Microsoft KB Archive/194741

= StarQuest ODBC Sessions Through SNA Server Fail When Using IIS =

Article ID: 194741

Article Last Modified on 10/27/2006

-

APPLIES TO


 * Microsoft SNA Server 4.0 Service Pack 1

-



This article was previously published under Q194741





SYMPTOMS
ODBC sessions using the StarQuest ODBC driver bundled with SNA Server 4.0 Service Pack 1 (SP1) fail to start when connecting through IIS. The following error is returned by SNA Server's APPC library when this problem occurs:

Primary Return Code: F004 (AP_COMM_SUBSYSTEM_NOT_LOADED)

ODBC connections through applications (that is, MSQuery) other than Internet Information Server (IIS) do not exhibit this problem. In addition, this problem did not occur when using SNA Server 4.0 and earlier.

Also, Event ID 705 may get logged when the session fails to connect. The following error is logged with APPC Application Event ID 705:

Logon Failed.

EXPLANATION

Connection request failed due to data security.

Access denied --- Error Code : 44



CAUSE
When an ODBC connection through IIS is started, SNA Server's DMOD initialization fails because the initialization is started by a thread that is impersonating another user. In this case, the impersonated user is likely to be IUSR_ or whatever the IIS account has been changed to. This occurs because the impersonating thread does not have the rights needed to modify any of the process security settings.



RESOLUTION
Microsoft has confirmed this to be a problem in SNA Server version 4.0 SP1. This problem was corrected in the latest SNA Server version 4.0 U.S. Service Pack. For information on obtaining this Service Pack, query on the following word in the Microsoft Knowledge Base (without the spaces):

  S E R V P A C K



MORE INFORMATION
After applying the hotfix, the DMOD initialization will be done in a thread that has the necessary rights to modify the process security settings.

By default, when IIS is installed, it creates a user account called IUSR_, where is the name of the computer on which IIS is running. When a request is received by IIS from an application, IIS will impersonate the IUSR_ account in order to execute any code or access any files that are involved in the request.

For more information on IIS security, please see the following Microsoft Knowledge Base article:

  ARTICLE-ID: Q158229   TITLE     : Security Ramifications for IIS Applications

Keywords: kbbug kbfix KB194741

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.