Microsoft KB Archive/243796

= Password Always Required with Application Override Security & Persistent Verification =

Article ID: 243796

Article Last Modified on 11/24/2004

-

APPLIES TO


 * Microsoft COM Transaction Integrator for CICS and IMS 4.0 SP3
 * Microsoft SNA Server 4.0 Service Pack 3

-



This article was previously published under Q243796



SUMMARY
This article describes persistent verification authentication when LU6.2 connectivity is employed for mainframe communications.

In the COM Transaction Integrator (COMTI) Remote Environment Security properties, a user may choose to "Allow the application to override the selected authentication." Additionally, a user may opt to "Use Already Verified or Persistent Verification authentication". (Properties on the mainframe determine which of the two, Already Verified or Persistent Verification, will be used. This is settled at the time a LU 6.2 session is bound.)

Persistent Verification authentication means that after a session is bound, the first transaction request (ATTACH) must contain both a user ID and a password. Subsequent ATTACHes on that session need only the user ID. On the mainframe, a security check is required only the first time so that there is a reduction in the mainframe overhead of security-checking for the subsequent transaction requests.

Despite this, when the client is using application override security, the client callback mechanism must supply both a user ID and the password for every transaction. The rationale for this requirement is that it precludes a security risk: It is considered too easy to guess mainframe user IDs, which is a problem when no password is required. Nevertheless, SNA Server sends the password on only the first ATTACH for a given session.



MORE INFORMATION
COMTI cannot tell which mode of security has been negotiated between the partner LUs nor whether the present transaction is the first for the given LU 6.2 APPC session. Therefore, the application must always supply both the user ID and password.

