You cannot start transactions from an application running without administrative privileges on a Windows Server 2003 cluster

On a Windows Server 2003 cluster, an application (COM+, WinForms, etc.) that runs under a non-administrative account and tries to start distributed transactions through MSDTC may fail. These are some of the errors you could see:

- Event ID 4426, source MSDTC Client

- Event ID 4376, source MSDTC Client

- Event ID 4691, source COM+

- DtcGetTransactionManagerEx(): hr = 0x80070005 (E_ACCESSDENIED)

- DtcGetTransactionManagerEx(): hr = 0x8004d027
 

Explanation

1) The DtcGetTransactionManagerEx API initializes the MSDTC proxy before it connects to the MSDTC resource on the cluster. To work out which MSDTC instance is running, the proxy makes several cluster API calls, and those calls require the user calling DtcGetTransactionManagerEx to have "Full Control" access to the cluster. A non-administrative account normally does not have that, so the call fails with an access-denied result.

2) In addition, the proxy queries the cluster API for the virtual server (network name resource) that owns the MSDTC resource. When Kerberos is enabled on that network name resource, access to some of the registry parameters of the resource is removed from Authenticated Users, so the proxy cannot get the name of the virtual server that owns the MSDTC resource.

Possible workaround:

1) In Cluster Administrator, right-click the cluster name and select "Properties". On the "Security" tab, add the specific non-administrative account to the permissions list and grant it Full Control on the cluster (the level of access the cluster API calls described above require).

Alternatively, this step can be done from the command line (f grants Full Control):
cluster ClusterName /prop "security descriptor"=DOMAIN\USER,grant,f:security
Further details of this step can be found at: https://support.microsoft.com/default.aspx?id=316881

2) Install SubInACL (https://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en0).

- From a command prompt, run the following two commands. The first lets the account query the MSDTC service configuration (Q); the second lets it query the configuration and status of the Cluster service, enumerate its dependent services, interrogate it and read its security descriptor (Q, S, E, I, L):

a) subinacl.exe /service MSDTC /grant="DOMAIN\USER"="Q"
b) subinacl.exe /service ClusSvc /grant="DOMAIN\USER"="QSEIL"

- Then reset the security descriptor of the service control manager so that Authenticated Users can connect to it and read it. Note that sc sdset replaces the whole descriptor, so record the current one with "sc sdshow SCMANAGER" first so that you can put it back if needed:
sc sdset SCMANAGER D:(A;;CCGR;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

3) This step is only required if the "network name" resource in the group containing MSDTC has the parameter "Enable Kerberos Authentication" set.
- If possible, disable that setting. If it must stay enabled, open the registry and change the permissions on a specific key.

Under HKEY_LOCAL_MACHINE\Cluster\Resources there are a number of registry keys named with a GUID. Each corresponds to a resource configured in the cluster and contains a "Name" value that identifies it. Locate the key whose "Name" matches the network name resource used by MSDTC, expand it, and you will find a sub-key named "Parameters". Right-click this key and select "Permissions", then add "Read" access for the Authenticated Users group (or, more specifically, the user identity calling the DtcGetTransactionManagerEx API).
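The following PowerShell script is an added example; it is not part of the original post and not a Microsoft tool. It covers the two fiddlier parts of the procedure above: it backs up the current SCMANAGER descriptor and lists, entry by entry, what the sc sdset command in step 2 would change, and it finds the MSDTC network name resource key by its "Name" value and grants Read on its Parameters key as in step 3 (steps 1 and 2 themselves remain the one-line cluster.exe and subinacl.exe commands shown above). It needs PowerShell (an optional install on Windows Server 2003) and an administrative prompt on the node that currently owns the MSDTC group. The account CONTOSO\svc-app, the resource name "MSDTC Network Name" and the backup file path are assumptions; change them to match your cluster.

```powershell
# Added example (not from the original post): automate the checks and the
# registry part of the MSDTC workaround on a Windows Server 2003 cluster node.
# Run from an administrative PowerShell prompt on the node that owns the
# MSDTC group. Assumptions not in the original: the application account is
# CONTOSO\svc-app, the MSDTC group's network name resource is called
# "MSDTC Network Name", and the backup file path below.
$Account    = 'CONTOSO\svc-app'
$NetNameRes = 'MSDTC Network Name'
$BackupFile = Join-Path $env:SystemRoot 'scmanager-sddl.bak'

# Parse an SDDL string without touching the live object and list each DACL
# entry as "ACE type, account, access mask". RawSecurityDescriptor is part of
# .NET 2.0, so it is available to PowerShell on Windows Server 2003.
function Get-DaclSummary([string]$Sddl) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $who = $ace.SecurityIdentifier.Value
        # Translate well-known SIDs (AU, SY, BA, ...) to names where possible.
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        '{0,-14} {1,-40} 0x{2:X8}' -f $ace.AceType, $who, $ace.AccessMask
    }
}

# --- Step 2: back up the current SCMANAGER descriptor, then show what the
# proposed one changes. sc sdset replaces the whole descriptor, so compare
# the two listings before running the sc sdset command from the post.
$current = sc.exe sdshow SCMANAGER |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^D:' } |
    Select-Object -First 1
if (-not $current) { throw 'Could not read the SCMANAGER security descriptor (are you an administrator?)' }
Set-Content -Path $BackupFile -Value $current

# The descriptor from step 2 of the post.
$proposed = 'D:(A;;CCGR;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)'

"Current SCMANAGER DACL (backed up to $BackupFile)"
Get-DaclSummary $current
'Proposed SCMANAGER DACL'
Get-DaclSummary $proposed
# To apply:     sc.exe sdset SCMANAGER $proposed
# To roll back: sc.exe sdset SCMANAGER (Get-Content $BackupFile)

# --- Step 3: find the network name resource by its "Name" value and grant the
# account Read on its Parameters key. Only needed when "Enable Kerberos
# Authentication" is set on that resource.
$resKey = Get-ChildItem 'HKLM:\Cluster\Resources' | Where-Object {
    (Get-ItemProperty -Path $_.PSPath).Name -eq $NetNameRes
}
if (-not $resKey) { throw "No cluster resource named '$NetNameRes' under HKLM\Cluster\Resources" }

$paramsPath = "HKLM:\Cluster\Resources\$($resKey.PSChildName)\Parameters"
$acl = Get-Acl -Path $paramsPath
# Read access (RegistryRights.ReadKey), inherited by sub-keys, allow.
$ruleArgs = @($Account, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
$rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $ruleArgs
$acl.AddAccessRule($rule)
Set-Acl -Path $paramsPath -AclObject $acl

# Verify: list the entries for the account on the Parameters key.
"Permissions for $Account on $paramsPath"
(Get-Acl -Path $paramsPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize
```

Run the script once to review the two DACL listings, then run the sc sdset command only if the difference is what you expect; the backup file lets you restore the previous descriptor with sc sdset SCMANAGER and the saved string. The registry change is applied immediately, and the final listing should show a non-inherited ReadKey entry for the account.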

 

Chris Forster