Microsoft KB Archive/888762

= Distributed Link Services that are started by using the LocalSystem account do not connect to Host Integration Server 2004-based servers =

Article ID: 888762

Article Last Modified on 12/4/2007

-

APPLIES TO


 * Microsoft Host Integration Server 2000 Standard Edition
 * Microsoft Host Integration Server 2000 Service Pack 1
 * Microsoft Host Integration Server 2004 Standard Edition

-





SYMPTOMS
Distributed Link Services (DLS) link services that are started by using the LocalSystem account on Microsoft Host Integration Server 2000-based servers do not connect to Host Integration Server 2004-based servers.

If host connections are configured to use a DLS link service such as SnaRem1 in Host Integration Server 2000, a status message that is similar to the following may appear in SNA Manager when the problem occurs:

[Pending](Failed @ )

You receive an error message that is similar to the following on the Host Integration Server 2000-based server:

Event ID: 23

Source: SNA Server

Description: Connection Failure

Connection =

Link Service =

Outage Code =

You also receive the following error message on the Host Integration Server 2004-based server that the DLS link service is trying to connect to when the problem occurs:

Event ID: 705

Source: SNA Base Service

Description: Logon Failed.

EXPLANATION

Access denied on client-server or Distributed Link Service connection request.

Connection from  denied because LSA logons are not supported. --- Error Code : 4097



CAUSE
Host Integration Server 2000 uses the Local System Account (LSA) logon method for validation when a DLS link service is started by using the LocalSystem account. LSA logons are not supported in Host Integration Server 2004. Therefore, DLS link services that are started by using the LocalSystem account on Host Integration Server 2000 and on earlier versions of SNA Server cannot connect to Host Integration Server 2004.



RESOLUTION
To resolve this behavior, you must configure DLS link services to start by using user credentials that can access resources on the Host Integration Server 2004-based server.



STATUS
This behavior is by design.



MORE INFORMATION
Support for the LSA logon method was removed in Host Integration Server 2004 to help make the product more secure. If you have applications or services such as DLS link services that use the LocalSystem account, we recommend that you modify these applications or services to use valid user credentials to access remote resources.

If anonymous logon support is enabled, any service or application that passes null credentials can access the Host Integration Server 2004-based server without having to provide valid user credentials. Null credentials are a null user account name, password, and domain. The application or service could possibly perform disruptive or destructive actions.

For more information about the LocalSystem account and the extensive permissions that it has on the local computer, visit the following Microsoft Developer Network (MSDN) Web site:

http://msdn2.microsoft.com/en-us/library/ms684190.aspx\

We do not recommend that you use the LocalSystem account unless a service actually must have all the permissions that are provided by this account. Additionally, services that run under the LocalSystem account will use null credentials when they access remote resources.

For additional information about a related Host Integration Server 2004 issue that occurs when you use SNA applications that run as Windows services by using the LocalSystem account, click the following article number to view the article in the Microsoft Knowledge Base:

888478 SNA applications that run as Windows services do not connect to a Host Integration Server 2004-based server and log an event 705 message

Additional query words: HIS2004

Keywords: kbprb KB888762

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.