DOCUMENT:Q256919 13-JUN-2001 [sna] TITLE :DLS Connection Fails with Event ID: 705 PRODUCT :Microsoft SNA Server PROD/VER:WINDOWS:2.11 (all SP),3.0,3.0 SP1,3.0 SP2,3.0 SP3,3.0 SP4,4.0,4.0 SP1,4.0 SP2,4.0 SP3 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft SNA Server, versions 2.11 SP1, 2.11 SP2, 3.0, 3.0 SP1, 3.0 SP2, 3.0 SP3, 3.0 SP4, 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3 ------------------------------------------------------------------------------- SYMPTOMS ======== If you install a branch SNA Server by using a specific user account (as opposed to using the system account), if for any reason the user account cannot be validated by the central SNA Server, you cannot connect to the branch SNA Server site. In the Application event log on the branch SNA Server, the following event is logged: Event ID: 705 Source: SNA Link Service Type: Warning Description: Logon Failed. EXPLANATION Connection Failed due to data security. Access denied -- Error Code: 44 CAUSE ===== When you attempt to connect a branch SNA Server site by using the Distributed Link Service (DLS), the central SNA Server attempts to validate the incoming connection by using the context that the DLS is running under on the branch SNA Server. This can potentially cause a problem if the central SNA Server is unable to validate the account for any reason (for example, broken trust, different domain, and so on), and the connection status shows Pending on the branch SNA Server. This problem occurs because of the different methods that Windows NT uses to validate the system account, as opposed to a user account. If the DLS is running under the local system account, then it must use Local Security Authority (LSA) for logon, and by default, there is no security enforced. If the DLS is running under a user account, then it uses Windows NT LanManager(NTLM) authentication for logon, and security is enforced. For example: DLS Client-----------------------------Link Service Proxy SNAREM1-------LSA logon (system)-----> SNADLC[D] (no NT credentials required: local system) SNAREM1-------NTLM logon (user)------> SNADLC[D] (Valid NT credentials required: User account) RESOLUTION ========== To resolve this issue, do one of the following: - Enable the guest account on the central SNA Server. - On the central SNA Server, create an account with a matching user ID (UID) and password (PWD) that the DLS on the branch SNA Server is running under. - Set the DLS to run under the system account on the branch SNA Server. MORE INFORMATION ================ In the Link Message Trace on the branch SNA Server, this problem occurs before the Open Link Request ever comes down the pipe. In the Link Message Trace, you can view the following: -------------------------------------------------------------------------------- DLC 01160001->04020100 DLCST OUTG DLC Outage: 0x0A UPTYPE:0 UPCNTR:12 COUNT:112 DLC DLC ---- Header at address 010144B4, 0 elements ---- DLC 180A000C 10110070 01000400 0100D401 <.......p......M.> DLC -------------------------------------------------------------------------------- For additional information, click the article number below to view the article in the Microsoft Knowledge Base: Q132679 Local System Account and Null Sessions in Windows NT Additional query words: ====================================================================== Keywords : Technology : kbAudDeveloper kbSNAServSearch kbSNAServ300 kbSNAServ400 kbSNAServ211SP1 kbSNAServ211SP2 kbSNAServ300SP3 kbSNAServ300SP1 kbSNAServ400SP1 kbSNAServ400SP2 kbSNAServ400SP3 kbSNAServ300SP2 kbSNAServ300SP4 Version : WINDOWS:2.11 (all SP),3.0,3.0 SP1,3.0 SP2,3.0 SP3,3.0 SP4,4.0,4.0 SP1,4.0 SP2,4.0 SP3 ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.