Installing BizTalk Server 2010 in a Basic Multi-Computer Environment: General network TCP settings that can impact BizTalk Server (Part 8)

Posted: February 9, 2012  |  Categories: Administration Advance Configurations BizTalk

This part of the article will focus on configuring TCP setting on BizTalk Server and the SQL server machines that can impact BizTalk Server and that can prevent from occurring general network errors.

When I was analyzing my BizTalk environment with BizTalk Server Best Practice Analyser tool, has appeared a warning that caught my attention:

Privilege Attribute Certificate (PAC) Signature Validation is Enabled on Server BTS2010LAB01.
On server BTS2010LAB01, Privilege Attribute Certificate (PAC) signature is enabled, which may cause some user-authentication delay

And led me to go deeper in trying to see what was causing this strange issue and I found a number of TCP settings that needs to be done (or is recommended) which can also prevent from occurring general network errors on BizTalk Server Environments.

In the scenario described in this series of articles we should apply the following TCP/IP settings:

  • Disable the Scalable Networking Pack (SNP) features
    • This needs to be done on the BizTalk Server and the SQL Server
  • Disable Privilege Attribute Certificate (PAC)
    • This needs to be done on the BizTalk Server and the SQL Server
  • Check and if necessary increase the ephemeral ports and reduce the TCP re-use timeout setting
    • This needs to be done only on the BizTalk Server

How to Disable the Scalable Networking Pack (SNP) features

Scalable Networking Pack (SNP) be used, under specific circumstances, to improve network performance, however, most environments do not have SNP capable network adapters/drivers. This can result in unexpected network problem which is why it is recommended to disable SNP unless a server can benefit from it.

To disable SNP features we need to:

  • Disable TCP Chimney Offload in the operating system
    • Use administrative credentials to open a command prompt.
    • At the command prompt, type the following command, and then press ENTER:
    • netsh int tcp set global chimney=disabled
  • Disable RSS in the operating system
    • Use administrative credentials to open a command prompt.
    • At the command prompt, type the following command, and then press ENTER:
      • netsh int tcp set global rss=disabled
  • Disable NetDMA in the operating system
    • Click Start, click Run, type Regedit, and then click OK.
    • Locate the following registry subkey, and then click it:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • Double-click the EnableTCPA registry entry.
      • Note: If this registry entry does not exist, right-click Parameters, point to New, click DWORD Value, type EnableTCPA, and then press ENTER.
    • To disable NetDMA, type 0 in the Value data box, and then click OK.

To determine the current status of SNP features, follow these steps:

  • Use administrative credentials to open a command prompt.
  • At the command prompt, type the following command, and then press ENTER:
    • netsh int tcp show global

Note: you need to restart the computer first.

How to Disable Privilege Attribute Certificate (PAC)

The Privilege Attribute Certificate (PAC) is a function invoked within the Windows security system when you log on to a system utilizing Kerberos. It is a network authentication protocol.

The Kerberos Privilege Attribute Certificate (PAC) contains all of the group memberships for the security principal requesting access to a resource. PAC validation means a more secure environment so why should be disabled?

When you run a high-volume server program on a domain member that uses Kerberos to authenticate users, you experience a delay in the user authentication process. Additionally, you notice an increase in the remote procedure call (RPC) traffic between the domain controller that uses the Net Logon RPC interface and the server. This problem occurs because the Kerberos client verifies the Privilege Attribute Certificate (PAC) signature in the Kerberos ticket by using the domain controller. The Kerberos client performs this verification to prevent PAC spoofing. The increased network traffic is generated by the RPC requests that are part of this verification process.

To disable PAC we need to:

  • Click Start, click Run, type Regedit, and then click OK.
  • Locate the following registry subkey, and then click it:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  • Add the following registry entry
    • Right-click Parameters, point to New, click DWORD Value, type ValidateKdcPacSignature, and then press ENTER.
  • To disable PAC, double-click the ValidateKdcPacSignature registry entry and type 0 in the Value data box, and then click OK

How to Check and if necessary increase the ephemeral ports and reduce the TCP re-use timeout setting

When a client initiates a TCP/IP socket connection to a server, the client typically connects to a specific port on the server and requests that the server responds to the client over an ephemeral, or short-lived, TCP or UDP port.

Under certain conditions, it is possible that the available ports in the default range will be exhausted. If this occurs the following symptoms may be observed:

  • Client applications may fail to connect to the BizTalk Server.
  • The BizTalk Application service may fail to connect to a remote SQL Server.
  • BizTalk Server adapters may fail to connect to a remote server.

To verify that one or more client applications are not generating excessive TCP/IP socket connections perform the following on the BizTalk servers in the group:

  • From a command prompt window execute “netstat -ano -p tcp”.
  • Count the number of unique Local Address TCP ports open above 1024 for each IP address.

If less than 3000 ephemeral ports are currently in use then it’s fine. (Original source: Recommended Platform Configuration for BizTalk Server by Abdul Rafay)

You can check or modify these settings at the HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key. The recommended values are:

  • Registry name: MaxUserPort
    • Value: 0xFFFE (65534)
    • Comment: Prevents port exhaustion
  • Registry name: TcpTimedWaitDelay
    • Value: 0x1E (30)
    • Comment: Release unused ports as quickly as possible

Or you can view the dynamic port range by using the following netsh commands:

  • netsh int ipv4 show dynamicport tcp
  • netsh int ipv4 show dynamicport udp

On all BizTalk servers running on Windows Server 2008, Microsoft recommends not modifying the dynamic port range. However, if you determine that additional dynamic ports are needed you can also use netsh command to modify these settings, as follows:

  • netsh int <ipv4|ipv6> set dynamic <tcp|udp> start=number num=range

This command sets the dynamic port range for TCP. The start port is a number, and the total number of ports is a range. Example:

  • netsh int ipv4 set dynamicport tcp start=10000 num=1000

These sample commands set the dynamic port range to start at port 10000 and to end at port 11000 (1000 ports).

Important notes:

  • The minimum range of ports that can be set is 255.
  • The minimum starting port that can be set is 1025.
  • The maximum end port (based on the range being configured) cannot exceed 65535.

See Microsoft Help and Support

In the end, you should restart BizTalk and SQL Servers.

Other sources TCP settings that can impact BizTalk Server

Related Links

Author: Sandro Pereira

Sandro Pereira lives in Portugal and works as a consultant at DevScope. In the past years, he has been working on implementing Integration scenarios both on-premises and cloud for various clients, each with different scenarios from a technical point of view, size, and criticality, using Microsoft Azure, Microsoft BizTalk Server and different technologies like AS2, EDI, RosettaNet, SAP, TIBCO etc. He is a regular blogger, international speaker, and technical reviewer of several BizTalk books all focused on Integration. He is also the author of the book “BizTalk Mapping Patterns & Best Practices”. He has been awarded MVP since 2011 for his contributions to the integration community.

Leave a Reply

Your email address will not be published.

BizTalk360
BizTalk Server

Over 650+ customers across
30+ countries depend on BizTalk360

Learn More
Serverless360
Azure

Operate efficiently with enterprise-grade Azure monitoring,
tracing, remediation & governance in one platform

Learn More

Back to Top