DOCUMENT:Q194741 25-OCT-2001 [sna] TITLE :StarQuest ODBC Sessions Through SNA Server Fail When Using IIS PRODUCT :Microsoft SNA Server PROD/VER::4.0 SP1 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft SNA Server, version 4.0 SP1 ------------------------------------------------------------------------------- SYMPTOMS ======== ODBC sessions using the StarQuest ODBC driver bundled with SNA Server 4.0 Service Pack 1 (SP1) fail to start when connecting through IIS. The following error is returned by SNA Server's APPC library when this problem occurs: Primary Return Code: F004 (AP_COMM_SUBSYSTEM_NOT_LOADED) ODBC connections through applications (that is, MSQuery) other than Internet Information Server (IIS) do not exhibit this problem. In addition, this problem did not occur when using SNA Server 4.0 and earlier. Also, Event ID 705 may get logged when the session fails to connect. The following error is logged with APPC Application Event ID 705: Logon Failed. EXPLANATION Connection request failed due to data security. Access denied --- Error Code : 44 CAUSE ===== When an ODBC connection through IIS is started, SNA Server's DMOD initialization fails because the initialization is started by a thread that is impersonating another user. In this case, the impersonated user is likely to be IUSR_ or whatever the IIS account has been changed to. This occurs because the impersonating thread does not have the rights needed to modify any of the process security settings. RESOLUTION ========== Microsoft has confirmed this to be a problem in SNA Server version 4.0 SP1. This problem was corrected in the latest SNA Server version 4.0 U.S. Service Pack. For information on obtaining this Service Pack, query on the following word in the Microsoft Knowledge Base (without the spaces): S E R V P A C K MORE INFORMATION ================ After applying the hotfix, the DMOD initialization will be done in a thread that has the necessary rights to modify the process security settings. By default, when IIS is installed, it creates a user account called IUSR_, where is the name of the computer on which IIS is running. When a request is received by IIS from an application, IIS will impersonate the IUSR_ account in order to execute any code or access any files that are involved in the request. For more information on IIS security, please see the following Microsoft Knowledge Base article: ARTICLE-ID: Q158229 TITLE : Security Ramifications for IIS Applications Additional query words: ====================================================================== Keywords : Technology : kbAudDeveloper kbSNAServSearch kbSNAServ400SP1 Version : :4.0 SP1 Issue type : kbbug Solution Type : kbfix ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.