Microsoft KB Archive/235381

= SNA Server Access Violation While Determining Proxy Privilege =

Article ID: 235381

Article Last Modified on 9/22/2005

-

APPLIES TO


 * Microsoft SNA Server 4.0

-



This article was previously published under Q235381





SYMPTOMS
The SNA Server service (Snaservr.exe) may unexpectedly fail with an access violation, causing an SNA Server Event 624 to be logged in the Windows NT application event log, and a log entry to be written to the Winroot\Drwtsn32.log file. This specific problem only occurs when SNA Server is supporting an application that is attempting to use "privileged proxy" security, as described in the following Knowledge Base article:

165385 Single Signon for APPC Applications Using Privileged Proxy

For example, this could occur if COM Transaction Integrator (COMTI) is being used and a COMTI Remote Environment is configured to authenticate with user credentials.

When this failure occurs, all SNA client users who are currently accessing this server lose their SNA sessions. Note that the stack-back trace indicates that the Snasii.dll (SNA Server Host Security DLL) has been called by the SNA Server service. Application exception occurred: App: exe\snaservr.dbg (pid) Exception number: c0000005 (access violation)

function: nosymbols 77820998 804d0d02        or      byte ptr [ebp+0xd],0x2 7782099c 53              push    ebx 7782099d 56              push    esi 7782099e 57              push    edi 7782099f 68d85f8377      push    0x77835fd8 778209a4 ff15f0928277    call    dword ptr [778292f0] 778209aa 8b7508          mov     esi,[ebp+0x8] 778209ad 85f6            test    esi,esi 778209af 7505            jnz     778209b6 778209b1 bebc948277      mov     esi,0x778294bc FAULT ->778209b6 668b0e          mov     cx,[esi]   ds:000307cf=????


 * Stack Back Trace *

FramePtr ReturnAd Param#1 Param#2  Param#3  Param#4  Function Name 0dd8f8f4 7781d016 000307cf 00000200 00000001 000f36b8 netapi32!nosymbols 0dd8f938 6198305c 000307cf 0010bcf6 00000000 0dd8f980 netapi32!NetGroupGetUsers 0dd8f970 61983966 0dd8fccc 00000000 00000000 00000000 snasii!nosymbols (FPO: [EBP 0x00000000] [5,1,4]) 0dd8faa4 619847f7 0dd8fccc 0dd8fcf6 0dd8fac8 61988078 snasii!nosymbols (FPO: [EBP 0x602027a0] [5,67,4]) 0dd8fcc4 61985503 006c0066 002d006c 00730061 00610070 snasii!nosymbols (FPO: [85,128,2])



CAUSE
When SNA Server receives a "privileged proxy" host security request from an APPC application, the SNA Server first verifies if the application's user context is authorized to make the request. As part of this verification, SNA Server attempts to determine what groups the user is a member of. If the Windows NT primary domain controller (PDC) for the user domain is inactive, SNA Server passes an invalid server name to the NetGroupGetUsers function, leading to an access violation.

The actual access violation occurs in netapi32!UaspOpenDomain, an internal function called by netapi32!NetGroupGetUsers.



RESOLUTION
To resolve this problem, obtain the latest service pack for SNA Server version 4.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

215838 How to Obtain the Latest SNA Server Version 4.0 Service Pack



STATUS
Microsoft has confirmed that this is a problem in Microsoft SNA Server version 4.0, 4.0 SP1 and 4.0 SP2. This problem was first corrected in SNA Server version 4.0 Service Pack 3.



MORE INFORMATION
With this update applied, the SNA Server host security DLL (Snasii.dll) no longer encounters an access violation if the Windows NT PDC is down and the COMTI user authentication is being used. In addition, Snasii attempts to use the closest domain controller (including backup domain controllers), not relying on the PDC, and find another domain controller if the one becomes unavailable.

Keywords: kbbug kbfix kbsna400sp3fix kbqfe kbhotfixserver KB235381

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.