MSDTC WS-AT, HTTP could not register URL https://+:2372/WsatService/. Your process does not have access rights to this namespace

Question

On a Windows Server 2012 machine, I have a local DTC and a clustered DTC, as you can see here:

Here you can see the clustered DTC in the Failover Cluster Manager:

I have enabled WS-AT with the following command on the clustered DTC:

wsatconfig -network:enable -endpointCert:7c6361568413852afb471d5f8b92604cdde530dd -accountsCerts:3bcf068b0b984d2af9d2efa03e8a489c8483ba11 -virtualServer:ftsappdev -restart

For the endpointCert, I gave the thumbprint of the certificate for ftsappdev (the cluster role), and for accountscerts, I gave the thumbprint of the certificate of a JBOSS server.

I also have configured WS-AT for the local DTC through the WS-AT tab in Component Services:

In Failover Cluster Manager, when I take the clustered DTC resource offline and then online, I get the following entry in the Eventviewer/Application:

The MSDTC WS-AT protocol failed at the beginning of recovery. As a result, WS-AT functionality will be disabled.
 Protocol ID: c05b9cad-ab24-4bb3-9440-3548fa7b4b1b
 Protocol Name: WS-AtomicTransaction 1.1
 Exception: Microsoft.Transactions.Bridge.PluggableProtocolException: A channel factory could not be opened. ---> Microsoft.Transactions.Wsat.Messaging.MessagingInitializationException: A channel factory could not be opened. ---> System.ServiceModel.AddressAccessDeniedException: HTTP could not register URL https://+:2372/WsatService/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details). ---> System.Net.HttpListenerException: Access is denied
   at System.Net.HttpListener.AddAllPrefixes()
   at System.Net.HttpListener.Start()
   at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
   --- End of inner exception stack trace ---
   at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
   at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener)
   at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback)
   at System.ServiceModel.Channels.TransportChannelListener.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.HttpChannelListener`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.LayeredChannelListener`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.DatagramChannelDemuxer`2.OnOuterListenerOpen(ChannelDemuxerFilter filter, IChannelListener listener, TimeSpan timeout)
   at System.ServiceModel.Channels.SingletonChannelListener`3.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.InternalDuplexChannelFactory.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelFactory.TypedServiceChannelFactory`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ChannelFactory.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at Microsoft.Transactions.Wsat.Messaging.CoordinationService.OpenChannelFactory[T](ChannelFactory`1 cf)
   --- End of inner exception stack trace ---
   at Microsoft.Transactions.Wsat.Messaging.CoordinationService.OpenChannelFactory[T](ChannelFactory`1 cf)
   at Microsoft.Transactions.Wsat.Messaging.CoordinationService.Initialize(CoordinationServiceConfiguration config)
   at Microsoft.Transactions.Wsat.Messaging.CoordinationService..ctor(CoordinationServiceConfiguration config, ProtocolVersion protocolVersion)
   at Microsoft.Transactions.Wsat.Protocol.ProtocolState.RecoveryBeginning()
   --- End of inner exception stack trace ---
   at Microsoft.Transactions.Wsat.Protocol.ProtocolState.RecoveryBeginning()
   at Microsoft.Transactions.Wsat.InputOutput.TransactionManagerReceive.RecoveryBeginning()
 Process Name: msdtc
 Process ID: 12248

In Component Services, when I restart the local DTC I get the following entry in the Eventviewer/Application:

The WS-AT protocol service successfully completed startup and recovery.
 Protocol ID: cc228cf4-a9c8-43fc-8281-8565eb5889f2
 Protocol Name: WS-AtomicTransaction 1.0
 Process Name: msdtc
 Process ID: 7744

Both DTCs run under the user Network Service:

1. Why does the clustered DTC not have access rights to this namespace, whereas the local DTC has? Both run under the same user.
2. How can I make the clustered DTC to register the URL https://+:2372/WsatService/ successfully?

Answer 1

I finally used port 8444. I had to reserve it with the command:

netsh http add urlacl url=https://+:8444/ user=Everyone

and then I ran wsatonfig specifying port 8444:

wsatconfig -network:enable -port:8444 -accounts:Everyone -endpointcert:7c6361568413852afb471d5f8b92604cdde530dd -accountsCerts:7c6361568413852afb471d5f8b92604cdde530dd,83112f9b598c4341b3975aba413bf04eb71eb679 -traceLevel:ALL -restart

Another time, it helped to disable and reenable the Network DTC Access in the properties of the Local DTC and the Cluster DTC:

Disable Local DTC, Apply and OK:

Enable Local DTC, Apply and OK:

Disable Cluster DTC, Apply and OK:

Enable Cluster DTC, Apply and OK: