Microsoft KB Archive/912686

= A software update is available for Host Integration Server 2004 that adds support for the Local System Account (LSA) logon method =

Article ID: 912686

Article Last Modified on 12/4/2007

-

APPLIES TO


 * Microsoft Host Integration Server 2004 Enterprise Edition
 * Microsoft Host Integration Server 2004 Standard Edition

-



Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



INTRODUCTION
This article discusses a software update that adds support for the Local System Account (LSA) logon method in Microsoft Host Integration Server 2004. Support was removed for the LSA logon method in Host Integration Server 2004 to help make the product more secure. The following Knowledge Base articles describe some problems that may occur because of the lack of support for LSA logons in Host Integration Server 2004:

888762 Distributed Link Services that are started by using the LocalSystem account do not connect to Host Integration Server 2004-based servers

888478 SNA applications that run as Windows services do not connect to a Host Integration Server 2004-based server and log an event 705 message



MORE INFORMATION
This software update adds support for the LSA logon method in Host Integration Server 2004.

Important We strongly recommend that customers consider the risk to a system when Host Integration Server 2004 is configured to use the LSA logon method. Host Integration Server services require elevated rights to support LSA. If the Host Integration Server service is compromised, the effects of the compromise may be increased because of these elevated rights.

Software update information
A supported feature that modifies the product's default behavior is now available from Microsoft, but it is only intended to modify the behavior that this article describes. Apply it only to systems that specifically require it. This feature may receive additional testing. Therefore, if the system is not severely affected by the lack of this feature, we recommend that you wait for the next Host Integration Server 2004 service pack that contains this feature.

To obtain this feature immediately, contact Microsoft Product Support Services. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

File information
The English version of this software update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Note Because of file dependencies, the most recent software update that contains these files may also contain additional files.

Configuration information
After you apply the software update, you must configure support for LSA logons. To do this, follow these steps.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.  Add the SupportLSA registry parameter. To do this, follow these steps:  Click Start, click Run, type regedit, and then click OK. Locate and then click the following registry subkey:

 

 Right-click Parameters, point to New, and then click DWORD Value. Type SupportLSA, and then press ENTER. Double-click SupportLSA, type 1, and then click OK. Close Registry Editor.</li></ol> </li> Stop and start the SnaBase service to enable the registry parameter. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> Click Start, click Run, type services.msc, and then click OK.</li> Right-click SnaBase, and then click Stop.</li> Right-click SnaBase, and then click Start.</li> Close the Services window.</li></ol> </li> Grant the Host Integration Server Service Account the Act as part of the operating system user right. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> Click Start, click Run, type secpol.msc, and then click OK.</li> Under Security Settings, expand Local Policies.</li> Click User Rights Assignment.</li> Double-click Act as part of the operating system.</li> Click Add User or Group.</li> Type the name of the Host Integration Server Service Account that is specified in the Host Integration Server Configuration Wizard, and then click OK.

Note If you click Advanced to add an account, you may have to click Object Types or Location to add the account that you want.</li> Click OK.</li> Close the Local Security Settings window.</li></ol> </li></ol>

Note These steps explain how to set a user right in the local security policy for a Microsoft Windows Server 2003-based server. If the server is a member of a domain, you may have to use the Group Policy Object Editor (Gpedit.msc) to add the user right. If the server is a Windows Domain Controller, you must use the Domain Controller Security Policy tool (Dompol.msc) to add the user right.

After you enable support for LSA logons on a Host Integration Server 2004 server, the following error message is logged in the Application log every time that the SnaBase service is started:

Event Source: SNA Base Service

Type: Error

Event ID: 5510

Description: Support for LSA logons has been enabled. Enabling this support, along with support for anonymous logons increases the security risk to the server. Microsoft recommends turning off LSA support

Keywords: kbinfo kbqfe kbpubtypekc kbhotfixserver KB912686

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.