
Error message when you modify the "Impersonate a client after authentication" policy setting in Windows Server 2003 with Service Pack 1: "There are no more endpoints available from the endpoint mapper"



Symptoms

After you install Microsoft Windows Server 2003 Service Pack 1 (SP1) or when you modify the Impersonate a client after authentication policy setting in Windows Server 2003 with SP1, you may experience one or more of the following symptoms:
  • Incoming and outgoing network communication fails.
  • Error messages that resemble the following are generated in the System log:

    Error message 1

    Date: Date
    Time: Time
    Event Type: Error
    Event Source: SAM
    Event ID: 12291
    Event Category: None
    User: N/A
    Computer: ComputerName
    Description:
    SAM failed to start the TCP/IP or SPX/IPX listening thread.

    Error message 2

    Date: Date
    Time: Time
    Event Type: Warning
    Event Source: LsaSrv
    Event ID: 32777
    Event Category: None
    User: N/A
    Computer: ComputerName
    Description:
    The LSA was unable to register its RPC interface over the TCP/IP interface. Please make sure that the protocol is properly installed.

    Error message 3

    Date: Date
    Time: Time
    Event Type: Error
    Event Source: IPSec
    Event ID: 4292
    Event Category: None
    User: N/A
    Computer: ComputerName
    Description:
    The IPSec driver has entered Block mode. IPSec will discard all inbound and outbound TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions. User Action: To restore full unsecured TCP/IP connectivity, disable the IPSec services, and then restart the computer.

    Error message 4

    Date: Date
    Time: Time
    Event Type: Error
    Event Source: Service Control Manager
    Event ID: 7023
    Event Category: None
    User: N/A
    Computer: ComputerName
    Description:
    The Task Scheduler service terminated with the following error: The endpoint mapper database entry could not be created.

    Error message 5

    Date: Date
    Time: Time
    Event Type: Error
    Event Source: Service Control Manager
    Event ID: 7022
    Event Category: None
    User: N/A
    Computer: ComputerName
    Description:
    The COM+ Event System service hung on starting.

  • When you use the Group Policy Object Editor to modify the Impersonate a client after authentication policy setting, you may receive the following error message:
    There are no more endpoints available from the endpoint mapper.



Cause

This issue occurs because the logon account for the Remote Procedure Call (RPC) service is changed from the Local System account to the NetworkService account in Windows Server 2003 with SP1. When the RPC service runs under the NetworkService account, the Impersonate a client after authentication policy must include the Administrators group account and the SERVICE group account.



Resolution

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


To resolve this issue, follow these steps:
  1. Use an account that has administrative credentials to log on to Windows Server 2003.
  2. Try to add the Administrators group and SERVICE group accounts to the Impersonate a client after authentication policy setting. To do this, follow these steps:
    1. Click Start, click Run, type gpedit.msc, and then click OK.
    2. In the console tree, locate and then expand the following node:
      Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
    3. Locate and then double-click Impersonate a client after authentication.
    4. Click Add User or Group.

      Note If the Add User or Group button is disabled and if the computer is a domain controller, use the Domain Controller Security Policy administrative tool to make the policy changes. This policy tool will override the local security policy settings. If this computer is a member server and the Add User or Group button is disabled, identify all Group Policy settings that apply to this computer, and then make the policy changes to the appropriate Group Policy settings.
    5. In the Enter the object names to select box, type Administrators, and then click OK.
    6. Repeat steps 4 through 5 for the SERVICE group account.
    7. Click OK to close the Impersonate a client after authentication Properties dialog box.
    8. On the File menu, click Exit.
    9. Restart the computer.
    If you can add the Administrators group and SERVICE group accounts to the Impersonate a client after authentication policy setting, restart the computer. The issue will be resolved. If you cannot modify the policy and you still experience network communication issues, follow steps 3 through 5.
  3. Change the logon account for the RPC service from the NT AUTHORITY\NetworkService account to the Local System account, and then restart the computer. After you follow this step, network communication is restored. However, you must now follow steps 4 through 5 to reconfigure the RPC service to run under the NetworkService account. To modify the logon account for the RPC service, follow these steps:
    1. Click Start, click Run, type Services.msc, and then click OK.
    2. Locate and then double-click Remote Procedure Call (RPC).
    3. Click the Log On tab, click Local System account, and then click OK.
    4. On the File menu, click Exit to close the Services snap-in.
    5. Restart the computer.
  4. Add the Administrators group and SERVICE group accounts to the Impersonate a client after authentication policy setting, and then update Group Policy. To do this, follow these steps:
    1. Click Start, click Run, type gpedit.msc, and then click OK.
    2. In the console tree, locate and then expand the following node:
      Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
    3. Locate and then double-click Impersonate a client after authentication.
    4. In the Impersonate a client after authentication Properties dialog box, click Add User or Group.

      Note If the Add User or Group button is disabled and if the computer is a domain controller, use the Domain Controller Security Policy administrative tool to make the policy changes. This policy tool will override the local security policy settings. If this computer is a member server and the Add User or Group button is disabled, identify all Group Policy settings that are applicable to this computer, and then make the policy changes in the appropriate Group Policy settings.
    5. In the Enter the object names to select box, type Administrators, and then click OK.
    6. Repeat steps 4 through 5 for the SERVICE group account.
    7. Click OK.
    8. On the File menu, click Exit.
    9. Click Start, click Run, type gpupdate /force to update Group Policy.
    10. Use the Group Policy Object Editor to make sure that the Impersonate a client after authentication policy includes the Administrators group and SERVICE group accounts.
  5. Use Registry Editor to modify the logon account settings for the RPC service so that it uses the NT Authority\NetworkService account. This is the default configuration for Windows Server 2003 with SP1. To do this, follow these steps.
    1. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs
      Note Make sure that you make a copy of the registry subkey before you modify any settings.
    2. Double-click ObjectName.
    3. In the Value data box, type NT Authority\NetworkService.
    4. Click OK.
    5. On the File menu, click Exit.
    6. Restart the computer.
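
The end state of this procedure can also be checked from a script. The following is an added example, not part of the original article: it assumes PowerShell 2.0 or later in an elevated session, uses `SeImpersonatePrivilege` (the constant name of the Impersonate a client after authentication right) and the well-known SIDs of the two groups, and the helper name `Get-MissingImpersonatePrincipal` is hypothetical.

```powershell
# Added example (not from the KB article). Run elevated on the affected server.
# SeImpersonatePrivilege is the constant name of "Impersonate a client after authentication".
$Required = @{
    'S-1-5-32-544' = 'Administrators'   # well-known SID of BUILTIN\Administrators
    'S-1-5-6'      = 'SERVICE'          # well-known SID of NT AUTHORITY\SERVICE
}

# Hypothetical helper: returns the required principals missing from a secedit export.
function Get-MissingImpersonatePrincipal {
    param([string[]]$InfLines)
    $line = $InfLines | Where-Object { $_ -match '^\s*SeImpersonatePrivilege\s*=' } |
        Select-Object -First 1
    $granted = @()
    if ($line) {
        # Entries look like "*S-1-5-19,*S-1-5-20"; unresolved accounts may appear by name.
        $granted = @(($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') })
    }
    foreach ($sid in $Required.Keys) {
        $name = $Required[$sid]
        if (($granted -notcontains $sid) -and ($granted -notcontains $name)) { $name }
    }
}

# Constructed sample: only LOCAL SERVICE and NETWORK SERVICE hold the right.
$sample = '[Privilege Rights]', 'SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20'
"Sample export is missing: $((Get-MissingImpersonatePrincipal $sample) -join ', ')"

# Live check: export the user rights, then read the RpcSs logon account from the registry.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$missing = @(Get-MissingImpersonatePrincipal (Get-Content $cfg))
Remove-Item $cfg
$account = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\RpcSs').ObjectName

"RpcSs logon account: $account"
if ($missing.Count -gt 0) {
    "Impersonate a client after authentication is missing: $($missing -join ', ')"
    if ($account -match 'NetworkService') {
        'RpcSs runs as NetworkService without the required rights: the state described under Cause.'
    }
} else {
    'Administrators and SERVICE both hold the right.'
}
```

After step 3 the reported logon account is the Local System account; after step 5 and the final restart it should again be NT Authority\NetworkService with nothing reported as missing.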



Keywords: KB930220, kbtshoot, kbexpertiseinter


Article Info
Article ID : 930220
Revision : 3
Created on : 1/18/2007
Published on : 1/18/2007
Exists online : False