Microsoft KB Archive/905399



Host Integration Server 2004 applications that are configured to use the ENTSSO service do not use the credential cache for SSO lookup requests

Article ID: 905399

Article Last Modified on 12/4/2007



APPLIES TO

  • Microsoft Host Integration Server 2004 Standard Edition




SUMMARY

When the Enterprise Single Sign-On (ENTSSO) service performs a Single Sign-On (SSO) lookup, it stores the user’s external credentials, such as an IBM mainframe username and password, in a credential cache. The next time that the ENTSSO service receives an SSO lookup request from the same affiliate application for the same Microsoft Windows user, the user’s external credentials are supposed to be retrieved from the credential cache. The credential cache is intended to provide a performance gain because each SSO lookup request does not have to be sent to the SSO credential database. SSO credential databases are frequently located on a remote computer that is running Microsoft SQL Server.

The following types of Microsoft Host Integration Server 2004 applications do not use the credential cache when the applications are configured to use ENTSSO for SSO support to remote applications:

  • Transaction Integrator applications.
  • Applications that use the Data Providers to access IBM DB2 systems.
  • SNA applications. These include 3270 emulators, Advanced Program-to-Program Communications (APPC) applications, CPIC applications, Logical Unit Application (LUA) applications, and 5250 emulators.

The local ENTSSO service sends the SSO lookup requests that are processed for these types of applications to the SSO credential database on the computer that is running SQL Server. You can have the ENTSSO service bypass the credential cache by setting the SSO_FLAG_REFRESH flag in the GetCredentials API call. Host Integration Server 2004 applications use either the Snasii.dll file or the ESSOHelper.dll file to initiate the SSO lookup requests. These DLLs set the SSO_FLAG_REFRESH flag when the DLLs call the GetCredentials API. Therefore, the credential cache is never used for SSO lookup requests.

When you create an affiliate application in the ENTSSO system, you can disable the use of the credential cache. By default, the credential cache is enabled when you create an affiliate application. If the disableCredCache option is set to Yes in the XML file that is used to create the affiliate application, the credential cache is not used for any SSO lookup requests for the affiliate application.
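The lookup path described above can be modeled to show how the refresh flag and the disableCredCache option change the number of round trips to the credential database. This Python model is an added example, not Microsoft code or the ENTSSO API: the class and function names, the `refresh` parameter (standing in for a caller that sets SSO_FLAG_REFRESH), and the sample account and credentials are assumptions made for illustration.

```python
class CredentialDatabase:
    """Stands in for the remote SSO credential database; counts round trips."""

    def __init__(self, rows):
        self.rows = rows  # {(affiliate_app, windows_user): (ext_user, ext_password)}
        self.round_trips = 0

    def fetch(self, app, user):
        self.round_trips += 1
        return self.rows[(app, user)]


class EntSsoModel:
    """Hypothetical model of the cache decision the article describes."""

    def __init__(self, db, cache_disabled_apps=()):
        self.db = db
        self.cache = {}
        # Affiliate applications created with disableCredCache set to Yes.
        self.cache_disabled_apps = set(cache_disabled_apps)

    def get_credentials(self, app, user, refresh=False):
        """refresh=True models a caller that sets SSO_FLAG_REFRESH."""
        key = (app, user)
        cache_allowed = app not in self.cache_disabled_apps
        if cache_allowed and not refresh and key in self.cache:
            return self.cache[key]  # served locally, no database round trip
        creds = self.db.fetch(app, user)
        if cache_allowed:
            # Assumption: a database lookup also repopulates the cache entry.
            self.cache[key] = creds
        return creds


def round_trips(lookups, refresh, cache_disabled_apps=()):
    """Run repeated lookups for one user and return the database round trips."""
    # Constructed sample data, not real accounts or credentials.
    rows = {("HostApp", "CONTOSO\\alice"): ("ALICE01", "constructed-secret")}
    db = CredentialDatabase(rows)
    sso = EntSsoModel(db, cache_disabled_apps)
    for _ in range(lookups):
        sso.get_credentials("HostApp", "CONTOSO\\alice", refresh=refresh)
    return db.round_trips


if __name__ == "__main__":
    print("refresh flag always set:", round_trips(5, refresh=True))
    print("refresh flag not set:   ", round_trips(5, refresh=False))
    print("disableCredCache = Yes: ", round_trips(5, False, {"HostApp"}))
```
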

MORE INFORMATION

After you apply the update, the Host Integration Server 2004 applications that are listed in the "Summary" section use the credential cache when the applications process SSO lookup requests. If the user’s credentials are not in the credential cache, the SSO lookup request is sent to the SSO credential database. The user’s credentials are then added to the credential cache for subsequent SSO lookup requests. For more information about the use of the credential cache when the ENTSSO service cannot communicate with the SSO credential database, click the following article number to view the article in the Microsoft Knowledge Base:

904702 Applications that use Enterprise Single Sign-On cannot log on to remote applications if the ENTSSO service cannot communicate with the SSO credential database for 5 or more minutes


A supported feature that modifies the product's default behavior is now available from Microsoft, but it is only intended to modify the behavior that this article describes. Apply it only to systems that specifically require it. This feature may receive additional testing. Therefore, if the system is not severely affected by the lack of this feature, we recommend that you wait for the next Host Integration Server 2004 service pack that contains this feature.

To obtain this feature immediately, contact Microsoft Product Support Services. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:


The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

   Date         Time   Version            Size    File name
   -----------------------------------------------------------------
   02-Aug-2005  18:07  6.0.1974.0         26,624  Essohelper.dll
   02-Aug-2005  18:07  6.0.1974.0         21,504  Snasii.dll

Note Because of file dependencies, the most recent fix that contains these files may also contain additional files.


Keywords: kbinfo kbqfe kbpubtypekc kbhotfixserver KB905399