what is the meaning of "64(error not found)" in sys.transmission_queue

The error you see is an indication that the two machines can't connect and authenticate at the network level. Most likely this is a security authentication issue (the target does not autheticate or authorize the initiator, apparently). The best way to investigate such issues is to use the SQL Server Profiler. Start a new trace for each of the two machines, select the blank template and add the 'Broker/Broker Connection' and 'Security Audit/Audit Broker Login' event. The events should point toward what the problem is.

BTW, I'm surprised you get "error not found" for 64, this is a standard OS error: ERROR_NETNAME_DELETED - "The specified network name is no longer available."
What OS version are you running? Is it a localized version? Can you tell the version of the file wmerror.dll in your system32 directory?

HTH,
~ Remus

RemusRusanu at 2007-9-9 >

Can the TCP connection be established between the two machines? To test this, use telnet.exe and try to connect, from each machine, to the other's machine listenning port (assumming the broker endpoints are configured on both machines for port 4022):
- on inititator, run this from a command prompt: telnet target_machine_name 4022
- on the target, run this from a command prompt: telnet initiator_machine_name 4022
If telnet succeeds, the TCP connection can be opened fine.

HTH,
~ Remus

RemusRusanu at 2007-9-9 >

Oh,when I use sql profiler to trace broker,I get the response:

in Initiator:
Audit Broker Login 21 2005-07-14 20:05:07.347 1 1404 1 - Login Success
1 0X01 tcp://192.168.60.246:4022 ZLVM2\SQL2005
CERTIFICATE Microsoft Unified Security Protocol Provider Initiator 1

in Target:
Broker:Connection The network connection was aborted by the local system.
23 2005-07-14 19:48:43.743 1 998 8 - Receive IO Error
1 0X01 ZLVM3\SQL2005 1236 0ef4dcb6-30af-4b34-bfd6-54909473001e
tcp://192.168.60.245:0
Broker:Connection An operation was attempted on something that is not a socket.
23 2005-07-14 19:48:43.773 1 999 8 - Receive IO Error
1 0X01 ZLVM3\SQL2005 10038 0ef4dcb6-30af-4b34-bfd6-54909473001e
tcp://192.168.60.245:0

I don't know why the column "ObjectName" in Target profiler show "tcp://192.168.60.245:0",the port should be 4022 also.
How can I do ?

Ant19768341 at 2007-9-9 >

Windows authentication is the recommended way for scenarios when the two SQL Servers are memebers of the same domain and belong to the same organisation. Certificate authentication is the recommended way for scenarios when the two SQL Servers are in distinct domains and belong to separate organisations, like when two businesses communicate over the internet using Service Broker.

You can also configure an enpoint to use both authentication modes (Windows and Certificate).

In order to configure Windows authentication you'll have to change the way you create the endpoint:

CREATE ENDPOINT <endpointname>
STATE = STARTED
AS TCP (LISTENER_PORT = 4022)
FOR SERVICE_BROKER (AUTHENTICATION = WINDOWS);

Also, on each machine you have to grant AUTHENTICATE permission on the endpoint to the Windows user that runs the peer SQL Server service. E.g. if the peer instance is running as <domainname>\<username>:

CREATE LOGIN [<domainname>\<username>] FROM WINDOWS;
GRANT CONNECT ON ENDPOINT::[<endpointname>] TO [<domainname>\<username>];

Altough this sounds simple, in practice there are always some problems. Usually, the two instances are installed as LocalSystem or NETWORK SERVICE. In this case, the instances will authenticate on the network as the 'machine' account. That is, for every computer that joins a domain, an account called '<domainname>\<machinename>$' is created. The peer has to create a login for this account and grant authenticate permission to it. A second issue is that using the machine account work only if Kerberos is properly configured. This requires the Service Principal Name used by service broker to be registered in the domain active directory. One can do this easily using the SETSPN.EXE program:

SETSPN -A MSSqlSvc/<machinename>:4022 <machinename>

However, this command might fail, depending on the security policies of the domain.

Given all these complications, you understand why almost always examples use CERTIFICATE authentication. However, for big enterprises there are advantages when using Windows authentication. For instance they can use domain groups and grant the AUTHENTICATE perrmission to groups rather than individual machines. Then simply adding the machine to the given group will allow it to connect.

HTH,
~ Remus

RemusRusanu at 2007-9-9 >

The Broker Login events show that the two instances successfully authenticate each other and are able to exchange messages. This authentication refers only to the fact that the two instances are able to establish a network connection.

The Message Drop event shows that the messages are not accepted by the target database. You are now talking about dialog security, a separate topic from endpoint authentication. Dialog security is based solely on certificates. BOL has two 'How To's on this topic:
- Configure Target Service for Full Dialog Security
- Configure Initiating Service for Full Dialog Security

I recommend you turn on the 'Security Audit/Audit Broker Conversation' event in the profiler to see why the 'security context could not be retrieved'.

BTW, I recommend you start a new thread about this topic, the original title of this thread no longer reflects the topic being discussed :)

HTH,
~ Remus

RemusRusanu at 2007-9-9 >