Microsoft KB Archive/236122

= SNA Server Fails to Correctly Support Both AV and PV for APPC Conversation Security =

Article ID: 236122

Article Last Modified on 9/22/2005


APPLIES TO


 * Microsoft SNA Server 3.0 Service Pack 2
 * Microsoft SNA Server 3.0 Service Pack 3
 * Microsoft SNA Server 3.0 Service Pack 4
 * Microsoft SNA Server 4.0
 * Microsoft SNA Server 4.0 Service Pack 1
 * Microsoft SNA Server 4.0 Service Pack 2




This article was previously published under Q236122





SYMPTOMS
An APPC Transaction Program configured to run on SNA Server may receive a BIND from the Host whose BIND Security Support Indicators indicate support for both Already Verified (AV) and Persistent Verification (PV).

During later conversation processing, if the Transaction Program changes conversation security from AP_NONE to AP_SAME in subsequent ALLOCATE verbs, the APPC session may fail with Primary Return Code 0003 (AP_ALLOCATION_ERROR) and Secondary Return Code 080F6051 (AP_SECURITY_NOT_VALID), and the following event may be logged in the Windows NT Application Log:

Event ID: 63

Source: SNA Server

Description: Incorrect password received from client for logged on user.

EXPLANATION

An invalid password was specified for a signed-on PV user (user ID: user). This password will be forwarded to the host to verify. If the password has changed, then the host will accept the new password, and the conversation will continue without persistent verification.

ACTION

If host rejects password, then check password, and try again.



CAUSE
SNA Server fails to correctly implement user credential manipulation when the APPC conversation security is changed between ALLOCATE verbs.



RESOLUTION
To resolve this problem, obtain the latest service pack for SNA Server version 4.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

215838 How to Obtain the Latest SNA Server Version 4.0 Service Pack



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section of this article. This problem was first corrected in SNA Server version 4.0 Service Pack 3.



MORE INFORMATION
The problem is that when both AV and PV are specified, SNA Server treats the message as a hybrid of both.

In the APPC library, the password is stripped out because it is AV. In the SNA Server, as a result of the issue discussed in the following Microsoft Knowledge Base article:

222121 Enhanced Security When Using Persistent Verification

the Attach is rejected because SNA Server thinks it is PV, but there is no password. SNA Server rejects the Attach by stripping out the security indicator and letting the Host deal with it. The correct behavior when the Host accepts AV and PV, and the application specifies security=AP_SAME, is specified in the following Microsoft Knowledge Base article:

180866 Persistent Verification Support for APPC Sessions

Namely, if SNA Server doesn't recognize that the user is signed on to the Host, it sends an Attach with the AV bit set and the PV bits set to "sign-on requested." The Attach does not include a password. If SNA Server recognizes the user as signed on, SNA Server sends an Attach with the AV bit set and the PV bits set to "already signed on." Again, the Attach doesn't include a password.
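The Attach rule described above can be written as a small model and checked. This is an added example, not SNA Server or APPC library code: every type and function name is hypothetical, the enums only stand in for AP_NONE and AP_SAME, and no FMH-5 bit layout is implied. It assumes a BIND that advertised both AV and PV.

```c
/* Added illustration: a model of the Attach security decision, not SNA Server code.
   All type and function names are hypothetical; no FMH-5 bit layout is implied. */
#include <stdbool.h>
#include <stdio.h>

enum conv_sec { SEC_NONE, SEC_SAME };   /* stand-ins for AP_NONE / AP_SAME */
enum pv_bits  { PV_UNSET, PV_SIGNON_REQUESTED, PV_ALREADY_SIGNED_ON };

struct attach {
    bool has_security;   /* security indicator present on the Attach */
    bool av;             /* Already Verified bit */
    enum pv_bits pv;     /* Persistent Verification bits */
    bool has_password;
};

/* Faulty path from MORE INFORMATION: the APPC library strips the password (AV),
   the server expects one (PV), so it strips the security indicator and lets
   the host decide. */
struct attach attach_faulty(enum conv_sec sec) {
    struct attach a = { false, false, PV_UNSET, false };
    (void)sec;           /* indicator is stripped whatever type was requested */
    return a;
}

/* Corrected path for a BIND that advertised both AV and PV. */
struct attach attach_fixed(enum conv_sec sec, bool signed_on) {
    struct attach a = { false, false, PV_UNSET, false };
    if (sec != SEC_SAME)
        return a;        /* AP_NONE: no security fields */
    a.has_security = true;
    a.av = true;
    a.pv = signed_on ? PV_ALREADY_SIGNED_ON : PV_SIGNON_REQUESTED;
    return a;            /* password is never included */
}

/* Check an AP_SAME Attach against the rule the article states. */
bool attach_ok_for_same(struct attach a) {
    return a.has_security && a.av && a.pv != PV_UNSET && !a.has_password;
}

int main(void) {
    /* Constructed case: the AP_SAME ALLOCATE that follows AP_NONE in SYMPTOMS. */
    printf("faulty AP_SAME ok: %d\n", attach_ok_for_same(attach_faulty(SEC_SAME)));
    printf("fixed  AP_SAME ok: %d\n", attach_ok_for_same(attach_fixed(SEC_SAME, false)));
    return 0;
}
```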

Keywords: kbbug kbfix kbsna400sp3fix kbqfe kbhotfixserver KB236122


© Microsoft Corporation. All rights reserved.