MSDTC must run under NT AUTHORITY\NetworkService account

Starting with Windows XP and continuing with Windows Server 2003, the account under which the MSDTC service runs must be "NT AUTHORITY\NetworkService" (https://msdn.microsoft.com/library/default.asp?url=/library/en-us/cossdk/htm/pgdtc_admin_7gkz.asp).

If you change the account to something other than NetworkService, your distributed transactions will fail because MSDTC will not be able to perform mutual authentication with the other parties (transaction managers, resource managers, clients) involved in the transaction. In some cases, even local transactions will fail.

 

If, on NT4 or Windows 2000, you used to change the default MSDTC account to a domain account so that MSDTC could use Windows authentication when performing recovery with XA databases such as Oracle, you can no longer do so on XP and 2003 (at least not in a secure way). Instead, you need to give the NetworkService account of the machine where MSDTC is running the permissions and roles needed to perform XA recovery on the XA database. The exact method is specific to each database, but in short you need to add the "machine account" of the machine where MSDTC is running to the list of users that can perform recovery on the XA database. Also, take a look at https://blogs.msdn.com/florinlazar/archive/2003/12/04/41370.aspx for more troubleshooting tips on MSDTC and XA.
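
A read-only check of the two conditions described above, added here as an example and not taken from the original post: it reports the account the MSDTC service runs under and whether NetworkService can read and execute each XA DLL registered under the XADLL key. It assumes Windows PowerShell 3.0 or later and that each XADLL value maps a DLL name to its full path; the function names are hypothetical.

```powershell
# Added example (not from the original post): read-only audit of the MSDTC
# service identity and of the ACLs on the XA DLLs registered under XADLL.
$accepted = 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE'
# SIDs assumed present in a NetworkService token: NetworkService, Everyone,
# Authenticated Users, BUILTIN\Users.
$tokenSids = 'S-1-5-20', 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$rx = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Get-MsdtcAccountStatus {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSDTC'"
    if (-not $svc) { throw 'MSDTC service is not installed on this machine.' }
    [pscustomobject]@{
        StartName        = $svc.StartName
        State            = $svc.State
        IsNetworkService = $svc.StartName -in $accepted   # case-insensitive match
    }
}

function Test-NetworkServiceCanLoad([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    # Ask for SID-based rules so the comparison does not depend on localized names.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    # Simplification: looks for a matching Allow ACE and ignores Deny ACEs.
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and
            $r.IdentityReference.Value -in $tokenSids -and
            (([int]$r.FileSystemRights -band $rx) -eq $rx)) { return $true }
    }
    return $false
}

function Get-XaDllStatus {
    # Assumption: value name = DLL file name, value data = full path to the DLL.
    $key = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\MSDTC\XADLL' -ErrorAction SilentlyContinue
    if (-not $key) { return @() }   # key absent: no XA DLL registered
    foreach ($name in $key.GetValueNames()) {
        $dll = [string]$key.GetValue($name)
        [pscustomobject]@{
            Dll              = $name
            Path             = $dll
            NetworkServiceRX = Test-NetworkServiceCanLoad $dll
        }
    }
}

Get-MsdtcAccountStatus | Format-List
Get-XaDllStatus | Format-Table -AutoSize
```

A `False` in `IsNetworkService` or `NetworkServiceRX` points at the account or folder-permission problems discussed in the post and its comments; the script changes nothing on the machine.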

Comments

  • Anonymous
    January 02, 2004
    Florin -- thanks for the info.

    I have seen this related to my problem above, and this user is already set up. The question I have, though, is that I didn't have to do any of this with Windows XP, and everything worked fine, no changes. Is this a Windows 2003 issue only??
  • Anonymous
    January 02, 2004
    Robert, the XADLL registry key requirement is Windows Server 2003 only.
    Did you add NetworkService permissions to the folder where your XA dll is located? (http://support.microsoft.com/default.aspx?scid=kb;en-us;816633)

    Can you verify also if your xa dll is loaded in the msdtc.exe process?
  • Anonymous
    January 02, 2004
    I just had him add NetworkService permissions to the folder where your XA dll is located

    We're looking at your xa dll is loaded in the msdtc.exe process?
  • Anonymous
    January 02, 2004
    I am having him use Process Explorer to look on the loading issue as it still fails with the NetworkService account having "FullControl" privs on the ENTIRE Oracle tree
  • Anonymous
    January 02, 2004
    I am not seeing that file "heteroxa9.dll" loaded anywhere in the msdtc.exe process. The problem is also trying to determine what is the XA manager with Oracle 9.2 (with Oracle 7.3 it was xa73.dll, and with Oracle 8.x it was xa80.dll). One of the Oracle guys here pointed to that file, but it's not being loaded. I had also thought it might be oraclient9.dll (which IS being loaded in the msdtc.exe process) only because it is the OracleXaLib key value under MTxOCI (not by default, but according to Oracle docs, this is what it should be).
  • Anonymous
    January 02, 2004
    I guess you already enabled "Network DTC transactions" (http://weblogs.asp.net/florinlazar/archive/2003/12/04/41371.aspx)?
  • Anonymous
    January 02, 2004
    Yes
  • Anonymous
    January 22, 2004
    How do I change the network service account to the DTC service (it's been changed)? The PC it's on is a domain controller, and I get an error when it is started with any other account.


    Please help
  • Anonymous
    February 10, 2004
    The comment has been removed
  • Anonymous
    April 13, 2004
    Jeff,

    To change the MSDTC account back to NetworkService I recommend you to use the following steps:
    1. Stop the MSDTC service if it's running. You can use "net stop msdtc" to do this.
    2. Change the account using the MSDTC UI accessible from Control Panel\Administrative Tools\Component Services MMC.
  • Anonymous
    April 22, 2004
    I have a problem in WinXP: I can't work with Oracle, which is located on another machine (Win2K). It says "New transaction cannot enlist in the specified transaction coordinator."
    I've set the DTC account to NetworkService but nothing changed. What should I do?
  • Anonymous
    June 06, 2004
    nt authority system needs to close down
  • Anonymous
    August 05, 2004
    Florin,

    What if the MSDTC UI will not work after changing the service account for DTC in Services?
  • Anonymous
    August 23, 2005
    What is the password for the AUTHORITY\NetworkService?? I can't change the service back to using it without the password.
  • Anonymous
    August 28, 2005
    To: DJ

    The password for NetworkService is blank (no characters).
  • Anonymous
    March 03, 2006
    MSDTC does not work using NetworkServices account but works fine with a local administrator account! Why is this?
  • Anonymous
    March 04, 2006
    To: Khateeb
    You might encounter some permission issues. What errors do you get? Do you see anything in the event log?
    Are you using XA? What database are you talking to?
  • Anonymous
    March 04, 2006
    I am using a Microsoft SQL2000 and I don't think I use XA. Here is a sample error:

    MS DTC was unable to determine the state of the cluster service on this machine.  MS DTC cannot continue to startup.  Please contact Microsoft Product Support. Error Specifics: d:\nt\com\complus\dtc\shared\mtxclu\mtxclusetuphelper.cpp:498, Pid: 1804, CmdLine: C:\WINDOWS\system32\msdtc.exe

    I am quite sure this is a permission problem. But I am not sure how to fix it.
  • Anonymous
    March 16, 2006
    To: Khateeb

    Oh, so you are on a cluster. What OS?
    Is MSDTC configured to run as clustered resource?

    I also recommend posting your issue at our transactions forum at http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=388&SiteID=1 for a faster response. Thanks.
  • Anonymous
    April 03, 2006
    To: florinlazar
    I am having similar issues with MS-DTC and DB2 (on Z/OS Mainframe). I am not having this in win xp sp1. However, in sp2, I did follow the steps to verify all the required options are checked in the security configuration tab of MS-DTC. I have Network DTC transactions enabled, Enable XA Transactions is checked, and the DTC Logon account is NT AUTHORITY\NetworkService.
    Also, I did create a registry key for the DB2 XA manager (DB2APP.dll). I didn't find any key XADLL under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC.

    But I created one and did follow the steps (also listed in the following link).
    http://www-1.ibm.com/support/docview.wss?rs=71&context=SSEPGG&q1=windows+2003+XA+transaction+MSDTC&uid=swg21188896&loc=en_US&cs=utf-8&lang=en

    I still keep getting the same ERROR [58005] [IBM][DB2] SQL0998N Error occurred during transaction or heuristic processing. Reason Code = "16". Subcode = "2-80004005". SQLSTATE=58005
    which as per the IBM manual is pointing me to microsoft for examining the subcode.

    I am not sure how to grant permission to NT AUTHORITY\NetworkService to that folder containing DB2APP.dll as I am not able to find this user in the list of users.

    Any suggestions?

    Thanks
  • Anonymous
    August 01, 2006
    @tsamkumar
    "I am not sure how to grant permission to NT AUTHORITY\NetworkService to that folder containing DB2APP.dll as I am not able to find this user in the list of users."

    Type this from command prompt:
    CACLS "%DIR%" /C /E /G "NT AUTHORITY\NetworkService":F
    %DIR% = selected folder path
    :F = Full control permission
  • Anonymous
    October 03, 2006
    To: tsramkumar In XP, NT AUTHORITY\NetworkService shows up as "NETWORK SERVICE". It is part of "Built-in security principals" object type.