FIX: MTS Trusted Impersonators Group Name Is Too Long

ID: Q181775

The information in this article applies to:
  • Microsoft Transaction Server 2.0

SYMPTOMS

Unexpected behavior may occur when you access Microsoft Transaction Server (MTS) components that have package security enabled from Internet Information Server 4.0 Active Server Pages on a backup domain controller (BDC) with the latest Windows NT QFE hotfix installed. Users who should have access may be denied access and users who do not have access may be allowed. In addition, the ISecurityProperty information can be incorrect. The group name has been changed to "MTS Impersonators" to accommodate the 20-character limitation. This hotfix contains those changes. Windows NT 4.0 Service Pack 4 and later also contain the changes.

To work around this problem with the current release, perform the following the procedure:

  1. Shut down the Internet Information Server (IIS) and/or the MTS Administrative console.


  2. Open a command window.


  3. At a command prompt, run net stop iisadmin /y to shut down the IIS services.


  4. At a command prompt, run net stop msdtc to shut down the Microsoft Distributed Transaction Coordinator (DTC) service.


  5. At a command prompt, run Mtxstop.exe to stop all MTS server processes.


  6. Copy I0545a.exe (i386) or A0545a.exe (Alpha) to an empty directory and run it.


  7. In the \WinnNT\System32 directory, rename the Mtxex.dll file to Mtxex.dll.old (or some other name).


  8. Replace the Mtxex.dll in the \WinNT\System32 directory.


  9. From the command prompt, run Usrmgr.exe to start User Manager for Domains.


  10. Create a new local group named "MTS Impersonators".


  11. Add the IWAM_<MachineName> account to the local group.


  12. Close User Manager for Domains.


  13. At a command prompt, run net start mstdc to restart the DTC service.


  14. At a command prompt, run net start w3svc to restart the IIS services.


Removing the Invalid Group

The group can be removed in User Manager for Domains or with the NET command on all stand-alone servers. However, it can not be removed on Primary Domain Controllers (PDCs) and BDCs because the name is invalid. To remove the group follow theses steps:
  1. Obtain the Addusers.exe utility from the Windows NT 4.0 Resource Kit.


  2. At the command prompt on the PDC, run Addusers.exe /d Mtsgrp.txt. The Users & Group list will be dumped to the text file.


  3. Edit the text file Mtsgrp.txt There will be three sections 
    
   [User]
   [Global]
   [Local]
    Remove all lines but the [Global] and the line that includes the "MTS Trusted Impersonators". group.


  4. At the command prompt, run Addusers /e Mtsgrp.txt.



CAUSE

When Microsoft Transaction Server (or Internet Information Server version 4.0) is installed on a BDC, a global group is created instead of a local group. The "MTS Trusted Impersonators" group name's length (25 characters) exceeds the maximum length allowed for a global group name. The global group name has a 20-character limit, but the local group name can have up to 256 characters.


STATUS

Microsoft has confirmed this to be a problem in Microsoft Transaction Server version 2.0.

A supported fix is now available, but has not been fully regression-tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information.

Additional query words:

Keywords : kbMTS kbMTS200 kbGrpCom kbDSupport kbbug2.00 TSrvSecurity
Version : winnt:2.0
Platform : winnt
Issue type : kbbug


Last Reviewed: October 8, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.