Microsoft KB Archive/888478

From BetaArchive Wiki

Article ID: 888478

Article Last Modified on 12/4/2007

APPLIES TO

  • Microsoft Host Integration Server 2004 Standard Edition

SYMPTOMS

SNA applications that run as a Windows service do not connect to Microsoft Host Integration Server 2004-based servers when the service is started by using the LocalSystem account. When this problem occurs, the following event is logged on the system where the SNA application is installed:

Event ID: 705
Source: SNA APPC Application
Description: Logon Failed.

EXPLANATION
Access denied on client-server or Distributed Link Service connection request.

Access denied --- Error Code : 43

Additionally, the following event will be logged on the Host Integration Server 2004-based server that the SNA application tried to connect to:

Event ID: 705
Source: SNA Server
Description: Logon Failed.

EXPLANATION
Access denied on client-server or Distributed Link Service connection request.

Unknown user name or bad password from client Client name --- Error Code : 4097

Note These SNA applications can include 3270, LUA, APPC, and Common Programming Interface for Communications (CPI-C) applications.

CAUSE

By default, support for anonymous logons is disabled in Host Integration Server 2004. Therefore, any user or application that tries to access resources on a Host Integration Server 2004-based server by using null credentials will be denied access to the requested resource. For example, a Windows service that was started by using the LocalSystem account on a remote system may be denied access.

RESOLUTION

To resolve this problem, configure SNA applications that operate as Windows services to use user credentials that can access resources on the Host Integration Server 2004-based server. Do not configure SNA applications to run under the LocalSystem account.

WORKAROUND

To work around this problem if the SNA application service on a Host Integration Server 2004 system must use the LocalSystem account, you can add the following registry entry to let the SNA Server service (Snaservr.exe) accept anonymous logons:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following key in the registry:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SnaBase\Parameters

  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type DenyAnonymousLogon, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. In the Value data field, type 0, and then click OK.

Note Enabling anonymous logon support on Host Integration Server 2004 does not correct the problem if the SNA application runs as a Windows service on an SNA Server 4.0-based system or a Host Integration Server 2000-based system.
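The following PowerShell audit script is an added example and is not part of the KB article. It checks whether the DenyAnonymousLogon workaround above is in effect, lists services that start as LocalSystem (the condition described under CAUSE and RESOLUTION), and pulls recent Event ID 705 entries from the SNA Server source; it assumes administrative rights on the Host Integration Server 2004-based server, and the service-name filter is an assumed heuristic.

```powershell
# Added audit script (not from the KB article). Assumes administrative rights
# on the Host Integration Server 2004-based server.

$paramsKey = 'HKLM:\System\CurrentControlSet\Services\SnaBase\Parameters'
$valueName = 'DenyAnonymousLogon'

# 1. Anonymous-logon setting. The value is absent by default, which the
#    article states means anonymous (null-credential) logons are denied.
$props = Get-ItemProperty -Path $paramsKey -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $props) {
    Write-Output "$valueName not present: anonymous logons are denied (default)."
} elseif ($props.$valueName -eq 0) {
    # The workaround from the article is active: Snaservr.exe accepts null credentials.
    Write-Warning "$valueName = 0: anonymous logons are ACCEPTED by Snaservr.exe."
} else {
    Write-Output "$valueName = $($props.$valueName): anonymous logons are denied."
}

# 2. Services that start as LocalSystem and look like SNA components.
#    These present null credentials to remote resources and should be
#    reconfigured to run under a valid user account (see RESOLUTION).
#    The name pattern is an assumed heuristic; adjust it to your environment.
$snaPattern = 'SNA|Host Integration'
Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.StartName -eq 'LocalSystem' -and
        ($_.Name -match $snaPattern -or
         $_.DisplayName -match $snaPattern -or
         $_.PathName -match $snaPattern)
    } |
    Select-Object Name, DisplayName, StartName, State, PathName |
    Format-Table -AutoSize

# 3. Recent Event ID 705 ("Logon Failed") entries from the SNA Server source,
#    the server-side symptom described in the article.
Get-EventLog -LogName Application -Source 'SNA Server' -Newest 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 705 } |
    Select-Object TimeGenerated, Message |
    Format-List
```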

STATUS

This behavior is by design.

MORE INFORMATION

Support for anonymous logons was disabled in Host Integration Server 2004 to help make the product more secure. Instead of enabling support for anonymous logons, we recommend that you modify applications or services that use the LocalSystem account to use valid user credentials to access remote resources.

If anonymous logon support is enabled, any service or application that passes null credentials can access the Host Integration Server 2004-based server without having to provide valid user credentials. Null credentials are a null user account name, password, and domain. The application or service could possibly take disruptive or destructive actions.

For more information about the LocalSystem account and the extensive user rights it has on the local computer, visit the following Microsoft Developer Network (MSDN) Web site:

We do not recommend that you use the LocalSystem account unless a service actually must have all the user rights that are provided by this account. Additionally, services that run under the LocalSystem account use null credentials when they access remote resources.

Logon method for anonymous logons

SNA Server 4.0 and Host Integration Server 2000 use the LSA logon method for anonymous logons. If an SNA application that is running as a Windows service is started under the LocalSystem account, SNA Server 4.0 and Host Integration Server 2000 try to use the LSA logon method. This also applies to the SNA services that are installed by SNA Server 4.0 and Host Integration Server 2000, such as the SnaBase service.

If the SnaBase service is started under the LocalSystem account, it will use the LSA logon method when connecting to the SnaBase service on an SNA Server 4.0, Host Integration Server 2000, or Host Integration Server 2004 server. Host Integration Server 2004 does not support the LSA logon method. Support for LSA logons was removed from Host Integration Server 2004 to help make the product more secure. For additional information about another issue where the lack of LSA logon support may cause a problem, click the following article number to view the article in the Microsoft Knowledge Base:

888762 Distributed Link Services that are started by using the LocalSystem account do not connect to Host Integration Server 2004-based servers

Host Integration Server 2004 was changed to use the NTLM logon method for anonymous logons. If the SNA application that is running as a Windows service is installed on a Host Integration Server 2004 system, and it is configured to start by using the LocalSystem account, Host Integration Server 2004 uses NTLM for the anonymous logon. By default, this process fails unless the DenyAnonymousLogon entry is changed to allow anonymous logons. Any Windows service that is running on SNA Server 4.0 or Host Integration Server 2000 by using the LocalSystem account cannot connect to a Host Integration Server 2004 server because LSA logons are not supported and cannot be enabled.

REFERENCES

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

143474 Restricting information available to anonymous logon users
278259 Everyone group does not include Anonymous security identifier
Additional query words: HIS2004

Keywords: kbtshoot kbprb KB888478