AuthZ fails with an Access Denied error when an application does access checks in Windows Server

Applies to: Windows Server Datacenter Core, Windows Server Standard Core, Windows Server 2016

Symptoms


Consider the following scenario:

  • You're working in an Active Directory environment that's based on Windows Server 2008 R2 or a later version.
  • You run an application that uses the Authorization (AuthZ) interface. Such applications include Microsoft Exchange 2016 and Microsoft Exchange 2013.

In this scenario, when the application tries to do an access check, AuthZ fails and returns an Access Denied error message.

Cause


This issue occurs because the Network access: Restrict clients allowed to make remote calls to SAM policy is enabled. The policy controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database and in Active Directory.

This policy is introduced after the following versions of Windows or Windows updates are installed:

  • Windows 10 Version 1607 and later versions
  • Windows 10 Version 1511 with KB 4103198 installed
  • Windows 10 Version 1507 with KB 4012606 installed
  • Windows 8.1 with KB 4102219 installed
  • Windows 7 with KB 4012218 installed
  • Windows Server 2016 RS1 and later versions
  • Windows Server 2012 R2 with KB 4012219 installed
  • Windows Server 2012 with KB 4012220 installed
  • Windows Server 2008 R2 with KB 4012218 installed

Policy and registry names


Name              Description
Policy name       Network access: Restrict clients allowed to make remote calls to SAM
Location          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Registry subkey   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSam
Registry type     REG_SZ
Registry value    A string that contains the SDDL of the security descriptor to be deployed.


When you define the policy by using the Windows Server 2016 Admin Tools, the default is to allow only administrators access to this interface.

The error that's mentioned in the "Symptoms" section occurs if the following conditions are true:

  • The policy is enabled on the domain controllers.
  • The account for the server that is running Exchange Server is not allowed to use the interface.

Resolution


To fix this issue, use one of the following methods.

Method 1: Update the policy to allow access

Add the servers that have to access the interface as members of the group that the policy grants access to.

For example, the "Exchange Servers" universal group requires this access.

If the application does not have a group that contains the required accounts, you may have to create and maintain such a group. This is the recommended solution because it grants access to a group that's specific to the task.
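As an added example (not part of the KB article), the following PowerShell script reads the RestrictRemoteSam SDDL, reports which principals its ACEs grant READ_CONTROL (the SDDL right "RC" that the policy checks), and with -Apply appends an allow ACE for the application's group. The default group name 'Exchange Servers', running elevated, and writing the registry directly (rather than through the GPO that defines the policy) are assumptions for illustration.

```powershell
# Added example (not from the KB article): inspect the RestrictRemoteSam SDDL on this
# machine and, with -Apply, add an allow ACE for the group that needs remote SAM access.
# Assumptions: run elevated; $GroupName resolves in this domain; in production the
# change belongs in the GPO that defines the policy, not in the registry of one DC.
param(
    [string]$GroupName = 'Exchange Servers',   # assumed default; group to allow
    [switch]$Apply                             # without -Apply, only report
)

$regPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName   = 'RestrictRemoteSam'
$readControl = 0x20000                         # READ_CONTROL, "RC" in SDDL

function Resolve-SidName([System.Security.Principal.SecurityIdentifier]$Sid) {
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

$sddl = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ([string]::IsNullOrEmpty($sddl)) {
    Write-Output "$valueName is not set: remote SAM calls are not restricted by this policy."
    return
}
Write-Output "Current SDDL: $sddl"

$sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
$sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
           [System.Security.Principal.SecurityIdentifier])
if ($null -eq $sd.DiscretionaryAcl) { Write-Output "No DACL present: nothing is restricted."; return }

# List every ACE; a client is allowed only by an AccessAllowed ACE that grants READ_CONTROL.
$allowed = $false
foreach ($ace in $sd.DiscretionaryAcl) {
    $hasRC = ($ace.AccessMask -band $readControl) -ne 0
    Write-Output ("{0,-13} {1,-40} mask=0x{2:X} RC={3}" -f $ace.AceType,
                  (Resolve-SidName $ace.SecurityIdentifier), $ace.AccessMask, $hasRC)
    if ($ace.AceType -eq 'AccessAllowed' -and $hasRC -and $ace.SecurityIdentifier -eq $sid) {
        $allowed = $true
    }
}

if ($allowed) { Write-Output "$GroupName is already allowed."; return }
Write-Output "$GroupName is NOT allowed; its members will get Access Denied from AuthZ."
if (-not $Apply) { return }

# Append an allow ACE (READ_CONTROL) for the group and write the updated SDDL back.
$newAce = New-Object System.Security.AccessControl.CommonAce(
              [System.Security.AccessControl.AceFlags]::None,
              [System.Security.AccessControl.AceQualifier]::AccessAllowed,
              $readControl, $sid, $false, $null)
$sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $newAce)
$newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
Set-ItemProperty -Path $regPath -Name $valueName -Value $newSddl
Write-Output "New SDDL: $newSddl"
```

Run it without -Apply first on a domain controller to see which ACE, if any, covers the server's group; if the policy is defined by Group Policy, a registry edit made here is overwritten at the next refresh, so make the lasting change in the policy itself.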

Method 2: Disable the policy

Clear the RestrictRemoteSAM registry entry or remove the policy.

Note On domain controllers, you can define per-object permissions to control the visibility of the accounts. These permissions are honored by the remote SAM RPC calls. You cannot do this for the accounts of members or standalone computers.

More Information


For more information, see the following article:

Network access: Restrict clients allowed to make remote calls to SAM

Issue example in Exchange Server

Consider the following scenario:

  • You're running Active Directory together with Windows Server 2008 R2 or a later version.
  • You're running Microsoft Exchange 2016 or Microsoft Exchange 2013 as an email collaboration platform.

Note Although this example specifies Exchange Server, this issue applies similarly to other applications that use AuthZ in this manner.

In this scenario, offline address book (OAB) generation on the server that's running Exchange Server 2016 fails.

Also, you see an entry for Event 17004 (source: MSExchange Mailbox Assistants Provider) that resembles the following. This entry is logged in the Application log on the server on which the "SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}" arbitration mailbox that's used for generating the OAB is mounted.


When the offline address book is generated, Exchange verifies whether the Mailbox-Assistant is allowed to run the task. The SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c} system mailbox is a disabled user account in the users container of the forest root domain. Exchange uses the AuthZ engine of Windows for this task.

When you examine the network trace of what the server that's running Exchange Server is doing, you notice a failed Kerberos S4U request that resembles the following:


AuthZ tries to recover from this failure by querying the tokenGroupsGlobalAndUniversal attribute of the system mailbox, and then continuing to enumerate the Domain-Local groups. The LDAP session is encrypted. Therefore, you can't see the result in a network trace.

You see that the retrieval of the attribute succeeds when you trace the LDAP activity of the "MSExchangeMailboxAssistants.exe" process by using the following guidelines:

2221529 Event Tracing for LDAP in Windows Vista/2008

The next step is to retrieve the Domain-Local groups. AuthZ uses SAM RPC to retrieve these group memberships. When the program connects to the domain controller, you receive a failure notice that resembles the following:


This fails and returns the following message:


In the system event log of the domain controller, Event 16969 is logged, as follows:


If throttling is disabled, you see one 16965 event for each access-denial incident, together with the client information.