Article ID: 313661
Article Last Modified on 9/26/2005
APPLIES TO
- Microsoft SQL Server 7.0 Standard Edition
This article was previously published under Q313661
BUG #: 102105 (sqlbug_70)
SYMPTOMS
When all of the following conditions are true, you may not be able to connect to SQL Server 7.0 and may receive a "Timeout expired" error message when you try to log on:
- You are using Microsoft Windows 2000, or later, as the platform for servers and clients, and you are using Kerberos as the network authentication protocol.
- The computer that is running SQL Server is using Kerberos.dll version 5.0.2195.2530, or later.
- The Kerberos registry parameter MaxTokenSize is set to a value greater than 0xFFFF (65535 decimal) in accordance with the following Microsoft Knowledge Base article:
263693 Group Policy May Not Be Applied to Users Belonging to Many Groups
- You are using SQL Server Integrated security.
- You are using TCP/IP sockets as the SQL Server network library.
Notes
- The problem described in this article does not apply when you connect to SQL Server 2000.
- There are many causes for a "Timeout expired" error message. The information in this article applies only to scenarios where all of the conditions listed in the "Symptoms" section are true. In particular, the MaxTokenSize parameter referred to in the third bullet item must be set on the computer that is running SQL Server.
In an ODBC application, the error message is similar to:
CAUSE
SQL Server 7.0 Open Data Services (ODS) was not designed to handle Kerberos Security Support Provider Interface (SSPI) token sizes larger than 0xFFFF.
RESOLUTION
To resolve this problem, obtain the latest service pack for Microsoft SQL Server 7.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
301511 INF: How to Obtain the Latest SQL Server 7.0 Service Pack
NOTE: The following hotfix was created prior to Microsoft SQL Server 7.0 Service Pack 4.
The English version of this fix should have the following file attributes or later:
Date Time Version Size File name
--------------------------------------------------------------
27-Nov-2001 02:16 7.00.1014 160,016 bytes Opends60.dll
NOTE: Because of file dependencies, the most recent hotfix or feature that contains the preceding files may also contain additional files.
WORKAROUND
To work around this problem you can either:
- Upgrade your server to SQL Server 2000.
- Use another network library to connect to SQL Server 7.0. For example, use Named Pipes.
- Use SQL Server standard security.
- Reduce the setting of the MaxTokenSize Kerberos parameter to a value less than 65535. You may need to reduce the number of group memberships as well. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
263693 Group Policy May Not Be Applied to Users Belonging to Many Groups
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Microsoft SQL Server 7.0 Service Pack 4.
REFERENCES
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
263693 Group Policy May Not Be Applied to Users Belonging to Many Group
269643 Internet Explorer Kerberos Authentication Does Not Work Because of an Insufficient Buffer Connecting to IIS
300367 DCOM Client May Put Memory on the Wire
217098 Basic Overview of Kerberos User Authentication Protocol in Windows 2000
Keywords: kbbug kbfix kbsqlserv700presp4fix kbqfe kbhotfixserver KB313661
