Enable Network Access Securely for MS DTC

Applies To: Windows Server 2008

Microsoft Distributed Transaction Coordinator (MS DTC) helps you control the coordination of transactions between applications and resource managers. Depending on the network topology of these components, a transaction can span multiple DTCs throughout your network.

To allow transactions to be coordinated across the network, Network DTC Access must be enabled on all MS DTC instances that are participating in the transaction. For example, if a COM+ object attempts to update a Microsoft SQL Server® database on a remote computer by using an MS DTC transaction, the transaction fails if network transactions are disabled. Similarly, if the computer hosts a SQL database that has remote applications that try to access the database by using an MS DTC transaction, those transactions also fail if Network DTC Access is disabled.

Configuring network transactions for MS DTC

If your distributed transactions fail because of network connectivity problems, this failure might be related to the configuration of the DTCs that are participating in the transactions. Check each DTC and make sure that Network MS DTC Access is enabled. You can use the following procedure to accomplish this task.

To enable Network DTC Access for MS DTC transactions

  1. Open the Component Services snap-in.

    To open Component Services, click Start. In the search box, type dcomcnfg, and then press ENTER.

  2. Expand the console tree to locate the DTC (for example, Local DTC) for which you want to enable Network MS DTC Access.

  3. On the Action menu, click Properties.

  4. Click the Security tab and make the following changes:

    • In Security Settings, select the Network DTC Access check box.

    • In Transaction Manager Communication, select the Allow Inbound and Allow Outbound check boxes.

  5. Click OK.

If you want to change these settings programmatically, set the registry values listed in the table in the following section; each setting on the Security tab corresponds to one or more of those values. After you change the registry values, you must restart the Distributed Transaction Coordinator service (MSDTC) for the change to take effect.

If you use Windows Firewall to protect the computers in your organization, you must enable the Distributed Transaction Coordinator exception in the exception list in the Windows Firewall settings. To accomplish this task, see Enable Firewall Exceptions for MS DTC.

Accessing MS DTC security settings

To open the DTC security settings properties page

  1. Open the Component Services snap-in.

    To open Component Services, click Start. In the search box, type dcomcnfg, and then press ENTER.

  2. In the console tree, click Local DTC.

  3. On the Action menu, click Properties.

  4. Click the Security tab.

Security settings for the MSDTC service

The following table describes the fields on the DTC Security Settings properties page, along with the registry keys that are affected for the different settings. All the registry keys that are related to the MSDTC service are located in the following registry key:

MyComputer\HKEY_LOCAL_MACHINE\Software\Microsoft\MSDTC

Each entry below gives the setting as it appears on the Security tab, its description, and the corresponding registry value.

Network DTC Access

  Description: Determines whether MS DTC on the local computer can access the network. This setting must be enabled in combination with one of the other settings to enable network MS DTC transactions.

  Default setting: Off

  Registry value: Security\NetworkDtcAccess (0 = Off, 1 = On)

Allow Inbound

  Description: Allows a distributed transaction that originates from a remote computer to run on this computer.

  Default setting: Off

  Registry values: To enable this setting, set all of the following values to 1:

    Security\NetworkDtcAccess
    Security\NetworkDtcAccessTransactions
    Security\NetworkDtcAccessInbound

  To disable this setting, set the following value to 0:

    Security\NetworkDtcAccessInbound

Allow Outbound

  Description: Allows the local computer to initiate a transaction and run it on a remote computer.

  Registry values: To enable this setting, set all of the following values to 1:

    Security\NetworkDtcAccess
    Security\NetworkDtcAccessTransactions
    Security\NetworkDtcAccessOutbound

  To disable this setting, set the following value to 0:

    Security\NetworkDtcAccessOutbound

Mutual Authentication Required

  Description: This is the most secure communication mode and the recommended transaction mode for clients running Windows XP Service Pack 2 (SP2), Windows Server 2003, Windows Vista, or Windows Server 2008, and for servers running Windows Server 2008 that are operating in a failover cluster.

  Registry values:

    AllowOnlySecureRpcCalls = 1
    FallbackToUnsecureRPCIfNecessary = 0
    TurnOffRpcSecurity = 0

Incoming Caller Authentication Required

  Description: Requires the local DTC to communicate with a remote DTC by using only encrypted messages and mutual authentication. We recommend that you use this setting for servers running Windows Server 2003 that are operating in a failover cluster.

  Only computers running Windows XP SP2, Windows Server 2003, Windows Vista, or Windows Server 2008 support this feature. Therefore, use this setting only if you know that the DTC on the remote computer is running one of these versions of the Microsoft Windows operating system.

  Registry values:

    AllowOnlySecureRpcCalls = 0
    FallbackToUnsecureRPCIfNecessary = 1
    TurnOffRpcSecurity = 0

No Authentication Required

  Description: Provides compatibility with earlier versions of the Windows operating system. When you enable this setting, network communication between DTCs can fall back to unauthenticated or unencrypted communication if a secure communication channel cannot be established. Use this setting if the DTC on the remote computer is running Windows 2000 or a version of Windows XP earlier than SP2. This setting is also useful when the DTCs that are involved are located on computers in domains that do not have an established trust relationship, or when the computers are part of a Windows workgroup.

  Registry values:

    AllowOnlySecureRpcCalls = 0
    FallbackToUnsecureRPCIfNecessary = 0
    TurnOffRpcSecurity = 1
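The following PowerShell script is an added example and is not part of the original article or of Microsoft's own tooling. It covers both the programmatic path mentioned in "Configuring network transactions for MS DTC" (set the registry values, then restart the MSDTC service) and the table above: it reads the values under HKLM\SOFTWARE\Microsoft\MSDTC, reports whether Network DTC Access, Allow Inbound and Allow Outbound are effectively on (all three required values must be 1), maps the three RPC security values to the mode names from the table, and flags a configuration that can fall back to unauthenticated RPC. The function names (Get-MsdtcNetworkSecurity, Set-MsdtcNetworkAccess) are the example's own. It assumes the three RPC security values live either directly under the MSDTC key or under its Security subkey (the article lists them without a subkey), and that it runs in an elevated session.

```powershell
# Added example (not from the original article): audit and optionally set the
# MS DTC network security values described in the table, then restart MSDTC.
$MsdtcKey    = 'HKLM:\SOFTWARE\Microsoft\MSDTC'
$SecurityKey = Join-Path $MsdtcKey 'Security'

# The three RPC-security value combinations from the table, keyed by the
# mode name shown on the Security tab.
$RpcModes = @{
    'Mutual Authentication Required'          = @{ AllowOnlySecureRpcCalls = 1; FallbackToUnsecureRPCIfNecessary = 0; TurnOffRpcSecurity = 0 }
    'Incoming Caller Authentication Required' = @{ AllowOnlySecureRpcCalls = 0; FallbackToUnsecureRPCIfNecessary = 1; TurnOffRpcSecurity = 0 }
    'No Authentication Required'              = @{ AllowOnlySecureRpcCalls = 0; FallbackToUnsecureRPCIfNecessary = 0; TurnOffRpcSecurity = 1 }
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-RpcSecurityKey {
    # Assumption: the RPC values live directly under MSDTC or under Security;
    # whichever key actually holds AllowOnlySecureRpcCalls is used.
    foreach ($key in @($MsdtcKey, $SecurityKey)) {
        if ($null -ne (Get-RegValue $key 'AllowOnlySecureRpcCalls')) { return $key }
    }
    return $SecurityKey
}

function Get-MsdtcNetworkSecurity {
    $access       = Get-RegValue $SecurityKey 'NetworkDtcAccess'
    $transactions = Get-RegValue $SecurityKey 'NetworkDtcAccessTransactions'
    $inbound      = Get-RegValue $SecurityKey 'NetworkDtcAccessInbound'
    $outbound     = Get-RegValue $SecurityKey 'NetworkDtcAccessOutbound'

    $rpcKey  = Get-RpcSecurityKey
    $current = @{}
    foreach ($name in 'AllowOnlySecureRpcCalls', 'FallbackToUnsecureRPCIfNecessary', 'TurnOffRpcSecurity') {
        $current[$name] = Get-RegValue $rpcKey $name
    }

    # Match the current triple against the table; anything else is reported as such.
    $mode = 'Unrecognized combination'
    foreach ($entry in $RpcModes.GetEnumerator()) {
        $match = $true
        foreach ($name in $entry.Value.Keys) {
            if ($current[$name] -ne $entry.Value[$name]) { $match = $false }
        }
        if ($match) { $mode = $entry.Key }
    }

    [pscustomobject]@{
        NetworkDtcAccess             = ($access -eq 1)
        # Inbound/outbound are effective only when all three required values are 1.
        AllowInbound                 = ($access -eq 1 -and $transactions -eq 1 -and $inbound -eq 1)
        AllowOutbound                = ($access -eq 1 -and $transactions -eq 1 -and $outbound -eq 1)
        AuthenticationMode           = $mode
        # TurnOffRpcSecurity = 1 permits fallback to unauthenticated, unencrypted RPC.
        CanFallBackToUnauthenticated = ($current['TurnOffRpcSecurity'] -eq 1)
    }
}

function Set-MsdtcNetworkAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [bool]$Inbound  = $true,
        [bool]$Outbound = $true,
        [ValidateSet('Mutual Authentication Required',
                     'Incoming Caller Authentication Required',
                     'No Authentication Required')]
        [string]$AuthenticationMode = 'Mutual Authentication Required'
    )
    # Network DTC Access plus the values the table requires for Allow Inbound/Outbound.
    $values = @{
        'NetworkDtcAccess'             = 1
        'NetworkDtcAccessTransactions' = 1
        'NetworkDtcAccessInbound'      = [int]$Inbound
        'NetworkDtcAccessOutbound'     = [int]$Outbound
    }
    foreach ($name in $values.Keys) {
        if ($PSCmdlet.ShouldProcess("$SecurityKey\$name", "Set to $($values[$name])")) {
            Set-ItemProperty -Path $SecurityKey -Name $name -Value $values[$name] -Type DWord
        }
    }
    $rpcKey = Get-RpcSecurityKey
    foreach ($entry in $RpcModes[$AuthenticationMode].GetEnumerator()) {
        if ($PSCmdlet.ShouldProcess("$rpcKey\$($entry.Key)", "Set to $($entry.Value)")) {
            Set-ItemProperty -Path $rpcKey -Name $entry.Key -Value $entry.Value -Type DWord
        }
    }
    # The article requires a restart of MSDTC for registry changes to take effect.
    if ($PSCmdlet.ShouldProcess('MSDTC', 'Restart-Service')) {
        Restart-Service -Name MSDTC
    }
}

# Audit only. Preview a change with: Set-MsdtcNetworkAccess -WhatIf
Get-MsdtcNetworkSecurity | Format-List
```

Run the script as-is to audit a Windows Server 2008 host; the AuthenticationMode field tells you which row of the table is in effect, and CanFallBackToUnauthenticated is the value to alert on in a configuration baseline. Set-MsdtcNetworkAccess honours -WhatIf and -Confirm, so you can review each registry write and the service restart before applying them, and it defaults to Mutual Authentication Required, the mode the article recommends.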