MORE INFORMATION

After you apply the update, the password change DLL writes all password change notifications it intercepts into a memory queue. After the password change notification is written to the memory queue, the dispatch thread of password change DLL dequeues the first password change notification and immediately attempts to contact the SNAPMP service to propagate it. If the SNAPMP service cannot be contacted, the password change DLL attempts to send the password change notification stored in the memory buffer a total of five times. The initial attempt, is then followed by up to four retries. The password change DLL stops retrying if the total retry time exceeds five minutes. The actual interval between retries may vary depending on specific network situations.

In addition, the password change notifications are written to an encrypted file if the five attempts to contact the SNAPMP from the memory buffer fail or if the retry time exceeds five minutes. If the message queue file is enabled, the password change DLL attempts to contact the SNAPMP service every five minutes to propagate the password changes that are queued in the file. The password change DLL only attempts to send the password change notification once for each five-minute period. After a password change notification is successfully sent to the SNAPMP service from the message queue file, the next password change notification in the message queue file is sent immediately and it is attempted up to five times. It is not resent for another five minutes if the fifth attempt fails or if the maximum retry time of five minutes is exceeded.

The following registry entry is used to specify the path and name of the encrypted file that the password changes messages will be written to.

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

1. Start Registry Editor (Regedt32.exe).
2. Locate the following key in the registry:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SNA Server \CurrentVersion\HostSecurity\PasswordChange

   NOTE: The above registry key is one path; it has been wrapped for readability.
3. On the Edit menu, click Add Value, and then add the following registry value:

   Value Name: MsgQueFileName
   Data Type: REG_SZ
   Value: path\filename

4. Quit Registry Editor.

NOTE: The message queue file can be located in any path on the local computer running Windows NT Server and can have any valid file name. However, it is recommended that the file be located in the folder where the SNA Server Host Security software is installed. For example, if the host security software is installed in the C:\Hostsec folder, the recommended location and name of the message queue file is:

If the path and file name in the registry is incorrect, the password change notifications will only be queued in the memory queue.

The following registry entry has to be added to disable the use of the message queue file:

1. Start Registry Editor (Regedt32.exe).
2. Locate the following key in the registry:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SNA Server \CurrentVersion\HostSecurity\PasswordChange

   NOTE: The above registry key is one path; it has been wrapped for readability.
3. On the Edit menu, click Add Value, and then add the following registry value:

   Value Name: MsgQueFileWriteToFile
   Data Type: REG_DWORD
   Value: 0

4. Quit Registry Editor.

If a message queue file is not used, the password change notifications are discarded after the fifth attempt to contact the SNAPMP service from the memory buffer.

The following are some other items related to this new retry functionality:

• The memory buffer queue can contain a maximum of 1000 password change notifications. The message file queue can contain a maximum of 10,000 password change notifications. The queue sizes are not configurable at this time.
• If a new password change notification arrives when either the memory buffer or message queue file is full, the new password change notification is discarded, and one of the following events is logged in the application event log:

  Event ID: 668
  Source: SNA Host Security
  Description: Password Change DLL -- The message queue file is full.
  
  Event ID: 676
  Source: SNA Host Security
  Description: Password Change DLL -- The memory password change message queue is full.

• Before writing a password change notification to the message queue file, the password change DLL searches the message queue file for a notification with the same user name and replaces the old password change message with the new one if a previous entry is found.
• After a password change notification fails to be propagated to the SNAPMP service, all subsequent password change notifications are appended to the end of the message queue file. The password change DLL does not propagate password change notifications from the memory buffer until all pending password change notifications in the message queue file are successfully sent to the SNAPMP service.
• The message queue file is encrypted using 128-bit encryption.
• The password change DLL tries to verify the integrity of the encrypted message queue file when the DLL is initialized. If, for some reason, the encrypted message queue file is corrupted, memory-only message dispatch is used. Deleting the corrupted message queue file and restarting the system results in a new message queue file being created.

This feature is available in the latest service pack for SNA Server version 4.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

This feature was first included in SNA Server version 4.0 Service Pack 3.