KnowledgeBase Archive

An Archive of Early Microsoft KnowledgeBase Articles


Q222947: COMTI: Allow Use Of Already Verified and Application Override

Article: Q222947
Product(s): Microsoft SNA Server
Version(s): WINDOWS:4.0,4.0 SP2,4.0SP1,4.0SP2
Operating System(s): 
Keyword(s): kbsna400sp3fix
Last Modified: 08-MAY-2002

-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft COM Transaction Integrator for CICS and IMS, version 4.0 SP2 
- Microsoft SNA Server, versions 4.0, 4.0SP1, 4.0SP2 
-------------------------------------------------------------------------------


SYMPTOMS
========

When you enable user or package-level security in the Remote Environment on the
Security tab within the COM Transaction Integrator Manager, the following
security options may be selected, but are not currently designed to function
together:

- Allow application to override selected authentication

- Use Already Verified or Persistent Verification authentication

Because of a non-trusted domain architecture, a customer was unable to deploy the
SNA Server Host Security Integration feature, and wanted their application to
supply the host user ID and password credentials itself. This is possible by
selecting the "Allow application override" option. But if this option is selected
along with "Already Verified or Persistent Verification", the application-supplied
credentials are ignored, and the user ID and password are sent to the host. It
was requested that both options be allowed to work together. Prior to this
update, use of the COMTI "Already Verified or Persistent Verification" check box
required that the SNA Server Host Security Integration feature had been
deployed.

CAUSE
=====

These security options were not designed to work together, because this would
allow a user application to provide any arbitrary host user ID on a host
request, which the host would accept if the CICS region is defined with
Attachsec=Identify. By allowing "Identify" security, CICS will accept requests
with only the host user ID being provided in the user request, without requiring
host verification of the host password.

RESOLUTION
==========

To resolve this problem, obtain the latest service pack for SNA Server version
4.0. For additional information, please see the following article in the
Microsoft Knowledge Base:

  Q215838 How to Obtain the Latest SNA Server Version 4.0 Service Pack


STATUS
======

Microsoft has confirmed this to be a problem in SNA Server 4.0, 4.0 SP1 and 4.0
SP2. This problem was first corrected in SNA Server version 4.0 Service Pack 3.

MORE INFORMATION
================

When COM Transaction Integrator is configured to support both of these security
options and this update is applied, the following behavior occurs.

If the host is configured to accept "Already Verified" security:

1. Within the CICS region, "Attachsec=Identify" allows CICS to accept requests
  with only the user ID provided by the application.

2. The COM application provides a user ID when invoking the COM object
  associated with their host transaction.

3. COMTI accepts the user ID, converts it to EBCDIC, and calls MC_ALLOCATE with
  the user ID and security=AP_SAME. The Wappc32.dll detects that the host BIND
  allows FMH-5 Attach requests with the "already verified" indicator set
  (within byte 23 of the BIND request), and formats the FMH-5 with the "already
  verified" indicator and the user ID security vector (but no password vector).

4. The host accepts the user ID only, and executes the transaction.

If the host is configured to accept "Persistent Verification" security:

- Within the CICS region, "Attachsec=Persistent" is configured. See the
  following article in the Microsoft Knowledge Base for other host
  configuration settings required to enable persistent verification:

  Q222565 SNA Server Caches User in PV Signed-On List if Attach Fails

- The COM application provides a user ID and password when invoking the COM
  object associated with their host transaction.

- COMTI accepts the user ID and password, converts them to EBCDIC, and calls
  MC_ALLOCATE with the user ID and password, with security=AP_SAME. The
  Wappc32.dll detects that the host BIND allows FMH-5 Attach requests with
  "persistent verification" (within byte 23 of the BIND request), and formats
  the FMH-5 with the "PV sign-on requested" bit along with both the user ID and
  password security vectors.

- SNA Server accepts the FMH-5 Attach from the Wappc32.dll, and checks the SNA
  Server internal PV signed-on cache to determine if the user has previously
  signed on to the host using persistent verification. If not, the FMH-5 Attach
  is provided to the host, with the "PV sign-on requested" bit set, and the
  user is added to the SNA Server PV signed-on list. If the user has previously
  signed on using persistent verification, the password is removed from the
  FMH-5 Attach, and the "PV already signed-on" bit is set, then the FMH-5 is
  sent to the host.

- The host accepts the FMH-5 Attach, containing the PV indicator and security
  credential.

NOTE: For more information about persistent verification, see the following
article in the Microsoft Knowledge Base:

  Q198179 Enabling an APPC/CPIC Program to Use Persistent Verification
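The two flows above (Already Verified and Persistent Verification) reduced to a small model, added here as an illustration and not code from Microsoft or the SNA Server product. The names BindCaps, SnaServer, build_attach and host_checks_password are assumptions, the FMH-5 Attach is represented as named fields rather than its real byte layout, the cp037 code page stands in for the host's EBCDIC page, and the fallback when the BIND allows neither option is assumed to send both security vectors.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class BindCaps:
    # What the partner advertised in the BIND (the article: byte 23),
    # modelled as two booleans instead of raw bits (assumption).
    already_verified: bool = False
    persistent_verification: bool = False

@dataclass
class SnaServer:
    # Model of the SNA Server internal "PV signed-on list".
    pv_signed_on: set = field(default_factory=set)

def build_attach(bind: BindCaps, sna: SnaServer,
                 user_id: str, password: Optional[str]) -> dict:
    """Model the FMH-5 Attach security fields produced for an MC_ALLOCATE
    with security=AP_SAME and an application-supplied user ID/password."""
    attach = {"user_id": user_id.encode("cp037"), "password": None,
              "already_verified": False,
              "pv_signon_requested": False, "pv_already_signed_on": False}
    if bind.persistent_verification and password is not None:
        if user_id in sna.pv_signed_on:
            # Second and later attaches: password stripped, PV bit set.
            attach["pv_already_signed_on"] = True
        else:
            # First attach: both vectors sent, user cached as signed on.
            attach["pv_signon_requested"] = True
            attach["password"] = password.encode("cp037")
            sna.pv_signed_on.add(user_id)
    elif bind.already_verified:
        # User ID vector only; no password vector is ever formatted.
        attach["already_verified"] = True
    elif password is not None:
        attach["password"] = password.encode("cp037")  # assumed fallback
    return attach

def host_checks_password(attach: dict, attachsec: str) -> bool:
    """Whether CICS, with the given Attachsec setting, verifies a password
    for this attach. False means the user ID alone is trusted."""
    if attachsec == "identify" and attach["already_verified"]:
        return False
    if attachsec == "persistent" and attach["pv_already_signed_on"]:
        return False
    return attach["password"] is not None
```

With Attachsec=Identify the attach carries only whatever user ID the application chose, and the host performs no password check at all, which is the exposure the CAUSE section describes and why application override should only be enabled where the application's own authentication of the caller is trusted.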

Additional query words:

======================================================================
Keywords          : kbsna400sp3fix 
Technology        : kbAudDeveloper kbSNAServSearch kbCOMTISearch kbCOMTI400SP2 kbSNAServ400
Version           : WINDOWS:4.0,4.0 SP2,4.0SP1,4.0SP2
Issue type        : kbbug
Solution Type     : kbfix

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 1986-2002.