
12.1.6. Enabling XA Transactions on Windows XP SP2 and Windows Server 2003

In Windows 2000, the MSDTC runs as LocalSystem, a special account that is granted all possible privileges on the local computer on which it resides. However, if someone compromises the DTC or any other service running under LocalSystem, that person then has full Administrator access to the computer. To avoid this potential security problem, starting with Windows XP SP2 and Windows Server 2003, Microsoft changed the account under which the MSDTC service runs to "NT AUTHORITY\NetworkService". A service running as NetworkService has the same network access as a service running as System (i.e. the operating system), but has significantly reduced local access. (NetworkService services access local resources as members of the local Users group.) Microsoft also introduced other MSDTC security enhancements. As a result, to enable XA transactions in these environments, some additional steps are needed after installing OpenLink XA/MSDTC enabled drivers.

(If you are using the distributed transactions support in COM+/Enterprise Services components with OpenLink drivers, you must enable XA transactions.)

1) Enable XA transactions

To turn on support for XA transactions, follow these steps:

  1. Open Component Services.

  2. Expand the tree view to locate the computer where you want to turn on support for XA transactions (for example, My Computer).

  3. Right-click the computer name, and then click Properties.

  4. Click the MSDTC tab, and then click Security Configuration.

  5. Under Security Settings, click to select the check box for XA Transactions to turn on this support.

2) Identify in the registry the XA DLLs you plan to use

Windows Server 2003 and XP SP2 provide a registry entry for specifying the XA DLLs that the MSDTC can use. For each XA enabled OpenLink ODBC driver you plan to use, you must create a registry named-value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\XADLL. In your registry named-value, Name is the file name of the XA DLL (in the format dllname.dll), Type is String (REG_SZ), and the value is the full path name (including the file name) of the DLL file.

e.g.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\XADLL]
Name: ntl6o10zu.dll
Type: REG_SZ
Data: C:\program files\openlink\bin\ntl6o10zu.dll

3) Allow the NetworkService account access to the folder containing the XA DLL

Since NetworkService is a very restricted account, you need to give this account access to the folder where the XA DLL is located, for instance by modifying the access control list (ACL) for the folder. The ACL for an object is generally found on the Security tab of the object's property sheet.

4) Ensure the system PATH includes the folders of any DLLs loaded by the XA DLL

The MSDTC must be able to locate any DLLs on which the XA DLL depends. The folders containing these DLLs must be included in the global PATH environment variable. (The required DLLs and their paths can be identified easily with Dependency Walker after enabling the 'Full Paths' option on the 'View' menu.) Correct the path using Control Panel, System Properties, Environment Variables, System Variables, Path. A reboot may be necessary for the change to take effect.

In Windows versions supporting the XADLL registry entry, it is not necessary to include the location of the XA DLL itself in the system PATH, as the registry entry includes the DLL's full path. In all earlier versions of Windows, the system PATH must include the XA DLL's location.
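Steps 2 and 3 above can also be scripted. The following Windows PowerShell script is an added example, not part of the OpenLink documentation; it assumes Windows PowerShell is installed, an administrative session, and the sample DLL path from step 2. It grants NetworkService read and execute rights only, then checks every registered XA DLL.

```powershell
# Added example: script steps 2 and 3 for one XA DLL, then check the result.
# Assumptions: administrative Windows PowerShell session; $XaDll is the sample path from step 2.
$XaDll = 'C:\program files\openlink\bin\ntl6o10zu.dll'
$XaKey = 'HKLM:\SOFTWARE\Microsoft\MSDTC\XADLL'
if (-not (Test-Path $XaDll)) { throw "XA DLL not found: $XaDll" }

# Step 2: value name = DLL file name, type = REG_SZ, data = full path to the DLL.
if (-not (Test-Path $XaKey)) { New-Item -Path $XaKey -Force | Out-Null }
New-ItemProperty -Path $XaKey -Name (Split-Path $XaDll -Leaf) `
    -PropertyType String -Value $XaDll -Force | Out-Null

# Step 3: give NetworkService read/execute (not write) on the DLL folder.
# The well-known SID S-1-5-20 avoids depending on the localized account name.
$folder = Split-Path $XaDll -Parent
$netSvc = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'
$rule   = New-Object System.Security.AccessControl.FileSystemAccessRule(
              $netSvc, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check: every registered XA DLL exists, and no low-privileged account holds
# explicit file write rights on the folder MSDTC loads it from.
# SIDs: NetworkService, Users, Authenticated Users, Everyone.
$lowPriv = 'S-1-5-20', 'S-1-5-32-545', 'S-1-5-11', 'S-1-1-0'
$write   = [int][System.Security.AccessControl.FileSystemRights]::Write
$entries = Get-ItemProperty -Path $XaKey
foreach ($p in $entries.PSObject.Properties | Where-Object { $_.Name -like '*.dll' }) {
    if (-not (Test-Path $p.Value)) {
        Write-Warning "$($p.Name): missing file $($p.Value)"
        continue
    }
    $dir = Split-Path $p.Value -Parent
    (Get-Acl $dir).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $lowPriv -contains $_.IdentityReference.Value -and
                       (([int]$_.FileSystemRights -band $write) -ne 0) } |
        ForEach-Object { Write-Warning "$dir is writable by $($_.IdentityReference.Value)" }
}
```

A warning means a registered DLL is missing or its folder can be modified by an account that only needs to read it.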

Useful Links

Florin Lazar's Weblog - MSDTC Posts

Microsoft Windows XP Professional Resource Kit Documentation (See Part III Security, Chapter 16 Authorization and Access Control)