You may encounter an issue with servers running both the DNS and IAS services after installing update MS08-037 (Vulnerabilities in DNS could allow spoofing – 953230). The IAS service fails to start, and any authentication that relies on IAS (such as VPN logons) fails with it.

When connecting to the IAS server with the IAS management console the following errors may appear:

An error occurred while trying to make a connection to the datastore

There was an error getting connection to the data store. The handle is invalid.

Event ID 7023 will appear in the System event log of the IAS server.


Event Type:    Error
Event Source:    Service Control Manager
Event Category:    None
Event ID:    7023
Date:        28/01/2009
Time:        9:15:17 AM
User:        N/A
Computer:    SERVER
Description:

The Internet Authentication Service service terminated with the following error:

Only one usage of each socket address (protocol/network address/port) is normally permitted.

The cause of the issue is explained in KB956188:


You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037)

This issue occurs because the service cannot obtain the port that it requires to function correctly. This issue occurs because of changes to the port allocation in the DNS Service after security update 953230 is installed.


The solution is to reserve the IAS ports out of the ephemeral port range so that the DNS Server service can no longer dynamically allocate those ports to itself. To determine which ports IAS is using, open the IAS management console, right-click the server name and select Properties.

[Screenshot: IAS server Properties dialog]

Navigate to the Ports tab and note the port numbers in use.

[Screenshot: IAS server Properties, Ports tab]

Follow the instructions in KB812873 (How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003) and enter the ports noted above in the registry value, like this.

[Screenshot: reserved ports registry value]

The server must be restarted for the change to take effect. After the restart the DNS Server service will no longer allocate the IAS ports to itself, and IAS will start properly.
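The check and the reservation step above can be scripted. The following PowerShell is an added example, not code from the original post or from KB812873: it first reports which process currently owns each IAS UDP port (so you can confirm dns.exe is the culprit before touching the registry), then merges the ports into the Tcpip ReservedPorts value that KB812873 describes. It assumes IAS is on its default RADIUS ports (1812, 1813, 1645, 1646); replace that list with the ports shown on your Ports tab.

```powershell
# Added example (not from the original post). Run in an elevated session on the
# IAS/DNS server. A reboot is still required after the registry change.
# ASSUMPTION: IAS uses its default ports; substitute the values from the Ports tab.
$iasPorts = @(1812, 1813, 1645, 1646)
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# 1. Detection: which process is bound to each IAS UDP port right now?
#    netstat -ano lines look like:  UDP  0.0.0.0:1812  *:*  <PID>
$dnsPids = @((Get-Process -Name dns -ErrorAction SilentlyContinue).Id)
foreach ($line in (netstat -ano -p UDP | Select-String ':\d+\s')) {
    $fields = ($line.ToString().Trim()) -split '\s+'   # Proto, Local, Foreign, PID
    $port   = [int](($fields[1] -split ':')[-1])
    if ($iasPorts -contains $port) {
        $pid   = [int]$fields[-1]
        $owner = if ($dnsPids -contains $pid) { "dns.exe (PID $pid) - conflict" } else { "PID $pid" }
        Write-Host "UDP $port is currently bound by $owner"
    }
}

# 2. Mitigation: add each IAS port to ReservedPorts (REG_MULTI_SZ, one "start-end"
#    entry per line; a single port is written as "1812-1812", as KB812873 shows).
$existing = @()
$current  = Get-ItemProperty -Path $regPath -Name ReservedPorts -ErrorAction SilentlyContinue
if ($current) { $existing = @($current.ReservedPorts) }

$needed = @($iasPorts | Sort-Object -Unique | ForEach-Object { "$_-$_" })
$toAdd  = @($needed | Where-Object { $existing -notcontains $_ })

if ($toAdd.Count -eq 0) {
    Write-Host 'All IAS ports are already reserved; nothing to change.'
} else {
    $merged = @($existing + $toAdd)
    Set-ItemProperty -Path $regPath -Name ReservedPorts -Value $merged -Type MultiString
    Write-Host "Reserved $($toAdd -join ', '). Restart the server for the change to take effect."
}
```

After the reboot, rerun only the detection loop: each IAS port should now be reported as bound by the IAS process rather than dns.exe.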

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Dirk

    Thank you. Thank you. Thank you.
