Microsoft KB Archive/194741

From BetaArchive Wiki
Knowledge Base


Article ID: 194741

Article Last Modified on 10/27/2006


APPLIES TO

  • Microsoft SNA Server 4.0 Service Pack 1


This article was previously published under Q194741


SYMPTOMS

ODBC sessions using the StarQuest ODBC driver bundled with SNA Server 4.0 Service Pack 1 (SP1) fail to start when connecting through IIS. The following error is returned by SNA Server's APPC library when this problem occurs:

Primary Return Code: F004 (AP_COMM_SUBSYSTEM_NOT_LOADED)

ODBC connections through applications (that is, MSQuery) other than Internet Information Server (IIS) do not exhibit this problem. In addition, this problem did not occur when using SNA Server 4.0 and earlier.


Also, Event ID 705 may get logged when the session fails to connect. The following error is logged with APPC Application Event ID 705:

Logon Failed.

EXPLANATION
Connection request failed due to data security.
Access denied --- Error Code : 44

CAUSE

When an ODBC connection through IIS is started, SNA Server's DMOD initialization fails because the initialization is started by a thread that is impersonating another user. In this case, the impersonated user is likely to be IUSR_<computername> or whatever the IIS account has been changed to. This occurs because the impersonating thread does not have the rights needed to modify any of the process security settings.

RESOLUTION

Microsoft has confirmed this to be a problem in SNA Server version 4.0 SP1. This problem was corrected in the latest SNA Server version 4.0 U.S. Service Pack. For information on obtaining this Service Pack, query on the following word in the Microsoft Knowledge Base (without the spaces):

   S E R V P A C K

MORE INFORMATION

After applying the hotfix, the DMOD initialization will be done in a thread that has the necessary rights to modify the process security settings.

By default, when IIS is installed, it creates a user account called IUSR_<computername>, where <computername> is the name of the computer on which IIS is running. When a request is received by IIS from an application, IIS will impersonate the IUSR_<computername> account in order to execute any code or access any files that are involved in the request.

For more information on IIS security, please see the following Microsoft Knowledge Base article:

   ARTICLE-ID: <WWLINK TYPE="ARTICLE" VALUE="Q158229">Q158229</WWLINK>
                
   TITLE     : Security Ramifications for IIS Applications

Keywords: kbbug kbfix KB194741



Send feedback to Microsoft

© Microsoft Corporation. All rights reserved.


Retrieved from ‘https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/194741&oldid=363853
the Creative Commons 3.0 ShareAlike (except the Microsoft KB Archive).
Powered by MediaWiki