XP SP2 and Transactions


The preview (RC2) of Windows XP Service Pack 2 is available for download at http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx


General information about it can be found at http://msdn.microsoft.com/security/productinfo/XPSP2/default.aspx and http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx. More information about the changes in MSDTC is available at http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2otech.mspx#EBAA and http://support.microsoft.com/?id=899191


 


In this post I will cover what changes this SP introduces for distributed transactions, what the impact is on your applications, and how you can re-enable your scenarios.


 


When you install XP SP2, all network MSDTC transactions will be disabled, even if network transactions had been previously enabled. This means that if you are using COM+ or Enterprise Services (or simple OleTx clients and resource managers) to flow transactions from or into the box, you will need to follow the steps defined below to re-enable your scenarios.


 


The first step is to enable network transactions in the Security Configuration dialog for MSDTC. To do this, open Control Panel\Administrative Tools\Component Services. Then select Component Services\Computer\My Computer, right-click and choose Properties. On the MSDTC tab, press the “Security Configuration…” button and then select what you need. You will notice that the old checkbox “Network Transactions” has been replaced with a new group of settings named “Transaction Manager Communication”. This group contains two new checkboxes and 3 radio buttons, defined below.


 


When enabled, “Allow Inbound” will allow a remote computer to flow transactions to the local computer; this is typically needed on the box hosting the MSDTC for a resource manager like Microsoft SQL Server. When enabled, “Allow Outbound” will allow the local computer to flow transactions to a remote computer; this is typically needed on the “client” box, where the transaction is initiated.


 


When “Mutual Authentication Required” is selected, the local MSDTC (proxy or service) will communicate with a remote MSDTC service using only encrypted messages and mutual authentication (Windows Domain authentication). If a secure communication cannot be established with the remote system, the communication will be denied. “Incoming Caller Authentication Required” means that if mutual authentication cannot be established, but the incoming caller can be authenticated, then the communication will be allowed. Currently only Windows 2003 Server and XP SP2 support the first two options. “No Authentication Required” means that MSDTC communication on the network can fall back to non-authenticated and non-encrypted communication if the attempts to start a secure communication fail. The “No Authentication Required” option is for compatibility with previous OSes (W2K, XP RTM and XP SP1); this setting also needs to be used when the computers involved are located in two untrusted Windows domains or in a Windows workgroup. If your XP SP2 box is talking to a Windows 2003 system that has disabled its RPC security for MSDTC (using the TurnOffRpcSecurity registry key – see http://blogs.msdn.com/florinlazar/archive/2004/03/02/82916.aspx for more info), then you will need to use this third option on the XP SP2 box to enable network transactions between the two systems.


 


The second step in enabling network transactions is related to the firewall. By default, after installing XP SP2, the Windows Firewall will be on. To enable network transactions through the firewall, you will need to add msdtc.exe to the exception list of the firewall on all the machines involved in the transactions. You can do this using the UI in Control Panel\Windows Firewall or you can use this command: “netsh firewall set allowedprogram %windir%\system32\msdtc.exe MSDTC enable”.


 


Another configuration setting that you need to be aware of (although I consider it to be an uncommon scenario) is the RestrictRemoteClients registry key. If the value of this key is set to 2 (RPC_RESTRICT_REMOTE_CLIENT_HIGH), then MSDTC network transactions will not work properly. MSDTC supports only the RPC_RESTRICT_REMOTE_CLIENT_NONE (0) and RPC_RESTRICT_REMOTE_CLIENT_DEFAULT (1) values. See http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx#XSLTsection128121120120 for more info on RestrictRemoteClients.
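The rules above can be combined into a pre-flight check for one transaction flow. The following is an added example, not code from this post or from Microsoft; the `Host` model and `check_flow` function are hypothetical and only encode the conditions stated in the post (Allow Inbound/Outbound, the firewall exception, RestrictRemoteClients, and when “No Authentication Required” is needed).

```python
from dataclasses import dataclass

MUTUAL, INCOMING, NO_AUTH = "mutual", "incoming-caller", "no-auth"
SECURE_CAPABLE = {"XP SP2", "Windows 2003"}  # per the post, the only OSes with the first two modes

@dataclass
class Host:  # hypothetical model of one machine's settings
    name: str
    os: str
    allow_inbound: bool = False
    allow_outbound: bool = False
    auth: str = MUTUAL
    firewall_allows_msdtc: bool = False  # msdtc.exe on the exception list
    restrict_remote_clients: int = 1     # 0 = NONE, 1 = DEFAULT, 2 = HIGH
    rpc_security_off: bool = False       # TurnOffRpcSecurity set on this host

def check_flow(initiator, receiver, trusted=True):
    """Return (blockers, notes) for a transaction flowing initiator -> receiver."""
    blockers, notes = [], []
    if not initiator.allow_outbound:
        blockers.append(f"{initiator.name}: Allow Outbound is off")
    if not receiver.allow_inbound:
        blockers.append(f"{receiver.name}: Allow Inbound is off")
    for h in (initiator, receiver):
        if not h.firewall_allows_msdtc:
            blockers.append(f"{h.name}: msdtc.exe not in firewall exceptions")
        if h.restrict_remote_clients == 2:
            blockers.append(f"{h.name}: RestrictRemoteClients=2 unsupported")
    for h, peer in ((initiator, receiver), (receiver, initiator)):
        if h.os not in SECURE_CAPABLE or h.rpc_security_off:
            continue  # this host has no authenticated mode to evaluate
        reasons = []
        if peer.os not in SECURE_CAPABLE:
            reasons.append(f"peer runs {peer.os}")
        if peer.rpc_security_off:
            reasons.append("peer has TurnOffRpcSecurity set")
        if not trusted:
            reasons.append("untrusted domains or workgroup")
        if reasons and h.auth != NO_AUTH:
            blockers.append(f"{h.name}: needs No Authentication Required ({'; '.join(reasons)})")
        elif not reasons and h.auth == NO_AUTH:
            notes.append(f"{h.name}: No Authentication Required is not needed for this peer")
    return blockers, notes

if __name__ == "__main__":
    # Constructed sample: a freshly patched XP SP2 client and a Windows 2003 database server.
    xp = Host("xp-client", "XP SP2")
    db = Host("sql-server", "Windows 2003", allow_inbound=True, firewall_allows_msdtc=True)
    for line in check_flow(xp, db)[0]:
        print("BLOCKED:", line)
```

The notes list flags hosts left on the unauthenticated, unencrypted fallback when none of the conditions the post lists for it apply, which is worth reviewing after a compatibility issue has been resolved.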


 


I encourage you to try this release candidate of XP SP2 on your test systems and send your feedback to the XP SP2 preview newsgroups: http://communities.microsoft.com/newsgroups/default.asp?icp=xpsp2&slcid=us . Thanks!


 


[Updated Sep 20, 2004] 

Comments (54)

  1. Florian Lazar on DTC Transactions and Windows XP SP2. I’ll definitely need this more often than not….

  2. Yeah, so I am restarting blogging with some updates on XP SP2 security. It seems Microsoft has made significant changes to how COM objects are accessed over the network in XP SP2. Official details are here. Also, check out Florin…

  3. Ken Cowan says:

    I read the docs on MSDN awhile ago and don’t remember any mention of MSDTC. If this material isn’t there, can you get this up there?

    KC

  4. Florin Lazar says:

    Ken,

    Are you referring to MSDTC documentation in general? If so, you can find it at http://msdn.microsoft.com/library/?url=/library/en-us/cossdk/htm/dtc_toplevel_6vjm.asp?frame=true

  5. Ken Cowan says:

    MSDN has a ton of material on XP SP2 changes for both admins and developers. The way they wrote it, their list was everything one needs to know about SP2. Your blog post is important information that (I think) is missing.

    I remember seeing the gory details about DCOM and RPC changes. I don’t remember seeing anything about MSDTC changing.

    KC

  6. Ken, the information from this post will be added to MSDN.

  7. Angel says:

    http://weblogs.asp.net/angelsb/archive/2004/07/12/180833.aspx

    Great information on setting up the operating system! Thanks

  8. What can I tell you, Windows 2K3 SP1 also affects BizTalk in the same way as the…

  9. What can I tell you, Windows 2K3 SP1 also affects BizTalk in the same way as the…

  10. In order to allow Windows XP SP2 or Windows Server 2003 SP1 to talk to a remote MSDTC located in a cluster,…

  11. James White says:

    Oh thank God. I’ve been dealing with this issue FOREVER and every solution I’ve heard mentions changing the Windows Server 2003 config, but never the Windows XP MSDTC options. It finally works. You rock!

  12. Thomas Mathews says:

    I have enabled the Network DTC Access and XA Transactions. Modified the Firewall Configuration to exclude MSDTC, still my COM+ components fail to initiate. My machine hosts a Website (on Win XP), uses COM+ components and Oracle 8i Client. If I try to use insert, update or delete functionality, it raises [Microsoft][ODBC driver for Oracle]Failure in DTC: not able to validate open information.

    Could someone help me out?

  13. P Velasquez says:

    I am having the same issue Thomas. I have enabled the Network DTC Access {Allow Remote Clients, Allow Remote Administration, Transaction Manager Communication — Allow Inbound, Allow Outbound and No Authentication Required} and Enable XA Transactions on the XP SP2 with DTC Logon Account NT AUTHORITY. Modified the Firewall Configuration to exclude MSDTC, still my COM+ components fail to initiate. My machine hosts a Website (on Win XP), uses COM+ components and Oracle 9 Client with registry settings of [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI …OracleXaLib set oraclient9.dll, OracleSqlLib set orasql9.dll, OracleOciLib set oci.dll]. I get [Microsoft][ODBC driver for Oracle]Failure in DTC: not able to validate open information.

    I checked the trace file for the DTC and the events appear to be in order – TRANSACTION_BEGN, RM_ENLISTED_IN_TRANSACTION, RM_VOTED_COMMIT, RM_ISSUED_COMMIT, RM_ACKNOWLEDGED_COMMIT.

    I am thinking it is the XA DLL. I see information suggesting to create a registry key for the "mtxoci.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\XADLL] keyname: mtxoci.dll data: c:\Windows\system32\mtxoci.dll Would you agree?????

  14. P Velasquez says:

    SOLUTION…[Microsoft][ODBC driver for Oracle]Failure in DTC: not able to validate open information.

    I added the key as I mentioned above and it works. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\XADLL]

    The error only happens when in the VB6 app the MTSTransactionMode is set to 2.

  15. Sean says:

    Thanks so much for this, our admin did an upgrade and I have been trying to track this issue down!

  16. In today’s world, security hardening is causing many headaches to software developers and admins. Especially…

  17. Henrik says:

    Thanks a lot. Very good descriptions. It solved my MSDTC problems in Windows Server 2003.

  18. Monica says:

    Any other/or more ideas? This has not solved my problem, and I’m still receiving errors when opening site from Windows XP SP2, such as session variables which return empty etc. I’m sure the site’s ok, as it’s still running in a Windows 2000 OS. thx

  19. Monica says:

    I solved it! IIS could not solve my address, I tried with IP Address and now everything is ok!

  20. ali says:

    I have done exactly as you have instructed but still I’m facing the same problem. When I’m running an application that requires COM+ component on Windows 2003 it’s bringing up a Runtime Error "Permission Denied" 70. Please advise at your earliest please.

  21. florinlazar says:

    To: ali

    What version of Windows 2003 are you running? Web Edition by chance?

  22. Viv says:

    Problem still there!

    I have done exactly as mentioned by you and the error message still says the transaction manager is disabled. I am using Windows XP Professional SP2.

    I have also turned my firewall off and excluded the msdtc.exe.

    My application is running .net 1.1 with com+ iis authentication set to windows integrated. IE is set to prompt for password and uid. Domain userid is entered when running the pages.

    Any idea??!!!

  23. florinlazar says:

    To: Viv

    Where do you see this error message? If you do a "net stop msdtc" and then a "net start msdtc" do you see any entry created in Event Viewer (Application and System)? I also recommend posting your issue at our transactions forum at http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=388&SiteID=1 for a faster response. Thanks.

  24. //This content applies to windows 2003,sp1 and windows xp,sp2 machines

    Microsoft introduced MSDTC security…

  25. jd says:

    thanks! 2 days googling around without any result and the only problem was Windows Firewall. Frustrating, but you helped a lot.

  26. I have an environment with BizTalk 2004 and the MQSeries Adapter which I’m upgrading to BizTalk 2006….

  27. Sujit Sakre says:

    This information is very good. I have used it to resolve cloned server issue (windows 2003 servers). Right now I am facing an issue with windows XP SP2 machine calling a database server (windows 2003 server). The error is the usual
    “New transaction cannot enlist in specified transaction coordinator” and “Error 8004d00a. Distributed Transaction error”

    I have tried diagnosing with DTCPing.exe as suggested; I am getting the following error with DTCPing;
    The error is:

    Problem:fail to invoke remote RPC method
    Error(0x5) at dtcping.cpp @303
    -->RPC pinging exception
    -->5(Access is denied.)
    RPC test failed

    The error I am getting is when windows 2003 server tries the DTCPing to communicate with XP SP2 machine; although the communication from XP SP2 to windows 2003 server is successful.

    I have tried the solutions suggested,
    1) The correct security configuration for MSDTC on both machines (No Authentication Required)
    2) Adding MSDTC.exe as an exception in the windows firewall
    3) RestrictRemoteClients key: this key is not present in my registry although I am running windows XP service pack2 machine.

    Can you help me with this error?

  28. Nitin says:

    How to solve the following problem on Windows 2000 Professional

    My program uses DTC, when a stored procedure is executed, i get the following error

    “New transaction cannot enlist in the Specified transaction coordinator”

  29. Ritesh Shah says:

    I have enabled the Network DTC Access and XA Transactions. Firewall is disabled, still my COM+ components fail to initiate. My machine hosts a Website (on Win XP), uses COM+ components and SQL Server 2005. If I try to use insert, update or delete functionality, it raises Error HRESULT E_FAIL has been returned from a call to a COM component

  30. ido says:

    I have a client & COM+ application installed on an XP SP2, but I can’t get the Transaction To Work – I use Oracle 9i Client.
    I’ve Done Everything:
    Allowed everything in the MSDTC Security,
    Added the oracle Dll to the HKLM…XADLL,
    Allowed The msdtc.exe in the firewall
    Gave the Network service user permissions on the Oracle Client Directory,
    and still transactions Won’t Work – Any Suggestions ?

  31. Problem Description After upgrading an application server or database server to Windows 2003 SP1, the

  32. The Windows Server 2003 Service Pack 1 Release Candidate is available for download at http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/default.mspx

  33. In order to allow Windows XP SP2 or Windows Server 2003 SP1 to talk to a remote MSDTC located in a cluster,

  34. vinay pugalia says:

    I want help of you guys in solving an issue related to MSDTC. I am developing a multiuser DB application with MS SQL Server 2005 and .Net 2005. Both my DB Server and client machine are having XP Prof. with SP2.

    I am using System.Transactions to maintain Distributed Transactions. I do not face any problems when I execute my code on the DB server itself. But when I try to execute the same code from any client machine, the following error is fired : "Communication with the underlying transaction manager has failed."

    I am really stuck because of this issue. It’s a blocker for me.

    I have also made the following configuration on my system :

    1.MSDTC on both Server and Client :

     a.Network DTC Access – Checked

     b.Allow Remote clients – checked

     c.Allow inbound and Allow outbound – checked

     d.Mutual authentication required – selected

    2.Added the following keys in the registry:

     a. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC – EnableAuthEpResolution 1

     b. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC – RestrictRemoteClients 0

    3. I have disabled the firewall and also added msdtc.exe in the exceptions.

    please help me….

  35. I have an environment with BizTalk 2004 and the MQSeries Adapter which I’m upgrading to BizTalk 2006.