MSDTC must run under NT AUTHORITY\NetworkService account


Starting with Windows XP and continuing with Windows Server 2003, the account under which the MSDTC service runs must be "NT AUTHORITY\NetworkService" (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cossdk/htm/pgdtc_admin_7gkz.asp).


If you change the account to anything other than NetworkService, your distributed transactions will fail because MSDTC will not be able to perform mutual authentication with the other parties (transaction managers, resource managers, clients) involved in the transaction. In some cases, even local transactions will fail.


On NT4 and Windows 2000, a common practice was to change the default MSDTC account to a domain account so that MSDTC could use Windows authentication when performing recovery against XA databases such as Oracle. On XP and 2003 this is no longer possible (at least not in a secure way). Instead, you need to give the NetworkService account of the machine where MSDTC is running the permissions and roles needed to perform XA recovery on the XA database. The exact method is specific to each database, but in short you need to add the "machine account" of the machine where MSDTC is running to the list of users allowed to perform recovery on the XA database. Also take a look at http://blogs.msdn.com/florinlazar/archive/2003/12/04/41370.aspx for more MSDTC and XA troubleshooting.
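As an added example (not code from the original post), the following PowerShell script audits the two settings this page and its comments keep coming back to: the MSDTC logon account, and whether NetworkService can read and load each XA DLL registered under the XADLL key. It assumes Windows PowerShell 3.0 or later, the service name MSDTC, and the XADLL layout where each value name is a DLL file name and its data is the full path.

```powershell
# Added audit script; not from the original post. Assumptions: Windows PowerShell 3.0+,
# service name "MSDTC", XA DLLs registered under HKLM\SOFTWARE\Microsoft\MSDTC\XADLL
# as <dll name> = <full path>. Well-known SID S-1-5-20 is NT AUTHORITY\NetworkService.
$expectedAccount = 'NT AUTHORITY\NetworkService'
$networkServiceSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'
$readExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# 1. Which account is MSDTC configured to log on as?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSDTC'"
if ($null -eq $svc) { throw 'MSDTC service not found on this machine.' }
if ($svc.StartName -ieq $expectedAccount) {
    "MSDTC logon account OK: $($svc.StartName)"
} else {
    Write-Warning ("MSDTC runs as '{0}', expected '{1}'. Mutual authentication with " +
        "other transaction managers will fail.") -f $svc.StartName, $expectedAccount
}

# 2. For each registered XA DLL: does the file exist, and does NetworkService
#    hold an Allow ACE with at least read/execute on its folder (explicit or inherited)?
$xaKey = 'HKLM:\SOFTWARE\Microsoft\MSDTC\XADLL'
if (-not (Test-Path $xaKey)) {
    'No XADLL key found: no XA resource manager DLLs are registered with MSDTC.'
    return
}
$item = Get-Item $xaKey
foreach ($name in $item.GetValueNames()) {
    $dllPath = $item.GetValue($name)
    if (-not (Test-Path -LiteralPath $dllPath)) {
        Write-Warning "XADLL '$name' points to a missing file: $dllPath"
        continue
    }
    $folder = Split-Path -Parent $dllPath
    $acl = Get-Acl -LiteralPath $folder
    # Resolve identities to SIDs so the check does not depend on display names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $ok = $rules | Where-Object {
        $_.IdentityReference -eq $networkServiceSid -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readExec) -eq $readExec)
    }
    if ($ok) {
        "XA DLL '$name': NetworkService has read/execute on $folder"
    } else {
        Write-Warning ("XA DLL '$name': no read/execute ACE for NetworkService on $folder. " +
            "Least-privilege grant: icacls `"$folder`" /grant `"*S-1-5-20`":(OI)(CI)RX")
    }
}
```

The folder check only looks for an ACE granted directly to NetworkService; rights it inherits through group membership (for example Users) are not counted, so a warning here means "verify", not necessarily "broken".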

Comments (26)

  1. Florin — thanks for the info.

    I have seen this related to my problem above, and this user is already set up. The question I have, though, is that I didn’t have to do any of this with Windows XP, and everything worked fine, no changes. Is this a Windows 2003 issue only??

  2. Florin Lazar says:

    Robert, the XADLL registry key requirement is a Windows Server 2003 only.

    Did you add NetworkService permissions to the folder where your XA dll is located? (http://support.microsoft.com/default.aspx?scid=kb;en-us;816633)

    Can you verify also if your xa dll is loaded in the msdtc.exe process?

  3. Sam Gentile says:

I just had him add NetworkService permissions to the folder where the XA dll is located.

We’re looking at whether your xa dll is loaded in the msdtc.exe process.

  4. Sam Gentile says:

    I am having him use Process Explorer to look on the loading issue as it still fails with the NetworkService account having "FullControl" privs on the ENTIRE Oracle tree

  5. I am not seeing that file "heteroxa9.dll" loaded anywhere in the msdtc.exe process. The problem is also trying to determine what the XA manager is with Oracle 9.2 (with Oracle 7.3 it was xa73.dll, and with Oracle 8.x it was xa80.dll). One of the Oracle guys here pointed to that file, but it’s not being loaded. I had also thought it might be oraclient9.dll (which IS being loaded in the msdtc.exe process) only because it is the OracleXaLib key value under MTxOCI (not by default, but according to Oracle docs, this is what it should be).

  6. Jeff says:

How do I change the network service account for the DTC service (it’s been changed)? The PC it’s on is a domain controller, and I get an error when it is started with any other account.

    Please help

  7. Enrico Sabbadin says:

I’m having no luck with distributed transactions (no matter what DB). The error is

"You made a method call on a COM+ component that has a transaction that …" well, you know. This happens during the construction phase; I never get to call a method.

    I read the info in this blog post,

Any other things I should be aware of?

  8. Florin Lazar says:

    Jeff,

    To change the MSDTC account back to NetworkService I recommend you to use the following steps:

    1. Stop the MSDTC service if it’s running. You can use "net stop msdtc" to do this.

2. Change the account using the MSDTC UI accessible from Control Panel\Administrative Tools\Component Services MMC.

  9. bug says:

I have a problem in WinXP: I can’t work with Oracle, which is located on another machine (Win2K). It says "New transaction cannot enlist in the specified transaction coordinator."

I’ve set the DTC account to NetworkService but nothing changed. What should I do?

  10. robin says:

    nt authority system needs to close down

  11. Derek says:

    Florin,

    What if the MSDTC UI will not work after changing the service account for DTC in Services?

  12. DJ says:

What is the password for NT AUTHORITY\NetworkService?? I can’t change the service back to using it without the password.

  13. florinlazar says:

    To: DJ

    The password for NetworkService is blank (no characters).

  14. Khateeb says:

MSDTC does not work using the NetworkService account but works fine with a local administrator account! Why is this?

  15. florinlazar says:

    To: Khateeb

    You might encounter some permission issues. What errors do you get? Do you see anything in the event log?

    Are you using XA? What database are you talking to?

  16. Khateeb says:

    I am using a Microsoft SQL2000 and I don’t think I use XA. Here is a sample error:

MS DTC was unable to determine the state of the cluster service on this machine.  MS DTC cannot continue to startup.  Please contact Microsoft Product Support. Error Specifics: d:\nt\com\complus\dtc\shared\mtxclu\mtxclusetuphelper.cpp:498, Pid: 1804, CmdLine: C:\WINDOWS\system32\msdtc.exe

    I am quite sure this is a permission problem. But I am not sure how to fix it.

  17. florinlazar says:

    To: Khateeb

    Oh, so you are on a cluster. What OS?

    Is MSDTC configured to run as clustered resource?

    I also recommend posting your issue at our transactions forum at http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=388&SiteID=1 for a faster response. Thanks.

  18. tsramkumar says:

    To:florinlazar

I am having similar issues with MS-DTC and DB2 (on z/OS mainframe). I am not having this in Win XP SP1. However, in SP2, I did follow the steps to verify all the required options are checked in the security configuration tab of MS-DTC. I have Network DTC transactions enabled, Enable XA Transactions is checked, and the DTC Logon account is NT AUTHORITY\NetworkService.

Also, I did create a registry key for the DB2 XA manager (DB2APP.dll). I didn’t find any key XADLL under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC.

    But I created one and did follow the steps (also listed in the following link).

http://www-1.ibm.com/support/docview.wss?rs=71&context=SSEPGG&q1=windows+2003+XA+transaction+MSDTC&uid=swg21188896&loc=en_US&cs=utf-8&lang=en

    I still keep getting the same ERROR [58005] [IBM][DB2] SQL0998N Error occurred during transaction or heuristic processing. Reason Code = "16". Subcode = "2-80004005". SQLSTATE=58005

    which as per the IBM manual is pointing me to microsoft for examining the subcode.

I am not sure how to grant permission to NT AUTHORITY\NetworkService on the folder containing DB2APP.dll, as I am not able to find this user in the list of users.

    Any suggestions?

    Thanks

  19. neol says:

@tsramkumar
> I am not sure how to grant permission to NT AUTHORITY\NetworkService on the folder containing DB2APP.dll, as I am not able to find this user in the list of users.

    Type this from command prompt:
CACLS "%DIR%" /C /E /G "NT AUTHORITY\NetworkService":F

    %DIR% = selected folder path
:F = Full control permission

  20. florinlazar says:

    To: tsramkumar

In XP, NT AUTHORITY\NetworkService shows up as "NETWORK SERVICE". It is part of the "Built-in security principals" object type.