Microsoft KB Archive/232035

= AS/400 Password Change Using Host Security May Not Complete =

Article ID: 232035

Article Last Modified on 11/18/2004

-

APPLIES TO


 * Microsoft SNA Server 3.0 Service Pack 4
 * Microsoft SNA Server 4.0

-



This article was previously published under Q232035



SYMPTOMS
When you use Microsoft's SNA Server Host Security Integration (HSI) to make a password change on an AS/400 system, the request will be sent to the AS/400 system, however, the password change may never reach the AS/400 User Database.

If a password change request doesn't work, end users have no way of knowing this until the next time they try logging onto the AS/400 using the "new" AS/400 password. If using the 5250 applet that is included with Microsoft's SNA Server, the following error message is displayed:

The host system rejected the connection due to a security validation error. Please check your session configuration.

[0003] [080F6051]

Here is the primary and secondary return code information:

PRC = [0003] AP_ALLOCATION ERROR

APPC has failed to allocate a conversation. The conversation state is set to RESET.

SRC = [080F6051] AP_SECURITY_NOT_VALID

The user ID or password specified in the allocation request was not accepted by the partner LU.

NOTE: Other third-party emulators may report a different error message.

ADDITIONAL INFORMATION
During the time of a password change failure, the following entries are recorded in the Event Viewer application log on the SNA Server:
 * Event 6005 Source: AS400MDSI

The SNA APPC service returned the following error when attempting an operation for [userid_name] in the [Host_Security_Domain_Name]:

Receive and Wait verb has completed with primary return code Allocation Error.
 * Event 1506 Source: SNA Host Security

Security DLL could not establish network connection to host side components.

If an SNA Server DLC trace (nodemsg) is taken when the password request leaves the SNA Server (node), the AS/400 rejects the Attach (02FF) with a 0846 0000 sense code promising the SNA Server the real error in a later message. DLC  --- 12:39:53.0859 DLC  01020501->04160001 DLC DATA DLC                     DAF:01 OAF:01 ODAI:off Normal DLC                     RQE FMD FI BC EC DR1 PI CD DLC DLC   Header  at address 011946F0, 1 elements DLC  0B050000 1D002C00 01010001 01009300     <......,.......l.> DLC DLC   Element at address 01B83480, start 10, end 136 DLC  0B912040 0502FF10 03D10000 0406F3F0     <.j @.....J....30> DLC  F1120702 D4D6D5E3 C5C20901 36D18DB1     <1...MONTEB..6J..> DLC  FE4EE330 140BC1D7 D7D54BD3 D6C3C2C9     <.NT0..APPNKLOCBI> DLC  C707CF05 0C0C2700 01000800 00000000      DLC  00000100 3C12FF00 38122100 34FF0408     <....<...8.!.4...> DLC  01D4D6D5 E3C5C20A 07000000 00000000     <.MONTEB.........> DLC  020A035A 2F306BE7 AD90A60A 05909504     <...Z/0kX..w...n.> DLC  FE1D27EC 550A04C8 82A03363 31B53D       <..'.U..Hb.3c1.= > DLC  --- 12:39:53.0869 DLC  04160001->01020501 DLC DATA DLC                     DAF:01 OAF:01 ODAI:off Normal DLC                     +RSP FMD BC EC PI DLC DLC   Header  at address 011946F0, 1 elements DLC  0B050000 1D002C00 01010000 01004301     <......,.......C.> DLC DLC   Element at address 01B83480, start 10, end 12 DLC  830100                                   DLC  --- 12:39:53.0869 DLC  04160001->01020501 DLC DATA DLC                     DAF:01 OAF:01 ODAI:off Normal DLC                     -RSP FMD SD BC EC DR1 DLC DLC   Header  at address 011946F0, 1 elements DLC  0B050000 1D002C00 01018000 01004301     <......,.......C.> DLC DLC   Element at address 01B83480, start 10, end 16 DLC  87900008 460000                                    ^^ ^^^^^^   --- 12:39:53.0869 The 0846 0000 sense code means ERP Message Forthcoming.

Here is the actual error from the AS/400:

DLC  --- 12:39:53.0869 DLC  04160001->01020501 DLC DATA DLC                     DAF:01 OAF:01 ODAI:off Normal DLC                     RQE FMD FI BC EC DR1 PI CEB DLC DLC   Header  at address 01194890, 1 elements DLC  0B050000 1D002C00 01010001 01004301     <......,.......C.> DLC DLC   Element at address 01B83A34, start 10, end 49 DLC  0B910107 07084B60 3180001E 12E10018     <.j....K`1.......> ^^^^^^ ^^

Primary Sense Code: 084B - Requested Resources Not Available

Secondary Sense Code: 6031 - Transaction Program Not Available



CAUSE
The subsystem or job where this transaction program (TP) runs on the AS/400 is not active.



RESOLUTION
The transaction program to which SNA Server's Host Security talks is named QACSOTP. This TP normally runs as a job under a particular subsystem on the AS/400. For example, the AS/400 subsystem may be called QBASE, which is part of a library called QSYS where the program job TP QACSOTP runs. If either the subsystem QBASE, or the TP QACSOTP is not "active," password changes do not work.



MORE INFORMATION
Microsoft's Host Security Integration components provides out of the box one-way (unidirectional) password synchronization from Windows NT to IBM AS/400 systems (V3R1 or later) without any additional host code being needed. This is made possible by means of the Sec400.dll that gets installed with HSI and used after configuring and setting up a Host Security Domain.

For two-way (bi-directional) password changes (AS/400 to Window NT), third-party solutions are required. For a list of third-party independent software vendors (ISVs), please see the Companion Product Catalog (Isvcatal.doc) on the SNA Server CD.

The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Keywords: kbprb kbfaq KB232035

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.