Microsoft KB Archive/930220

From BetaArchive Wiki
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
Knowledge Base


Error message when you modify the "Impersonate a client after authentication" policy setting in Windows Server 2003 with Service Pack 1: "There are no more endpoints available from the endpoint mapper"

Article ID: 930220

Article Last Modified on 1/18/2007


APPLIES TO

  • Microsoft Windows Server 2003 Service Pack 1, when used with:
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)


Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry


SYMPTOMS

After you install Microsoft Windows Server 2003 Service Pack 1 (SP1) or when you modify the Impersonate a client after authentication policy setting in Windows Server 2003 with SP1, you may experience one or more of the following symptoms:

  • Incoming and outgoing network communication fails.

  • Error messages that resemble the following are generated in the System log:

    Error message 1

    Date: Date
    Time: Time
    Event Type: Error
    Event Source: SAM
    Event ID: 12291
    Event Category: None
    User: N/A
    Computer: ComputerName
    Description:
    SAM failed to start the TCP/IP or SPX/IPX listening thread.

    Error message 2

    Date: Date
    Time: Time
    Event Type: Warning
    Event Source: LsaSrv
    Event ID: 32777
    Event Category: None
    User: N/A
    Computer: ComputerName
    Description:
    The LSA was unable to register its RPC interface over the TCP/IP interface. Please make sure that the protocol is properly installed.

    Error message 3

    Date: Date
    Time: Time
    Event Type: Error
    Event Source: IPSec
    Event ID: 4292
    Event Category: None
    User: N/A
    Computer: ComputerName
    Description:
    The IPSec driver has entered Block mode. IPSec will discard all inbound and outbound TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions. User Action: To restore full unsecured TCP/IP connectivity, disable the IPSec services, and then restart the computer.

    Error message 4

    Date: Date
    Time: Time
    Event Type: Error
    Event Source: Service Control Manager
    Event ID: 7023
    Event Category: None
    User: N/A
    Computer: ComputerName
    Description:
    The Task Scheduler service terminated with the following error: The endpoint mapper database entry could not be created.

    Error message 5

    Date: Date
    Time: Time
    Event Type: Error
    Event Source: Service Control Manager
    Event ID: 7022
    Event Category: None
    User: N/A
    Computer: ComputerName
    Description:
    The COM+ Event System service hung on starting.

  • When you use the Group Policy Object Editor to modify the Impersonate a client after authentication policy setting, you may receive the following error message:

    There are no more endpoints available from the endpoint mapper.


CAUSE

This issue occurs because the logon account for the Remote Procedure Call (RPC) service is changed from the Local System account to the NetworkService account in Windows Server 2003 with SP1. When the RPC service runs under the NetworkService account, the Impersonate a client after authentication policy must include the Administrators group account and the SERVICE group account.

RESOLUTION

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To resolve this issue, follow these steps:

  1. Use an account that has administrative credentials to log on to Windows Server 2003.
  2. Try to add the Administrators group and SERVICE group accounts to the Impersonate a client after authentication policy setting. To do this, follow these steps:
    1. Click Start, click Run, type gpedit.msc, and then click OK.
    2. In the console tree, locate and then expand the following node:

      Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

    3. Locate and then double-click Impersonate a client after authentication.
    4. Click Add User or Group.

      Note If the Add User or Group button is disabled and if the computer is a domain controller, use the Domain Controller Security Policy administrative tool to make the policy changes. This policy tool will override the local security policy settings. If this computer is a member server and the Add User or Group button is disabled, identify all Group Policy settings that apply to this computer, and then make the policy changes to the appropriate Group Policy settings.
    5. In the Enter the object names to select box, type Administrators, and then click OK.
    6. Repeat step d through e for the SERVICE group account.
    7. Click OK to close the Impersonate a client after authentication Properties dialog box.
    8. On the File menu, click Exit.
    9. Restart the computer.
    If you can add the Administrators group and SERVICE group accounts to the Impersonate a client after authentication policy setting, restart the computer. The issue will be resolved. If you cannot modify the policy and you still experience network communication issues, follow steps 3 through 5.
  3. Change the logon account for the RPC service from the NT AUTHORITY\NetworkService account to the Local System account, and then restart the computer. After you follow this step, network communication is restored. However, you must now follow steps 4 through 5 to reconfigure the RPC service to run under the NetworkService account. To modify the logon account for the RPC service, follow these steps:
    1. Click Start, click Run, type Services.msc, and then click OK.
    2. Locate and then double-click Remote Procedure Call (RPC).
    3. Click the Log On tab, click Local System account, and then click OK.
    4. On the File menu, click Exit to close the Services snap-in.
    5. Restart the computer.
  4. Add the Administrators group and SERVICE group accounts to the Impersonate a client after authentication policy setting, and then update Group Policy. To do this, follow these steps:
    1. Click Start, click Run, type gpedit.msc, and then click OK.
    2. In the console tree, locate and then expand the following node:

      Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

    3. Locate and then double-click Impersonate a client after authentication.
    4. In the Impersonate a client after authentication Properties dialog box, click Add User or Group.

      Note If the Add User or Group button is disabled and if the computer is a domain controller, use the Domain Controller Security Policy administrative tool to make the policy changes. This policy tool will override the local security policy settings. If this computer is a member server and the Add User or Group button is disabled, identify all Group Policy settings that are applicable to this computer, and then make the policy changes in the appropriate Group Policy settings.
    5. In the Enter the object names to select box, type Administrators, and then click OK.
    6. Repeat step d through e for the SERVICE group account.
    7. Click OK.
    8. On the File menu, click Exit.
    9. Click Start, click Run, type gpupdate /force to update Group Policy.
    10. Use the Group Policy Object Editor to make sure that the Impersonate a client after authentication policy includes the Administrators group and SERVICE group accounts.
  5. Use Registry Editor to modify the logon account settings for the RPC service so that it uses the NT Authority\NetworkService account. This is the default configuration for Windows Server 2003 with SP1. To do this, follow these steps.
    1. Locate and then click the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs

      Note Make sure that you make a copy of the registry subkey before you modify any settings.
    2. Double-click ObjectName.
    3. In the Value data box, type NT Authority\NetworkService.
    4. Click OK.
    5. On the File menu, click Exit.
    6. Restart the computer.


Keywords: kbexpertiseinter kbtshoot KB930220



Send feedback to Microsoft

© Microsoft Corporation. All rights reserved.


Retrieved from ‘https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/930220&oldid=226640
the Creative Commons 3.0 ShareAlike (except the Microsoft KB Archive).
Powered by MediaWiki