MORE INFORMATION

Host security domains (HSD) are configured in SNA Manager. A Host Security Domain Wizard is provided to simplify the process of creating an HSD. Each HSD represents a "host" user database. When configured initially, an HSD is assigned to a particular host connection. Within the Host Account Cache (HAC) database, each user's record contains an entry for every host security domain of which they are a member.

When a host security domain is created, a Windows 2000 (or Windows NT) user group must be created with the same name. Users who are members of this group can cache information in the Host Account Cache database for this HSD. A second group is also created that appends "_Proxy" to the HSD name for its group name. Members of the "<HSD name>_Proxy" group can use the APPC Privileged Proxy feature.

For example, if a host security domain called "AS400" is created, the Host Security Domain Wizard will create the following Windows 2000 (or Windows NT) groups:

• AS400
• AS400_Proxy

The Host Security Domain Wizard adds the <domain>\Domain Users group to the HSD group (in this case, AS400) when an HSD is created. Users in this group are authorized to populate host user IDs and passwords to the HAC database. The HSD Wizard adds the <domain>\Domain Admins group to the "_Proxy" HSD group when an HSD is created.

Users that are not explicitly added to the Host Account Cache database will be added dynamically when they change their Windows 2000 (or Windows NT) password if they are members of the HSD group. Because the Domain Users group is added to the HSD group, by default every user in the Windows 2000 (or Windows NT) domain is a valid host security domain member.

If the HSD is configured to replicate passwords to a host system (IBM AS/400s or IBM mainframes), the host security components will replicate a user's new Windows password to the host system when the password is changed. If the user has not been explicitly added to the HAC database, the user will be dynamically added to the HAC database when the user changes his or her password.

When a user is added dynamically, the HAC database does not have any way to get the user's previous Windows password, and the user's new Windows password won't be sent to the HAC database until later. In this case, the HAC database has an "uninitialized" Windows password for the user.

As the password synchronization process continues, the user's previous password must be obtained from the HAC database because it is needed to log on to the host system in order to have the password change to the new password. Because the HAC database does not have the user's previous password, it returns a default "uninitialized" value for the user's previous Windows password.

The logon to the host system fails because the previous password (the "uninitialized" value) is not valid. This causes an error to be returned to the SNA Server or Host Integration Server 2000, resulting in the events listed in the "Symptoms" section of this article when an attempt is made to connect to the host system.

See the following Microsoft Knowledge Base article for an overview of the Host Security components and architecture:

The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.