Welcome to MSDN Blogs Sign in | Join | Help

MSDTC must run under NT AUTHORITY\NetworkService account

Starting with Windows XP and continuing with Windows Server 2003, the account under which MSDTC service runs must be "NT AUTHORITY\NetworkService" (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cossdk/htm/pgdtc_admin_7gkz.asp).

If you change the account to something else than NetworkService, your distributed transactions will fail because MSDTC will not be able to do mutual authentication with the other parties (transaction managers, resource managers, clients) involved in the transaction. In some cases, even the local transactions will fail.

 

If in NT4 or Windows 2000, you used to change the default MSDTC account to a domain account so that MSDTC can use Windows authentication when performing recovery with XA databases like Oracle, you can't do it anymore on XP and 2003 (at least not in a secure way). Instead you need to give to the NetworkService account from the machine where MSDTC is running, the permissions and roles needed to perform XA recovery on the XA database. The exact method of doing this is specific to each database but the simple story is that you need to add the "machine account" of the machine where MSDTC is running to the list of users that can do recovery on the XA database. Also, take a look at http://blogs.msdn.com/florinlazar/archive/2003/12/04/41370.aspx for more troubleshootings on MSDTC and XA.

Published Friday, January 02, 2004 3:02 PM by florinlazar
Filed under: ,

Comments

# XA transactions and Windows Server 2003

Friday, January 02, 2004 6:15 PM by Florin Lazar's WebLog

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Friday, January 02, 2004 3:24 PM by Robert Hurlbut
Florin -- thanks for the info.

I have seen this related to my problem above, and this user is already set up. The question I have, though, is that I didn't have to do any of this with Windows XP, and everything worked fine, no changes. Is this a Windows 2003 issue only??

# MSDTC must run under NT AUTHORITY\NetworkService account

Friday, January 02, 2004 6:32 PM by Sam Gentile's Blog

# MSDTC must run under NT AUTHORITY\NetworkService account

Friday, January 02, 2004 6:36 PM by Sam Gentile's Blog

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Friday, January 02, 2004 3:48 PM by Florin Lazar
Robert, the XADLL registry key requirement is a Windows Server 2003 only.
Did you add NetworkService permissions to the folder where your XA dll is located? (http://support.microsoft.com/default.aspx?scid=kb;en-us;816633)

Can you verify also if your xa dll is loaded in the msdtc.exe process?

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Friday, January 02, 2004 3:58 PM by Sam Gentile
I just add him add NetworkService permissions to the folder where your XA dll is located

We're looking at your xa dll is loaded in the msdtc.exe process?

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Friday, January 02, 2004 4:00 PM by Sam Gentile
I am having him use Process Explorer to look on the loading issue as it still fails with the NetworkService account having "FullControl" privs on the ENTIRE Oracle tree

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Friday, January 02, 2004 4:08 PM by Robert Hurlbut
I am not seeing that file "heteroxa9.dll" loaded anywhere in the mtdtc.exe process. The problem is also trying to determine what is the XA manager with Oracle 9.2 (with Oracle 7.3 it was xa73.dll, and with Oracle 8.x it was xa80.dll). One of the Oracle guys here pointed to that file, but its not being loaded. I had also thought it might be oraclient9.dll (which IS being loaded in the msdtc.exe process) only because it is the OracleXaLib key value under \MTxOCI (not by default, but according to Oracle docs, this is what it should be).

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Friday, January 02, 2004 7:31 PM by Florin Lazar
I guess you already enabled "Network DTC transactions" (http://weblogs.asp.net/florinlazar/archive/2003/12/04/41371.aspx)?

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Friday, January 02, 2004 9:37 PM by Sam Gentile
Yes

# XA transactions and Windows Server 2003

Friday, January 09, 2004 10:25 PM by Florin Lazar's WebLog

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Thursday, January 22, 2004 1:25 PM by Jeff
How do I change the network service account to the DTC service ( its been Changed ), the pc its on is a domain controller, I get an error when it is started with any other account ?


Please help

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Wednesday, February 11, 2004 3:51 AM by Enrico Sabbadin
I'm having no luck with distributed transactions (no matter what DB) .. the error is
"You made a method call on a COM+ component that has a transaction that ..." well you know .. this happens during the construction phase .. I newver get to call a method.

I read the info in this blog post,
anyother things i should be aware ?

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Wednesday, April 14, 2004 1:05 AM by Florin Lazar
Jeff,

To change the MSDTC account back to NetworkService I recommend you to use the following steps:
1. Stop the MSDTC service if it's running. You can use "net stop msdtc" to do this.
2. Change the account using the MSDTC UI accessible from Control Panel\Administrative Tools\Component Services MMC.

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Friday, April 23, 2004 6:13 AM by bug
I've a problem in WinXP i can't work with Oracle which is locate on another machine(Win2K), it says New transaction cannot enlist in the specified transaction coordinator.
I've set DTC account to NetworkService but the nothing changed. What should i do ?

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Sunday, June 06, 2004 9:53 AM by robin
nt authority system needs to close down

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Friday, August 06, 2004 7:58 AM by Derek
Florin,

What if the MSDTC UI will not work after changing the service account for DTC in Services?

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Tuesday, August 23, 2005 9:24 AM by DJ
What is the password for the AUTHORITY\NetworkService?? I can't change the service back to using it without the password.

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Monday, August 29, 2005 1:08 AM by florinlazar
To: DJ

The password for NetworkService is blank (no characters).

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Saturday, March 04, 2006 4:15 AM by Khateeb
MSDTC does not work using NetworkServices account but works fine with a local administrator account! Why is this?

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Saturday, March 04, 2006 2:49 PM by florinlazar
To: Khateeb
You might encounter some permission issues. What errors do you get? Do you see anything in the event log?
Are you using XA? What database are you talking to?

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Sunday, March 05, 2006 1:22 AM by Khateeb
I am using a Microsoft SQL2000 and I don't think I use XA. Here is a sample error:

MS DTC was unable to determine the state of the cluster service on this machine.  MS DTC cannot continue to startup.  Please contact Microsoft Product Support. Error Specifics: d:\nt\com\complus\dtc\shared\mtxclu\mtxclusetuphelper.cpp:498, Pid: 1804, CmdLine: C:\WINDOWS\system32\msdtc.exe

I am quite sure this is a permission problem. But I am not sure how to fix it.

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Thursday, March 16, 2006 6:35 PM by florinlazar
To: Khateeb

Oh, so you are on a cluster. What OS?
Is MSDTC configured to run as clustered resource?

I also recommend posting your issue at our transactions forum at http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=388&SiteID=1 for a faster response. Thanks.

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Monday, April 03, 2006 7:51 PM by tsramkumar
To:florinlazar
I am having similar issues with MS-DTC and DB2 (on Z/OS Mainframe). I am not having this in win xp sp1. However, in sp2, I did follow the steps to verify all the required options are checked in the security configuration tab of MS-DTC. I have Network DTC transactions enabled, Enable XA Transactions is checked, and the DTC Logon account is NT AUTHORITY\NetworkService.
Also, I did create a registry key for the DB2 XA manager (DB2APP.dll). I didnt find any key XADLL under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC.

But I created one and did follow the steps (also listed in the following link).
http://www-1.ibm.com/support/docview.wss?rs=71&context=SSEPGG&q1=windows+2003+XA+transaction+MSDTC&uid=swg21188896&loc=en_US&cs=utf-8〈=en

I still keep getting the same ERROR [58005] [IBM][DB2] SQL0998N Error occurred during transaction or heuristic processing. Reason Code = "16". Subcode = "2-80004005". SQLSTATE=58005
which as per the IBM manual is pointing me to microsoft for examining the subcode.

I am not sure howw to grant permission to NT AUTHORITY\NetworkService to that folder containing DB2APP.dll as I am not able to find this user int he list of users.

Any suggestions?

Thanks

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Wednesday, August 02, 2006 4:23 AM by neol
@tsamkumar I am not sure howw to grant permission to NT AUTHORITY\NetworkService to that folder containing DB2APP.dll as I am not able to find this user int he list of users. Type this from command prompt: CACLS "%DIR%" /C /E /G "NT AUTHORITY\NetworkService":F %DIR% = selected folder path :F = Full control permision

# re: MSDTC must run under NT AUTHORITY\NetworkService account

Tuesday, October 03, 2006 8:32 PM by florinlazar

To: tsramkumar

In XP, NT AUTHORITY\NetworkService shows up as "NETWORK SERVICE". It is part of "Built-in security principals" object type.

Anonymous comments are disabled
 
Page view tracker