EnableAuthEpResolution registry key is enabled

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at http://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2011-11-15

The Microsoft® Exchange Server Analyzer Tool reads the following registry entry to determine whether the remote procedure call (RPC) Interface Restrictions registry key is enabled:

HKEY_LOCAL_MACHINE\ Software\Policies\Microsoft\Windows NT\RPC

If the Exchange Server Analyzer finds that the EnableAuthEpResolution registry value exists, the Exchange Server Analyzer displays a non-default configuration message. By default, the EnableAuthEpResolution value is set to 0.

RPC Interface Restrictions provides increased network protection that will make systems less vulnerable to attacks over the network.

An RPC interface that is remotely and anonymously available and is registered by default on Microsoft Windows® XP presents a significant attack surface. RPC itself must register such an interface to provide endpoint resolution for calls using dynamic endpoints. The RestrictRemoteClients registry key modifies the behavior of all RPC interfaces on the system. By default, the RestrictRemoteClients registry key prevents remote anonymous access to RPC interfaces on the system, with some exceptions. Therefore, the RPC Endpoint Mapper interface is no longer available anonymously.

An RPC client that tries to make a call by using a dynamic endpoint will first query the RPC Endpoint Mapper on the server to determine what dynamic endpoint the RPC client should connect to. This query is performed anonymously, even if the RPC client call itself is performed by using RPC security. By default, anonymous calls to the RPC Endpoint Mapper interface will fail on Microsoft Windows XP Service Pack 2 because the default RestrictRemoteClients functionality prevents remote anonymous access to RPC interfaces on the system. Because of this RPC Interface Restriction, the RPC client runtime is modified to perform an authenticated query to the Endpoint Mapper. This RPC Interface Restriction is the default behavior in Windows XP Service Pack 2.

The RPC client runtime then uses Integrated Windows authentication to authenticate to the Endpoint Mapper. In Windows XP, in Windows Server 2003, in Windows Server 2008, and in Windows Vista, this facility uses NTLM only. In Windows 7, in Windows Server 2008 R2, and in later operating systems, this facility can also use Kerberos. The selections of the authentication protocol for the RPC endpoint mapper and for the actual RPC interface used by the client are independent from each other.

A non-default configuration exists if the following conditions exist:

  • The RPC registry key and EnableAuthEpResolution value described have been created.

  • The EnableAuthEpResolution registry value has been set to 0.

Clients that do not have the EnableAuthEpResolution key set cannot make RPC service requests of servers that have RestrictRemoteClients enabled. This restriction may cause RPC-based services to stop working.

Additionally, when you enable EnableAuthEpResolution NTLM Authentication, the load may increase significantly if any applications, such as Exchange MAPI clients, make heavy use of the Endpoint Mapper. Clients that are running Windows Vista or an earlier operating system version use NTLM. The client also uses NTLM if it cannot obtain a Kerberos ticket for the RPC Endpoint Mapper. For example, the client chooses NTLM in configurations in which authentication over an external trust or server name is used and when no ServicePrincipalName that has the “RPCSS/” prefix exists.

In this case, you may want to increase the Netlogon registry entry MaxConcurrentAPI to 10 (maximum for operating systems up to Windows Server 2008) or 150 (maximum for Windows Server 2008 R2). The registry entry must be set on all domain member servers and domain controllers along the trust path to the user domain. For details about MaxConcurrentAPI, see Microsoft Knowledge Base article 975363You are intermittently prompted for credentials or experience time-outs when you connect to Authenticated Services.

You can monitor NTLM authentication performance using performance monitor Netlogon object, for Windows Server 2003 you can install an update to make the object available: 928576 New performance counters for Windows Server 2003 let you monitor the performance of Netlogon authentication.

For more information about changes to the RPC service in Windows XP Service Pack 2, see (RPC Interface Restriction).