SNA Server Fails to Correctly Support Both AV and PV for APPC Conversation Security

ID: Q236122


The information in this article applies to:


SYMPTOMS

An APPC Transaction Program configured to run on SNA Server may receive a BIND from the Host indicating support for the Already Verified (AV) and Persistent Verification (PV) in the BIND Security Support Indicators.

During subsequent conversation processing, if the Transaction Program changes conversation security from AP_NONE to AP_SAME in subsequent ALLOCATES, the APPC session may fail with a Primary Return Code : 0003 (AP_ALLOCATION_ERROR), Secondary Return Code : 080F6051 (AP_SECURITY_NOT_VALID), and the following event may be logged in the Windows NT Application Log:

   Event ID: 63
   Source: SNA Server
   Description: Incorrect password received from client for logged on user.

   EXPLANATION
   An invalid password was specified for a signed-on PV user (user ID: user). This password will be forwarded to the host to verify. If the password has changed, then the host will accept the new password, and the conversation will continue without persistent verification.

   ACTION
   If host rejects password, then check password, and try again.


CAUSE

SNA Server fails to correctly implement user credential manipulation when the APPC conversation security is changed between ALLOCATE verbs.


RESOLUTION

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Microsoft SNA Server version 4.0 service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://www.microsoft.com/support/supportnet/overview/overview.asp

The English version of this fix should have the following file attributes or later:

File name      Date       Time
Snaservr.exe   05/05/99   15:04

NOTE: Because of file dependencies, the most recent fix that contains the above files may also contain additional files.

NOTE: If this product was already installed on your computer when you purchased it from the Original Equipment Manufacturer (OEM) and you need this fix, please call the Pay Per Incident number listed on the above Web site. If you contact Microsoft to obtain this fix, and if it is determined that you only require the fix you requested, no fee will be charged. However, if you request additional technical support, and if your no-charge technical support period has expired, or if you are not eligible for standard no-charge technical support, you may be charged a non-refundable fee.

For more information about eligibility for no-charge technical support, see the following article in the Microsoft Knowledge Base:
Q154871 Determining If You Are Eligible for No-Charge Technical Support


STATUS

Microsoft has confirmed this to be a problem in Microsoft SNA Server versions 3.0, 3.0SP1, 3.0SP2, 3.0SP3, 4.0, 4.0SP1, 4.0SP2.


MORE INFORMATION

The problem is that when both AV and PV are specified, SNA Server treats the message as a hybrid of both.

In the APPC library, the password is stripped out because it is AV. In the SNA Server, as a result of the issue discussed in the following Microsoft Knowledge Base article:

Q222121 Enhanced Security When Using Persistent Verification

the Attach is rejected because SNA Server thinks it is PV, but there is no password. SNA Server rejects the Attach by stripping out the security indicator and letting the Host deal with it.

The correct behavior when the Host accepts AV and PV, and the application specifies security=AP_SAME, is specified in the following Microsoft Knowledge Base article:

Q180866 Persistent Verification Support for APPC Sessions

Namely, if SNA Server doesn't recognize that the user is signed on to the Host, it sends an Attach with the AV bit set and the PV bits set to "sign-on requested." The Attach does not include a password. If SNA Server recognizes the user as signed on, SNA Server sends an Attach with the AV bit set and the PV bits set to "already signed on." Again, the Attach doesn't include a password.
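
The following is an added example, not code from Microsoft or from SNA Server. It models the Attach security decision described above, with the correct AV+PV handling beside the faulty hybrid path. All type and function names are hypothetical, the values are symbolic rather than the Attach wire encoding, and treating AP_NONE as sending no security fields is an assumption of the model.

```c
#include <stdbool.h>
#include <string.h>

/* Symbolic model: these types are assumptions for illustration, not the
   Attach wire encoding or SNA Server internals. */
typedef enum { SEC_NONE, SEC_SAME } conv_security;  /* AP_NONE / AP_SAME */
typedef enum { PV_ABSENT, PV_SIGNON_REQUESTED, PV_ALREADY_SIGNED_ON } pv_state;
typedef struct { bool av_bit; pv_state pv; bool has_password; } attach_sec;

#define MAX_SIGNED_ON 8
typedef struct { const char *users[MAX_SIGNED_ON]; int count; } signon_table;

bool is_signed_on(const signon_table *t, const char *user) {
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->users[i], user) == 0) return true;
    return false;
}

/* Called once the host has accepted the sign-on for this user. */
void mark_signed_on(signon_table *t, const char *user) {
    if (!is_signed_on(t, user) && t->count < MAX_SIGNED_ON)
        t->users[t->count++] = user;
}

/* Correct handling when the BIND accepts both AV and PV. */
attach_sec build_attach(conv_security sec, const char *user, const signon_table *t) {
    attach_sec a = { false, PV_ABSENT, false };
    if (sec == SEC_NONE) return a;            /* assumed: no security fields sent */
    a.av_bit = true;                          /* AV: the Attach carries no password */
    a.pv = is_signed_on(t, user) ? PV_ALREADY_SIGNED_ON : PV_SIGNON_REQUESTED;
    return a;
}

/* The faulty "hybrid" path: the password is stripped as for AV, the request
   is then judged as PV without a password, and the security indicators are
   stripped before the Attach goes to the host. */
attach_sec build_attach_hybrid(conv_security sec) {
    attach_sec a = { false, PV_ABSENT, false };
    (void)sec;                                /* AP_SAME is lost on this path */
    return a;
}

/* Trace check: does an AP_SAME Attach carry what the article says it should? */
bool attach_ok_for_same(attach_sec a) {
    return a.av_bit && a.pv != PV_ABSENT && !a.has_password;
}
```

When reading a trace of the failing ALLOCATE, an AP_SAME Attach that fails attach_ok_for_same, because it carries no security indicators at all, matches the behavior this article describes.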



Keywords          : sna3 sna3sp1 sna3sp2 sna3sp3 sna4 sna4sp1 sna4sp2 
Version           : WINDOWS:3.0,3.0 SP1,3.0 SP2,3.0 SP3,3.0 SP4,4.0,4.0 SP1,4.0 SP2
Platform          : WINDOWS 
Issue type        : kbbug 

Last Reviewed: July 2, 1999