The affected clients include Microsoft Outlook, Quest Migration Manager for Exchange, and BlackBerry Enterprise Server.
Note: Windows Server 2003 and earlier versions of Microsoft Windows operating systems do not exhibit this behavior. The change of behavior in Windows Server 2008 and later versions is intended to protect domain controllers against clients that open too many NSPI connections without then closing the connections. Too many connections such as these can result in resource depletion.
Note: The Outlook NSPI MAPI provider that is installed with Microsoft Outlook is intended for use only with Microsoft Outlook. External scripts and applications that rely on the Outlook NSPI MAPI provider are not supported.
How to modify the registry to allow for additional NSPI connections

Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
If more concurrent NSPI connections per user are legitimately required, you can change the default limit. To do this, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry subkey:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
- Right-click the Parameters key.
- In the popup menu, select New, and then click DWORD Value.
- Type NSPI max sessions per user, and then press Enter.
- Double-click NSPI max sessions per user, type the maximum number of the NSPI connections that you want to have, and then click OK.
Note: Although the upper limit of this setting is 0xffffffff (or 4294967295), a server configuration that has a value that is larger than the default value will consume additional memory (one new page per connection) on the server. If this value is set too high, and too many connections are created for each user application instance, the server will run low on memory or become completely unresponsive.
The lower default NSPI connection limit in Windows Server 2008 was based on customer experience in which previous operating systems would allow themselves to be overwhelmed by third-party products in what is essentially a denial of service attack.
You should use a common-sense approach to increasing the maximum session setting beyond the default value. For example, start by using decimal 250 (hex 0x000000FA), and then test to see the memory overhead that is created and whether the errors have stopped. Your long-term solution must be to contact the vendor of your NSPI product to ask them to change this behavior. A change in the registry value is only a workaround to provide error relief.
- Exit Registry Editor.
- Restart the computer or restart Active Directory Domain Services.
Alternatively, you can do this by running the following command in a Command Prompt window with administrator permissions:
reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters /v "NSPI max sessions per user" /t REG_DWORD /d 250 /f
Event ID: 2820
NSPI max connection limit for the user has reached. You need to do NSPI unbind on old connections before making new connections.
Additional Data
Max NSPI connections per user: %1
User: %2
The “User:” field contains the SID of the user. You can use a tool such as “psgetsid” to retrieve the logon name of the user.
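Before raising the limit, it helps to know which accounts are actually exhausting their NSPI sessions. The following PowerShell is an added example, not part of the original article: it summarizes Event ID 2820 per user, resolves each SID to an account name, and reports any configured override. It assumes the event is written to the 'Directory Service' log with insertion strings in the order shown above (%1 = limit, %2 = user SID); the 7-day window and the `Resolve-SidToName` helper are illustrative.

```powershell
# Added example: run on a domain controller in an elevated PowerShell session.
# Assumption: Event ID 2820 is in the 'Directory Service' log and its insertion
# strings follow the template above (%1 = limit, %2 = user SID).
$since = (Get-Date).AddDays(-7)   # constructed look-back window

# Hypothetical helper: translate a SID string to DOMAIN\user.
function Resolve-SidToName {
    param([string]$Sid)
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid   # deleted or unresolvable accounts: keep the raw value
    }
}

# Report the configured override, if any.
$key  = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
$name = 'NSPI max sessions per user'
$override = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $override) { 'No override set; the default limit is in effect.' }
else { "Configured '$name': $override" }

$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2820
    StartTime = $since
} -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    "No Event ID 2820 entries since $since."
    return
}

# One row per user: how often the limit was hit and when it last happened.
$events |
    Group-Object -Property { [string]$_.Properties[1].Value } |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Account  = Resolve-SidToName $_.Name
            Sid      = $_.Name
            Hits     = $_.Count
            Limit    = $_.Group[0].Properties[0].Value
            LastSeen = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
        }
    } | Format-Table -AutoSize
```

A single service account with a high hit count points to one application leaking NSPI binds, which is the case the article says should be fixed by the vendor rather than by a larger limit.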
A network capture of the failure may contain packets that resemble the following.
| ServerIP | ClientIP | NSPI | NspiBind response, Status: MAPI_E_LOGON_FAILED |