Configuring the 3270 Client Emulator to Use Single Sign On with the Security Integration features included with SNA Server, Host Integration Server 2000 and Host Integration Server 2004 (290508)



The information in this article applies to:

  • Microsoft SNA Server 3.0 SP1
  • Microsoft SNA Server 3.0 SP2
  • Microsoft SNA Server 3.0 SP3
  • Microsoft SNA Server 3.0 SP4
  • Microsoft SNA Server 4.0
  • Microsoft SNA Server 4.0 SP1
  • Microsoft SNA Server 4.0 SP2
  • Microsoft SNA Server 4.0 SP3
  • Microsoft SNA Server 4.0 SP4
  • Microsoft Host Integration Server 2000
  • Microsoft Host Integration Server 2000 SP1
  • Microsoft Host Integration Server 2004

This article was previously published under Q290508

SUMMARY

This article describes how to configure the 3270 Client (win3270.exe) that is included with SNA Server (version 3.0 Service Pack [SP] 1 and later), Host Integration Server 2000, and Host Integration Server 2004 to take advantage of single sign-on (SSO) by using the security integration features.

MORE INFORMATION

Benefits of Using Security Integration and SSO

  • A script file can automate the keystroke logon process as well as include application information such as TSO, IMS, and so forth.
  • An end-user or administrator can create one script file that could be used for all 3270 users when accessing a host application/mainframe.
  • The script file includes MS$SAMEU (as the userid value) and MS$SAMEP (as the password value) instead of the user's clear-text userid and password, so no real host credentials are stored in the script file.

NOTES:
  • Third-party emulators can be used for SSO but must support "scripting" of user input. The example script files in this article may differ from third-party emulators.
  • The actual text description in these example script files may differ since accessing host applications and logging onto the mainframe can vary among users.
  • The security integration features must be configured before applications such as the 3270 Client can use SSO. This article assumes that these steps are already completed.
For more information about the security integration feature in SNA Server 4.0 or Host Integration Server 2000, click the following article number to view the article in the Microsoft Knowledge Base:

175063 Security integration setup and architectural overview


Information about Enterprise Single Sign-On (ESSO) is available for download from Microsoft. ESSO is the security integration feature that is included with Host Integration Server 2004 and BizTalk Server 2004.

The following files are available for download from the Microsoft Download Center:


Download the Host Integration Server 2004 documentation package now.

Download the Single Sign-on Services for Microsoft Enterprise Application Integration Solutions white paper package now.

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Steps to Use the 3270 Emulator with a Script File

  • Step 1: Configuring a 3270 Script for SSO

    1. Start the 3270 emulator.
    2. From the Session menu, choose Connect.
    3. From the Script menu, choose Record. The record facility converts these actions into a logon script. The default script file is named Logon.lsc and is located in the <snaroot> folder (for example, C:\Sna\System).
    4. Connect to the appropriate host application (for example, TSO or IMS). For the following example, TSO is selected.
    5. Log on to the host using a valid mainframe userid and password.
    6. When you are finished recording your logon script, from the Script menu, choose Stop.
    7. To verify that your script works, you must first disconnect your session: from the Session menu, click Disconnect.
    8. From the Session menu, choose Connect.
    9. From the Script menu, choose Play.
    Optionally, you can use one of the following procedures to configure the logon script to run automatically when you connect:

    • From the Script menu, choose Auto Run. When you subsequently establish a connection to the host, the logon script runs automatically.

    -or-

    • From the Session menu, choose Autoconnect. Every time you subsequently start the 3270 client, the connection to the host will be made and you will be logged on automatically.
    Example 3270 Script file (Logon.lsc):

    SETTIMEOUT 30,EXIT
    WAITSESSION SSCP
    ; Wait for banner. Wait <delay> can be replaced with WaitString "<string>"
    WAIT 3
    SEND TSO@E
    WAITSESSION LULU
    ; Wait for screen after BIND. Wait <delay> can be replaced with WaitString "<string>"
    WAIT 3
    SEND MYUSERID@E
    SEND MYPASSWD@E
    EXIT:
    The following is a list of script file content descriptions:

    - The semi-colon (;) without quotes = remarks
    - TSO = the subsystem application being selected in this example
    - @E = Enter key was pressed
    - MYUSERID = real mainframe userid
    - MYPASSWD = real mainframe password
    - @T = Tab key being pressed (not included in this example)

  • Step 2: Edit the 3270 Script to Use SSO with the HAC

    1. Using any text editor, such as Microsoft Notepad, edit the Logon.lsc script file.
    2. Replace the real mainframe userid and password with MS$SAMEU and MS$SAMEP, respectively.
    3. Save and close the file, and then test this new script with the same steps as before.

    NOTE: If you make multiple script files with different names for accessing other applications, you can choose to use them by doing this:

    1. From the Session menu, choose Session Configuration. The 3270 Settings dialog box appears.
    2. In the Script File box, click Browse to select another script file.
    3. Double-click the script file that you want to use.
    4. Click OK.
    The newly edited script file from step 1 should now look like this:

    SETTIMEOUT 30,EXIT
    WAITSESSION SSCP
    ; Wait for banner. Wait <delay> can be replaced with WaitString "<string>"
    WAIT 3
    SEND TSO@E
    WAITSESSION LULU
    ; Wait for screen after BIND. Wait <delay> can be replaced with WaitString "<string>"
    WAIT 3
    SEND MS$SAMEU@E
    SEND MS$SAMEP@E
    EXIT:

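The Step 1 recording and the Step 2 edit can be checked mechanically. The following is an added Python example, not part of this article or of the 3270 Client: it parses a Logon.lsc of the shape shown above, reports any SEND values typed after WAITSESSION LULU that are not MS$SAMEU or MS$SAMEP, and rewrites them the way Step 2 describes. It assumes, as in the article's example, that the SSCP-phase SEND selects the application and the LU-LU-phase SENDs carry the userid and password; the sample script is constructed.

```python
import re
# Constructed sample: a Logon.lsc as recorded in Step 1, before the Step 2 edit.
RECORDED_SCRIPT = """SETTIMEOUT 30,EXIT
WAITSESSION SSCP
WAIT 3
SEND TSO@E
WAITSESSION LULU
WAIT 3
SEND MYUSERID@E
SEND MYPASSWD@E
EXIT:
"""
SSO_TAGS = ("MS$SAMEU", "MS$SAMEP")
KEY_SUFFIX = re.compile(r"(@[A-Z])+$")  # trailing key mnemonics such as @E or @T

def parse_script(text):
    """Yield (line_no, keyword, argument); skip blanks, ';' remarks and labels."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";") or line.endswith(":"):
            continue
        keyword, _, arg = line.partition(" ")
        yield no, keyword.upper(), arg.strip()

def find_cleartext_credentials(text):
    """Return (line_no, value) for SENDs after WAITSESSION LULU that are not SSO tags.
    Assumption (article's example): LU-LU-phase SENDs type the userid and password."""
    in_lulu, leaks = False, []
    for no, kw, arg in parse_script(text):
        if kw == "WAITSESSION":
            in_lulu = arg.upper() == "LULU"
        elif kw == "SEND" and in_lulu:
            value = KEY_SUFFIX.sub("", arg)
            if value not in SSO_TAGS:
                leaks.append((no, value))
    return leaks

def convert_to_sso(text):
    """Apply Step 2: first LU-LU SEND becomes MS$SAMEU, second MS$SAMEP; @E is kept."""
    out, in_lulu, replaced = [], False, 0
    for raw in text.splitlines():
        kw, _, arg = raw.strip().partition(" ")
        if kw.upper() == "WAITSESSION":
            in_lulu = arg.strip().upper() == "LULU"
        elif kw.upper() == "SEND" and in_lulu and replaced < 2:
            keys = KEY_SUFFIX.search(arg.strip())
            raw = f"SEND {SSO_TAGS[replaced]}{keys.group(0) if keys else ''}"
            replaced += 1
        out.append(raw.strip())
    return "\n".join(out) + "\n"
```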
    When the security integration feature is correctly configured, the following steps occur to complete SSO:
    1. When the 3270 emulator starts up (if configured to automatically run the scripted logon), MS$SAMEU and MS$SAMEP are passed to the SNA Server service on the SNA Server or Host Integration Server.
    2. The SNA Server service checks if the Windows user that is making this request is a member of a security integration group defined during the configuration of the security integration components.
    3. The SNA Server service then scans the data stream. When it recognizes MS$SAMEU and MS$SAMEP, it performs an SSO look-up and replaces them with the real host userid and password that are configured in the credentials database.
    For information and caveats regarding the special keywords MS$SAMEU and MS$SAMEP, see the following Microsoft Knowledge Base article:

    291805 3270 SSO Fails If 3270SSOUserTag and 3270SSOPwdTag Use Same Value
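The three steps above, together with the caveat from KB 291805, as an added Python model that is not the product's code: the security integration group and the credentials database are constructed in-memory stand-ins, the data stream is treated as EBCDIC (code page 037) bytes as a 3270 stream would be, and the tag names 3270SSOUserTag and 3270SSOPwdTag are taken from the title of the referenced article.

```python
# Constructed in-memory stand-ins for the security integration group and the
# credentials database; the real product stores these elsewhere.
SSO_GROUP_MEMBERS = {"CORP\\alice", "CORP\\bob"}
CREDENTIALS_DB = {"CORP\\alice": ("ALICE01", "H0stPw!"), "CORP\\bob": ("BOB42", "Other#1")}
EBCDIC = "cp037"  # the 3270 data stream carries EBCDIC, not ASCII


class SsoError(Exception):
    """SSO cannot be completed; the tags must not reach the host unreplaced."""


def validate_tags(user_tag, pwd_tag):
    """Caveat from KB 291805: 3270SSOUserTag and 3270SSOPwdTag must differ,
    otherwise the service cannot tell the userid field from the password field."""
    if user_tag == pwd_tag:
        raise SsoError("3270SSOUserTag and 3270SSOPwdTag use the same value")


def substitute_credentials(windows_user, outbound, user_tag="MS$SAMEU", pwd_tag="MS$SAMEP"):
    """Model of steps 1-3 above: scan the outbound EBCDIC stream for the tags,
    confirm the Windows user is in the security integration group, look the
    host credentials up, and replace each tag with the real value."""
    validate_tags(user_tag, pwd_tag)
    u_tag, p_tag = user_tag.encode(EBCDIC), pwd_tag.encode(EBCDIC)
    if u_tag not in outbound and p_tag not in outbound:
        return outbound  # ordinary 3270 traffic without tags passes through untouched
    if windows_user not in SSO_GROUP_MEMBERS:
        raise SsoError(f"{windows_user} is not in the security integration group")
    try:
        host_user, host_pwd = CREDENTIALS_DB[windows_user]
    except KeyError:
        raise SsoError(f"no host credentials mapped for {windows_user}") from None
    return outbound.replace(u_tag, host_user.encode(EBCDIC)).replace(p_tag, host_pwd.encode(EBCDIC))


def logon_fields(user_tag="MS$SAMEU", pwd_tag="MS$SAMEP"):
    """What the two LU-LU SEND lines of the edited Logon.lsc put on the wire
    (constructed: only the two field values, without 3270 orders or AID bytes)."""
    return f"{user_tag} {pwd_tag}".encode(EBCDIC)
```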


Modification Type: Major
Last Reviewed: 3/22/2005
Keywords: KB290508