Microsoft Internet Authentication Service (IAS) dies or won’t start
Problem
We use the Microsoft Internet Authentication Service (IAS) to provide RADIUS authentication for our wireless network.
From time to time we would notice that IAS had stopped working on one of our servers. In Event Viewer, we would see the following error:
“Service Control Manager, Event ID 7023: The Internet Authentication Service terminated with the following error: Only one usage of each socket address (protocol/network address/port) is normally permitted.”
You could also click on “Internet Authentication Service (Local)” and notice that the green start button was enabled, indicating that the service was not yet started.
You could start the service, but a few seconds later it would stop.
Cause
The problem was caused by the Microsoft DNS server hogging one or more of the ports RADIUS needs! Those would be UDP ports 1812, 1813, 1645 and 1646.
To identify this problem I had used a free program called NirSoft CurrPorts. I could have used Windows’ built-in netstat command, but this is one of those times when a GUI is nice — especially because you can sort by port number.
Why was DNS using those ports? It was because of the recent DNS security update (the one that fixes the Kaminsky port randomization bug). It was Microsoft security update 953230 (MS08-037).
This problem is described in KB56188.
Solution
The solution is described in KB812873.
The short version, for Server 2003, is:
- In the Registry Editor, go to
  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
- If there is a value called ReservedPorts, open it. Otherwise, create it as a “Multi-String Value”.
- Add the following ports to the list: 1812-1813 and 1645-1646
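
The two checks described above (which process holds each RADIUS UDP port, and whether ReservedPorts covers it) can be scripted. This is an added example, not part of the original post or the KB articles; the function names, sample netstat lines and PIDs are constructed for illustration.

```powershell
# Added example. RADIUS UDP ports are the ones named in the article.
$RadiusPorts = 1812, 1813, 1645, 1646

function Get-UdpPortOwner {
    # Turn `netstat -ano -p udp` lines into objects: local port + owning PID.
    param([string[]]$NetstatLines)
    foreach ($line in $NetstatLines) {
        if ($line -match '^\s*UDP\s+\S+:(\d+)\s+\S+\s+(\d+)\s*$') {
            New-Object PSObject -Property @{
                Port     = [int]$Matches[1]
                OwnerPid = [int]$Matches[2]
            }
        }
    }
}

function Test-PortReserved {
    # True when $Port lies inside any "low-high" entry of ReservedPorts.
    param([int]$Port, [string[]]$ReservedPorts)
    foreach ($entry in $ReservedPorts) {
        if ($entry -match '^\s*(\d+)-(\d+)\s*$' -and
            $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) {
            return $true
        }
    }
    return $false
}

# Constructed sample data (PIDs are made up). On a live server use instead:
#   $netstat  = netstat -ano -p udp
#   $reserved = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').ReservedPorts
$netstat = @(
    '  UDP    0.0.0.0:53             *:*                                    1480',
    '  UDP    0.0.0.0:1645           *:*                                    1480',
    '  UDP    0.0.0.0:1812           *:*                                    2216',
    '  UDP    0.0.0.0:49153          *:*                                    1480'
)
$reserved = @('1812-1813')   # 1645-1646 deliberately missing in this sample

$owners = @(Get-UdpPortOwner $netstat)
foreach ($port in $RadiusPorts) {
    $pids = @($owners | Where-Object { $_.Port -eq $port } | ForEach-Object { $_.OwnerPid })
    New-Object PSObject -Property @{
        Port      = $port
        Reserved  = Test-PortReserved $port $reserved
        OwnerPids = $pids -join ','
    }
}
```

With the sample data, port 1645 is reported as not reserved and held by the same PID that owns port 53, which is the condition described under Cause. On a live server, Get-Process -Id resolves each owner PID to a process name.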


