October 2 2013

Limiting RPC dynamic port allocation range

From time to time, you will need to limit (or ‘lock down’) the range of ports that are used for RPC – this might be to allow traffic through firewalls or for other reasons. In Windows Server 2008/Vista and later versions the default dynamic port range is 49152-65535. For Windows 2000, Windows XP and Windows Server 2003 the default range is 1025-5000.

There is a Microsoft article – http://support.microsoft.com/kb/154596 – which outlines how to do this with some registry value changes. For example, if I wanted to limit ports to between 8000 and 9000, the following adjustments would be made, followed by a restart:

reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v Ports /t REG_MULTI_SZ /f /d 8000-9000
reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v PortsInternetAvailable /t REG_SZ /f /d Y
reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v UseInternetPorts /t REG_SZ /f /d Y

After testing this on a Windows 2008 R2 Server and looking at Network Monitor traces, I found that the source port was still in the 49152-65535 range. After reading http://support.microsoft.com/kb/929851, I ran the following commands on both source and target servers, then restarted:

netsh int ipv4 set dynamicport tcp start=8000 num=1001
netsh int ipv4 set dynamicport udp start=8000 num=1001
netsh int ipv6 set dynamicport tcp start=8000 num=1001
netsh int ipv6 set dynamicport udp start=8000 num=1001

Looking at Network Monitor traces after making these final changes, I could see that the RPC dynamic port allocation range (both source and destination ports) was locked down to the specified ports.
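As an added example (not from the original post), the following PowerShell audit script reads the RPC\Internet registry values and the four netsh dynamic port ranges and flags any netsh range that is not contained in the registry range, which is the mismatch that caused the unexpected 49152-65535 source ports above. It assumes English-language netsh output and should be run in an elevated prompt on each server.

```powershell
# Added audit script (not from the original post). Assumes English netsh output
# and the registry values named in the article; run in an elevated PowerShell.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Get-RpcInternetRange {
    # Parse the Ports REG_MULTI_SZ ("8000-9000" or a single port per entry)
    $item = Get-ItemProperty -Path $rpcKey -ErrorAction SilentlyContinue
    if (-not $item -or -not $item.Ports) { return $null }
    $ranges = foreach ($entry in @($item.Ports)) {
        if ($entry -match '^\s*(\d+)\s*-\s*(\d+)\s*$') {
            [pscustomobject]@{ Start = [int]$matches[1]; End = [int]$matches[2] }
        } elseif ($entry -match '^\s*(\d+)\s*$') {
            [pscustomobject]@{ Start = [int]$matches[1]; End = [int]$matches[1] }
        }
    }
    [pscustomobject]@{
        Ranges  = @($ranges)
        Enabled = ($item.UseInternetPorts -eq 'Y' -and $item.PortsInternetAvailable -eq 'Y')
    }
}

function Get-NetshDynamicRange([string]$Family, [string]$Proto) {
    # Read "Start Port : N" and "Number of Ports : N" from netsh show dynamicport
    $out = netsh int $Family show dynamicport $Proto 2>&1 | Out-String
    if (-not ($out -match 'Start Port\s*:\s*(\d+)')) { return $null }
    $start = [int]$matches[1]
    if (-not ($out -match 'Number of Ports\s*:\s*(\d+)')) { return $null }
    [pscustomobject]@{ Family = $Family; Proto = $Proto; Start = $start; End = $start + [int]$matches[1] - 1 }
}

$rpc = Get-RpcInternetRange
if (-not $rpc) { Write-Warning 'RPC\Internet Ports not set; RPC uses the OS dynamic range' }
elseif (-not $rpc.Enabled) { Write-Warning 'Ports set but UseInternetPorts/PortsInternetAvailable are not Y' }
else { 'RPC\Internet ranges: ' + (($rpc.Ranges | ForEach-Object { "$($_.Start)-$($_.End)" }) -join ', ') }

foreach ($f in 'ipv4', 'ipv6') {
    foreach ($p in 'tcp', 'udp') {
        $n = Get-NetshDynamicRange $f $p
        if (-not $n) { Write-Warning "Could not read netsh dynamicport for $f/$p"; continue }
        $line = '{0}/{1}: {2}-{3}' -f $f, $p, $n.Start, $n.End
        if ($rpc -and $rpc.Enabled) {
            # Flag a netsh range that is not contained in any RPC\Internet range
            $covered = $rpc.Ranges | Where-Object { $n.Start -ge $_.Start -and $n.End -le $_.End }
            if (-not $covered) { $line += '   <-- outside the RPC\Internet range' }
        }
        $line
    }
}
```

A line marked "outside the RPC\Internet range" means a firewall rule written for the registry range would not cover what that protocol/family pair actually allocates.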


October 1 2013

Remote WMI queries fail due to Kerberos token size

This post may be helpful for someone else having trouble in this unique scenario. The relevant points are:

  • Server01 exists in AD Site01 and Site01 is in Country01.
  • Server02 exists in AD Site01 and Site01 is in Country01.
  • Server03 exists in AD Site02 and Site02 is in Country02.
  • WMI queries from Server01 to Server02 work fine.
  • WMI queries from Server01 to Server03 fail. All methods of WMI query fail – MMC, wbemtest, wmic and gwmi (PowerShell) – and the error message is either "RPC server is unavailable" or "Call was canceled by the message filter".
  • Other calls in the RPC dynamic port range worked fine – for example remote MMC and remote Event Viewer.
  • Network Monitor shows no communication problems; successful RPC communication is clearly visible.
  • Firewall (software and hardware) logs have been checked and traffic is flowing as expected.

To cut a very long story short, the problem was that the maximum allowed Kerberos token size wasn’t big enough on either the source or the destination server – after increasing MaxTokenSize to 65535 bytes (the maximum allowed) on both servers (plus a restart), remote WMI queries started to work.

Registry value to be updated on both servers (followed by a restart):

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v MaxTokenSize /t REG_DWORD /f /d 65535

More information on MaxTokenSize – http://support.microsoft.com/kb/327825/en-us.

Hopefully this helps someone out.


Category: Windows