DLS Connection Fails with Event ID: 705 When SNA Server Is Not Installed Under the System Account (256919)
The information in this article applies to:
- Microsoft SNA Server 2.11 SP1
- Microsoft SNA Server 2.11 SP2
- Microsoft SNA Server 3.0
- Microsoft SNA Server 3.0 SP1
- Microsoft SNA Server 3.0 SP2
- Microsoft SNA Server 3.0 SP3
- Microsoft SNA Server 3.0 SP4
- Microsoft SNA Server 4.0
- Microsoft SNA Server 4.0 SP1
- Microsoft SNA Server 4.0 SP2
- Microsoft SNA Server 4.0 SP3
This article was previously published under Q256919
SYMPTOMS
If you install a branch SNA Server by using a specific user account (as opposed to the system account), and for any reason the user account cannot be validated by the central SNA Server, you cannot connect to the branch SNA Server site. In the Application event log on the branch SNA Server, the following event is logged:
Event ID: 705
Source: SNA <type> Link Service
Type: Warning
Description: Logon Failed. EXPLANATION Connection Failed due to data security. Access denied -- Error Code: 44
CAUSE
When you attempt to connect a branch SNA Server site by using the Distributed Link Service (DLS), the central SNA Server attempts to validate the incoming connection by using the context that the DLS is running under on the branch SNA Server. This can cause a problem if the central SNA Server is unable to validate the account for any reason (for example, broken trust, different domain, and so on); in that case, the connection status shows Pending on the branch SNA Server.
This problem occurs because Windows NT uses different methods to validate the system account and a user account. If the DLS is running under the local system account, it must use the Local Security Authority (LSA) for logon, and by default, no security is enforced. If the DLS is running under a user account, it uses Windows NT LAN Manager (NTLM) authentication for logon, and security is enforced. For example:
DLS Client-----------------------------Link Service Proxy
SNAREM1-------LSA logon (system)-----> SNADLC[D]
(no NT credentials required: local system)
SNAREM1-------NTLM logon (user)------> SNADLC[D]
(Valid NT credentials required: User account)
RESOLUTION
To resolve this issue, do one of the following:
- Enable the guest account on the central SNA Server.
- On the central SNA Server, create an account with a matching user ID (UID) and password (PWD) that the DLS on the branch SNA Server is running under.
- Set the DLS to run under the system account on the branch SNA Server.
Modification Type: Minor | Last Reviewed: 4/19/2005
Keywords: KB256919