Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Host Integration Server 2004 applications that are configured to use the ENTSSO service do not use the credential cache for SSO lookup requests


View products that this article applies to.

Summary

When the Enterprise Single Sign-On Service (ENTSSO) service performs a Single Sign-On (SSO) lookup, the ENTSSO service stores the user�s external credentials, such as an IBM mainframe username and password, in a credential cache. The next time that the ENTSSO service receives a SSO lookup request from the same affiliate application for the same Microsoft Windows user, the user�s external credentials are supposed to be retrieved from the credential cache. The credential cache is intended to provide a performance gain because each SSO lookup request does not have to be sent to the SSO credential database. SSO credential databases are frequently located on a remote computer that is running Microsoft SQL Server.

The following types of Microsoft Host Integration Server 2004 applications do not use the credential cache when the applications are configured to use ENTSSO for SSO support to remote applications:
  • Transaction Integrator applications.
  • Applications that use the Data Providers to access IBM DB2 systems.
  • SNA applications. These include 3270 emulators, Advanced Program-to-Program Communications (APPC) applications, CPIC applications, Logical Unit Application (LUA) applications, and 5250 emulators
The local ENTSSO service sends the SSO lookup requests that are processed for these types of applications to the SSO credential database on the computer that is running SQL Server. You can have the ENTSSO service bypass the credential cache by setting the SSO_FLAG_REFRESH flag in the GetCredentials API call. Host Integration Server 2004 applications use either the Snasii.dll file or the ESSOHelper.dll file to initiate the SSO lookup requests. These DLLs set the SSO_FLAG_REFRESH flag when the DLLs call the GetCredentials API. Therefore, the credential cache is never used for SSO lookup requests.

When you create an affiliate application in the ENTSSO system, you can disable the use of the credential cache. By default, the credential cache is enabled when you create an affiliate application. If the disableCredCache option is set to Yes in the XML file that is used to create the affiliate application, the credential cache is not used for any SSO lookup requests for the affiliate application.

↑ Back to the top


More information

After you apply the update, the Host Integration Server 2004 applications that are listed in the "Summary" section use the credential cache when the applications process SSO lookup requests. If the user�s credentials are not in the credential cache, the SSO lookup request is sent to the SSO credential database. The user�s credentials are then added to the credential cache for subsequent SSO lookup requests. For more information about the use of the credential cache when the ENTSSO service cannot communicate with the SSO credential database, click the following article number to view the article in the Microsoft Knowledge Base:
904702� Applications that use Enterprise Single Sign-On cannot log on to remote applications if the ENTSSO service cannot communicate with the SSO credential database for 5 or more minutes
A supported feature that modifies the default behavior of the product is available from Microsoft. However, this feature is intended to modify only the behavior that this article describes. Apply this feature only to systems that specifically require it. This feature might receive additional testing. Therefore, if the system is not severely affected by the lack of this feature, we recommend that you wait for the next software update that contains this feature.

If the feature is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the feature.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific feature. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the feature is available. If you do not see your language, it is because the feature is not available for that language.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version            Size    File name
   -----------------------------------------------------------------
   02-Aug-2005  18:07  6.0.1974.0         26,624  Essohelper.dll
   02-Aug-2005  18:07  6.0.1974.0         21,504  Snasii.dll
Note Because of file dependencies, the most recent fix that contains these files may also contain additional files.

↑ Back to the top


Keywords: KB905399, kbpubtypekc, kbinfo, kbqfe, kbhotfixserver, kbautohotfix

↑ Back to the top

Article Info
Article ID : 905399
Revision : 7
Created on : 12/4/2007
Published on : 12/4/2007
Exists online : False
Views : 382