Blame Dan for IAS Socket Error
Tuesday, March 24, 2009
Here's the error you see in the event logs:
Only one usage of each sock address (protocol/network address/port) is normally permitted.
The whole event log looks like this:
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 24/03/2009
Time: 7:13:42 AM
User: N/A
Computer: THISCOMPUTER
Description:
The Internet Authentication Service service terminated with the following error:
Only one usage of each sock address (protocol/network address/port) is normally permitted.
The issue is that your DNS server has grabbed some of the ports used by the Internet Authentication Service, which means you can't log into your routers, VPN users can't connect anymore, or whatever you were using IAS for no longer works. It actually causes the IAS service to stop completely. You may have seen this when you opened the admin MMC:
There was an error getting connection to the datastore. The handle is invalid
The Fix
Straight to the workaround:
- Open up the IAS admin console (administrative tools)
- Right click on "Internet Authentication Services" and go to "Properties"
- Click on ports and write down the ports that it's using
- Open up regedit -- insert warning of death here --
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- Double-click the ReservedPorts value, type the range of ports used by IAS (1645-1646)
- Save it and restart the DNS Server service (you may need to reboot the whole server but not in my case)
Now when DNS restarts it'll make sure not to use those ports that you have already allocated for IAS and you're back working.
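As an added example (not part of the original post), this PowerShell script does the two checks a practitioner would want before and after the fix: which process currently holds the IAS RADIUS ports, and whether the range is already in ReservedPorts, adding it if not. It assumes the ports are 1645-1646 as in the post (adjust `$iasPorts` to what the IAS Properties > Ports tab shows) and that it is run elevated on the server.

```powershell
# Added example, not from the original post: audit and reserve the IAS RADIUS ports
# so that the randomised DNS source port (MS08-037) cannot collide with them.
# Assumption: IAS uses 1645-1646 (check the Ports tab in the IAS admin console).
$iasPorts = 1645..1646
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$reserved = (Get-ItemProperty -Path $regPath -Name ReservedPorts -ErrorAction SilentlyContinue).ReservedPorts

# 1. Who is bound to each IAS port right now? netstat -ano also works on Server 2003.
#    Windows UDP lines look like: "  UDP    0.0.0.0:1645    *:*    1234"
$dnsPid = (Get-Process -Name dns -ErrorAction SilentlyContinue).Id
foreach ($line in (netstat -ano -p udp)) {
    if ($line -match '^\s*UDP\s+\S+:(\d+)\s+\S+\s+(\d+)\s*$') {
        $port  = [int]$matches[1]
        $owner = [int]$matches[2]
        if ($iasPorts -contains $port) {
            $who = if ($owner -eq $dnsPid) { 'the DNS Server service (conflict!)' } else { "PID $owner" }
            Write-Host "UDP $port is currently bound by $who"
        }
    }
}

# 2. ReservedPorts is a REG_MULTI_SZ whose entries are ranges such as "1645-1646".
$range = "$($iasPorts[0])-$($iasPorts[-1])"
if ($reserved -contains $range) {
    Write-Host "ReservedPorts already contains $range; nothing to do"
} else {
    # Keep any ranges already reserved, drop the null you get when the value is absent.
    $newValue = @(@($reserved) + $range | Where-Object { $_ })
    Set-ItemProperty -Path $regPath -Name ReservedPorts -Value ([string[]]$newValue) -Type MultiString
    Write-Host "Added $range to ReservedPorts; now restart the DNS Server service (net stop dns; net start dns)"
}
```

Run it once before the fix to confirm dns.exe is the process sitting on 1645 or 1646, and again after the DNS restart to confirm the ports are free (or bound by IAS) and the range is reserved.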
The Background
This is all caused by Dan Kaminsky so you should email him and tell him how many problems he's caused. (Just kidding but he still might enjoy that).
The real issue is the hotfix Microsoft released as MS08-037, which fixed a flaw in DNS servers and clients originally discovered by Dan Kaminsky. The MS08-037 security update randomizes the DNS transaction IDs of DNS servers, changes the logic for handling DNS caching and, most importantly for this error, randomizes the source port (socket) the DNS server uses each time. That means that when DNS is running, it could be using a port that another application like IAS needs.
External Links
http://www.capslockassassin.com/2009/01/28/ms08-037-causes-port-conflicts-with-dns-and-ias-services/ - nice write up about the issue with screen shots
http://support.microsoft.com/kb/956188/ - MS support KB about the issue
http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx - MS08-037 security bulletin
Labels: Dan Kaminsky, DNS, KB956188, MS08-067, security