DOCUMENT:Q294974 17-OCT-2001 [sna] TITLE :Password Synchronization to AS/400 Fails with Events 1506 & 6005 PRODUCT :Microsoft SNA Server PROD/VER::3.0 (all SP),4.0,4.0 SP1,4.0 SP2,4.0 SP3,4.0 SP4 OPER/SYS: KEYWORDS:kbDSupport kbsna300sp1 kbsna300sp2 kbsna300sp3 kbsna300sp4 sna4 kbsna400sp1 kbsna400sp2 ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft SNA Server, versions 3.0 SP1, 3.0 SP2, 3.0 SP3, 3.0 SP4, 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4 - Microsoft Host Integration Server 2000 ------------------------------------------------------------------------------- SYMPTOMS ======== End users may be unable to log on to their IBM AS/400 after changing their Windows NT or Windows 2000 password if SNA Server or Host Integration Server 2000 is configured to replicate password changes to the AS/400. The following events will be logged in the Application Event log when this occurs: Event ID: 1506 Source: SNA Host Security Description: Security DLL could not establish network connection to host side components. Event ID: 6005 Source: AS400 MDSI Description: The SNA APPC service returned the following error when attempting an operation for in the domain: The userid or password is not valid. Try again or contact System Administrator. Similar events would be logged if SNA Server or Host Integration Server 2000 is configured to replicate password changes to an IBM mainframe instead of an AS/400. CAUSE ===== The password synchronization fails if the user changing his or her Windows NT or Windows 2000 password has an uninitialized password in the Host Account Cache (HAC) database. For additional information on other scenarios that can cause the same event messages, click the article numbers below to view the articles in the Microsoft Knowledge Base: Q201359 Synchronizing Windows NT to AS/400 Passwords Using HSI Q232035 AS/400 Password Change Using Host Security May Not Complete RESOLUTION ========== This problem can be avoided if users are added to the Host Account Cache database through the use of the Host Account Manager (Udconfig.exe) tool, which is included with SNA Server and Host Integration Server 2000. The user's Windows password is specified when the user is added to the Host Account Cache database, which prevents an uninitialized password from being sent to the host system. MORE INFORMATION ================ Host security domains (HSD) are configured in SNA Manager. A Host Security Domain Wizard is provided to simplify the process of creating an HSD. Each HSD represents a "host" user database. When configured initially, an HSD is assigned to a particular host connection. Within the Host Account Cache (HAC) database, each user's record contains an entry for every host security domain of which they are a member. When a host security domain is created, a Windows 2000 (or Windows NT) user group must be created with the same name. Users who are members of this group can cache information in the Host Account Cache database for this HSD. A second group is also created that appends "_Proxy" to the HSD name for its group name. Members of the "_Proxy" group can use the APPC Privileged Proxy feature. For example, if a host security domain called "AS400" is created, the Host Security Domain Wizard will create the following Windows 2000 (or Windows NT) groups: - AS400 - AS400_Proxy The Host Security Domain Wizard adds the \Domain Users group to the HSD group (in this case, AS400) when an HSD is created. Users in this group are authorized to populate host user IDs and passwords to the HAC database. The HSD Wizard adds the \Domain Admins group to the "_Proxy" HSD group when an HSD is created. Users that are not explicitly added to the Host Account Cache database will be added dynamically when they change their Windows 2000 (or Windows NT) password if they are members of the HSD group. Because the Domain Users group is added to the HSD group, by default every user in the Windows 2000 (or Windows NT) domain is a valid host security domain member. If the HSD is configured to replicate passwords to a host system (IBM AS/400s or IBM mainframes), the host security components will replicate a user's new Windows password to the host system when the password is changed. If the user has not been explicitly added to the HAC database, the user will be dynamically added to the HAC database when the user changes his or her password. When a user is added dynamically, the HAC database does not have any way to get the user's previous Windows password, and the user's new Windows password won't be sent to the HAC database until later. In this case, the HAC database has an "uninitialized" Windows password for the user. As the password synchronization process continues, the user's previous password must be obtained from the HAC database because it is needed to log on to the host system in order to have the password change to the new password. Because the HAC database does not have the user's previous password, it returns a default "uninitialized" value for the user's previous Windows password. The logon to the host system fails because the previous password (the "uninitialized" value) is not valid. This causes an error to be returned to the SNA Server or Host Integration Server 2000, resulting in the events listed in the "Symptoms" section of this article when an attempt is made to connect to the host system. See the following Microsoft Knowledge Base article for an overview of the Host Security components and architecture: Q175063 Host Security Integration Setup and Architectural Overview The third-party products discussed in this article are manufactured by vendors independent of Microsoft; we make no warranty, implied or otherwise, regarding these products' performance or reliability. Additional query words: ====================================================================== Keywords : kbDSupport kbsna300sp1 kbsna300sp2 kbsna300sp3 kbsna300sp4 sna4 kbsna400sp1 kbsna400sp2 kbsna400sp3 kbhis2000 kbsna400sp4 Technology : kbAudDeveloper kbSNAServSearch kbHostIntegServ2000 kbSNAServ400 kbSNAServ300SP3 kbSNAServ300SP1 kbSNAServ400SP1 kbSNAServ400SP2 kbSNAServ400SP3 kbSNAServ400SP4 kbSNAServ300SP2 kbSNAServ300SP4 Version : :3.0 (all SP),4.0,4.0 SP1,4.0 SP2,4.0 SP3,4.0 SP4 Issue type : kbprb ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.