Article ID: 235381
Article Last Modified on 9/22/2005
APPLIES TO
- Microsoft SNA Server 4.0
This article was previously published under Q235381
SYMPTOMS
The SNA Server service (Snaservr.exe) may unexpectedly fail with an access violation, causing an SNA Server Event 624 to be logged in the Windows NT application event log, and a log entry to be written to the Winroot\Drwtsn32.log file. This specific problem only occurs when SNA Server is supporting an application that is attempting to use "privileged proxy" security, as described in the following Knowledge Base article:
165385 Single Signon for APPC Applications Using Privileged Proxy
For example, this could occur if COM Transaction Integrator (COMTI) is being used and a COMTI Remote Environment is configured to authenticate with user credentials.
When this failure occurs, all SNA client users who are currently accessing this server lose their SNA sessions. Note that the stack-back trace indicates that the Snasii.dll (SNA Server Host Security DLL) has been called by the SNA Server service.
Application exception occurred:
App: exe\snaservr.dbg (pid)
Exception number: c0000005 (access violation)
function: nosymbols
77820998 804d0d02 or byte ptr [ebp+0xd],0x2
7782099c 53 push ebx
7782099d 56 push esi
7782099e 57 push edi
7782099f 68d85f8377 push 0x77835fd8
778209a4 ff15f0928277 call dword ptr [778292f0]
778209aa 8b7508 mov esi,[ebp+0x8]
778209ad 85f6 test esi,esi
778209af 7505 jnz 778209b6
778209b1 bebc948277 mov esi,0x778294bc
FAULT ->778209b6 668b0e mov cx,[esi] ds:000307cf=????
*---- Stack Back Trace ----*
FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
0dd8f8f4 7781d016 000307cf 00000200 00000001 000f36b8 netapi32!nosymbols
0dd8f938 6198305c 000307cf 0010bcf6 00000000 0dd8f980 netapi32!NetGroupGetUsers
0dd8f970 61983966 0dd8fccc 00000000 00000000 00000000 snasii!nosymbols (FPO: [EBP 0x00000000] [5,1,4])
0dd8faa4 619847f7 0dd8fccc 0dd8fcf6 0dd8fac8 61988078 snasii!nosymbols (FPO: [EBP 0x602027a0] [5,67,4])
0dd8fcc4 61985503 006c0066 002d006c 00730061 00610070 snasii!nosymbols (FPO: [85,128,2])
CAUSE
When SNA Server receives a "privileged proxy" host security request from an APPC application, the SNA Server first verifies if the application's user context is authorized to make the request. As part of this verification, SNA Server attempts to determine what groups the user is a member of. If the Windows NT primary domain controller (PDC) for the user domain is inactive, SNA Server passes an invalid server name to the NetGroupGetUsers function, leading to an access violation.
The actual access violation occurs in netapi32!UaspOpenDomain(), an internal function called by netapi32!NetGroupGetUsers().
RESOLUTION
To resolve this problem, obtain the latest service pack for SNA Server version 4.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
215838 How to Obtain the Latest SNA Server Version 4.0 Service Pack
STATUS
Microsoft has confirmed that this is a problem in Microsoft SNA Server version 4.0, 4.0 SP1 and 4.0 SP2. This problem was first corrected in SNA Server version 4.0 Service Pack 3.
MORE INFORMATION
With this update applied, the SNA Server host security DLL (Snasii.dll) no longer encounters an access violation if the Windows NT PDC is down and the COMTI user authentication is being used. In addition, Snasii attempts to use the closest domain controller (including backup domain controllers), not relying on the PDC, and find another domain controller if the one becomes unavailable.
Keywords: kbbug kbfix kbsna400sp3fix kbqfe kbhotfixserver KB235381
