XP SP2 and Transactions

The preview (RC2) of Windows XP Service Pack 2 is available for download at https://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx

General information about it can be found at https://msdn.microsoft.com/security/productinfo/XPSP2/default.aspx and https://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx. More information about the changes in MSDTC is available at https://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2otech.mspx#EBAA and https://support.microsoft.com/?id=899191.

In this post I will cover the changes this SP introduces for distributed transactions, their impact on your applications, and how you can re-enable your scenarios.

When you install XP SP2, all network MSDTC transactions will be disabled, even if network transactions had been previously enabled. This means that if you are using COM+ or Enterprise Services (or simple OleTx clients and resource managers) to flow transactions from or into the box, you will need to follow the steps defined below to re-enable your scenarios.

The first step is to enable network transactions in the Security Configuration dialog for MSDTC. To do this, open Control Panel\Administrative Tools\Component Services. Then select Component Services\Computer\My Computer, right-click and choose Properties. On the MSDTC tab, press the "Security Configuration..." button and select what you need. You will notice that the old “Network Transactions” checkbox has been replaced by a new group of settings named “Transaction Manager Communication”. This group contains two new checkboxes and three radio buttons, described below.

“Allow Inbound”, when enabled, allows a remote computer to flow transactions to the local computer; this is typically needed on the box hosting the MSDTC for a resource manager like Microsoft SQL Server. “Allow Outbound”, when enabled, allows the local computer to flow transactions to a remote computer; this is typically needed on the “client” box, where the transaction is initiated.

When “Mutual Authentication Required” is selected, the local MSDTC (proxy or service) will communicate with a remote MSDTC service using only encrypted messages and mutual authentication (Windows domain authentication). If a secure communication cannot be established with the remote system, the communication will be denied. “Incoming Caller Authentication Required” means that if mutual authentication cannot be established, but the incoming caller can be authenticated, then the communication will be allowed. Currently only Windows Server 2003 and XP SP2 support the first two options. “No Authentication Required” means that MSDTC communication on the network can fall back to non-authenticated, non-encrypted communication if the attempts to start a secure communication fail. The “No Authentication Required” option is for compatibility with previous OSes (W2K, XP RTM and XP SP1); this setting must also be used when the computers involved are located in two untrusted Windows domains or in a Windows workgroup. If your XP SP2 box is talking to a Windows 2003 system that has disabled its RPC security for MSDTC (using the TurnOffRpcSecurity registry key - see https://blogs.msdn.com/florinlazar/archive/2004/03/02/82916.aspx for more info), then you will need to use this third option on the XP SP2 box to enable network transactions between the two systems.

The second step in enabling network transactions is related to the firewall. By default, after installing XP SP2, the Windows Firewall will be on. To enable network transactions through the firewall, you will need to add msdtc.exe to the exception list of the firewall on all the machines involved in the transactions. You can do this using the UI in Control Panel\Windows Firewall, or you can use this command: “netsh firewall set allowedprogram %windir%\system32\msdtc.exe MSDTC enable”.

Another configuration setting you need to be aware of (although I consider it an uncommon scenario) is the RestrictRemoteClients registry key. If the value of this key is set to 2 (RPC_RESTRICT_REMOTE_CLIENT_HIGH), MSDTC network transactions will not work properly. MSDTC supports only the RPC_RESTRICT_REMOTE_CLIENT_NONE (0) and RPC_RESTRICT_REMOTE_CLIENT_DEFAULT (1) values. See https://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx#XSLTsection128121120120 for more info on RestrictRemoteClients.
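As an added example (not code from this post), the following PowerShell audit reads the registry values that back all three steps above and reports what the dialog, the RPC policy and the firewall currently allow. It assumes Windows PowerShell is available on the box; the registry value names, the mapping of the three DWORDs onto the radio buttons, and the firewall list format are assumptions taken from the Microsoft KB articles linked in this post rather than from the post itself.

```powershell
# Added audit helper (not from the post): reads the registry values behind the
# XP SP2 "Transaction Manager Communication" dialog, the RestrictRemoteClients
# policy and the Windows Firewall exception list, and reports what they mean.
# ASSUMPTION: value names, the mode mapping and the firewall list format come
# from the Microsoft KB linked in the post, not from the post itself.
function Get-RegDword {
    param([string]$Path, [string]$Name, [int]$Default = 0)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }   # value absent: report the default
    return [int]$item.$Name
}

function Get-MsdtcNetworkStatus {
    $sec = 'HKLM:\SOFTWARE\Microsoft\MSDTC\Security'
    $dtc = 'HKLM:\SOFTWARE\Microsoft\MSDTC'
    $rpc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
    $fw  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    # Step 1 checkboxes: network access, Allow Inbound, Allow Outbound
    $network  = Get-RegDword $sec 'NetworkDtcAccess'
    $inbound  = Get-RegDword $sec 'NetworkDtcAccessInbound'
    $outbound = Get-RegDword $sec 'NetworkDtcAccessOutbound'
    # Step 1 radio buttons: three DWORDs together select one of the three modes
    $onlySecure = Get-RegDword $dtc 'AllowOnlySecureRpcCalls' 1
    $fallback   = Get-RegDword $dtc 'FallbackToUnsecureRPCIfNecessary'
    $rpcOff     = Get-RegDword $dtc 'TurnOffRpcSecurity'
    if ($onlySecure -eq 1 -and $fallback -eq 0 -and $rpcOff -eq 0) {
        $auth = 'Mutual Authentication Required'
    } elseif ($onlySecure -eq 0 -and $fallback -eq 0 -and $rpcOff -eq 0) {
        $auth = 'Incoming Caller Authentication Required'
    } elseif ($onlySecure -eq 0 -and $fallback -eq 1 -and $rpcOff -eq 1) {
        $auth = 'No Authentication Required (unencrypted fallback allowed)'
    } else {
        $auth = "Mixed flags ($onlySecure/$fallback/$rpcOff): re-save the dialog"
    }
    # RestrictRemoteClients: MSDTC works with 0 or 1 only, never with 2
    $restrict = Get-RegDword $rpc 'RestrictRemoteClients' 1
    # Step 2: the firewall list stores one "<path>:*:Enabled:<name>" string per program
    $list  = Get-ItemProperty -Path $fw -ErrorAction SilentlyContinue
    $entry = $list.PSObject.Properties | Where-Object { $_.Name -like '*\msdtc.exe' } | Select-Object -First 1
    [pscustomobject]@{
        NetworkTransactions   = ($network -eq 1)
        AllowInbound          = ($inbound -eq 1)
        AllowOutbound         = ($outbound -eq 1)
        AuthenticationMode    = $auth
        RestrictRemoteClients = $restrict
        RpcPolicyBlocksMsdtc  = ($restrict -eq 2)
        FirewallExceptionOk   = (($null -ne $entry) -and ($entry.Value -match ':Enabled:'))
    }
}
Get-MsdtcNetworkStatus | Format-List
```

A RestrictRemoteClients value of 2 or a missing firewall entry is reported explicitly, since either one breaks network transactions even when the Security Configuration dialog looks correct.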

I recommend and encourage you to try this release candidate of XP SP2 on your test systems and to send your feedback to the XP SP2 preview newsgroups: https://communities.microsoft.com/newsgroups/default.asp?icp=xpsp2&slcid=us . Thanks!

[Updated Sep 20, 2004]