DOCUMENT:Q290508  12-JUN-2001  [sna]
TITLE   :Configuring the 3270 Emulator to Use SSO with the HAC
PRODUCT :Microsoft SNA Server
PROD/VER::3.0 SP1,3.0 SP2,3.0 SP3,3.0 SP4,4.0,4.0 SP1,4.0 SP2,4.0 SP3,4.0 SP4
OPER/SYS:
KEYWORDS:kbDSupport kbsna300sp1 kbsna300sp2 kbsna300sp3 kbsna300sp4 sna4 kbsna400sp1 kbsna400sp2

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft SNA Server, versions 3.0 SP1, 3.0 SP2, 3.0 SP3, 3.0 SP4, 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4
 - Microsoft Host Integration Server 2000
-------------------------------------------------------------------------------

SUMMARY
=======

This article describes how to configure the 3270 emulator that is included with SNA Server (version 3.0 Service Pack [SP] 1 and later) and Host Integration Server 2000 to take advantage of single sign-on (SSO), in which the server supplies the user's host credentials from the host account cache (HAC) instead of the user typing them.

MORE INFORMATION
================

Benefits of Using SSO and the HAC
---------------------------------

 - A script file can automate the keystroke logon process and can also include the application selection, such as TSO, IMS, and so forth.

 - An end user or administrator can create one script file that all 3270 users share when accessing a host application or mainframe.

 - The script file contains the keyword MS$SAMEU in place of the userid and MS$SAMEP in place of the password, instead of a user's clear-text userid and password. The script file therefore never holds host credentials: the real values stay in the HAC on the server and are substituted there, so the script can be shared or copied without exposing anyone's password.

NOTES:

 - Third-party emulators can also be used for SSO, but they must support scripting of user input. Their script syntax may differ from the example script files in this article.

 - The actual text in these example script files may differ from what you see, because the sequence of screens for accessing host applications and logging on to the mainframe varies among sites and users.
 - Host security components, a host security domain, and a populated HAC must be configured before "look-ups" to the HAC can occur. This article assumes that these steps are already completed. For additional information on the HAC and the host security components, click the article number below to view the article in the Microsoft Knowledge Base:

   Q175063 Host Security Integration Setup and Architectural Overview

Steps to Use the 3270 Emulator with a Script File
-------------------------------------------------

Step 1: Configuring a 3270 Script for SSO

 a. Start the 3270 emulator.

 b. From the Session menu, choose Connect.

 c. From the Script menu, choose Record. The record facility converts the actions that follow into a logon script. The default script file is named Logon.lsc and is located in the SNA client program folder (usually C:\Sna\System).

 d. Connect to the appropriate host application (for example, TSO or IMS). In the following example, TSO is selected.

 e. Log on to the host using a valid mainframe userid and password.

 f. When you are finished recording your logon script, from the Script menu, choose Stop.

 g. To verify that your script works, you must first disconnect your session: from the Session menu, choose Disconnect.

 h. From the Session menu, choose Connect.

 i. From the Script menu, choose Play.

 NOTE: At this point the recorded script contains the userid and password you typed in step e in clear text. Do not copy or distribute the file until you have completed step 2.

 Optionally, you can use one of the following procedures to configure the logon script to run automatically when you connect:

 - From the Script menu, choose Auto Run. When you subsequently establish a connection to the host, the logon script runs automatically.

   -or-

 - From the Session menu, choose Autoconnect. Every time you subsequently start the 3270 client, the connection to the host is made and you are logged on automatically.

Example 3270 script file (Logon.lsc):

   SETTIMEOUT 30,EXIT
   WAITSESSION SSCP
   ; Wait for banner.
   ; Wait can be replaced with WaitString ""
   WAIT 3
   SEND TSO@E
   WAITSESSION LULU
   ; Wait for screen after BIND.
   ; Wait can be replaced with WaitString ""
   WAIT 3
   SEND MYUSERID@E
   SEND MYPASSWD@E
   EXIT:

The following is a list of script file content descriptions:

 - A semicolon (;) without quotes begins a remark.
 - TSO = the subsystem application being selected in this example.
 - @E = the Enter key was pressed.
 - MYUSERID = the real mainframe userid.
 - MYPASSWD = the real mainframe password.
 - @T = the Tab key was pressed (not used in this example).

Step 2: Edit the 3270 Script to Use SSO with the HAC

 a. Using any text editor, such as Microsoft Notepad, edit the Logon.lsc script file.

 b. Replace the real mainframe userid and password with MS$SAMEU and MS$SAMEP (without quotation marks), respectively. Replace only the credential text; the rest of each SEND line, such as the @E key token, stays as recorded.

 c. Save and close the file, and then test the new script with the same steps as before. Open the saved file once more and confirm that the real userid and password no longer appear anywhere in it.

 NOTE: If you create multiple script files with different names for accessing other applications, select the one to use as follows:

 a. From the Session menu, choose Session Configuration. The 3270 Settings dialog box appears.
 b. In the Script File box, click Browse to select another script file.
 c. Double-click the script file that you want to use.
 d. Click OK.

The edited script file from step 1 should now look like this:

   SETTIMEOUT 30,EXIT
   WAITSESSION SSCP
   ; Wait for banner.
   ; Wait can be replaced with WaitString ""
   WAIT 3
   SEND TSO@E
   WAITSESSION LULU
   ; Wait for screen after BIND.
   ; Wait can be replaced with WaitString ""
   WAIT 3
   SEND MS$SAMEU@E
   SEND MS$SAMEP@E
   EXIT:

With host security configured and the HAC populated with the user's actual mainframe userid and password, the following steps complete SSO through the HAC:

 a. When the 3270 emulator starts (if it is configured to run the scripted logon automatically), the script sends MS$SAMEU and MS$SAMEP to the SNA Server/HIS 2000 server as ordinary 3270 input.

 b. SNA Server/HIS 2000 checks whether the Windows NT or Windows 2000 user who is making this request is a member of the host security domain "local group".

 c. SNA Server/HIS 2000 then scans the data stream. When it recognizes MS$SAMEU and MS$SAMEP, it performs a look-up in the HAC for that Windows user and replaces the two keywords with the real host userid and password configured in the HAC before the data continues to the host.

Because the substitution is performed by the server on behalf of the Windows user who is running the emulator, access to a host account is governed by that Windows account's group membership and its HAC mapping, not by anything in the script file.

For information and caveats regarding the special keywords MS$SAMEU and MS$SAMEP, see the following Microsoft Knowledge Base article:

   Q291805 3270 SSO Fails If 3270SSOUserTag and 3270SSOPwdTag Use Same Value

Additional query words:

======================================================================
Keywords          : kbDSupport kbsna300sp1 kbsna300sp2 kbsna300sp3 kbsna300sp4 sna4 kbsna400sp1 kbsna400sp2 kbsna400sp3 kbhis2000 kbsna400sp4 kbsna300
Technology        : kbAudDeveloper kbSNAServSearch kbHostIntegServ2000 kbSNAServ400 kbSNAServ300SP3 kbSNAServ300SP1 kbSNAServ400SP1 kbSNAServ400SP2 kbSNAServ400SP3 kbSNAServ400SP4 kbSNAServ300SP2 kbSNAServ300SP4
Version           : :3.0 SP1,3.0 SP2,3.0 SP3,3.0 SP4,4.0,4.0 SP1,4.0 SP2,4.0 SP3,4.0 SP4

=============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Copyright Microsoft Corporation 2001.
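Appended worked example for Step 2 of the article above. Editing Logon.lsc by hand in Notepad is a text substitution, and the test in step 2c only proves that the logon still works, not that every clear-text credential has gone. The Python program below is an added example, not part of SNA Server, HIS 2000 or the original article: it performs the step 2 substitution on a recorded script and then audits the result, flagging any literal text that a SEND line would still transmit and the misconfiguration that Q291805's title describes (identical user and password tags). It assumes only the script syntax shown in the article (SEND text, @E and @T key tokens, ';' remarks), treats the tag values as parameters because Q291805 names them as the configurable 3270SSOUserTag and 3270SSOPwdTag, and uses a constructed sample script whose MYUSERID/MYPASSWD are placeholders, not real credentials.

```python
"""Convert a recorded 3270 emulator logon script to its SSO form and audit it.

Added example; not part of SNA Server, HIS 2000 or the KB article.
Assumptions: the script syntax shown in the article (SEND text followed by
@E / @T key tokens, ';' remarks); the default keywords MS$SAMEU / MS$SAMEP,
which Q291805 indicates are configurable (3270SSOUserTag / 3270SSOPwdTag)
and must not be set to the same value.
"""
import re
from typing import List, Sequence

DEFAULT_USER_TAG = "MS$SAMEU"   # server replaces this with the HAC userid
DEFAULT_PWD_TAG = "MS$SAMEP"    # server replaces this with the HAC password

# Constructed sample of what the Record facility writes in step 1 of the
# article; MYUSERID / MYPASSWD are placeholders, not a real account.
RECORDED_SCRIPT = """SETTIMEOUT 30,EXIT
WAITSESSION SSCP
; Wait for banner. Wait can be replaced with WaitString ""
WAIT 3
SEND TSO@E
WAITSESSION LULU
; Wait for screen after BIND. Wait can be replaced with WaitString ""
WAIT 3
SEND MYUSERID@E
SEND MYPASSWD@E
EXIT:
"""

# Assumption: every key token is '@' plus one upper-case letter (@E, @T).
# A credential that itself contains such a sequence would be mis-split.
KEY_TOKEN_RE = re.compile(r"(@[A-Z])")
SEND_RE = re.compile(r"^(\s*)SEND\s+(.*?)\s*$", re.IGNORECASE)


def split_fields(argument: str) -> List[str]:
    """'MYUSERID@E' -> ['MYUSERID', '@E']; 'A@TB@E' -> ['A', '@T', 'B', '@E']."""
    return [part for part in KEY_TOKEN_RE.split(argument) if part]


def convert_to_sso(script: str, userid: str, password: str,
                   user_tag: str = DEFAULT_USER_TAG,
                   pwd_tag: str = DEFAULT_PWD_TAG) -> str:
    """Step 2 of the article: swap the recorded credentials for the SSO tags.

    Only a whole text field between key tokens is replaced, so 'TSO' or a
    userid that happens to be a substring of another field is left alone.
    """
    out = []
    for line in script.splitlines():
        m = SEND_RE.match(line)
        if not m:                      # remarks, WAIT*, SETTIMEOUT, labels
            out.append(line)
            continue
        indent, argument = m.groups()
        fields = [user_tag if f == userid else pwd_tag if f == password else f
                  for f in split_fields(argument)]
        out.append(f"{indent}SEND {''.join(fields)}")
    return "\n".join(out) + "\n"


def audit_sso_script(script: str, allowlist: Sequence[str] = ("TSO",),
                     user_tag: str = DEFAULT_USER_TAG,
                     pwd_tag: str = DEFAULT_PWD_TAG) -> List[str]:
    """Return findings for a script that is supposed to be SSO-only.

    Flags any literal text a SEND line transmits that is neither an SSO tag
    nor an allow-listed application name, plus the misconfigurations the
    article and Q291805 warn about. An empty list means the script is clean.
    """
    findings = []
    if user_tag == pwd_tag:
        findings.append("user and password tags are identical; "
                        "SSO look-up fails (see Q291805)")
    seen_user = seen_pwd = False
    for lineno, line in enumerate(script.splitlines(), 1):
        m = SEND_RE.match(line)
        if not m:
            continue
        for f in split_fields(m.group(2)):
            if KEY_TOKEN_RE.fullmatch(f):          # @E, @T: keystrokes only
                continue
            if f in (user_tag, pwd_tag):
                seen_user |= f == user_tag
                seen_pwd |= f == pwd_tag
            elif f not in allowlist:
                findings.append(f"line {lineno}: SEND transmits literal {f!r}; "
                                "possible clear-text credential")
    if seen_user != seen_pwd:
        findings.append("only one of the two SSO tags is present")
    return findings


if __name__ == "__main__":
    sso_script = convert_to_sso(RECORDED_SCRIPT, "MYUSERID", "MYPASSWD")
    print(sso_script)
    print("recorded :", audit_sso_script(RECORDED_SCRIPT))
    print("converted:", audit_sso_script(sso_script))
```

Run against the recorded sample, the audit reports the two SEND lines carrying MYUSERID and MYPASSWD; after conversion it reports nothing. Extend the allowlist with whatever application commands your own recorded scripts send (IMS, CICS transaction names and so on) so that only unexpected literals are flagged, and run the audit over every .lsc file before it is placed on a share for other users.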