This article discusses registry changes that you must make if you install Microsoft Windows XP Service Pack 2 (SP2) and Microsoft BizTalk Server 2004 on the same computer. You must complete these registry changes for the Enterprise Single Sign-On Service to run correctly.
You receive one or more of the following errors on a computer that is running BizTalk Server 2004 after you install Windows XP SP2:
• The BizTalk Configuration Framework Wizard (Configframework.exe) fails and you receive an error message that is similar to the following:
Failed to generate the master secret (error code 0x800706BF)
If you click Retry, you receive the same error message. If you click Cancel, the Configuration Framework rolls back any configuration options that have been applied when you ran the BizTalk Configuration Framework Wizard.
• If you try to start the Enterprise Single Sign-On (ENTSSO) service, it will not start and an error message that is similar to the following is logged in the application event log:
Event Type: Error
Event Source: ENTSSO
Event Category: Enterprise Single Sign-On
Event ID: 10555
Computer: BIZTALKSERVER
Description: Secret server access denied. Client User: Domain\UserName
For more information, see Help and Support Center at http://support.microsoft.com.
Note In this error message, BIZTALKSERVER is a placeholder for the name of the BizTalk Server where you receive the error message and Domain\UserName is a placeholder for the domain name and user name of the account that the ENTSSO service is configured to run as.
• Any component that tries to access the ENTSSO service or
the BizTalk Server runtime services receives an "Access denied" error message.
When you receive the "Access denied" error message, no corresponding error is
written to the BizTalk Server event log.
The behavior of the Remote Procedure Call (RPC) protocol is changed after you apply Windows XP SP2 in the following ways:
• By default, the behavior of RPC clients in Windows XP and Windows XP SP2 is to request endpoints from the RPC Endpoint Mapper anonymously.
• By default, the behavior of the RPC protocol in Windows XP is to permit anonymous requests to the RPC Endpoint Mapper.
• After you install Windows XP SP2, the RPC protocol does not permit anonymous requests to the RPC Endpoint Mapper but requires client requests to be authenticated.
• Because, by default, RPC client requests to the Endpoint Mapper are made anonymously, these client requests fail after you install Windows XP SP2.
Because anonymous RPC client requests to the RPC Endpoint Mapper fail, the RPC protocol cannot be used. This prevents the ENTSSO service and the BizTalk Application Service from starting, because the ENTSSO service depends on the RPC protocol and the BizTalk Application Service depends on the ENTSSO service.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows
To allow client requests to the RPC Endpoint
Mapper to succeed, you must require client calls to the RPC Endpoint Mapper to
be authenticated. You can enforce authenticated client calls to the RPC
Endpoint Mapper by running the Group Policy Object Editor or by creating a
registry entry. Use one of the following methods to require client calls to the
RPC Endpoint Mapper to be authenticated.
Use Registry Editor to enforce the use of authenticated client calls to the RPC Endpoint Mapper
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT
3. Look for a subkey that is named RPC. If this key exists, click the RPC subkey, and then go to step 6. If this key does not exist, go to step 4.
4. On the Edit menu, point to New, and then click Key.
5. While the new key is selected, type RPC, and then press ENTER.
6. On the Edit menu, point to New, and then click DWORD Value.
7. Type EnableAuthEpResolution, and then press ENTER.
8. On the Edit menu, click Modify.
9. In the Value data box, type the number 1. Click OK.
   Note If you want to disable this functionality, set the EnableAuthEpResolution registry entry to 0 (zero).
10. Quit Registry Editor.
After you create this registry value, you must restart your
computer for the registry value to take effect. After this registry change is
implemented, client calls to the RPC Endpoint Mapper will be made with
authentication. This behavior allows the ENTSSO service to start.
Things to consider for Windows XP computers that are part of a Microsoft Windows NT 4.0 domain or that must work with remote applications that are running on Windows NT 4.0 computers
If you have installed Windows XP SP2 on a computer that is part of
a Windows NT 4.0 domain or that must work with remote applications that are
running on Windows NT 4.0 computers, you must also disable the
RestrictRemoteClients setting that is enforced by the RPC
protocol. Disabling this restriction has security implications and you must
understand what these implications are before you perform this operation. For
more information about the security implications of disabling the
RestrictRemoteClients setting, visit the following Microsoft
Developer Network (MSDN) Web site:
You can disable the RestrictRemoteClients setting
that is enforced by the RPC protocol by running the Group Policy Object Editor
or by creating a registry entry. Use one of the following procedures to disable
the RestrictRemoteClients setting that is enforced by the RPC
protocol.
Use the Group Policy Object Editor to disable the RestrictRemoteClients setting that is enforced by the RPC protocol
1. Click Start, click Run, type gpedit.msc, and then click OK.
2. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand System, click Remote Procedure Call, and click Restrictions for Unauthenticated RPC Clients.
3. Change the value for Restrictions for Unauthenticated RPC Clients to Disabled.
Use Registry Editor to disable the RestrictRemoteClients setting that is enforced by the RPC protocol
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT
3. Look for a subkey that is named RPC. If this key exists, click the RPC subkey, and then go to step 7. If this key does not exist, go to step 4.
4. On the Edit menu, point to New, and then click Key.
5. While the new key is selected, type RPC, and then press ENTER.
6. On the Edit menu, point to New, and then click DWORD Value.
7. Type RestrictRemoteClients, and then press ENTER.
8. On the Edit menu, click Modify.
9. In the Value data box, type 0, and then click OK.
   Note If you want to enable this functionality, set the RestrictRemoteClients registry entry to 1 (one).
10. Quit Registry Editor.
After you create this registry value, you must restart your
computer for the registry value to take effect.
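The two Registry Editor procedures above (EnableAuthEpResolution and RestrictRemoteClients), scripted as an added example that is not part of the original article. It assumes PowerShell is installed and is run by an administrator; the function names Get-RpcPolicy and Set-RpcPolicy and the backup file name are illustrative, while the key path and value names are the ones given in the article.

```powershell
# Added example, not from the original article: scripted form of the registry steps.
# Run from an administrative PowerShell session on the affected computer.
$RpcKeyPs  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\RPC'   # provider path
$RpcKeyReg = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\RPC'    # reg.exe path

function Get-RpcPolicy {
    # Report both values the article discusses; $null means the value is not set.
    $state = @{ EnableAuthEpResolution = $null; RestrictRemoteClients = $null }
    if (Test-Path $RpcKeyPs) {
        $props = Get-ItemProperty -Path $RpcKeyPs
        foreach ($name in @($state.Keys)) {
            if ($props -and $props.PSObject.Properties[$name]) { $state[$name] = $props.$name }
        }
    }
    New-Object PSObject -Property $state
}

function Set-RpcPolicy {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('EnableAuthEpResolution', 'RestrictRemoteClients')]
        [string]$Name,
        [Parameter(Mandatory=$true)]
        [ValidateRange(0, 1)]          # the article documents only 0 and 1
        [int]$Value
    )
    if (Test-Path $RpcKeyPs) {
        # Back up the existing key before modifying it, as the article recommends.
        $backup = Join-Path $env:TEMP ("rpc-policy-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
        & reg.exe export $RpcKeyReg $backup | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $RpcKeyReg failed; no change made." }
    } else {
        # Create the RPC subkey when it does not exist yet.
        New-Item -Path $RpcKeyPs -Force | Out-Null
    }
    # Create the DWORD value, or overwrite it if it is already present.
    New-ItemProperty -Path $RpcKeyPs -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    if ($Name -eq 'RestrictRemoteClients' -and $Value -eq 0) {
        Write-Warning 'RestrictRemoteClients = 0 disables the restriction on unauthenticated RPC clients.'
    }
    Write-Host 'Restart the computer for the change to take effect.'
    Get-RpcPolicy   # return the resulting state so it can be logged or compared
}

# Needed on a computer that runs Windows XP SP2 and BizTalk Server 2004:
Set-RpcPolicy -Name EnableAuthEpResolution -Value 1
# Only for Windows NT 4.0 domains or remote applications on Windows NT 4.0 computers:
# Set-RpcPolicy -Name RestrictRemoteClients -Value 0
```

Running Get-RpcPolicy on its own reports the current state without changing anything, which is useful for checking a computer before and after the restart.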