PRB: 3270 Single Sign-On is Unsuccessful If the Host Security Domain Is Not Created in the Local Subdomain

3270 applications that are configured to use Single Sign-On (SSO) do not successfully log on to host applications if the host security domain that was configured in SNA Manager was not created in the local Host Integration Server 2000 subdomain.

The specific symptoms of this problem can vary, depending on the host application. Generally, the host application returns a message that indicates that the user ID or password (or both) is not valid.

If a host connection is assigned to a host security domain that was not created in the Host Integration Server 2000 subdomain that is being updated, the host connection's internal record is not updated to reflect that 3270 SSO is enabled for logical units (LUs) that are on this connection.

The result is that the SNA Server service does not try an account lookup, and this causes the host application logon attempt to not succeed.

To resolve this problem, use the Host Security Domain Wizard to create a unique host security domain in each Host Integration Server 2000 subdomain that will require 3270 SSO.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

When a host security domain is created in a Host Integration Server 2000 subdomain by using the Host Security Domain Wizard, the host account cache database is updated to reflect the new host security domain. Additionally, an Enable3270SSO flag is set on an internal record for the host connection that is assigned to the host security domain so that the SNA Server service (Snaservr.exe) knows that the LUs on the connection are enabled for 3270 SSO.

Host security domains are not associated with specific Host Integration Server 2000 subdomains to be visible as the host account cache database in every Host Integration Server 2000 Subdomain that exists in the same Windows NT or Windows 2000 domain. This is by design, but can cause confusion.

When you open SNA Manager for another Host Integration Server 2000 subdomain, you see all the host security domains that the host account cache database knows about, even if none of them have been created in the local Host Integration Server 2000 subdomain that you are viewing with SNA Manager. The following example demonstrates this scenario:

1. Use the Host Security Domain Wizard to create a host security domain that is named HSD1 in a Host Integration Server 2000 subdomain named Subdomain1.
2. Open SNA Manager to view Host Integration Server 2000 subdomain Subdomain2 that exists in the same Windows 2000 domain as Subdomain1.
3. The Host Security Domains folder in SNA Manager will list HSD1 as a host security domain, even though it was not created in Subdomain2.

If you now assign a host connection to one of the host security domains that was not created locally, the configuration file (Com.cfg) for the local Host Integration Server 2000 subdomain is updated with this information.

The problem is that the Enable3270SSO flag is not updated in the internal record of the host connection when the connection is assigned to the host security domain and the Com.cfg file is saved.

Note The deletion of a host security domain results in the removal of the host security domain from the host account cache database. An additional result is that this host security domain is no longer available for use in any of the Host Integration Server 2000 subdomains, including the subdomain that it was created in.