No more connections can be made to this remote computer at this time because there are already as many connections as the computer can accept.
This remote computer has reached its connection limit, you cannot connect at this time.
In addition, when multiple NULL sessions are generated from a single Windows 2000 client computer, the multiple NULL sessions are counted as multiple sessions. However, a NULL session appears as a single session when you run the net session command. In this case, when the RestrictAnonymous registry entry is set, and the NULL session connection is rejected, this symptom still occurs.
- For Windows XP Professional-based computers, the maximum number of concurrent network connections that are allowed is 10. This limit includes all transfer and all resource share protocols. For Windows XP Home Edition-based computers, the maximum number of concurrent network connections that are allowed is 5. This limit is the number of sessions that can be hosted at the same time from other computers. Therefore, administrative tools cannot be used to connect to the system from a remote computer.
- When multiple NULL sessions are connected from a single computer, each one of them is counted.
- Only one IPC$ can be checked by using the net session command. For example, when a single Windows 2000-based computer tries to use multiple IPC$ sessions, only one single IPC$ session can be used at a time.
- RestrictAnonymous is not valid for this resolution.
A Remote Procedure Call (RPC) requires one named pipe instance for every active RPC call (like OpenPrinter). If an OpenPrinter call stops responding, RPC keeps open the named pipe connection. RPC does not disconnect this connection until the context handle (that is OpenPrinters) has been closed.
If both the following conditions are true, you may open an anonymous connection (also known as null session connection) that never closes to the named pipe \PIPE\spoolss on the workstation that acts as the server in your peer to peer network:
- Your client has connected a shared printer on the computer that acts as a 'print server'.
- You have set up a local shared printer on one or more clients.
Method 1
Disable null session connections on the Windows computer that exceeds its incoming connection limit and shows some additional null session connections, either by using the Group Policy GUI or by setting a registry key.
Using the Group Policy User Interface (Local Security Policy MMC Snap-In)
- Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
Note If you cannot perform this step because Administrative Tools does not appear in the Program list, click Start, point to Settings, point to Control Panel, double-click Administrative Tools, and then click Local Security Policy.
Note In Windows XP, the RestrictAnonymous subkey can have a value of 0 or 1. A value of 1 restricts null session connections on Windows XP-based clients. For regulation of the enumeration of SAM accounts, the following new registry subkey has been added:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymoussam
The policy is configurable via Local Security Settings under Security Settings\Local Policies\Security Options\Network Access: Do not allow anonymous enumeration of SAM accounts.
- In Security Settings, double-click Local Policies, and then click Security Options.
- Double-click Additional restrictions for anonymous connections, and then under Local policy setting:, click No access without explicit anonymous permissions.
- Restart the computer.
Using Registry Editor
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
To restrict null session connections (or disable null session access):
- Start Registry Editor.
- Locate, and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
- On the Edit menu, click Add Value, and then add the following registry value:
Value Name: RestrictAnonymous
Data Type: REG_DWORD
A value of 2 restricts null session connections.
To set the RestrictAnonymous value, change the registry key to 0 or 1 for Windows NT 4.0 or to 0, 1, or 2 for Windows 2000. These numbers correspond to the following settings:
- 0 None. Rely on default permissions.
- 1 Do not allow enumeration of SAM accounts and names.
- 2 No access without explicit anonymous permissions
- Restart the computer.
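A check of the values Method 1 configures, as an added example that is not part of the original article. The function name, its parameters and the sample values are hypothetical; the key path and value meanings are the ones listed above.

```powershell
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# RestrictAnonymous meanings as listed in the article.
$RaMeaning = @{
    0 = 'None. Rely on default permissions'
    1 = 'Do not allow enumeration of SAM accounts and names'
    2 = 'No access without explicit anonymous permissions'
}

function Get-AnonymousAccessReport {     # hypothetical helper name
    param(
        [hashtable]$Values,              # exported values, for evaluating a host offline
        [int]$Wanted = 2                 # value Method 1 sets; use 1 on Windows XP
    )
    if (-not $PSBoundParameters.ContainsKey('Values')) {
        # Live read from the local registry (Windows only).
        $Values = @{}
        $props = Get-ItemProperty -Path $LsaKey -ErrorAction Stop
        foreach ($n in 'RestrictAnonymous', 'restrictanonymoussam') {
            if ($null -ne $props.$n) { $Values[$n] = [int]$props.$n }
        }
    }
    $ra  = $Values['RestrictAnonymous']
    $sam = $Values['restrictanonymoussam']
    [pscustomobject]@{
        Name    = 'RestrictAnonymous'
        Value   = $ra
        Meaning = if ($null -eq $ra) { 'value not present' }
                  elseif ($RaMeaning.ContainsKey([int]$ra)) { $RaMeaning[[int]$ra] }
                  else { 'not a value the article defines' }
        AsWanted = ($ra -eq $Wanted)
    }
    [pscustomobject]@{
        Name    = 'restrictanonymoussam'
        Value   = $sam
        Meaning = if ($sam -eq 1) { 'anonymous enumeration of SAM accounts not allowed' }
                  else { 'anonymous enumeration of SAM accounts not restricted' }
        AsWanted = ($sam -eq 1)
    }
}

# Constructed input: a host where only the SAM enumeration restriction is set.
Get-AnonymousAccessReport -Values @{ RestrictAnonymous = 0; restrictanonymoussam = 1 } |
    Format-Table -AutoSize -Wrap
# On the affected computer, call Get-AnonymousAccessReport with no -Values to read the registry.
```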
Method 2
Use the following method to avoid null session connections that have a high session idle time and that have opened a handle to the named pipe \PIPE\spoolss.
Remove Printer Share on Clients
Identify clients that have local printer shares enabled (see the "More Information" section for additional information) and remove all local printer shares on these computers:
- Open the Printers folder to verify whether you have shared a local printer.
- Open the Properties window of the shared printer, and then click Sharing.
- Click to select the Not Shared option.
If the server service already has the maximum number of open sessions and one more user tries to allocate a resource, the computer returns the error messages that are described in the "Symptoms" section of this article.
Typically a computer does not have multiple sessions to another computer. But there are exceptions. For example, computer A is running a service under another user context than the logged-on user, and that service creates a logical connection to computer B. The logical connection can result from file shares, printers, serial ports, and also from communication between computers using named pipes and mail slots.
Use the following commands to get information about sessions and open files and shared resources.
Information About Active Sessions on the Computer That Is Running the Server Service
To receive information about active sessions on the computer that is running the server service, type the following command:
If there is more than one session from a remote client, view the User name context on the remote client that has set up more than one session:
- View all the services that are running, and find out if one is running under the user context of the username shown in the session table.
- Look for scheduled tasks that are running in a logon script and are using a different user account than the one logging in.
- Look for rows where the User name column is empty and examine the idle time.
Temporary null sessions are usually caused by IPC$ connections as the first step in establishing a connection. They stay active for 30 seconds to 90 seconds.
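The session-table review described above, as an added example that is not part of the original article: it parses net session output, marks rows with an empty User name, and flags those idle longer than the 90 seconds given for temporary null sessions. The function name and the sample output are constructed, and English output with an hh:mm:ss idle time is assumed.

```powershell
# Constructed sample of English `net session` output; not captured from a real host.
$sample = @'
Computer               User name            Client Type       Opens Idle time

-------------------------------------------------------------------------------
\\WKS-01               ALICE                Windows 2000 2195     2 00:00:41
\\WKS-02                                    Windows 2000 2195     1 03:12:07
\\WKS-02                                    Windows 2000 2195     0 00:00:25
\\WKS-03               BOB                  Windows 2002 2600     0 00:07:55
The command completed successfully.
'@

function Get-SessionTriage {             # hypothetical helper name
    param(
        [string[]]$Lines,
        [int]$IdleThresholdSeconds = 90  # upper bound the article gives for temporary null sessions
    )
    $header = $Lines | Where-Object { $_ -match '^Computer\s+User name' } | Select-Object -First 1
    if (-not $header) { throw 'Header row not found; this parser assumes English output.' }
    $userCol   = $header.IndexOf('User name')
    $clientCol = $header.IndexOf('Client Type')
    foreach ($line in $Lines) {
        # Session rows start with \\ and end with an idle time, assumed to be hh:mm:ss.
        if ($line -match '^\\\\(\S+).*\s(\d+):(\d{2}):(\d{2})\s*$') {
            $idle = [int]$Matches[2] * 3600 + [int]$Matches[3] * 60 + [int]$Matches[4]
            # Read the user name by column position so an empty field is detected reliably.
            $user = $line.PadRight($clientCol).Substring($userCol, $clientCol - $userCol).Trim()
            [pscustomobject]@{
                Computer    = $Matches[1]
                User        = $user
                IdleSeconds = $idle
                IsNull      = ($user -eq '')
                Lingering   = ($user -eq '' -and $idle -gt $IdleThresholdSeconds)
            }
        }
    }
}

$limit    = 10   # Windows XP Professional limit stated in the article (5 for Home Edition)
$sessions = @(Get-SessionTriage -Lines ($sample -split "`r?`n"))
$sessions | Format-Table Computer, User, IdleSeconds, IsNull, Lingering -AutoSize
'{0} of {1} allowed sessions in use, {2} null, {3} lingering null' -f $sessions.Count, $limit,
    @($sessions | Where-Object IsNull).Count, @($sessions | Where-Object Lingering).Count
```

On the computer running the server service, pass the live output instead of the sample: `Get-SessionTriage -Lines (net session)`.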
Note To disconnect client computer sessions, use the following command:
Information About Open Files
To receive information about open files, on the computer that is running the server service, type the following command:
Information About NetBIOS Connection Table
To see a listing of incoming and outgoing connections and the amount of traffic carried on these connections, type the command:
Information About Shared Resources
To see file shares, hidden administrative shares and shared printers, type the following command:
Use Network Monitor to find out which component initiates an additional session and what security context is used for the Server Message Block (SMB) session.
By default, when you use a NetShareEnum transaction, you require only anonymous access to make NetServerEnum2 and NetServerEnum3 requests. By default, Windows operating systems have anonymous access enabled.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
Article ID: 328459 - Last Review: Mar 15, 2008 - Revision: 1