Microsoft KB Archive/130595


SNA Server Password Encryption Support for LU 6.2 Sessions [winnt]
ID: Q130595
CREATED: 23-MAY-1995
MODIFIED: 02-JUN-1995
3.10 3.50 WINDOWS MSONLY | kbnetwork

The information in this article applies to:
- Microsoft SNA Server for Windows NT, version 2.11

SUMMARY

When SNA Server 2.11 ships it will support a new feature called Password Substitution. This is a security feature supported by the latest version of the OS/400 operating system (V3R1) that encrypts any password that flows between two nodes on an ATTACH message. A password flows on an ATTACH whenever someone invokes an APPC Transaction Program (TP) specifying a user ID and password. For example, this happens whenever anyone logs on to an AS/400.

The two nodes negotiate whether or not they support this feature in the BIND exchange. SNA Server 2.11 will set a bit in the BIND and also add some random data to the BIND for encryption. This bit was reserved in previous versions of SNA Server. If the remote node supports password substitution, it sets the same bit in the BIND Response and adds some (different) random data for decryption. Note: It is illegal for the remote node to set the bit specifying password substitution without also adding the random data.

According to IBM, there are LU 6.2 implementations that do not support password substitution but do echo the password substitution bit back to SNA Server without specifying any random data. When they do this, SNA Server will UNBIND the session with the sense code 1006 0006.

This sense code means:

1006 = Required field or parameter missing
0006 = A required subfield of a control vector was omitted

SNA Server should also log an Event 17 (APPC session activation failure: BIND negative response sent).

The correct solution is for the failing implementation to be fixed. However, as a short-term workaround, the following SNA Server service registry setting may be set:

WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.

Hkey_local_machine

NOPWDSUB: REG_SZ: YES - When this is specified in the registry, SNA Server’s Password Substitution support will be disabled.
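
The negotiation outcomes described above, with and without the NOPWDSUB workaround, can be modelled as follows. This is an added example, not Microsoft or IBM code: the Bind class, the peer functions and the 8-byte random data length are assumptions made for illustration, and the fields are an abstract view of the BIND exchange, not its wire format.

```python
import os
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Sense code quoted in the article: 1006 = required field or parameter
# missing, 0006 = a required subfield of a control vector was omitted.
SENSE_MISSING_SUBFIELD = "1006 0006"
RANDOM_LEN = 8  # assumption: the article does not state the length

@dataclass
class Bind:
    """Abstract BIND / BIND Response fields (hypothetical, not wire format)."""
    pwsub_bit: bool
    random_data: Optional[bytes] = None

def build_bind(nopwdsub: bool) -> Bind:
    """Local node: with NOPWDSUB=YES the feature is not offered at all."""
    return Bind(False) if nopwdsub else Bind(True, os.urandom(RANDOM_LEN))

def compliant_peer(req: Bind) -> Bind:
    """Supports the feature: sets the bit and adds its own random data."""
    return Bind(True, os.urandom(RANDOM_LEN)) if req.pwsub_bit else Bind(False)

def legacy_peer(req: Bind) -> Bind:
    """Does not support the feature and leaves the bit clear."""
    return Bind(False)

def echoing_peer(req: Bind) -> Bind:
    """Faulty: echoes the bit back but supplies no random data."""
    return Bind(req.pwsub_bit)

def negotiate(peer: Callable[[Bind], Bind],
              nopwdsub: bool = False) -> Tuple[str, Optional[str]]:
    """Return (outcome, sense_code) as seen by the local node."""
    req = build_bind(nopwdsub)
    rsp = peer(req)
    if not (req.pwsub_bit and rsp.pwsub_bit):
        return ("no-substitution", None)   # password is not substituted
    if not rsp.random_data:
        return ("unbind", SENSE_MISSING_SUBFIELD)
    return ("substitution", None)

if __name__ == "__main__":
    for peer in (compliant_peer, legacy_peer, echoing_peer):
        for flag in (False, True):
            print(peer.__name__, "NOPWDSUB=YES" if flag else "default",
                  negotiate(peer, flag))
```

With the workaround set, the compliant peer also ends up with no substitution, because the setting disables the feature for the SNA Server service rather than for the faulty peer alone.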

KBCategory: kbnetwork
KBSubcategory: ntprotocol
Additional reference words: prodsna 2.11