Distributed Link Services that are started by using the LocalSystem account do not connect to Host Integration Server 2004-based servers (888762)



The information in this article applies to:

  • Microsoft Host Integration Server 2000
  • Microsoft Host Integration Server 2000 SP1
  • Microsoft Host Integration Server 2004

SYMPTOMS

Distributed Link Services (DLS) link services that are started by using the LocalSystem account on Microsoft Host Integration Server 2000-based servers do not connect to Host Integration Server 2004-based servers.

If host connections are configured to use a DLS link service such as SnaRem1 in Host Integration Server 2000, a status message that is similar to the following may appear in SNA Manager when the problem occurs:
    [Pending] (Failed @ Time)
You receive an error message that is similar to the following on the Host Integration Server 2000-based server:
    Event ID: 23
    Source: SNA Server
    Description: Connection Failure
    Connection = ConnectionName
    Link Service = DLSLinkServiceName
    Outage Code = OutageCode
You also receive the following error message on the Host Integration Server 2004-based server that the DLS link service is trying to connect to when the problem occurs:
    Event ID: 705
    Source: SNA Base Service
    Description: Logon Failed.

    EXPLANATION
    Access denied on client-server or Distributed Link Service connection request.

    Connection from RemoteServerName denied because LSA logons are not supported. --- Error Code : 4097

CAUSE

Host Integration Server 2000 uses the Local System Account (LSA) logon method for validation when a DLS link service is started by using the LocalSystem account. LSA logons are not supported in Host Integration Server 2004. Therefore, DLS link services that are started by using the LocalSystem account on Host Integration Server 2000 and on earlier versions of SNA Server cannot connect to Host Integration Server 2004.

RESOLUTION

To resolve this behavior, you must configure DLS link services to start by using user credentials that can access resources on the Host Integration Server 2004-based server.
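
To find which remote servers still run DLS link services under LocalSystem, the event 705 text quoted under SYMPTOMS can be tallied per connecting server on the Host Integration Server 2004-based server. The following is an added example, not Microsoft's code; it assumes the event log was exported to plain text with one "Event ID:" line per record, and the server names in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample export; the layout (one "Event ID:" line per record) is an assumption.
SAMPLE_LOG = """\
Event ID: 705
Source: SNA Base Service
Description: Logon Failed.
Connection from HIS2000-A denied because LSA logons are not supported. --- Error Code : 4097

Event ID: 23
Source: SNA Server
Description: Connection Failure

Event ID: 705
Source: SNA Base Service
Description: Logon Failed.
Connection from his2000-a denied because LSA logons
are not supported. --- Error Code : 4097

Event ID: 705
Source: SNA Base Service
Description: Logon Failed.
Connection from HIS2000-B denied because LSA logons are not supported. --- Error Code : 4097
"""

# Matches the event 705 denial text quoted in this article.
DENIED_RE = re.compile(
    r"Connection from (?P<server>\S+) denied because LSA logons are not "
    r"supported\.\s*-+\s*Error Code\s*:\s*\d+", re.IGNORECASE)
EVENT_ID_RE = re.compile(r"^Event ID:\s*(\d+)\s*$", re.MULTILINE)

def split_events(text):
    """Split an exported log into per-event chunks, each starting at 'Event ID:'."""
    starts = [m.start() for m in EVENT_ID_RE.finditer(text)]
    return [text[a:b] for a, b in zip(starts, starts[1:] + [len(text)])]

def lsa_denied_servers(text):
    """Count event 705 LSA-logon denials per remote server (case-insensitive)."""
    hits = Counter()
    for chunk in split_events(text):
        if EVENT_ID_RE.search(chunk).group(1) != "705":
            continue  # e.g. event 23, logged on the Host Integration Server 2000 side
        # Collapse whitespace so a description wrapped across lines still matches.
        m = DENIED_RE.search(" ".join(chunk.split()))
        if m:
            hits[m.group("server").upper()] += 1
    return hits
```

Each server name returned is a computer whose DLS link service needs to be reconfigured to start with user credentials as described above.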

STATUS

This behavior is by design.

MORE INFORMATION

Support for the LSA logon method was removed in Host Integration Server 2004 to help make the product more secure. If you have applications or services such as DLS link services that use the LocalSystem account, we recommend that you modify these applications or services to use valid user credentials to access remote resources.

If anonymous logon support is enabled, any service or application that passes null credentials can access the Host Integration Server 2004-based server without having to provide valid user credentials. Null credentials are a null user account name, password, and domain. The application or service could possibly perform disruptive or destructive actions.

For more information about the LocalSystem account and the extensive permissions that it has on the local computer, visit the following Microsoft Developer Network (MSDN) Web site:

We do not recommend that you use the LocalSystem account unless a service actually must have all the permissions that are provided by this account. Additionally, services that run under the LocalSystem account will use null credentials when they access remote resources.

For additional information about a related Host Integration Server 2004 issue that occurs when you use SNA applications that run as Windows services by using the LocalSystem account, click the following article number to view the article in the Microsoft Knowledge Base:

888478 SNA applications that run as Windows services do not connect to a Host Integration Server 2004-based server and log an event 705 message


Modification Type: Major
Last Reviewed: 11/10/2004
Keywords: kbprb KB888762 kbAudDeveloper kbAudITPRO