Installing BizTalk Server 2010 in a Basic Multi-Computer Environment: General network TCP settings that can impact BizTalk Server (Part 8)

Posted: February 9, 2012 in BizTalk
Tags: , ,

This part of the article will focus on configuring TCP setting on BizTalk server and the SQL server machines that can impact BizTalk Server and that can prevent from occurring general network errors.

When I was analyzing my BizTalk environment with BizTalk Server Best Practice Analyser tool, has appeared a warning that caught my attention:

Privilege Attribute Certificate (PAC) Signature Validation is Enabled on Server BTS2010LAB01.
On server BTS2010LAB01, Privilege Attribute Certificate (PAC) signature is enabled, which may cause some user-authentication delay

And led me to go deeper in trying to see what was causing this strange issue and I found a number of TCP settings that needs to be done (or is recommended) which can also prevent from occurring general network errors on BizTalk Server Environments.

In the scenario described in this series of articles we should apply the following TCP/IP settings:

  • Disable the Scalable Networking Pack (SNP) features
    • This needs to be done on the BizTalk Server and the SQL Server
  • Disable Privilege Attribute Certificate (PAC)
    • This needs to be done on the BizTalk Server and the SQL Server
  • Check and if necessary increase the ephemeral ports and reduce the TCP re-use timeout setting
    • This needs to be done only on the BizTalk Server
How to Disable the Scalable Networking Pack (SNP) features

Scalable Networking Pack (SNP) be used, under specific circumstances, to improve network performance, however, most environments do not have SNP capable network adapters/drivers. This can result in unexpected network problem which is why it is recommended to disable SNP unless a server can benefit from it.

To disable SNP features we need to:

  • Disable TCP Chimney Offload in the operating system
    • Use administrative credentials to open a command prompt.
    • At the command prompt, type the following command, and then press ENTER:
    • netsh int tcp set global chimney=disabled
  • Disable RSS in the operating system
    • Use administrative credentials to open a command prompt.
    • At the command prompt, type the following command, and then press ENTER:
      • netsh int tcp set global rss=disabled
  • Disable NetDMA in the operating system
    • Click Start, click Run, type regedit, and then click OK.
    • Locate the following registry subkey, and then click it:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • Double-click the EnableTCPA registry entry.
      • Note: If this registry entry does not exist, right-click Parameters, point to New, click DWORD Value, type EnableTCPA, and then press ENTER.
    • To disable NetDMA, type 0 in the Value data box, and then click OK.

To determine the current status of SNP features, follow these steps:

  • Use administrative credentials to open a command prompt.
  • At the command prompt, type the following command, and then press ENTER:
    • netsh int tcp show global

Note: you need to restart the computer first.

How to Disable Privilege Attribute Certificate (PAC)

The Privilege Attribute Certificate (PAC) is a function invoked within the Windows security system when you log on to a system utilizing Kerberos. It is a network authentication protocol.

The Kerberos Privilege Attribute Certificate (PAC) contains all of the group memberships for the security principal requesting access to a resource. PAC validation means a more secure environment so why should be disabled?

When you run a high-volume server program on a domain member that uses Kerberos to authenticate users, you experience a delay in the user-authentication process. Additionally, you notice an increase in the remote procedure call (RPC) traffic between the domain controller that uses the Net Logon RPC interface and the server. This problem occurs because the Kerberos client verifies the Privilege Attribute Certificate (PAC) signature in the Kerberos ticket by using the domain controller. The Kerberos client performs this verification to prevent PAC spoofing. The increased network traffic is generated by the RPC requests that are part of this verification process.

To disable PAC we need to:

  • Click Start, click Run, type regedit, and then click OK.
  • Locate the following registry subkey, and then click it:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  • Add the following registry entry
    • Right-click Parameters, point to New, click DWORD Value, type ValidateKdcPacSignature, and then press ENTER.
  • To disable PAC, double-click the ValidateKdcPacSignature registry entry and type 0 in the Value data box, and then click OK
How to Check and if necessary increase the ephemeral ports and reduce the TCP re-use timeout setting

When a client initiates a TCP/IP socket connection to a server, the client typically connects to a specific port on the server and requests that the server responds to the client over an ephemeral, or short lived, TCP or UDP port.

Under certain conditions it is possible that the available ports in the default range will be exhausted. If this occurs the following symptoms may be observed:

  • Client applications may fail to connect to the BizTalk Server.
  • The BizTalk Application service may fail to connect to a remote SQL Server.
  • BizTalk Server adapters may fail to connect to a remote server.

To verify that one or more client applications are not generating excessive TCP/IP socket connections perform the following on the BizTalk servers in the group:

  • From a command prompt window execute “netstat -ano -p tcp”.
  • Count the number of unique Local Address TCP ports open above 1024 for each IP address.

If less than 3000 ephemeral ports are currently in use then it’s fine. (Original source: Recommended Platform Configuration for BizTalk Server by Abdul Rafay)

You can check or modify these settings at the HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key. The recommended values are:

  • Registry name: MaxUserPort
    • Value: 0xFFFE (65534)
    • Comment: Prevents port exhaustion
  • Registry name: TcpTimedWaitDelay
    • Value: 0x1E (30)
    • Comment: Release unused ports as quickly as possible

Or you can view the dynamic port range by using the following netsh commands:

  • netsh int ipv4 show dynamicport tcp
  • netsh int ipv4 show dynamicport udp

On all BizTalk servers running on Windows Server 2008, Microsoft recommend not modifying the dynamic port range. However, if you determine that additional dynamic ports are needed you can also use netsh command to modify these settings, as follows:

  • netsh int <ipv4|ipv6> set dynamic <tcp|udp> start=number num=range

This command sets the dynamic port range for TCP. The start port is number, and the total number of ports is range. Example:

  • netsh int ipv4 set dynamicport tcp start=10000 num=1000

These sample commands set the dynamic port range to start at port 10000 and to end at port 11000 (1000 ports).

Important notes:

  • The minimum range of ports that can be set is 255.
  • The minimum starting port that can be set is 1025.
  • The maximum end port (based on the range being configured) cannot exceed 65535.

See Microsoft Help and Support

 

At the end you should restart BizTalk and SQL Servers.

Other sources TCP settings that can impact BizTalk Server

Related Links

Tags: BizTalk 2010 | Installation | Configuration

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s