Logon fails after you restrict client RPC to DC traffic in Windows Server 2012 R2 or Windows Server 2008 R2

Applies to: Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials

Symptoms


Assume that you define static TCP ports according to article 224196 to restrict the client remote procedure call (RPC) traffic to specific ports on the domain controller (DC), and you only open these specific static ports on the firewall. In this situation, the Local Security Authority RPC (LSAR) calls (such as Lsarlookupnames4 and lsarlookupsids3) fail, and the logon to the Windows Server 2012 R2-based or Windows Server 2008 R2 Service Pack 1 (SP1)-based DC also fails.

Cause


After you configure the registry keys according to article 224196 to restrict the client RPC traffic to specific ports on the DC, all client RPC traffic uses the specified static ports. However, when the endpoint mapper is queried for the LSA interface, it returns both a dynamic port and the fixed port, and the static port is not always the first endpoint that the endpoint mapper returns. This issue occurs when the dynamic port is returned first and that port is blocked by the firewall.
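The following added example (not part of this article or of any Microsoft tool) models the diagnosis described above: it parses a constructed endpoint-mapper listing written in RPC string-binding syntax, collects the TCP endpoints advertised for one interface, and reports whether the first endpoint returned is one the firewall allows. The interface UUID, host address and port numbers are placeholders; the static port 38901 and the dynamic port 49157 are assumed values for illustration.

```python
import re
from typing import List, Set

# Placeholder interface UUID (substitute the real LSA interface UUID in practice).
IFACE = "aaaaaaaa-1111-2222-3333-444444444444"

# Constructed listings: "<interface uuid> <string binding>", one endpoint per line.
# Case 1: endpoint mapper returns the dynamic port before the static one.
LISTING_DYNAMIC_FIRST = """
aaaaaaaa-1111-2222-3333-444444444444 ncacn_ip_tcp:10.0.0.10[49157]
aaaaaaaa-1111-2222-3333-444444444444 ncacn_ip_tcp:10.0.0.10[38901]
aaaaaaaa-1111-2222-3333-444444444444 ncacn_np:\\\\DC01[\\pipe\\lsass]
"""
# Case 2: the static port is listed first, so the client connects through the firewall.
LISTING_STATIC_FIRST = """
aaaaaaaa-1111-2222-3333-444444444444 ncacn_ip_tcp:10.0.0.10[38901]
aaaaaaaa-1111-2222-3333-444444444444 ncacn_ip_tcp:10.0.0.10[49157]
"""

# Only TCP bindings matter here; named-pipe bindings are skipped on purpose.
BINDING_RE = re.compile(
    r"^(?P<iface>[0-9a-fA-F-]{36})\s+ncacn_ip_tcp:(?P<host>[^\[]+)\[(?P<port>\d+)\]$"
)


def tcp_ports_for_interface(listing: str, iface: str) -> List[int]:
    """Return the TCP ports advertised for iface, in the order the mapper listed them."""
    ports: List[int] = []
    for line in listing.strip().splitlines():
        m = BINDING_RE.match(line.strip())
        if m and m.group("iface").lower() == iface.lower():
            ports.append(int(m.group("port")))
    return ports


def diagnose(listing: str, iface: str, allowed_ports: Set[int]) -> str:
    """Classify the listing against the set of ports the firewall permits.

    "ok"                    - first TCP endpoint is an allowed (static) port
    "static-port-not-first" - an allowed port is advertised, but a blocked one comes first
    "no-allowed-port"       - no advertised TCP endpoint is allowed by the firewall
    "no-tcp-endpoint"       - the interface has no ncacn_ip_tcp binding at all
    """
    ports = tcp_ports_for_interface(listing, iface)
    if not ports:
        return "no-tcp-endpoint"
    if ports[0] in allowed_ports:
        return "ok"
    if any(p in allowed_ports for p in ports):
        return "static-port-not-first"
    return "no-allowed-port"
```

Run `diagnose(LISTING_DYNAMIC_FIRST, IFACE, {38901})` to see the failing case from the Cause section reported as `static-port-not-first`.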

How to obtain this hotfix


To resolve this issue, we have released hotfixes for Windows Server 2012 R2 and Windows Server 2008 R2. Both hotfixes require a restart.

Before you install this hotfix, check the prerequisite of the hotfix.

Hotfix for Windows Server 2012 R2 or Windows Server 2008 R2

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix Download Available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:

Note The "Hotfix Download Available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must first install update 2919355 on Windows Server 2012 R2, or you must first install SP1 on Windows Server 2008 R2. For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

2919355 Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 Update April, 2014

976932 Information about Service Pack 1 for Windows 7 and for Windows Server 2008 R2

Registry information

To use the hotfix in this package, you do not have to make any changes to the registry.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

More Information


For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates.

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.