Article ID: 201359
Article Last Modified on 4/19/2005
APPLIES TO
- Microsoft SNA Server 3.0 Service Pack 4
- Microsoft SNA Server 4.0
- Microsoft SNA Server 3.0 Service Pack 2
- Microsoft SNA Server 3.0 Service Pack 3
- Microsoft SNA Server 3.0 Service Pack 4
- Microsoft SNA Server 4.0
- Microsoft SNA Server 4.0 Service Pack 1
- Microsoft SNA Server 4.0 Service Pack 2
- Microsoft SNA Server 4.0 Service Pack 3
This article was previously published under Q201359
SYMPTOMS
When you use Microsoft Host Security Integration (HSI) and select the Password is Replicated option from the Host Security Domain properties, you can change a Windows NT user password, while synchronizing the password change to the AS/400 user database at the same time .
The initial password change request can come from anyone of the following sources:
- Windows NT Server by using User Manager for Domains
- Windows NT Workstation by using the CTRL-ALT-DELETE key combination, and then selecting Change Password
- Windows 95/98 computer by clicking the Passwords icon in Control Panel
When a password change request is completed from one of the above sources, the end user can log off, and then log back on to Windows NT using the "new" password. However, if a password change request fails to complete in the AS/400 user database, the end user has no way of knowing until the next time they request a session. If you use the 5250 applet that ships with SNA Server, the following error message occurs when you use the "new" password:
The following is the Primary and Secondary return code information:
Note: Other third-party emulators may report a different error message.
CAUSE
In most cases, the cause for this problem is due to a set of rules or "System Values" on the AS/400 user database, which is similar to the "Account Policies" in Windows NT User Manager for Domains.
Additional Information
Viewing the application log in the Event Viewer may help in resolving why a "new" password was rejected from the AS/400. Every time the password is rejected, it records various logs, normally four entries total. The following two are always recorded:
You then receive two additional events, which may provide more detail. In the following example, a password of 10 characters is used, which the AS/400 does not allow:
The events from this next example occur as a result of the password being the same as the AS/400 User ID, which the AS/400 does not allow:
RESOLUTION
Correct the restriction for the user's password as indicated by the event message. If the message does not include the actual problem description, view the System Operator Messages on the AS/400 for more information.
MORE INFORMATION
With Host Security Integration, you can change and synchronize passwords from a Windows NT user database to an AS/400 user database running V3R1 or later without any additional host (AS/400) code being needed. This unidirectional password change is made possible by the Sec400.dll file that is installed when your Host Security Domain is configured.
For bi-directional password changes (AS/400 to Windows NT), third-party software is required. Please see the Companion Products Catalog on the SNA Server compact disc for references.
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
175063 Host Security Integration Setup and Architectural Overview
Additional query words: sync
Keywords: kbhowto kbprb KB201359