Microsoft KB Archive/248479

= Host Account Database Location for Single Sign-On =

Article ID: 248479

Article Last Modified on 2/20/2007

-

APPLIES TO


 * Microsoft Host Integration Server 2000 Standard Edition
 * Microsoft SNA Server 3.0 Service Pack 4
 * Microsoft SNA Server 4.0
 * Microsoft SNA Server 3.0 Service Pack 2
 * Microsoft SNA Server 3.0 Service Pack 3
 * Microsoft SNA Server 4.0 Service Pack 1
 * Microsoft SNA Server 4.0 Service Pack 2
 * Microsoft SNA Server 4.0 Service Pack 3
 * Microsoft SNA Server 4.0 Service Pack 4

-



This article was previously published under Q248479



SUMMARY
When you use the Host Security Integration features to provide Single Sign-On (SSO) support, the SNA Server/Host Integration Server (HIS) 2000 computer needs to contact a Host Account Cache (HAC) database to get the correct host user credentials to send to the host system.

The Host Security Integration dynamic link library (DLL) (Snasii.dll) is responsible for locating an HAC database that can be used for host account look ups.



MORE INFORMATION
The Snasii.dll file is initialized when the SNA Server service starts. During initialization, the Snasii.dll file attempts to locate a secondary (backup) host account database (SDB) to use for host account look-ups. The following steps describe the process that is used to locate a secondary HAC database.

 1. The Snasii.dll file makes a call to determine the primary domain controller (PDC)/PDC emulator for the Windows NT/Windows 2000 domain.
 2. A remote procedure call (RPC) connection to the PDC/PDC emulator where the master database (MDB) resides is attempted.
 3. If the RPC connection to the MDB is successful:
    a. A UDI_LOCATE message is sent to the MDB asking for the name of an SDB. The UDI_LOCATE message also includes the SNA subdomain for the SNA Server.
    b. The MDB checks to see if any SDBs are registered with an SNA subdomain name that matches the subdomain name in the UDI_LOCATE message.
       * If there are SDBs that are registered with the same subdomain name, the MDB sends a response to the UDI_LOCATE message that includes the name of the first SDB that matches the request. In HIS 2000, the response to the UDI_LOCATE message includes the name of the SDB that has the same subdomain name and the lowest locate_count number.
         NOTE: The locate_count number was added in HIS 2000 to provide load-balancing among SDBs. Prior to HIS 2000, all SNA Server computers in a subdomain used the same SDB for account look-ups because the MDB always returned the first SDB in its list that matched the subdomain name specified.
       * If there are no SDBs registered with the MDB with the same subdomain name, the MDB sends a response to the UDI_LOCATE message that includes the name of the first SDB in its list, regardless of the subdomain name. In HIS 2000, the MDB sends a response to the UDI_LOCATE message that includes the name of the SDB that has the lowest locate_count, regardless of the subdomain name.
       * If there are no SDBs registered with the MDB at all, the MDB sends a response to the UDI_LOCATE message that indicates that the MDB itself should be used for the account look-ups.
 4. If the RPC connection to the MDB is unsuccessful (for example, if the MDB is unavailable) and SNA Server 4.0 Service Pack (SP) 3 or later is being used:
    a. The Snasii.dll file checks to see if there is an active HAC database installed locally; if there is, it uses this SDB for host account look-ups.
    b. If the local system does not have an active HAC database, the Snasii.dll file issues an API call to find all of the backup domain controllers (BDCs) (DCs in Windows 2000) in the domain. It then contacts each BDC (or DC) in turn to see if it has an active HAC database. It connects to the first BDC (or DC) that reports that it has an active database and uses this database for host account look-ups.

NOTE: The ability to search for BDCs was added in SNA Server 4.0 SP3. Refer to the following article for details on the problem that resulted in this new functionality:

235929 Single Sign-On Fails If the Windows NT Primary Domain Controller is Unavailable

For additional information regarding the initialization of the SNASII.DLL when host security is not being used, click the article number below to view the article in the Microsoft Knowledge Base:

265384 SNASII.DLL Always Tries to Locate Host Account Cache Database

Other Points of Interest:
 * All SNA Server 3.0/4.0 computers in a subdomain that do account look-ups use the same SDB for account look-ups, because the MDB always returns the first SDB in its list that matches the subdomain name that is specified. The MDB does not implement any load-balancing algorithm to distribute the host account look-ups across multiple SDBs. Load-balancing was implemented in HIS 2000, as described previously.
 * An SNA Server/HIS 2000 computer with a secondary HAC database is only guaranteed to use its local HAC database for host account look-ups when the MDB is unavailable.
 * SDBs reregister with the MDB every three minutes. This is done to make sure that the MDB has an accurate list of active SDBs. If an SDB has not reregistered after three registration periods (approximately 9 minutes), the MDB removes it from its list of active SDBs.
 * When a new SDB is registered with the MDB, all SNA Server computers with the same subdomain name as the new SDB relocate to this new SDB. The new SDB is then used for host account look-ups.
   NOTE: This does not apply when HIS 2000 is being used.
 * The SNA Host Account Cache service can be installed on a Windows NT/Windows 2000 member server, and can be used for host account look-ups. If there are no other SDBs installed on BDCs (or DCs) in the domain, SNA Server/HIS 2000 computers cannot locate these SDBs if the MDB is unavailable. The reason for this is that SNA Server/HIS 2000 (Snasii.dll) searches for an active local HAC database, and then it searches for BDCs (or DCs). It does not search for member servers. If the SNA Server/HIS 2000 computers are running on member Windows NT/Windows 2000 servers and each has an active SDB, then each would use its own local HAC database if the MDB is unavailable.
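The locate steps in MORE INFORMATION and the points in the list above, modeled as an added example (not Microsoft's code) for reasoning about which database an SNA Server/HIS 2000 computer ends up using. The Sdb class, the function names, the constructed registration list and the assumption that the MDB increments an SDB's locate_count each time it hands that SDB out are mine, not from the article.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Sdb:
    name: str
    subdomain: str          # SNA subdomain the SDB registered with
    locate_count: int = 0   # HIS 2000 only; drives load-balancing

def mdb_locate(sdbs: List[Sdb], subdomain: str, his2000: bool) -> str:
    """Model of the MDB's answer to a UDI_LOCATE that carries `subdomain`.
    Returns the chosen SDB name, or "MDB" when no SDB is registered."""
    if not sdbs:
        return "MDB"                  # MDB itself serves the look-ups
    matching = [s for s in sdbs if s.subdomain == subdomain]
    candidates = matching or sdbs     # no subdomain match: any SDB will do
    if not his2000:
        return candidates[0].name     # SNA Server 3.0/4.0: first in the list
    chosen = min(candidates, key=lambda s: s.locate_count)
    chosen.locate_count += 1          # assumption: MDB bumps the count per locate
    return chosen.name

def snasii_locate(mdb_reachable: bool, sdbs: List[Sdb], subdomain: str,
                  his2000: bool, sp3_or_later: bool, local_active: bool,
                  bdcs: List[Tuple[str, bool]]) -> Optional[str]:
    """Model of Snasii.dll picking a database at SNA Server service start.
    bdcs holds (BDC/DC name, has active HAC database) pairs; member servers
    are deliberately absent because Snasii.dll never searches them."""
    if mdb_reachable:
        return mdb_locate(sdbs, subdomain, his2000)
    if not sp3_or_later:
        return None                   # pre-SP3: no fallback, SSO fails (KB 235929)
    if local_active:
        return "LOCAL"                # local SDB wins when the MDB is down
    for name, active in bdcs:
        if active:
            return name               # first BDC/DC that reports an active HAC
    return None                       # nothing found: no database located

def sample_sdbs() -> List[Sdb]:
    """Constructed registration list (not data from the article)."""
    return [Sdb("SDB-A", "OTHER", 5), Sdb("SDB-B", "SNA1", 2), Sdb("SDB-C", "SNA1", 0)]
```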

Additional query words: HIS 2000

Keywords: kbinfo KB248479

-


© Microsoft Corporation. All rights reserved.