-
8/4/2019 Troubleshooting LAN or Network Problems Solutions
1/14
TROUBLESHOOTINGSERVERMESSAGEBLOCK
INBOUNDCONNECTIONLIMITINWINDOWS
PEER TO PEERWORKGROUP
-
8/4/2019 Troubleshooting LAN or Network Problems Solutions
2/14
TROUBLESHOOTINGSERVERMESSAGEBLOCK
INBOUNDCONNECTIONLIMITINWINDOWS
PEER TO PEERWORKGROUP
In a peer-to-peer workgroup, when you try to connect to thenetwork resources of a computer that is running any of the
products listed at the beginning of this article, you may receive
one of the following error messages:
Operating system error 71.
No more connections can be made to this remote
computer at this time because there are already asmany connections as the computer can accept.
--------------***-------------
System error 71 has occurred.
This remote computer has reached its connectionlimit, you cannot connect at this time.
--------------***-------------
This problem occurs when a computer reaches the maximum
number of host connections that are allowed. In this case, when a
NULL session connection is generated in the Microsoft Windows
2000 client, this NULL session connection is counted as one
session on the Microsoft Windows XP-based server. Therefore, the
error messages occur that are mentioned in this "Symptom"
section, even if the number of connections to computers do not
exceed the limit.
-
8/4/2019 Troubleshooting LAN or Network Problems Solutions
3/14
In addition, when multiple NULL sessions are generated from a
single Windows 2000 client computer, the multiple NULL sessions
are counted as multiple sessions. However, a NULL session
appears as a single session when you run the net session
command. In this case, when the Restrict Anonymous registryentry is set, and the NULL session connection is rejected, this
symptom still occurs.
Notes:
For Windows XP Professional-based computers, themaximum number of concurrent network connections that
are allowed is 10. This limit includes all transfer and allresource share protocols. For Windows XP Home Edition-
based computers, the maximum number of concurrent
network connections that are allowed is 5. This limit is the
number of sessions that can be hosted at the same time
from other computers. Therefore, we cannot use the
administrative tool usage to connect to the system from a
remote computer.
When multiple NULL sessions are connected from a singlecomputer, each one of them is counted.
Only one IPC$ can be checked by using the net sessioncommand. For example, when a single Windows 2000-basedcomputer tries to use multiple IPC$ sessions, only one singleIPC$ session can be used at a time.
Restrict Anonymous is not valid for this resolution.
-
8/4/2019 Troubleshooting LAN or Network Problems Solutions
4/14
CAUSE :
A Windows client workstation may have opened a pipe connection
to the named pipe...
A Windows client workstation may have opened a pipe connectionto the named pipe \PIPE\spoolss on either a print server or a
workstation that has a shared printer. This typically occurs when
you start a program (such as Microsoft Word) that queries
printers, or if you open the Printers folder in Control Panel. Printer
spooling on both the client and the server will open a handle
related to this connection.
A Remote Procedure Call (RPC) requires one named pipe instancefor every active RPC call (like Open Printer). If an Open Printer
call stops responding, RPC keeps open the named pipe
connection. RPC does not disconnect this connection until the
context handle (that is Open Printers) has been closed.
If both the following conditions are true, you may open an
anonymous connection (also known as null session connection)
that never closes to the named pipe \PIPE\spoolss on the
workstation that acts as the server in your peer to peer network:
Your client has connected a shared printer on the computerthat acts as a 'print server'.
You have set up a local shared printer on one or moreclients.
-
8/4/2019 Troubleshooting LAN or Network Problems Solutions
5/14
RESOLUTIONS :
Use one of the following methods to restrict null session
connections on your wo...
Use one of the following methods to restrict null session
connections on your workstation that is acting as a print server.The preferred method is the first one.
Method 1
Disable null session connections on the Windows computer that
exceeds its incoming connection limit and shows some additional
null session connections either by using the Group Policy GUI or
by setting a registry key.
Using the Group Policy User Interface(Local Security Policy MMC Snap-In)
____________________________________
Click Star t , point to Pr og r ams , point to Adm in i st r a t i ve Too ls ,
and then click Loca l Secur i t y Po l icy .
Note :If you cannot perform this step because Admin i s t r a t i ve Toolsdoes not appear in the Program list, click Sta r t , point to
Set t ings , point to Cont ro l Pane l , double-click Admin i s t r a t i ve
Tools, and then click Loca l Secur i t y Po l icy .
Note :In Windows XP, the Restrict Anonymous sub key can
have a value of0 or 1 . A value of 1 restricts null sessionconnections on Windows XP-based clients. For regulation of the
enumeration of SAM accounts, the following new registry sub key
has been added:
HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\ Lsa\
restrictanonymoussam
-
8/4/2019 Troubleshooting LAN or Network Problems Solutions
6/14
The policy is configurable via Local Security Settings under
Security Settings\ Local Policies\ Security Options\ Network Access: Do not
allow anonymous enumeration of SAM accounts.
1.In Secur i t y Se t t i ngs , double-click Local Pol ic ies, andthen click Secur i t y Op t ions .
2.Double-click Add i t i ona l r es t r i c t i ons f or anonym ous connec t ions , and then under Loca l po l icy se t t ing : , clickNo access w i t hou t exp l i ci t anonym ous pe r m iss ions .
3.Restart the computer.This policy restricts null session connections.
Using Registry Editor
Important :This section, method, or task contains steps that
tell you how to modify the registry. However, serious problemsmight occur if you modify the registry incorrectly. Therefore,
make sure that you follow these steps carefully. For added
protection, back up the registry before you modify it. Then, you
can restore the registry if a problem occurs. For more information
about how to back up and restore the registry, click the following
article number to view the article in the Microsoft Knowledge
Base:
322756 (http:/ / support.microsoft.com/ kb/ 322756/ ) How to back up and restore
the registry in Window s
-
8/4/2019 Troubleshooting LAN or Network Problems Solutions
7/14
To restrict null session connections (or disable null session
access):
1.Start Regis t r y Ed i t o r .2.Locate, and then click the following key in the registry:
HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\ LSA
3.On theEditmenu, click Add Va lue , and then add thefollowing registry value:
Value Name: RestrictAnonymous
Data Type: REG_DWORD
Value: 2
Default: 0
A value of2 restricts nu l l session connections.
To set the Rest r i ct Anonym ous value, change the registry key
to 0 or 1 for Windows NT 4.0 or to 0, 1 , or 2for Windows 2000.
These numbers correspond to the following settings:
0 None. Rely on default permissions. 1 Do not allow enumeration of SAM accounts and
names.
2 No access without explicit anonymous permissions4.Restart the computer.
____________________________________
-
8/4/2019 Troubleshooting LAN or Network Problems Solutions
8/14
Method 2
Use the following method to avoid null session connections that
have a high session idle time and that have opened a handle to
the named pipe \PIPE\spoolss.
Remove Printer Share on Clients
Identify clients that have local printer shares enabled (see the
"More Information" section for additional information) and
remove all local printer shares on these computers:
1.Open the Pr in te r s folder to verify whether you haveshared a local printer.
2.Open the Proper t ies window of the shared printer, andthen click Shar ing .
3.Click to select the Not Shared option.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft
products that ar...
Microsoft has confirmed that this is a problem in the Microsoft
products that are listed in the "Applies to" section.
-
8/4/2019 Troubleshooting LAN or Network Problems Solutions
9/14
MORE INFORMATION
Computers that run Windows NT Workstation 4.0, Windows 2000
Professional, and Wi...
Computers that run Windows NT Workstation 4.0, Windows 2000
Professional, and Windows XP Professional are licensed for amaximum of 10 concurrent client incoming sessions.Computers that run Windows XP Home Edition are licensed for a
maximum of 5 concurrent client incoming sessions. All logical
drive, logical printer, and transport level connections combined
from a single computer are one session.
If the server service already has the maximum number of open
sessions and one more user tries to allocate a resource, thecomputer returns the error messages that are described in the
"Symptoms" section of this article.
Typically a computer does not have multiple sessions to another
computer. But there are exceptions. For example, computer A is
running a service under another user context than the logged-on
user, and that service creates a logical connection to computer B.
The logical connection can result from file shares, printers, serial
ports, and also from communication between computers using
named pipes and mail slots.
Use the following commands to get information about sessions
and open files and shared resources.
-
8/4/2019 Troubleshooting LAN or Network Problems Solutions
10/14
Information About Active Sessions on theComputer That Is Running the Server Service
To receive information about active sessions on the computer
that is running the server service, type the following command:
net session
Count the number of open sessions to see if the session limit of
10, or 5 in the case of Windows XP Home Edition, is already
reached. Typically there is only one session per remote client.
If there is more than one session from a remote client, view theUser name context on the remote client that has set up more
than one session:
View all the services that are running, and find out if oneis running under the user context of the username shown
in the session table.
Look for scheduled tasks that are running in a logon scriptand are using a different user account then the one
logging in.
Look for rows where the User nam ecolumn is empty andexamine the idle time.
A session that has an empty user context is anu l l sess ion .
Temporary null sessions are usually caused by IPC$ connections
as the first step in establishing a connection. They stay active for
30 seconds to 90 seconds.
Note : To disconnect client computer sessions, use thefollowing command:
net session / delete \ \ computername
-
8/4/2019 Troubleshooting LAN or Network Problems Solutions
11/14
This command disconnects all sessions from that computer and
closes all open files. This command may cause data loss if open
files that have not been saved are closed.
Information About Open Files
To receive information about open files, on the computer that is
running the server service, type the following command:
net files
If you have seen permanent null user sessions in the session
table, determine which file or pipe the null user is using.
Information About NetBIOS Connection Table
To see a listing of incoming and outgoing connections and the
amount of traffic carried on these connections, type the
command:
nbtstat s
-
8/4/2019 Troubleshooting LAN or Network Problems Solutions
12/14
Information About Shared Resources
To see file shares, hidden administrative shares and shared
printers, type the following command:
net share
You may have to perform further troubleshooting to determine
the causes for multiple client sessions.
Use Network Monitor to find out which component initiates an
additional session and what security context is used for the
Server Message Block (SMB) session. To filter the traffic that
printer spooling causes, use the R_WINSPOOL parser in NetworkMonitor. If a Windows-based computer looks for computers that
are acting as a Print Queue Server, it uses NetShareEnum
transactions through the RemAPI protocol (also known as the
Microsoft Windows Lanman Remote API Protocol). By default,
when you use a NetShareEnum transaction, you require only
anonymous access to make NetServerEnum2 and
NetServerEnum3 requests. By default, Windows operating
systems have anonymous access enabled.
-
8/4/2019 Troubleshooting LAN or Network Problems Solutions
13/14
For more information, click the follow ingarticle number to view the article in theMicrosoft Knowledge Base:
122920 (http:/ / support.microsoft.com/ kb/ 122920/ ) Inbound connections limit in Windows
132679 (http:/ / support.microsoft.com/ kb/ 132679/ ) Local System account and null sessions in
Windows NT
143474 (http:/ / support.microsoft.com/ kb/ 143474/ ) Restricting information available to anonymous
logon users
149522 (http:/ / support.microsoft.com/ kb/ 149522/ ) System Error 71 and License Manager
154541 (http:/ / support.microsoft.com/ kb/ 154541/ ) Clients open many \ Pipe\ Spoolss connections
to WinNT print server
156431 (http:/ / support.microsoft.com/ kb/ 156431/ ) Error 71 when using NT Server from MSDN
Select CD
179483 (http:/ / support.microsoft.com/ kb/ 179483/ ) "No more connections can be made at this
time" error message
191611 (http:/ / support.microsoft.com/ kb/ 191611/ ) Symptoms of multihomed browsers
246261 (http:/ / support.microsoft.com/ kb/ 246261/ ) How to use the RestrictAnonymous registry
value in Window s 2000
289655 (http:/ / support.microsoft.com/ kb/ 289655/ ) How to enable null session shares on a
Window s 2000-based computer
302099 (http:/ / support.microsoft.com/ kb/ 302099/ ) Windows 2000 clients use multiple connections
when mapping drives to a single server
314882 (http:/ / support.microsoft.com/ kb/ 314882/ ) Inbound connections limit in Windows XP
-
8/4/2019 Troubleshooting LAN or Network Problems Solutions
14/14