type gpedit.msc, and then click OK.

   b. In the console tree, locate and then expand the following node:

      Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

   c. Locate and then double-click Impersonate a client after authentication.

   d. In the Impersonate a client after authentication Properties dialog box, click Add User or Group.

      Note: If the Add User or Group button is disabled and if the computer is a domain controller, use the Domain Controller Security Policy administrative tool to make the policy changes. This policy tool will override the local security policy settings. If this computer is a member server and the Add User or Group button is disabled, identify all Group Policy settings that are applicable to this computer, and then make the policy changes in the appropriate Group Policy settings.

   e. In the Enter the object names to select box, type Administrators, and then click OK.

   f. Repeat step d through e for the SERVICE group account.

   g. Click OK.

   h. On the File menu, click Exit.

   i. Click Start, click Run, type gpupdate /force to update Group Policy.

   j. Use the Group Policy Object Editor to make sure that the Impersonate a client after authentication policy includes the Administrators group and SERVICE group accounts.

5. Use Registry Editor to modify the logon account settings for the RPC service so that it uses the NT Authority\NetworkService account. This is the default configuration for Windows Server 2003 with SP1. To do this, follow these steps:

   a. Locate and then click the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs

      Note: Make sure that you make a copy of the registry subkey before you modify any settings.

   b. Double-click ObjectName.

   c. In the Value data box, type NT Authority\NetworkService.

   d. Click OK.

   e. On the File menu, click Exit.

   f. Restart the computer.
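The two settings that the CAUSE section ties together (the holders of the Impersonate a client after authentication right and the RPC service logon account) can be checked read-only before and after the steps above. This is an added example, not part of the original Microsoft article; it assumes that PowerShell is installed on the server, that it runs from an administrative prompt, and that secedit exports the well-known accounts as SIDs. The export file name is arbitrary.

```powershell
# Added example: read-only check, changes no policy and no registry value.
$wanted = @{
    'S-1-5-32-544' = 'Administrators'   # well-known SID of BUILTIN\Administrators
    'S-1-5-6'      = 'SERVICE'          # well-known SID of NT AUTHORITY\SERVICE
}

# Export only the user rights assignments to a temporary INF file.
$inf = Join-Path $env:TEMP 'user_rights_export.inf'   # arbitrary file name
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# "Impersonate a client after authentication" is stored as SeImpersonatePrivilege.
$line = Get-Content $inf |
    Where-Object { $_ -match '^\s*SeImpersonatePrivilege\s*=' } |
    Select-Object -First 1
Remove-Item $inf

# Entries look like "*S-1-5-32-544,*S-1-5-6"; strip the leading asterisk.
$holders = @()
if ($line) {
    $value   = $line.Substring($line.IndexOf('=') + 1)
    $holders = @($value.Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
}

foreach ($sid in $wanted.Keys) {
    if ($holders -contains $sid) {
        Write-Output ("OK       {0} ({1}) holds SeImpersonatePrivilege" -f $wanted[$sid], $sid)
    } else {
        Write-Output ("MISSING  {0} ({1}) is not listed for SeImpersonatePrivilege" -f $wanted[$sid], $sid)
    }
}

# Logon account of the RPC service, the ObjectName value edited in step 5.
$rpc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\RpcSs'
Write-Output ("RpcSs ObjectName: {0}" -f $rpc.ObjectName)

# The failing combination from the CAUSE section: NetworkService without both accounts.
$missing = @($wanted.Keys | Where-Object { $holders -notcontains $_ })
if ($rpc.ObjectName -match 'NetworkService' -and $missing.Count -gt 0) {
    Write-Output 'RpcSs runs as NetworkService but the policy is incomplete (see CAUSE).'
}
```

If an account is exported by name instead of by SID, compare the printed policy line by hand against the Administrators and SERVICE entries.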

Keywords: kbexpertiseinter kbtshoot KB930220


© Microsoft Corporation. All rights reserved.