Monday, November 29, 2010

Of event id 7023 and Microsoft patch strategy.

Have you ever had an issue with Internet Authentication Service (IAS) failing with event id 7023? This event is somewhat a very good occasion to understand how things work at Redmond. The problem with Microsoft is that quite often installing a patch means that you are soon going to have some unforeseen issues just like when replacing the corner stone of an old pyramid. At least this is what I learnt today when I applied security updates to one of my  good old Windows Domain Controllers. 

Let's start from...
the beginning. I have IAS, which is Microsoft's implementation of RADIUS, running on DC so that our end-users authenticate directly against our Active Directory.

IAS uses port 1812 for authentication and port 1813 for accounting. These are RADIUS standard ports defined in RFCs 2865 and 2866.

Today, after installing MS08-037, which is a security update designed to prevent DNS spoofing, the IAS Service failed to start, with the following event logged in the system event log:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 28/11/2010
Time: 6:00:01 AM
User: N/A
Computer: DC-SERVER-IAS
Description: The Internet Authentication Service Service terminated with the following error: Only one usage of each socket address (protocol/network address/port) is normally permitted.


The root cause for this is that this brilliant update changes the way the DNS server allocates the UDP source port for DNS queries without taking care of other services listening on these ports. Microsoft DNS against Microsoft IAS, I daresay...

I first tried to run a netstat -ab, and my Domain Controller displayed 2500 UDP ports as reserved for the dns.exe process. 2500 is by default the size of the socket pool on Windows-based servers after upplying this patch.


In the past, DNS server was designed to listen only on the historically famous TCP port 53 and UDP port 53. They were so well know to represent a sitting duck for attackers. So once you apply security update 953230 on your DNS server, you will find that it allocates 2500 dynamic UDP ports, which makes them hard to guess.

The downside of this is that when the DNS service starts up, a port conflict will occur if the DNS server allocates a port that is required by another service and that service will fail once it requests that static UDP port. This is where you will get the event id 7023.

So, what about the solution? Well, it's easy. The ReservedPorts key in the Windows registry has to be used to exclude ports from the pool the DNS server will put in place. Microsoft should have thought of it, but unfortunately it did not, so sysadmins, it is up to you to do it. Open HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ReservedPorts and add these ports to your reserved range:

  • 1645-1646 - for IAS - Internet Authentication Service
  • 1812-1813 - still for IAS - Internet Authentication Service


Once you modify the ReservedPorts key, just reboot the server to make the change effective.

Hope this helps!

No comments:

Post a Comment

Related Posts Plugin for WordPress, Blogger...