Q165385: Single Signon for APPC Applications Using Privileged Proxy
Article: Q165385
Product(s): Microsoft SNA Server
Version(s): WINDOWS:3.0
Operating System(s):
Keyword(s): kbnetwork kbProgramming
Last Modified: 06-AUG-2002
-------------------------------------------------------------------------------
The information in this article applies to:
- Microsoft SNA Server, version 3.0
-------------------------------------------------------------------------------
SYMPTOMS
========
An Advanced Program-to-Program Communications (APPC) application is not allowed
to open an LU6.2 conversation using the Microsoft SNA Server 3.0 Host Security
single signon feature and impersonate the security context of another Microsoft
Windows NT user account.
An APPC application that is defined on a computer running Windows NT can only
open a conversation using single signon on behalf of the Windows NT account that
the application is defined to use.
CAUSE
=====
SNA Server 3.0 was not originally designed to support this functionality.
RESOLUTION
==========
Several updates have been made to SNA Server 3.0 to allow a privileged APPC
application to open an APPC conversation using the single signon feature on
behalf of any defined Windows NT user. This is the privileged proxy feature. In
addition, an extension has been added to the APPC API to invoke the feature.
These extensions are documented in the descriptions of [MC_]ALLOCATE APPC
verbs.
An APPC application becomes privileged when the application is started in a
Windows NT user account that is a member of a special Windows NT group.
When a Host Security Domain is configured, SNA Server Manager defines a second
Windows NT group for use with the host security features of SNA Server. If the
user account under which the actual client is running is a member of this second
Windows NT group, the client is privileged to initiate an APPC conversation on
behalf of any user account defined in the Host Account Cache.
The following illustrates how the privileged proxy feature works:
The SNA Server administrator creates a Host Security Domain called APP. SNA
Server Manager now creates two Windows NT groups. The first group is called APP
and the second is called APP_PROXY for this example. Users that are assigned to
the APP group are enabled for single signon. Users assigned to the APP_PROXY
group are privileged proxies. The administrator adds the Windows NT user
AppcUser to the APP_PROXY group using the Users button on the Host Security
Domain Property dialog box in SNA Server Manager.
The administrator then sets up an APPC application on the SNA Server to run as a
Windows NT service called APPCAPP and that service is set up to operate under
the AppcUser user account. When APPCAPP runs, it opens an APPC session via an
MC_ALLOCATE verb using the extended VCB format and specifies the Windows NT
username of the desired user, UserA (for example). The SNA Server service sees
the session request coming from a connection that is a member of the Host
Security Domain APP. The Client/Server interface tells the SNA Server service
that the actual client is AppcUser. The SNA Server service checks to see if
AppcUser is a member of the APP_PROXY group. Because AppcUser is a member of
APP_PROXY, the SNA Server service inserts the Username/Password for UserA in the
APPC Attach (FMH-5) command and sends it off to the partner TP.
APPC Application Requirements to Implement Privileged Proxy Support
-------------------------------------------------------------------
In order to support the priviledged proxy feature, the APPC application must
implement the following program logic:
1. First, the updated Winappc.h and Wappc32.lib files must be used from the SNA
Server 3.0 Service Pack 1 software development kit (SDK). The updated
Winappc.h includes new prototypes to support the privileged proxy feature.
2. The APPC application must determine the Windows NT user ID and domain name
that it wishes to impersonate.
3. The APPC application must set the following parameters before calling the
[MC_]ALLOCATE verb:
- Set security = AP_PROXY_SAME, AP_PROXY_PGM or AP_PROXY_STRONG.
- Enable the use of the extended ALLOCATE verb control block (VCB) structure
by setting the AP_EXTD_VCB flag in the opext field.
- Set up the pointers for proxy_user and proxy_domain to point to UNICODE
strings containing the user name and domain name of the user to be
impersonated.
NOTE: The application does not need to set up user_id and pwd fields in the
Allocate VCB.
When the APPC application performs the above steps and calls [MC_]ALLOCATE, the
SNA Server performs a lookup in the host security domain for the specified
Windows NT user, and sets the user ID and password fields in the FMH-5 Attach
message sent to the remote system.
STATUS
======
Microsoft has confirmed that this is a problem in SNA Server version 3.0. This
problem was corrected in the latest Microsoft SNA Server 3.0 U.S. Service Pack.
For information on obtaining the service pack, query on the following word in
the Microsoft Knowledge Base (without the spaces):
S E R V P A C K
MORE INFORMATION
================
Additional query words:
======================================================================
Keywords : kbnetwork kbProgramming
Technology : kbAudDeveloper kbSNAServSearch kbSNAServ300
Version : WINDOWS:3.0
Issue type : kbbug
Solution Type : kbfix
=============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Copyright Microsoft Corporation 1986-2002.