DOCUMENT:Q248479  18-DEC-2001  [sna]
TITLE   :Host Account Database Location for Single Sign-On
PRODUCT :Microsoft SNA Server
PROD/VER::3.0,3.0 SP1,3.0 SP2,3.0 SP3,3.0 SP4,4.0,4.0 SP1,4.0 SP2,4.0 SP3,4.0 SP4
OPER/SYS:
KEYWORDS:kbsna300sp1 kbsna300sp2 kbsna300sp3 kbsna300sp4 sna4 kbsna400sp1 kbsna400sp2 kbsna400sp

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft SNA Server, versions 3.0, 3.0 SP1, 3.0 SP2, 3.0 SP3, 3.0 SP4, 4.0,
   4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4
 - Microsoft Host Integration Server 2000
-------------------------------------------------------------------------------

SUMMARY
=======

When you use the Host Security Integration features to provide Single Sign-On
(SSO) support, the SNA Server/Host Integration Server (HIS) 2000 computer needs
to contact a Host Account Cache (HAC) database to get the correct host user
credentials to send to the host system. The Host Security Integration dynamic
link library (DLL) (Snasii.dll) is responsible for locating an HAC database
that can be used for host account look ups.

MORE INFORMATION
================

The Snasii.dll file is initialized when the SNA Server service starts. During
initialization, the Snasii.dll file attempts to locate a secondary (backup)
host account database (SDB) to use for host account look ups. The following
steps describe the process that is used to locate a secondary HAC database.

1. The Snasii.dll file makes a call to determine the primary domain controller
   (PDC)/PDC emulator for the Windows NT/Windows 2000 domain.

2. A remote procedure call (RPC) connection to the PDC/PDC emulator where the
   master database (MDB) resides is attempted.

   - If the RPC connection to the MDB is successful:

     a. A UDI_LOCATE message is sent to the MDB asking for the name of a SDB.
        The UDI_LOCATE message also includes the SNA subdomain for the SNA
        Server.

     b. The MDB checks to see if any SDBs are registered with an SNA subdomain
        name that matches the subdomain name in the UDI_LOCATE message.

        1. If there are SDBs that are registered with the same subdomain name,
           then the MDB sends a response to the UDI_LOCATE message that
           includes the name of the first SDB that matches the request. In HIS
           2000, the UDI_LOCATE message includes the name of the SDB that has
           the same domain name and the lowest locate_count number.

           NOTE: The locate_count number was added in HIS 2000 to provide
           load-balancing among SDBs. Prior to HIS 2000, all SNA Server
           computers in a subdomain used the same SDB for account look-ups
           because the MDB always returned the first SDB in its list that
           matched the subdomain name specified.

        2. If there are no SDBs registered with the MDB with the same subdomain
           name, then the MDB sends a response to the UDI_LOCATE message that
           includes the name of the first SDB in its list regardless of the
           subdomain name. In HIS 2000, the MDB sends a response to the
           UDI_LOCATE message that includes the name of the SDB that has the
           lowest locate_count regardless of the subdomain name.

        3. If there are no SDBs registered with the MDB, the MDB sends a
           response to the UDI_LOCATE that indicates that the MDB should be
           used for the account look ups.

   - If the RPC connection to the MDB is unsuccessful (for example, if the MDB
     is unavailable) and if SNA Server 4.0 Service Pack (SP) 3 or later is
     being used:

     a. The Snasii.dll file checks to see if there is an active HAC database
        installed locally; if there is, it will use this SDB for host account
        look ups.

     b. If the local system does not have an active HAC database, the
        Snasii.dll file issues an API call to find all of the backup domain
        controllers (BDCs) (DCs in Windows 2000) in the domain. It then
        contacts each BDC (or DC) in turn to see if it has an active HAC
        database. It connects to the first BDC (or DC) that reports that it
        has an active database and uses this database for host account look
        ups.

        Note: The ability to search for BDCs was added in SNA Server 4.0 SP3.
        Please refer to the following article for details on the problem that
        resulted in this new functionality:

           Q235929 Single Sign-On Fails If the Windows NT Primary Domain
           Controller is Unavailable

For additional information regarding the initialization of the SNASII.DLL when
host security is not being used, click the article number below to view the
article in the Microsoft Knowledge Base:

   Q265384 SNASII.DLL Always Tries to Locate Host Account Cache Database

Other Points of Interest:

 - All SNA Server 3.0/4.0 computers in a subdomain that do account look-ups use
   the same SDB for account look-ups because the MDB always returns the first
   SDB in its list that matches the subdomain name that is specified. The MDB
   does not implement any load-balancing algorithm to distribute the host
   account look ups across multiple SDBs. Load-balancing was implemented in
   HIS 2000, as described previously.

 - An SNA Server/HIS 2000 computer with a secondary HAC database is only
   guaranteed to use its local HAC database for host account look-ups when the
   MDB is unavailable.

 - SDBs reregister with the MDB every three minutes. This is done to make sure
   that the MDB has an accurate list of active SDBs. If the MDB cannot
   reregister an SDB after three registration periods (approximately 9
   minutes), the SDB is removed from its list of active SDBs.

 - When a new SDB is registered with the MDB, all SNA Server computers with the
   same subdomain name as the new SDB relocate to this new SDB. The new SDB is
   then used for host account look ups.

   NOTE: This does not apply when HIS 2000 is being used.

 - The SNA Host Account Cache service can be installed on a Windows NT/Windows
   2000 member server, and can be used for host account look-ups. If there are
   no other SDBs installed on BDCs (or DCs) in the domain, SNA Server/HIS 2000
   computers cannot locate these SDBs if the MDB is unavailable. The reason for
   this is that SNA Server/HIS 2000 (Snasii.dll) searches for an active local
   HAC database, and then it searches for BDCs (or DCs). It does not search for
   member servers. If the SNA Server/HIS 2000 computers are running on member
   Windows NT/Windows 2000 servers and each has an active SDB, then each would
   use its own local HAC database if the MDB is unavailable.

Additional query words:

======================================================================
Keywords        : kbsna300sp1 kbsna300sp2 kbsna300sp3 kbsna300sp4 sna4 kbsna400sp1 kbsna400sp2 kbsna400sp3
Technology      : kbAudDeveloper kbSNAServSearch kbHostIntegServ2000 kbSNAServ400
Version         : :3.0,3.0 SP1,3.0 SP2,3.0 SP3,3.0 SP4,4.0,4.0 SP1,4.0 SP2,4.0 SP3,4.0 SP4
Issue type      : kbinfo

=============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION
MAY NOT APPLY.

Copyright Microsoft Corporation 2001.
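The following Python model of the SDB location process is an added example written for this page; it is not code from Microsoft SNA Server, Host Integration Server, or Snasii.dll. It mirrors the two behaviours the article describes: the MDB's answer to UDI_LOCATE (first matching SDB in SNA Server 3.0/4.0, lowest locate_count in HIS 2000, the MDB itself when no SDB is registered, plus removal of SDBs that miss three reregistration periods) and the Snasii.dll fallback when the PDC/PDC emulator cannot be reached (active local HAC database first, then BDCs/DCs only, never member servers). The MasterDatabase and Host classes, the snasii_locate function, the locate_count update rule, the 180-second timing constant and the server names are assumptions chosen for the illustration.

```python
"""Model of the Host Account Cache (HAC) database location process described
in Q248479.  Added illustration for this page, not Microsoft's Snasii.dll or
MDB code: class names, record layouts, the locate_count update rule and the
timing constants are assumptions that mirror the article's description."""
from dataclasses import dataclass
from typing import Dict, List, Optional

REGISTER_PERIOD_SECONDS = 180       # SDBs reregister with the MDB every three minutes
MISSED_PERIODS_BEFORE_REMOVAL = 3   # removed after three missed periods (about 9 minutes)


@dataclass
class Sdb:
    """A secondary HAC database as the MDB sees it (assumed record layout)."""
    server: str
    subdomain: str            # SNA subdomain the SDB registered with
    locate_count: int = 0     # HIS 2000 load-balancing counter (assumed semantics)
    last_registered: float = 0.0


@dataclass
class Host:
    """A machine in the Windows domain as seen from the Snasii.dll side."""
    name: str
    is_domain_controller: bool   # BDC (Windows NT) or DC (Windows 2000)
    has_active_sdb: bool


class MasterDatabase:
    """The MDB on the PDC/PDC emulator: keeps the ordered list of active SDBs."""

    def __init__(self, his2000: bool) -> None:
        self.his2000 = his2000
        self.sdbs: Dict[str, Sdb] = {}   # insertion order = registration order

    def register(self, sdb: Sdb, now: float) -> None:
        """(Re)register an SDB; an existing entry keeps its position in the list."""
        entry = self.sdbs.setdefault(sdb.server, sdb)
        entry.last_registered = now

    def prune(self, now: float) -> List[str]:
        """Drop SDBs that have not reregistered for three registration periods."""
        limit = REGISTER_PERIOD_SECONDS * MISSED_PERIODS_BEFORE_REMOVAL
        stale = [name for name, s in self.sdbs.items() if now - s.last_registered > limit]
        for name in stale:
            del self.sdbs[name]
        return stale

    def locate(self, subdomain: str) -> str:
        """Answer a UDI_LOCATE for the given SNA subdomain: an SDB name, or 'MDB'."""
        if not self.sdbs:
            return "MDB"                            # no SDBs at all: use the MDB itself
        candidates = [s for s in self.sdbs.values() if s.subdomain == subdomain]
        if not candidates:
            candidates = list(self.sdbs.values())   # no subdomain match: any SDB
        if self.his2000:
            chosen = min(candidates, key=lambda s: s.locate_count)
            chosen.locate_count += 1                # spread later locates across SDBs
        else:
            chosen = candidates[0]                  # SNA Server 3.0/4.0: always the first match
        return chosen.server


def snasii_locate(mdb: MasterDatabase, mdb_reachable: bool, subdomain: str,
                  local: Host, domain_hosts: List[Host],
                  sp3_or_later: bool = True) -> Optional[str]:
    """Snasii.dll initialization: which server to use for host account look-ups.

    Returns the server name, 'MDB', or None when nothing usable was found."""
    if mdb_reachable:
        return mdb.locate(subdomain)    # RPC to the PDC/PDC emulator succeeded
    if not sp3_or_later:
        return None                     # before SNA Server 4.0 SP3 there was no fallback
    if local.has_active_sdb:
        return local.name               # an active local HAC database wins
    for host in domain_hosts:           # BDCs/DCs only; member servers are never searched
        if host.is_domain_controller and host.has_active_sdb:
            return host.name
    return None


if __name__ == "__main__":
    # Constructed scenario: three SDBs on BDCs, one SNA Server in subdomain WEST.
    mdb = MasterDatabase(his2000=False)
    for name, sub in [("BDC1", "EAST"), ("BDC2", "WEST"), ("BDC3", "WEST")]:
        mdb.register(Sdb(name, sub), now=0.0)
    print("SNA 4.0 locate WEST twice:", mdb.locate("WEST"), mdb.locate("WEST"))
    sna = Host("SNA1", is_domain_controller=False, has_active_sdb=False)
    hosts = [Host("MEMBER1", False, True), Host("BDC2", True, True)]
    print("MDB down, fallback picks:", snasii_locate(mdb, False, "WEST", sna, hosts))
```

Running the block shows the SNA Server 4.0 behaviour (both locates for WEST return BDC2, since the MDB always returns the first match) and the fallback path skipping MEMBER1 even though it has an active SDB, which is the situation the last bullet under "Other Points of Interest" warns about. Switching the constructor to `MasterDatabase(his2000=True)` alternates between BDC2 and BDC3 on successive locates.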