Telnet session "Shell process may not have been launched" (Solution)

[Brian L.]

Hello all,

After unsuccessful searches on the net for a solution to the following
problem:

Failure in initializing the telnet session. Shell process may not have
been launched.
Telnet Server has closed the connection.
Connection to host lost.

I wanted to share one possible solution that I found to work. The existing
articles/solutions out there
(http://support.microsoft.com/default.aspx?scid=kb;en-us;309523) are all for
Windows XP 64-bit Edition. That article and its solution do not apply to
Windows Server 2003.

The solution I have found is that the Telnet session seems to require the
"Secondary Logon" service to be started. There is no documented service
dependency, and the Telnet service will start without it, but you will
receive the error above when trying to connect.

I found this solution because I realized telnet works until I apply our
standard security lockdown template using the Security Configuration and
Analysis tool. Through trial and error, I narrowed it down to the fact that
we turn off the Secondary Logon service as part of the lockdown. Turning
this service off is recommended by Microsoft in the Windows Server 2003
Security Guide. It is a good idea to disable the service, so long as you
don't need to run telnet!

Hope this helps you avoid the frustration I experienced. Microsoft, please
consider adding this information as a KB article.

[Rebecca Chen [MSFT]]

Hi Brian,

Thank you for your excellent experience sharing!

I would like to confirm my understanding of this issue that you encounter
the error as described in KB 309523 on win2k3 server system. You are able
to use the telnet session until starting Secondary Logon service.

According to my research, this is a by design behavior. Telnet server
(tlntsvr.exe) needs to run the CMD process (cmd.exe) using the credentials
of the login user. If Secondary Logon Service is not started, telnet server
process cannot start CMD process using an alternative credential.

To solve this problem, on Windows 2003 server, Administrative Tools ->
Computer Management -> Services and Apllications -> Services

Change Start up type for "Secondary Logon" to Automatic and start the
service

Your suggestion to address this concern in a KB article is a very good idea
since I also see this issue for several times, and I believe the KB article
address this issue will benefit others encounter the same problem. I have
forward your suggestions to the mswish@ Microsoft.com to so that the
appropriate folks to catch their immediate attention. You may also consider
sending your feedback to msw...@microsoft.com to make sure your sound is
heard by Microsoft. The more feedback they receive, the higher chance they
will make the change.

If you have any update, please feel free to post back.

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>From: "Brian L." <699df88b-2059788708@news.postalias>
>Subject: Telnet session "Shell process may not have been launched"
(Solution)
>Date: Tue, 21 Jun 2005 14:53:36 -0400
>Lines: 33
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2900.2527
>X-RFC2646: Format=Flowed; Original
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
>Message-ID: <O0qAPKpd...@TK2MSFTNGP10.phx.gbl>
>Newsgroups:
microsoft.public.windows.server.general,microsoft.public.windows.server.secu
rity
>NNTP-Posting-Host: 204.60.67.237
>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.security:5729
microsoft.public.windows.server.general:40201
>X-Tomcat-NG: microsoft.public.windows.server.general

[Brian L.]

Yes Rebecca, you understand the issue correctly. The Secondary Logon service
is required, and starting it does solve the problem. I just thought it odd
that this requirement is not explained anywhere that I could find, and since
the 2003 Security Guide suggests you disable the service, I had it off. It's
not a true dependency since the Telnet service WILL start without Secondary
Logon started, but Telnet won't be functional without it. Perhaps this link
between the two could be explained in the Help text about the Telnet
service, or in the 2003 Security guide. In any case, a KB article is
definitely worthwhile. Thanks for your response!

""Rebecca Chen [MSFT]"" <v-r...@online.microsoft.com> wrote in message
news:JGAksHy...@TK2MSFTNGXA01.phx.gbl...

[Lesley Kipling [MSFT]]

Hi.

I'm sorry this has given you so much grief and I will see what I can do to
get a KB article written for this. The issue is that in W2K3 Telnet server
(tlntsvr.exe) no longer runs as LocalSystem and needs to run the CMD process
(cmd.exe) using the

credentials of the logged in user. If Secondary Logon Service is not
started, telnet

server process cannot start the CMD process using the required alternative
credential. In fact, this applies to any service which requires access to
the creds of the logged on user - another one I can point out is the runas
service, as per..

How to enable and use the "Run As" feature in Windows Server 2003 WGID:493

ID: 325859

HTH, Les

This posting is provided "AS IS" with no warranties, and confers no rights.

"Brian L." <699df88b-2059788708@news.postalias> wrote in message
news:O0qAPKpd...@TK2MSFTNGP10.phx.gbl...

[Rebecca Chen [MSFT]]

Hi Brian,

As Lesley has stated, this is a feature change in win2k3 server. However,
your suggestion does make sense that an KB article will be very helpful
when encounting this kind of issue.

Thank you for your valueable feedback and I believe other will get benifits
from this discussion!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>From: "Brian L." <699df88b-2059788708@news.postalias>

>References: <O0qAPKpd...@TK2MSFTNGP10.phx.gbl>
<JGAksHy...@TK2MSFTNGXA01.phx.gbl>
>Subject: Re: Telnet session "Shell process may not have been launched"
(Solution)
>Date: Fri, 24 Jun 2005 11:11:46 -0400
>Lines: 126

>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2900.2527
>X-RFC2646: Format=Flowed; Original
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527

>Message-ID: <O49dO8Me...@TK2MSFTNGP15.phx.gbl>
>Newsgroups: microsoft.public.windows.server.general
>NNTP-Posting-Host: 204.60.67.237
>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP15.phx.gbl
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.general:40591
>X-Tomcat-NG: microsoft.public.windows.server.general