Synchronizing Windows NT to AS/400 Passwords Using HSI (201359)
The information in this article applies to:
- Microsoft SNA Server 3.0
- Microsoft SNA Server 3.0 SP1
- Microsoft SNA Server 3.0 SP2
- Microsoft SNA Server 3.0 SP3
- Microsoft SNA Server 3.0 SP4
- Microsoft SNA Server 4.0
- Microsoft SNA Server 4.0 SP1
- Microsoft SNA Server 4.0 SP2
- Microsoft SNA Server 4.0 SP3
This article was previously published under Q201359
SYMPTOMS
When you use Microsoft Host Security Integration (HSI) and select the Password is Replicated option in the Host Security Domain properties, you can change a Windows NT user password and have the change synchronized to the AS/400 user database at the same time.
The initial password change request can come from any one of the following sources:
- Windows NT Server by using User Manager for Domains
- Windows NT Workstation by using the CTRL-ALT-DELETE key combination, and then selecting Change Password
- Windows 95/98 computer by clicking the Passwords icon in Control Panel
When a password change request is completed from one of the above sources, the end user can log off, and then log back on to Windows NT using the "new" password. However, if the password change request fails to complete in the AS/400 user database, the end user has no way of knowing until the next time they request a session. If you use the 5250 applet that ships with SNA Server, the following error message appears when you use the "new" password:
The host system rejected the connection due to a security validation error.
Please check your session configuration.
[0003] [080F6051]
The following is the Primary and Secondary return code information:
PRC = [0003] AP_ALLOCATION_ERROR
APPC has failed to allocate a conversation. The conversation state is set to RESET.
SRC = [080F6051] AP_SECURITY_NOT_VALID
The user ID or password specified in the allocation request was not accepted by the partner LU.
Note: Other third-party emulators may report a different error message.
CAUSE
In most cases, this problem is caused by a set of rules, or "System Values", on the AS/400 user database, which are similar to the "Account Policies" in Windows NT User Manager for Domains.
Additional Information
Viewing the application log in Event Viewer may help you determine why a "new" password was rejected by the AS/400. Every time a password is rejected, several events are logged, normally four entries in total. The following two are always recorded:
Event 6005 - Source: AS400 MDSI
Event 1506 - Source: SNA Host Security
You then receive two additional events, which may provide more detail. In the following example, a password of 10 characters is used, which the AS/400 does not allow:
Event 6012 - Source: AS400 MDSI
The AS/400 in domain <HS_Domain_Name> reports that the new password for <User_Id> is invalid for the following reason:
Password longer than 8 characters.
Event 1513 - Source: SNA Host Security
New host password supplied is longer than maximum allowed.
The events from this next example occur as a result of the password being the same as the AS/400 User ID, which the AS/400 does not allow:
Event 6012 - Source: AS400 MDSI
The AS/400 in domain <HS_Domain_Name> reports that the new password for <User_Id> is invalid for the following reason:
Password cannot be same as user ID.
Event 1511 - Source: SNA Host Security
Invalid new password for the host user was specified.
RESOLUTION
Correct the restriction for the user's password as indicated by the event message. If the message does not include the actual problem description, view the System Operator Messages on the AS/400 for more information.
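The following triage script is an added example, not part of the original article or of SNA Server. It groups the events described above into individual rejected password changes and pulls the reason out of Event 6012. The record layout (time, source, event ID, description), the 5-second grouping window, and the domain and user names are assumptions made for illustration.

```python
import re
from datetime import datetime

SOURCES = {"AS400 MDSI", "SNA Host Security"}
ALWAYS = {6005, 1506}  # logged for every rejected host password change
REASON = re.compile(r"in domain (\S+) reports that the new password for (\S+) "
                    r"is invalid for the following reason:\s*(.+)", re.S)

# Constructed sample records; names are made up, and the 6005/1506 text is a
# placeholder because the article does not quote those descriptions.
SAMPLE = [
    ("1999-03-01 09:15:02", "AS400 MDSI", 6005, "(not quoted)"),
    ("1999-03-01 09:15:02", "AS400 MDSI", 6012, "The AS/400 in domain HSDOM reports that the new "
     "password for JSMITH is invalid for the following reason:\nPassword longer than 8 characters."),
    ("1999-03-01 09:15:03", "SNA Host Security", 1506, "(not quoted)"),
    ("1999-03-01 09:15:03", "SNA Host Security", 1513,
     "New host password supplied is longer than maximum allowed."),
    ("1999-03-01 09:20:00", "OtherApp", 1000, "unrelated"),
    ("1999-03-01 10:40:10", "AS400 MDSI", 6005, "(not quoted)"),
    ("1999-03-01 10:40:11", "SNA Host Security", 1506, "(not quoted)"),
]

def triage(events, window=5):
    """Group HSI events into rejected password changes and extract the reason."""
    rows = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), s, i, d)
                  for t, s, i, d in events if s in SOURCES)
    clusters = []
    for row in rows:
        # Events within `window` seconds of a cluster's first event belong together.
        if clusters and (row[0] - clusters[-1][0][0]).total_seconds() <= window:
            clusters[-1].append(row)
        else:
            clusters.append([row])
    report = []
    for c in clusters:
        entry = {"time": c[0][0], "domain": None, "user": None, "reason": None,
                 "detail": [i for _, _, i, _ in c if i not in ALWAYS and i != 6012]}
        for _, _, eid, desc in c:
            m = REASON.search(desc) if eid == 6012 else None
            if m:
                entry.update(domain=m.group(1), user=m.group(2), reason=m.group(3).strip())
        if entry["reason"] is None:
            # No 6012 detail logged: the article points to System Operator Messages.
            entry["reason"] = "not logged; check AS/400 System Operator Messages"
        report.append(entry)
    return report

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

The second group in the sample has only the two always-recorded events, so the script reports that no reason was logged instead of guessing one.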
Modification Type: Minor
Last Reviewed: 4/19/2005
Keywords: kbhowto kbprb KB201359