ACL Problem with the MSDTC service?


If you have a Resource Manager (for example SQL Server) that is failing to communicate with MSDTC (that you can see is started and working well), you maybe wondering the best way to troubleshoot such a problem?


One possible issue could be that the account under which the SQL Server (or other resource Manager) is running does not have permission on the MSDTC Service.


This can be checked in the ACL (Access Control List) using the tool named "subinacl" and downloaded from:
http://www.microsoft.com/downloads/details.aspx?familyid=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en


The command for checking the permissions on the msdtc service is:
 "subinacl.exe /Service msdtc"


This command should output a number of different accounts or account groups. You must identify the permission for the account that the problematic resource manager is running.


From the Subinacl Readme file you can see the possible Service Permission options:


PACE Description
-F -> Full Control
-R -> Generic Read
-W -> Generic Write
-X -> Generic eXecute
-L -> Read controL
-Q -> Query Service Configuration
-S -> Query Service Status
-E -> Enumerate Dependent Services
-C -> Service Change Configuration
-T -> Start Service
-O -> Stop Service
-P -> Pause/Continue Service
-I -> Interrogate Service 
-U -> Service User-Defined Control Commands


If you are missing a permission, normally the command to add the missing ACL is something like this:


subinacl /service msdtc /grant=<"DOMAIN\ACCOUNT" IN QUOTES>="QSETIL"


e.g.


subinacl /service msdtc /grant="Domain\SQLServiceAccount"="QSETIL"


 


Chris Forster

Comments (4)
  1. Anonymous says:

    Thanks!

    On a cluster. Do you run the subinacl command on both nodes? Do you need to run it when MSDTC is active on both nodes?

    Is it needed to add the user in security for the cluster group as well?

    Are there any other security changes required in cluster scenarios? (E g BizTalk + MSDTC in one cluster and SQL + MSDTC in another cluster)

  2. SQL Instance cannot register with MSDTC – Follow-up

    First you must ensure you are hitting this permissions problem, as per the main blog. If this is confirmed then proceed with the SubInACL action plan, otherwise you can also consider enabling “CM” MSDTC tracing as per article: http://support.microsoft.com/?id=899115

    The subinacl tool works for the service instances themselves, therefore on a cluster the permission should normally be set on each node where MSDTC is installed.

    It is not a requirement for msdtc to be online to make the change; therefore it can be applied to passive as well as active nodes.

    If SQL itself comes online, I do not believe you need to add the user to the cluster service, normally it will be there already.

    Please be aware that Subinacl also work on user groups as well as individual users. For example the “Authenticated User” group can be useful.

    The output from “subinacl.exe /Service msdtc” should be clear to whether this group has permissions on the service.

    Finally, from your question: “Are there any other security changes required in cluster scenarios?” I would like to point out that this is not something everyone has to do for it to work. Normally the permissions are applied correctly, especially if you are using domain user for the SQL account. However there are circumstances in some environment depending on setup where this issue can be seen.

     

  3. Anonymous says:

    Chris,

    Another good tool to use to view and set the ACLs on services like MSDTC is the native SC.exe command on Windows XP, Windows 2003 and higher.

    The psservice tool from SysInternals.com (now a part of Microsoft) also provides a great way to view the config in a human readable way.

    psservice security msdtc

    …will provide a very readable option

Comments are closed.

Skip to main content