Q248479: Host Account Database Location for Single Sign-On
Article: Q248479
Product(s): Microsoft SNA Server
Version(s): 3.0,3.0 SP1,3.0 SP2,3.0 SP3,3.0 SP4,4.0,4.0 SP1,4.0 SP2,4.0 SP3,4.0 SP4
Operating System(s):
Keyword(s): kbsna300sp1 kbsna300sp2 kbsna300sp3 kbsna300sp4 sna4 kbsna400sp1 kbsna400sp2 kbsna400sp
Last Modified: 18-DEC-2001
-------------------------------------------------------------------------------
The information in this article applies to:
- Microsoft SNA Server, versions 3.0, 3.0 SP1, 3.0 SP2, 3.0 SP3, 3.0 SP4, 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4
- Microsoft Host Integration Server 2000
-------------------------------------------------------------------------------
SUMMARY
=======
When you use the Host Security Integration features to provide Single Sign-On
(SSO) support, the SNA Server/Host Integration Server (HIS) 2000 computer needs
to contact a Host Account Cache (HAC) database to obtain the correct host user
credentials to send to the host system.
The Host Security Integration dynamic link library (DLL), Snasii.dll, is
responsible for locating an HAC database that can be used for host account
lookups.
MORE INFORMATION
================
The Snasii.dll file is initialized when the SNA Server service starts. During
initialization, Snasii.dll attempts to locate a secondary (backup) host
account database (SDB) to use for host account lookups. The following steps
describe the process that is used to locate a secondary HAC database.
1. The Snasii.dll file makes a call to determine the primary domain controller
   (PDC)/PDC emulator for the Windows NT/Windows 2000 domain.

2. A remote procedure call (RPC) connection to the PDC/PDC emulator where the
   master database (MDB) resides is attempted.

   - If the RPC connection to the MDB is successful:

     a. A UDI_LOCATE message is sent to the MDB asking for the name of an SDB.
        The UDI_LOCATE message also includes the SNA subdomain of the SNA
        Server.

     b. The MDB checks whether any SDBs are registered with an SNA subdomain
        name that matches the subdomain name in the UDI_LOCATE message.

        1. If there are SDBs registered with the same subdomain name, the MDB
           sends a response to the UDI_LOCATE message that includes the name
           of the first SDB that matches the request.

           In HIS 2000, the response to the UDI_LOCATE message includes the
           name of the SDB that has the same subdomain name and the lowest
           locate_count number.

           NOTE: The locate_count number was added in HIS 2000 to provide
           load-balancing among SDBs. Prior to HIS 2000, all SNA Server
           computers in a subdomain used the same SDB for account lookups
           because the MDB always returned the first SDB in its list that
           matched the specified subdomain name.

        2. If there are no SDBs registered with the MDB with the same subdomain
           name, the MDB sends a response to the UDI_LOCATE message that
           includes the name of the first SDB in its list regardless of the
           subdomain name.

           In HIS 2000, the MDB sends a response to the UDI_LOCATE message that
           includes the name of the SDB that has the lowest locate_count
           regardless of the subdomain name.

        3. If there are no SDBs registered with the MDB, the MDB sends a
           response to the UDI_LOCATE message that indicates that the MDB
           itself should be used for the account lookups.

   - If the RPC connection to the MDB is unsuccessful (for example, if the MDB
     is unavailable) and SNA Server 4.0 Service Pack (SP) 3 or later is
     being used:

     a. The Snasii.dll file checks whether there is an active HAC database
        installed locally; if there is, it uses this SDB for host account
        lookups.

     b. If the local system does not have an active HAC database, the
        Snasii.dll file issues an API call to find all of the backup domain
        controllers (BDCs) (DCs in Windows 2000) in the domain. It then
        contacts each BDC (or DC) in turn to see whether it has an active HAC
        database. It connects to the first BDC (or DC) that reports that it
        has an active database and uses this database for host account
        lookups.
Note: The ability to search for BDCs was added in SNA Server 4.0 SP3. Please
refer to the following article for details on the problem that resulted in this
new functionality:
Q235929 Single Sign-On Fails If the Windows NT Primary Domain Controller is
Unavailable
For additional information regarding the initialization of the SNASII.DLL when
host security is not being used, click the article number below to view the
article in the Microsoft Knowledge Base:
Q265384 SNASII.DLL Always Tries to Locate Host Account Cache Database
Other Points of Interest:
- All SNA Server 3.0/4.0 computers in a subdomain that do account lookups use
  the same SDB for account lookups because the MDB always returns the first
  SDB in its list that matches the specified subdomain name. The MDB does not
  implement any load-balancing algorithm to distribute the host account
  lookups across multiple SDBs. Load-balancing was implemented in HIS 2000,
  as described previously.
- An SNA Server/HIS 2000 computer with a secondary HAC database is only
  guaranteed to use its local HAC database for host account lookups when the
  MDB is unavailable.
- SDBs reregister with the MDB every three minutes. This is done to make sure
  that the MDB has an accurate list of active SDBs. If the MDB cannot
  reregister an SDB after three registration periods (approximately 9 minutes),
  the SDB is removed from its list of active SDBs.
- When a new SDB is registered with the MDB, all SNA Server computers with the
  same subdomain name as the new SDB relocate to this new SDB. The new SDB is
  then used for host account lookups.
  NOTE: This does not apply when HIS 2000 is being used.
- The SNA Host Account Cache service can be installed on a Windows NT/Windows
  2000 member server, and can be used for host account lookups. If there are
  no other SDBs installed on BDCs (or DCs) in the domain, SNA Server/HIS 2000
  computers cannot locate these SDBs if the MDB is unavailable. The reason for
  this is that SNA Server/HIS 2000 (Snasii.dll) searches for an active local
  HAC database, and then it searches for BDCs (or DCs). It does not search for
  member servers. If the SNA Server/HIS 2000 computers are running on member
  Windows NT/Windows 2000 servers and each has an active SDB, then each would
  use its own local HAC database if the MDB is unavailable.
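The MDB's choice of SDB in the UDI_LOCATE steps above, together with the three-period registration timeout from the points of interest, modelled as an added example. This is not Microsoft code: the SdbEntry record, the function names and the assumption that handing out an SDB increments its locate_count are constructed for illustration, and the RPC message format is not modelled.

```python
from dataclasses import dataclass

REGISTRATION_PERIOD_SEC = 3 * 60  # SDBs reregister with the MDB every three minutes
MISSED_PERIODS_ALLOWED = 3        # removed after three missed periods (about 9 minutes)


@dataclass
class SdbEntry:
    """One SDB as registered with the MDB (constructed model, not the real record)."""
    name: str
    subdomain: str
    locate_count: int        # HIS 2000 only; assumed to count how often the SDB was handed out
    last_registered: float   # seconds; compared against the 'now' passed to udi_locate


def prune_stale(entries, now):
    """Drop SDBs whose last registration is three or more periods old."""
    return [e for e in entries
            if now - e.last_registered < MISSED_PERIODS_ALLOWED * REGISTRATION_PERIOD_SEC]


def udi_locate(entries, subdomain, his2000=False, now=0.0):
    """Model the MDB's answer to a UDI_LOCATE for 'subdomain'.

    Returns the SDB name to use, or None meaning the MDB itself serves the lookups.
    SNA Server 3.0/4.0: first SDB whose subdomain matches, else first SDB in the
    list regardless of subdomain, else the MDB.  HIS 2000: the same three cases,
    with 'lowest locate_count' replacing 'first in list'.
    """
    active = prune_stale(entries, now)
    if not active:
        return None                       # case 3: nothing registered
    matching = [e for e in active if e.subdomain == subdomain]
    candidates = matching or active       # case 1 if any match, else case 2
    if his2000:
        chosen = min(candidates, key=lambda e: e.locate_count)
        chosen.locate_count += 1          # assumption: handing out an SDB bumps its count
    else:
        chosen = candidates[0]
    return chosen.name


def sample_registry():
    """Constructed registrations; the fourth entry is stale and must be ignored."""
    return [SdbEntry("ACCT-SDB1", "ACCOUNTING", 5, 0.0),
            SdbEntry("SALES-SDB1", "SALES", 0, 0.0),
            SdbEntry("ACCT-SDB2", "ACCOUNTING", 1, 0.0),
            SdbEntry("SALES-SDB2", "SALES", 0, -1000.0)]


if __name__ == "__main__":
    for his in (False, True):
        print("HIS 2000" if his else "SNA Server 4.0", udi_locate(sample_registry(), "ACCOUNTING", his))
```

Running it shows the pre-HIS 2000 MDB always naming ACCT-SDB1 for the ACCOUNTING subdomain, while the HIS 2000 model names the matching SDB with the lowest locate_count.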
======================================================================
Keywords : kbsna300sp1 kbsna300sp2 kbsna300sp3 kbsna300sp4 sna4 kbsna400sp1 kbsna400sp2 kbsna400sp3
Technology : kbAudDeveloper kbSNAServSearch kbHostIntegServ2000 kbSNAServ400
Version : 3.0,3.0 SP1,3.0 SP2,3.0 SP3,3.0 SP4,4.0,4.0 SP1,4.0 SP2,4.0 SP3,4.0 SP4
Issue type : kbinfo
=============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Copyright Microsoft Corporation 1986-2002.