DOCUMENT:Q236122 23-OCT-2000 [sna] TITLE :SNA Server Doesn't Support AV/PV for APPC Conversation Security PRODUCT :Microsoft SNA Server PROD/VER:WINDOWS:3.0,3.0 SP1,3.0 SP2,3.0 SP3,3.0 SP4,4.0,4.0 SP1,4.0 SP2 OPER/SYS: KEYWORDS:kbsna400sp3fix kbsna300sp1 kbsna300sp2 kbsna300sp3 sna4 kbsna400sp1 kbsna400sp2 ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft SNA Server, versions 3.0, 3.0 SP1, 3.0 SP2, 3.0 SP3, 3.0 SP4, 4.0, 4.0 SP1, 4.0 SP2 ------------------------------------------------------------------------------- SYMPTOMS ======== An APPC Transaction Program configured to run on SNA Server may receive a BIND from the Host indicating support for the Already Verified (AV) and Persistent Verification (PV) in the BIND Security Support Indicators. During subsequent conversation processing, if the Transaction Program changes conversation security from AP_NONE to AP_SAME in subsequent ALLOCATES, the APPC session may fail with a Primary Return Code : 0003 (AP_ALLOCATION_ERROR), Secondary Return Code : 080F6051 (AP_SECURITY_NOT_VALID), and the following event may be logged in the Windows NT Application Log: Event ID: 63 Source: SNA Server Description: Incorrect password received from client for logged on user. EXPLANATION An invalid password was specified for a signed-on PV user (user ID: user). This password will be forwarded to the host to verify. If the password has changed, then the host will accept the new password, and the conversation will continue without persistent verification. ACTION If host rejects password, then check password, and try again. CAUSE ===== SNA Server fails to correctly implement user credential manipulation when the APPC conversation security is changed between ALLOCATE verbs. RESOLUTION ========== To resolve this problem, obtain the latest service pack for SNA Server version 4.0. For additional information, please see the following article in the Microsoft Knowledge Base: Q215838 How to Obtain the Latest SNA Server Version 4.0 Service Pack STATUS ====== Microsoft has confirmed this to be a problem in Microsoft SNA Server versions 3.0, 3.0SP1, 3.0SP2, 3.0SP3, 4.0, 4.0SP1, 4.0SP2. This problem was first corrected in SNA Server version 4.0 Service Pack 3. MORE INFORMATION ================ The problem is that when both AV and PV are specified, SNA Server treats the message as a hybrid of both. In the APPC library, the password is stripped out because it is AV. In the SNA Server, as a result of the issue discussed in the following Microsoft Knowledge Base article: Q222121 Enhanced Security When Using Persistent Verification the Attach is rejected because SNA Server thinks it is PV, but there is no password. SNA Server rejects the Attach by stripping out the security indicator and letting the Host deal with it. The correct behavior when the Host accepts AV and PV, and the application specifies security=AP_SAME, is specified in the following Microsoft Knowledge Base article: Q180866 Persistent Verification Support for APPC Sessions Namely, if SNA Server doesn't recognize that the user is signed on to the Host, it sends an Attach with the AV bit set and the PV bits set to "sign-on requested." The Attach does not include a password. If SNA Server recognizes the user as signed on, SNA Server sends an Attach with the AV bit set and the PV bits set to "already signed on." Again, the Attach doesn't include a password. Additional query words: ====================================================================== Keywords : kbsna400sp3fix kbsna300sp1 kbsna300sp2 kbsna300sp3 sna4 kbsna400sp1 kbsna400sp2 Technology : kbAudDeveloper kbSNAServSearch kbSNAServ300 kbSNAServ400 kbSNAServ300SP3 kbSNAServ300SP1 kbSNAServ400SP1 kbSNAServ400SP2 kbSNAServ300SP2 kbSNAServ300SP4 Version : WINDOWS:3.0,3.0 SP1,3.0 SP2,3.0 SP3,3.0 SP4,4.0,4.0 SP1,4.0 SP2 Issue type : kbbug Solution Type : kbfix ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2000.