Single Signon Fails if the Windows NT Primary Domain Controller is Unavailable

ID: Q235929


The information in this article applies to:


SYMPTOMS

An APPC application configured to use SNA Server's Single Sign-On (SSO) Privileged Proxy feature may fail to connect to the host if the primary domain controller (PDC) where the primary Host Account Cache (HAC) is running becomes unavailable. When the problem occurs, the APPC application receives an error message indicating that an invalid User ID or Password was used. For example, an ALLOCATE issued by an APPC application may fail with an error code of 080F6051 (AP_SECURITY_NOT_VALID).

NOTE: Applications using the standard SSO (not Privileged Proxy) feature may experience a similar problem if the fix described in the following Microsoft Knowledge Base article is not applied:

Q235381 SNA Server Access Violation While Determining Proxy Privilege


CAUSE

The SNA Server Host Security DLL (Snasii.dll) was originally designed to issue a GetDCName() call to locate a Windows NT domain controller. It uses the domain controller to determine which Windows NT groups the User ID specified by the application belongs to, and from that to verify whether the application's user context is authorized to make the request. The GetDCName() call always returns the name of the Windows NT PDC. The update discussed in article Q235381 changes the host security DLL to call GetAnyDCName() for this same function. The GetAnyDCName() call returns the names of backup domain controllers (BDCs) as well as the PDC. However, this call fails if the PDC is not available.

If the PDC is not available, the GetAnyDCName() call fails, so the host security DLL cannot verify whether the application's user context is authorized to make the request that was received. As a result, the invalid User ID or Password error is returned to the application.


RESOLUTION

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Microsoft SNA Server version 4.0 service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://www.microsoft.com/support/supportnet/overview/overview.asp

The English version of this fix should have the following file attributes or later:

File name     Date        Time
Snasii.dll    04/28/99    10:24AM
Snarpc.dll    04/28/99    10:24AM

NOTE: Because of file dependencies, the most recent fix that contains the above files may also contain additional files.

NOTE: If this product was already installed on your computer when you purchased it from the Original Equipment Manufacturer (OEM) and you need this fix, please call the Pay Per Incident number listed on the above Web site. If you contact Microsoft to obtain this fix, and if it is determined that you only require the fix you requested, no fee will be charged. However, if you request additional technical support, and if your no-charge technical support period has expired, or if you are not eligible for standard no-charge technical support, you may be charged a non-refundable fee.

For more information about eligibility for no-charge technical support, see the following article in the Microsoft Knowledge Base:
Q154871 Determining If You Are Eligible for No-Charge Technical Support


WORKAROUND

Make sure the PDC for the Windows NT domain is available.


STATUS

Microsoft has confirmed this to be a problem in Microsoft SNA Server versions 3.0, 3.0 SP1, 3.0 SP2, 3.0 SP3, 3.0 SP4, 4.0, 4.0 SP1, 4.0 SP2.


MORE INFORMATION

The Host Security DLL is updated to call NetServerEnum() if the GetAnyDCName() call fails. The NetServerEnum() call returns successfully even if the PDC is not available. The Host Security DLL is also updated to allow it to reconnect to a backup HAC if the primary HAC it is communicating with fails for some reason. With this update applied, the Host Security DLL can switch from the primary HAC to a backup HAC if the primary goes down. It can also locate a backup HAC at startup, even if the primary HAC is not running. This "hot backup" feature has the following requirements:

For additional information about SNA Server's Single Sign-On Privileged Proxy feature, please see the following article in the Microsoft Knowledge Base:
Q165385 Single Signon for APPC Applications Using Privileged Proxy
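
The lookup order described under CAUSE and MORE INFORMATION, as an added example that is not Microsoft's code: a portable C model showing why the authorization check fails closed when the PDC is down and how the NetServerEnum() fallback changes the result. The domain table, AUTH_OK, and the model_* functions are constructed stand-ins for illustration, not Win32 calls.

```c
#include <stdio.h>
#include <stddef.h>

#define AP_SECURITY_NOT_VALID 0x080F6051u /* error code quoted under SYMPTOMS */
#define AUTH_OK 0u                        /* hypothetical success value */

/* Constructed model of one Windows NT domain; not real directory data. */
typedef struct { const char *name; int is_pdc; int up; } dc_t;

/* First reachable controller, optionally restricted to the PDC. */
static const dc_t *first_up(const dc_t *dcs, size_t n, int pdc_only) {
    for (size_t i = 0; i < n; i++)
        if (dcs[i].up && (!pdc_only || dcs[i].is_pdc))
            return &dcs[i];
    return NULL;
}

/* Stand-in for GetAnyDCName() as the article describes it: it can name a
   BDC or the PDC, but the call itself fails when the PDC is unreachable. */
static const dc_t *model_get_any_dc(const dc_t *dcs, size_t n) {
    return first_up(dcs, n, 1) ? first_up(dcs, n, 0) : NULL;
}

/* Stand-in for NetServerEnum(): lists reachable DCs without needing the PDC. */
static const dc_t *model_server_enum(const dc_t *dcs, size_t n) {
    return first_up(dcs, n, 0);
}

/* The group-membership check needs a DC. With none found it fails closed,
   which the application sees as an invalid User ID or Password. */
unsigned authorize(const dc_t *dcs, size_t n, int with_fix, const char **used) {
    const dc_t *dc = model_get_any_dc(dcs, n);
    if (dc == NULL && with_fix)          /* fallback added by the fix */
        dc = model_server_enum(dcs, n);
    *used = dc ? dc->name : NULL;
    return dc ? AUTH_OK : AP_SECURITY_NOT_VALID;
}

int main(void) {
    /* Constructed scenario: two BDCs reachable, PDC down. */
    dc_t dcs[] = { {"BDC1", 0, 1}, {"PDC", 1, 0}, {"BDC2", 0, 1} };
    const char *used;
    unsigned rc = authorize(dcs, 3, 0, &used);
    printf("without fix: rc=%08X dc=%s\n", rc, used ? used : "(none)");
    rc = authorize(dcs, 3, 1, &used);
    printf("with fix:    rc=%08X dc=%s\n", rc, used ? used : "(none)");
    return 0;
}
```

Even with the fallback, the check still returns AP_SECURITY_NOT_VALID when no domain controller at all is reachable, so the authorization decision never defaults to allow.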


Keywords          : sna3 sna3sp1 sna3sp2 sna3sp3 sna3sp4 sna4sp1 sna4sp2 
Version           : WINDOWS:3.0,3.0SP1,3.0SP2,3.0SP3,3.0SP4,4.0,4.0SP1,4.0SP2
Platform          : WINDOWS 
Issue type        : kbbug 

Last Reviewed: June 28, 1999