Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

SNA applications that run as Windows services do not connect to a Host Integration Server 2004-based server and log an event 705 message


View products that this article applies to.

Symptoms

SNA applications that run as a Windows service do not connect to Microsoft Host Integration Server 2004-based servers when the service is started by using the LocalSystem account. When this problem occurs, the following event is logged on the system where the SNA application is installed:
Event ID: 705
Source: SNA APPC Application
Description: Logon Failed.

EXPLANATION
Access denied on client-server or Distributed Link Service connection request.

Access denied --- Error Code : 43
Additionally, the following event will be logged on the Host Integration Server 2004-based server that the SNA application tried to connect to:
Event ID: 705
Source: SNA Server
Description: Logon Failed.

EXPLANATION
Access denied on client-server or Distributed Link Service connection request.

Unknown user name or bad password from client Client name --- Error Code : 4097
Note These SNA applications can include 3270, LUA, APPC, and Common Programming Interface for Communications (CPI-C) applications.

↑ Back to the top


Cause

By default, support for anonymous logons is disabled in Host Integration Server 2004. Therefore, any user or application that tries to access resources on a Host Integration Server 2004-based server by using null credentials will be denied access to the request resource. For example, a Windows service that was started by using the LocalSystem account on a remote system may be denied access.

↑ Back to the top


Resolution

To resolve this problem, configure SNA applications that operate as Windows services to use user credentials that can access resources on the Host Integration Server 2004-based server. Do not configure SNA applications to run under the LocalSystem account.

↑ Back to the top


Workaround

To work around this problem if the SNA application service on a Host Integration Server 2004 system must use the LocalSystem account, you can add the following registry entry to let the SNA Server service (Snaservr.exe) accept anonymous logons:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following key in the registry:
    HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/SnaBase/Parameters
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type DenyAnonymousLogon, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. In the Value data field, type 0, and then click OK.
Note Enabling anonymous logon support on Host Integration Server 2004 does not correct the problem if the SNA application runs as a Windows service on an SNA Server 4.0-based system or a Host Integration Server 2000-based system.

↑ Back to the top


Status

This behavior is by design.

↑ Back to the top


More information

Support for anonymous logons was disabled in Host Integration Server 2004 to help make the product more secure. Instead of enabling support for anonymous logons, we recommend that you modify applications or services that use the LocalSystem account to use valid user credentials to access remote resources.

If anonymous logon support is enabled, any service or application that passes null credentials can access the Host Integration Server 2004-based server without having to provide valid user credentials. Null credentials are a null user account name, password, and domain. The application or service could possibly take disruptive or destructive actions.

For more information about the LocalSystem account and the extensive user rights it has on the local computer, visit the following Microsoft Developer Network (MSDN) Web site:We do not recommend that you use the LocalSystem account unless a service actually must have all the user rights that are provided by this account. Additionally, services that run under the LocalSystem account use null credentials when they access remote resources.

Logon method for anonymous logons

SNA Server 4.0 and Host Integration Server 2000 use the LSA logon method for anonymous logons. If an SNA application that is running as a Windows service is started under the LocalSystem account, SNA Server 4.0 and Host Integration Server 2000 try to use the LSA logon method. This also applies to the SNA services that are installed by SNA Server 4.0 and Host Integration Server 2000, such as the SnaBase service.

If the SnaBase service is started under the LocalSystem account, it will use the LSA logon method when connecting to the SnaBase service on a SNA Server 4.0, Host Integration Server 2000, or Host Integration Server 2004 server. Host Integration Server 2004 does not support the LSA logon method. Support for LSA logons was removed from Host Integration Server 2004 to help make the product more secure. For additional information about another issue where the lack of LSA logon support may cause a problem, click the following article number to view the article in the Microsoft Knowledge Base:
888762� Distributed Link Services that are started by using the LocalSystem account do not connect to Host Integration Server 2004-based servers


Distributed Link Services that are started by using the LocalSystem account do not connect to Host Integration Server 2004-based servers. Host Integration Server 2004 was changed to use the NTLM logon method for anonymous logons. If the SNA application that is running as a Windows service is installed on a Host Integration Server 2004 system, and it is configured to start by using the LocalSystem account, Host Integration Server 2004 uses NTLM for the anonymous logon. By default, this process fails unless the DenyAnonymousLogon entry is changed to allow anonymous logons. Any Windows service that is running on SNA Server 4.0 or Host Integration Server 2000 by using the LocalSystem account cannot connect to a Host Integration Server 2004 server because LSA logons are not supported and cannot be enabled.

↑ Back to the top


References

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
143474� Restricting information available to anonymous logon users
278259� Everyone group does not include Anonymous security identifier

↑ Back to the top


Keywords: KB888478, kbprb, kbtshoot

↑ Back to the top

Article Info
Article ID : 888478
Revision : 5
Created on : 12/4/2007
Published on : 12/4/2007
Exists online : False
Views : 510