Microsoft KB Archive/201359

= Synchronizing Windows NT to AS/400 Passwords Using HSI =

Article ID: 201359

Article Last Modified on 4/19/2005

-

APPLIES TO


 * Microsoft SNA Server 3.0 Service Pack 4
 * Microsoft SNA Server 4.0
 * Microsoft SNA Server 3.0 Service Pack 2
 * Microsoft SNA Server 3.0 Service Pack 3
 * Microsoft SNA Server 3.0 Service Pack 4
 * Microsoft SNA Server 4.0
 * Microsoft SNA Server 4.0 Service Pack 1
 * Microsoft SNA Server 4.0 Service Pack 2
 * Microsoft SNA Server 4.0 Service Pack 3

-



This article was previously published under Q201359



SYMPTOMS
When you use Microsoft Host Security Integration (HSI) and select the Password is Replicated option from the Host Security Domain properties, you can change a Windows NT user password, while synchronizing the password change to the AS/400 user database at the same time.

The initial password change request can come from anyone of the following sources:
 * Windows NT Server by using User Manager for Domains
 * Windows NT Workstation by using the CTRL-ALT-DELETE key combination, and then selecting Change Password
 * Windows 95/98 computer by clicking the Passwords icon in Control Panel

When a password change request is completed from one of the above sources, the end user can log off, and then log back on to Windows NT using the "new" password. However, if a password change request fails to complete in the AS/400 user database, the end user has no way of knowing until the next time they request a session. If you use the 5250 applet that ships with SNA Server, the following error message occurs when you use the "new" password:

The host system rejected the connection due to a security validation error. Please check your session configuration.

[0003] [080F6051]

The following is the Primary and Secondary return code information:

PRC = [0003] AP_ALLOCATION ERROR

APPC has failed to allocate a conversation. The conversation state is set to RESET.

SRC = [080F6051] AP_SECURITY_NOT_VALID

The user ID or password specified in the allocation request was not accepted by the partner LU.

Note: Other third-party emulators may report a different error message.



CAUSE
In most cases, the cause for this problem is due to a set of rules or "System Values" on the AS/400 user database, which is similar to the "Account Policies" in Windows NT User Manager for Domains.

Additional Information
Viewing the application log in the Event Viewer may help in resolving why a "new" password was rejected from the AS/400. Every time the password is rejected, it records various logs, normally four entries total. The following two are always recorded:

Event 6005 - Source: AS400 MDSI

Event 1506 - Source: SNA Host Security

You then receive two additional events, which may provide more detail. In the following example, a password of 10 characters is used, which the AS/400 does not allow:

Event 6012 - Source: AS400 MDSI

The AS/400 in domain  reports that the new password for  is invalid for the following reason:

Password longer than 8 characters.

Event 1513 - Source: SNA Host Security

New host password supplied is longer than maximum allowed.

The events from this next example occur as a result of the password being the same as the AS/400 User ID, which the AS/400 does not allow:

Event 6012 - Source: AS400 MDSI

The AS/400 in domain  reports that the new password for  is invalid for the following reason:

Password cannot be same as user ID.

Event 1511 - Source: SNA Host Security

Invalid new password for the host user was specified.



RESOLUTION
Correct the restriction for the user's password as indicated by the event message. If the message does not include the actual problem description, view the System Operator Messages on the AS/400 for more information.



MORE INFORMATION
With Host Security Integration, you can change and synchronize passwords from a Windows NT user database to an AS/400 user database running V3R1 or later without any additional host (AS/400) code being needed. This unidirectional password change is made possible by the Sec400.dll file that is installed when your Host Security Domain is configured.

For bi-directional password changes (AS/400 to Windows NT), third-party software is required. Please see the Companion Products Catalog on the SNA Server compact disc for references.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

175063 Host Security Integration Setup and Architectural Overview

Additional query words: sync

Keywords: kbhowto kbprb KB201359

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.