----------------------------------------------------------------------
ELOQUENCE B.07.00 - patch 0412281
----------------------------------------------------------------------

This patch adds enhancements or fixes defects of the eloqsd program
as released with Eloquence B.07.00.

This patch will be integrated in the Eloquence B.07.00 release.
Eloquence B.07.00 must be installed before applying this patch.


Severity:

PE70-0412281: ENHANCEMENT


Superseded patches:

PE70-0409300: BUG FIX


Patch PE70-0412281
------------------

Platforms: All

 * Add support for new license option.

Platforms: Windows XP/2000/NT

 * Introduced the [Config] AuthPolicy=user item in the eloqsd.cfg
   configuration file. This allows all eloqcore processes to run as
   the same Windows user account.

   The default AuthPolicy=server configuration performs a user logon
   for each eloqsd connection and runs the associated processes with
   the permission of the user. This allows separate permissions for
   each session and is preferable in most cases for security reasons.
   However, the maximum number of concurrent eloqsd connections is
   limited by the Windows desktop heap. For details, please refer to
   the PE70-0409300 patch description below.

   With AuthPolicy=user, the connected user is validated using the
   configured user name and password in the userFile (eloqsd.user by
   default). However, after this validation, the user is not logged
   on to Windows. Instead, all actions (for example launching an
   eloqcore process) are performed using the permissions of the
   eloqsd process. As this implies less overhead than a real user
   logon, a higher number of concurrent connections is possible
   without having to adjust the size of the Windows desktop heap.

   AuthPolicy=user requires the eloqsd process to run as an account
   different from the default SYSTEM account. The necessary
   configuration steps are:

   1) Open the Services applet from the Computer Management console
      in the Windows Control Panel.

   2) Select the eloqsd entry in the list.
      Open the Properties dialog either from the menu or using the
      context menu (right mouse button). Select the Log On tab on top
      of the Properties dialog.

   3) Configure an appropriate account to run the eloqsd. This
      account should have the necessary privileges to access all
      resources your application requires.

   Please note: When using AuthPolicy=user, the configured users must
   have a password assigned in the userFile (eloqsd.user by default)
   to successfully connect to the eloqsd.

 * Introduced the [Config] LogonType item in the eloqsd.cfg
   configuration file. This is used with AuthPolicy=server to specify
   how a user is logged on to Windows:

   interactive - This mode grants access to all resources the same
                 user would have when logging on interactively. It
                 has the fewest side effects and therefore is now the
                 default.

                 Unless this is used on a Windows Domain Controller,
                 this mode does not require any additional user
                 rights. However, on a Windows Domain Controller,
                 interactive access is denied to non-administrative
                 accounts by default. To overcome this, the "allow
                 log on locally" user right must be granted (see
                 below).

   batch       - This is the mode which was used in previous eloqsd
                 versions. It uses the "batch" logon type which is
                 meant for background processes. However, in recent
                 Windows versions a "batch" process is restricted so
                 that this mode may not be appropriate anymore.

                 It requires the "log on as a batch job" user right
                 to be granted (see below).

   The new default is "interactive". To retain the previous behavior,
   LogonType=batch must be configured manually.

   To grant either the "allow log on locally" or "log on as a batch
   job" user right, the following configuration steps are required:

   1) [optional, recommended] Create a dedicated group for all eloqsd
      accounts (i.e. the accounts configured with UID in the userFile
      (eloqsd.user by default)). This will simplify the
      configuration. It also allows access to common directories to
      be granted to all eloqsd accounts (e.g.
      a common program file directory).

   2) Open the Local Security Policy editor from the Computer
      Management console in the Windows Control Panel.

      Please note: On a Windows Domain Controller, instead open the
      Domain Controller Security Policy editor (not the similarly
      named Domain Security Policy editor!).

   3) In the Security Policy editor, navigate to
      Security Settings - Local Policies - User Rights Assignment.

   4) In the policy list, locate the desired user right and open the
      Properties dialog either from the menu or using the context
      menu (right mouse button).

      If you created a dedicated group as suggested above (1), add
      this group to the list. Otherwise, selectively add your eloqsd
      accounts to the list.

 * The eloqsd.cfg.sam and eloqsd.user.sam configuration template
   files have been updated to reflect the new configuration items.


Patch PE70-0409300
------------------

Platforms: Windows XP/2000/NT

 * The eloqsd server did not allow more than about 35 concurrent
   connections (#2248). The exact number depended on the particular
   Windows configuration and usage.

   After connecting about 35 times, the Windows error #1816
   (ERROR_NOT_ENOUGH_QUOTA) occurred.

   This was caused by an internal Windows limitation (all Windows
   versions are affected). The Windows-internal memory area which is
   used to store the access control lists (ACLs) is limited to
   2 kilobytes. Previous eloqsd versions created an access control
   entry (ACE) for each connection, which quickly exhausted this
   2KB area.

   In the new implementation, eloqsd creates its own non-interactive
   windowstation along with its own desktop. This
   windowstation/desktop tuple then gets a single ACE. Afterwards,
   all connections are assigned to this tuple, effectively inheriting
   this ACE. As a result, eloqsd now only uses one ACE, regardless of
   how many connections are active.

   The maximum number of concurrent connections is still limited by
   the Windows desktop heap, so the #1816 (ERROR_NOT_ENOUGH_QUOTA)
   error can still occur if a high number of concurrent connections
   are active. Unfortunately, this number cannot be predicted, as it
   depends on the particular Windows configuration and usage.

   In this case, the size of the Windows desktop heap for the
   non-interactive windowstation must be increased. This requires
   changing a Windows registry entry with the Windows regedit or
   regedt32 tool. Please note that this must be done with extreme
   care, as a wrong change to a registry value can prevent Windows
   from operating correctly.

   The necessary procedure is documented in the Microsoft Knowledge
   Base at http://support.microsoft.com/?id=184802 .

   Summary:

   Locate the following value in the Windows registry (you must be
   administrator to edit this value):

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\Windows

   This is a string value consisting of multiple sections. Locate the
   section starting with SharedSection=. It should have 3 parameters
   which are comma-separated. Example:

   SharedSection=1024,3072,512

   The 3rd parameter (in this case 512) is the one which must be
   increased. If you find only 2 parameters you can add the 3rd
   parameter yourself.

   You can set the 3rd parameter as high as the 2nd (in this case
   3072), but this is often too much. Increase it in steps of 256
   until your problem is solved.

   Windows must be restarted afterwards to activate this change.

 * When the eloqsd server is stopped, all eloqcore child processes
   which were previously started through this eloqsd are terminated.


Installation:
-------------

UNIX:

In order to install this patch, you need to unpack it with gzip.
Gzip is included with HP-UX and Linux.
Installation requires root privileges.

   cd /opt/eloquence6
   gzip -dc /path/to/PE70-0412281-hpux.tar.gz | tar xf -

Files:

   bin/eloqdb6
   share/doc/PE70-0412281-README


Windows XP/2000/NT:

This patch should *only* be installed if you previously installed the
Eloquence server components on your system.

Download the PE70-0412281-win32.zip file and unpack its contents with
WinZip or PKUNZIP. Installation requires administrative capabilities.

PLEASE MAKE SURE THE eloqsd SERVICE has been STOPPED previously
(in the Service Control Manager or with NET STOP eloqsd).

Please copy the eloqsd.exe file into the WINDOWS SYSTEM DIRECTORY
(for example C:\Windows\System32).

Please copy the .cfg.sam files into the etc subdirectory of your
Eloquence installation (for example C:\Programs\Eloquence\etc).

Please copy the PE70-0412281-README.txt file into the share\doc
subdirectory of your Eloquence installation
(for example C:\Programs\Eloquence\share\doc).

Files:

   eloqsd.exe
   eloqsd.cfg.sam
   eloqsd.user.sam
   PE70-0412281-README.txt
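
Added example (not part of the original README or of Eloquence): a small Python helper that applies the SharedSection rule from the PE70-0409300 notes above to a copy of the registry string, so the new value can be checked before it is typed into the registry editor. The names parse_shared_section, raise_third and new_third are hypothetical, and SAMPLE is a constructed value; it only computes the string and never touches the registry.

```python
import re

# Constructed sample of the "Windows" string value; real systems differ.
SAMPLE = (r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
          r"SharedSection=1024,3072,512 Windows=On SubSystemType=Windows")

# SharedSection= followed by exactly 2 or 3 comma-separated numbers.
_SECTION = re.compile(r"\bSharedSection=(\d+),(\d+)(?:,(\d+))?(?=\s|$)")


def parse_shared_section(value):
    """Return the SharedSection parameters as a list of two or three ints."""
    m = _SECTION.search(value)
    if m is None:
        raise ValueError("no SharedSection= section with 2 or 3 parameters")
    return [int(g) for g in m.groups() if g is not None]


def raise_third(value, step=256, new_third=None):
    """Return `value` with the 3rd SharedSection parameter raised by `step`.

    If only 2 parameters are present, the 3rd is added and must be given
    as `new_third` (assumption: the README names no starting value).
    The result is refused if it would exceed the 2nd parameter.
    """
    params = parse_shared_section(value)
    second = params[1]
    if len(params) == 2:
        if new_third is None:
            raise ValueError("3rd parameter absent; pass new_third explicitly")
        third = new_third
    else:
        third = params[2] + step
    if third > second:
        raise ValueError(f"{third} would exceed the 2nd parameter ({second})")
    new = f"SharedSection={params[0]},{second},{third}"
    # Replace only the SharedSection section; all other sections stay as-is.
    return _SECTION.sub(lambda _m: new, value, count=1)


if __name__ == "__main__":
    print(raise_third(SAMPLE))
```

Keep a copy of the original string before editing so the change can be reverted if Windows misbehaves after the restart.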