Password synchronization is unsuccessful with Event 1508 and with Event 6009 when an IBM AS/400 is configured with QPWDLVL=2 or a larger value in Host Integration Server 2000 (872778)



The information in this article applies to:

  • Microsoft Host Integration Server 2000
  • Microsoft Host Integration Server 2000 SP1

SYMPTOMS

When Microsoft Host Integration Server 2000 is configured to replicate password changes to an IBM AS/400 system, users may not be able to log on to their AS/400 system. This problem occurs after users change their Microsoft Windows NT password or their Microsoft Windows 2000 password. The following event is logged on the Host Integration Server 2000-based server where the SNA Host Account Synchronization (SnaHostProcess) service runs:

Event ID: 6009
Source: AS400 MDSI
Description: The AS/400 in domain host security domain reports that the user username is unknown.

The following event is logged on the primary domain controller (PDC) or on the PDC Emulator where the SNA WinNT Account Synchronization (SnaPMP) service runs:

Event ID: 1508
Source: SNA Host Security
Description: Invalid old password for the host user was specified.

Additionally, error messages that are similar to the following error messages may be logged in the message log of the AS/400 when the problem occurs:
Message ID . . . . . . : CPI96C2 Severity . . . . . . . : 10
Message type . . . . . : Information
Date sent . . . . . . : date Time sent . . . . . . : time

Message . . . . : User password could not be changed.
Cause . . . . . : The change password request by the APPC sign-on transaction program in job 087186/QUSER/QACSOTP returned error message CPF22E2. The password was not changed.
Recovery . . . : Correct the error returned by the change password request. Then have the remote program send the change password request again.

Message ID . . . . . . : CPF1269 Severity . . . . . . . : 00
Message type . . . . . : Information
Date sent . . . . . . : date Time sent . . . . . . : time

Message . . . . : Program start request received on communications device Device Name was rejected with reason codes 704, 0.
Cause . . . . . : The program start request was rejected in job 087052/QSYS/QCMN. The device belongs to remote location Remote Location. If the device is an advanced program-to-program communications (APPC) device, the program start request was received on mode QPCSUPP with unit-of-work identifier Unit of Work ID. The first reason code means: Password is not valid. The second reason code means: None.
Recovery . . . : See the job log for more information about the problem.
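A small triage helper, added here as an example and not part of the original article: it parses Windows event records laid out as above and AS/400 message-log excerpts, and reports whether both halves of this article's signature (Event 6009 from AS400 MDSI plus Event 1508 from SNA Host Security, corroborated by CPI96C2/CPF22E2 or CPF1269 reason code 704) are present. The sample records, including the user, domain and device names, are constructed.

```python
import re
# Constructed samples in the layout the article shows; user, domain and device names are invented.
WINDOWS_EVENTS = """\
Event ID: 6009
Source: AS400 MDSI
Description: The AS/400 in domain HOSTSEC reports that the user JSMITH is unknown.

Event ID: 1508
Source: SNA Host Security
Description: Invalid old password for the host user was specified.
"""
AS400_MESSAGES = """\
Message ID . . . . . . : CPI96C2 Severity . . . . . . . : 10
Cause . . . . . : The change password request returned error message CPF22E2.
Message ID . . . . . . : CPF1269 Severity . . . . . . . : 00
Message . . . . : Program start request on device DEV01 was rejected with reason codes 704, 0.
"""
# Signature taken from the article: (Event ID, Source) -> phrase in Description; AS/400 ID -> pattern.
WIN_SIGNATURE = {("6009", "AS400 MDSI"): "is unknown", ("1508", "SNA Host Security"): "Invalid old password"}
AS400_SIGNATURE = {"CPI96C2": r"CPF22E2", "CPF1269": r"reason codes\s+704,"}

def parse_windows_events(text):
    """Split blank-line-separated 'Event ID/Source/Description' records into dicts."""
    return [dict(re.findall(r"^(Event ID|Source|Description):\s*(.+)$", block, re.M))
            for block in re.split(r"\n\s*\n", text.strip())]

def parse_as400_messages(text):
    """Collect each 'Message ID . . : XXX' header together with the lines that follow it."""
    messages, current = [], None
    for line in text.splitlines():
        m = re.match(r"Message ID[ .]*:\s*(\w+)", line)
        if m:
            current = {"id": m.group(1), "body": ""}
            messages.append(current)
        elif current is not None:
            current["body"] += line + "\n"
    return messages

def diagnose(events, messages):
    """Match both logs against the signature and say what to check next."""
    hits = []
    for ev in events:
        needle = WIN_SIGNATURE.get((ev.get("Event ID"), ev.get("Source")))
        if needle and needle in ev.get("Description", ""):
            hits.append(ev["Event ID"])
    corroboration = [m["id"] for m in messages
                     if m["id"] in AS400_SIGNATURE and re.search(AS400_SIGNATURE[m["id"]], m["body"])]
    matched = {"6009", "1508"} <= set(hits)  # the Windows pair alone is the article's signature
    return {"matches_kb872778": matched, "windows_events": sorted(hits), "as400_messages": corroboration,
            "next_step": "Run WRKSYSVAL QPWDLVL on the AS/400; 2 or 3 confirms the cause" if matched else None}
```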

CAUSE

The problem occurs when the AS/400 system uses a Password Level (QPWDLVL) setting of 2 or of 3. The AS/400 system cannot decrypt the passwords that Host Integration Server 2000 includes in the Sign-On (X'1221') General Data Stream (GDS) variable that is used to change passwords.

The password synchronization feature of Host Integration Server 2000 uses the Data Encryption Standard (DES) as the encryption mechanism when passwords are synchronized with IBM mainframes and with AS/400 iSeries systems.

On AS/400 systems that are running OS/400 V5R1 or a later version, the AS/400 expects passwords to be hashed by using Secure Hash Algorithm (SHA-1). These AS/400 systems that are running OS/400 V5R1 or a later version are configured with a Password Level (QPWDLVL) setting of 2 or of 3.

RESOLUTION

Complex changes would be required to support the SHA-1 hashing algorithm that is used by AS/400 systems that use Password Level (QPWDLVL) settings of 2 or of 3. Therefore, Host Integration Server 2000 will not be updated to support the password synchronization feature to an AS/400 when you use the increased password level.

If you have to synchronize passwords between a Windows-based system and an AS/400-based system by using Password Level (QPWDLVL) settings of 2 or of 3, Host Integration Server 2004 and Enterprise Single Sign-On (ESSO) can be used to provide this functionality. Enterprise Single Sign-On is included with Host Integration Server 2004 to provide support for enterprise-wide single sign-on solutions to non-Windows systems. This includes IBM mainframes and AS/400 systems.

Enterprise Single Sign-On also provides for password synchronization to non-Windows systems through password synchronization adaptors that are available from third-party independent software vendors (ISVs). Password synchronization adaptors for IBM mainframes and for AS/400 systems are currently available from Proginet Corporation. For additional information about available password synchronization adaptors, visit the following Proginet Web site:

WORKAROUND

To work around this problem, you can configure your AS/400 system to use a Password Level (QPWDLVL) of 0 (zero). This is the default setting for the Password Level. See your AS/400 iSeries documentation before you make any changes to this setting.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

IBM added the Password Level (QPWDLVL) setting in OS/400 V5R1 to enable user profile passwords from 1 character to 128 characters. Previously, the AS/400 user profile passwords were from 1 character to 10 characters. You can find more information in your AS/400 documentation. For more information about this setting, visit the following IBM Web site:

To examine the QPWDLVL setting on an IBM AS/400 system, follow these steps:
  1. Open an AS/400 terminal or a 5250 emulator to sign on to an AS/400 system.
  2. Enter the following command at the AS/400 command line, and then press ENTER:

    wrksysval qpwdlvl
  3. In the Options column, type 5, and then press ENTER.
  4. The current setting and the explanation of the current setting for the Password Level appear in the AS/400 display session.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Modification Type: Major
Last Reviewed: 12/1/2004
Keywords:kbtshoot kbBug kbprb KB872778 kbAudDeveloper kbAudITPRO