Windows NT 4.0 Service Pack 4 Breaks SNA Encrypted Client Connectivity
ID: Q195818
|
The information in this article applies to:
-
Microsoft SNA Server, versions 3.0, 4.0
-
Microsoft SNA Server version 3.0 with Service Packs 1, 2, and 3
-
Microsoft SNA Server version 4.0 with Service Pack 1
SYMPTOMS
After you upgrade SNA Server (version 3.0 or 4.0) to Windows NT 4.0 Service
Pack 4, any SNA user configured to use data encryption will be unable to
establish a session through the server when connecting from the following
client platforms:
- Windows NT 4.0 Service Pack 3 or earlier
(running the SNA 3.0 or 4.0
Windows NT, SNA Windows 9x or SNA Windows 3.x client software)
- Windows 98 or Windows 95 (running the SNA 3.0 or 4.0 Windows 9x
client
software)
- Windows 3.x (running the SNA 3.0 or 4.0 Windows 3.x client software).
SNA Windows NT clients that are upgraded to Windows NT 4.0 Service Pack 4
will be able to connect to an SNA Server which has also been upgraded to
Windows NT 4.0 Service Pack 4.
Likewise, if an SNA Windows NT client computer is upgraded to Windows NT
4.0 Service Pack 4, the SNA client user (when configured to use data
encryption) will be unable to establish a session through SNA Server if the
server is running Windows NT 4.0 Service Pack 3 or earlier.
The following symptoms will occur when clients experience this problem:
- The SNA Windows NT or Windows 3.x 3270 applet
displays the following
error on startup, and fails to display a 3270 session list within the
Session Configuration dialog box.
ERROR - Reading SNA Server Configuration
- The SNA Windows NT or Windows 3.x 5250 applet displays the following
error when attempting to open a session, and will fail to retrieve
Remote APPC LU aliases within the Session Configuration dialog box:
WIN5250
SNA Server has been deactivated. Contact System Administrator
[F003][010000F0]
-or-
The Remote LU name specified for this session is invalid
[0001] [0000001B]
- The SNA Windows NT client logs Event 705 to the Windows NT
Application
Event log:
Event ID: 705
Source: SNA 3270 Emulator (or) SNA APPC Application
Description:
Logon Failed.
EXPLANATION
Connection request failed due to data security
Access denied -- required data encryption -- Error Code: 43
- The SNA Windows 95 3270 applet displays the LU name in the session
configuration dialog box, but stops responding (hangs) with a blank
screen when attempting to connect to the session.
- When the SNA Windows 95 client fails to connect, the SNA Server logs
Event 717 to the Windows NT Application Event log:
Event ID: 717
Source: SNA Base Service
Description:
Client-Server Connection Disconnected.
EXPLANATION
Security Error - unable to decode security messages. Error Code =
0x8009030f
CAUSE
The Microsoft Windows NT 4.0 Service Pack 4 (SP4) NTLM security package
modifies the implementation of the encryption context options for
applications which use the InitializeSecurityContext() API. This causes SNA
Server (and SNA Windows NT and Windows 9x clients) to build encrypted
messages differently when running on Windows NT 4.0 SP4 than for prior
Windows NT versions. This causes interoperability problems between SNA
clients and servers that are running on different versions of Windows NT
when encryption is enabled for an SNA user.
RESOLUTION
SNA Server 3.0
To resolve this problem, obtain the latest service pack for SNA Server version 3.0. For additional information, please see the following article in the
Microsoft Knowledge Base:
Q184307 How to Obtain the Latest SNA Server Version 3.0 Service Pack
SNA Server 4.0
This problem was corrected in the latest SNA Server version 4.0 U.S.
Service Pack. For information on obtaining this Service Pack, query on
the following word in the Microsoft Knowledge Base (without the spaces):
S E R V P A C K
WORKAROUND
To work around this problem, disable the use of SNA Server client-server
encryption until SNA Server, SNA client, and/or Windows NT software can be
upgraded within the network.
STATUS
Microsoft has confirmed this to be a problem in the products listed at the
beginning of this article when running on a mixture of Windows NT 4.0 SP4
and prior Windows NT versions.
This problem was first corrected in SNA Server 3.0 Service Pack 4.
MORE INFORMATION
The following implementation decisions must be made to fully resolve this
issue and support client encryption with mixed SNA Server, SNA client, and
Windows NT versions:
- If SNA Servers are to be upgraded to Windows
NT 4.0 SP4, before any SNA
clients are upgraded to Windows NT 4.0 SP4, the SNA Server update should
be applied to the servers first, to preserve connectivity for back-level
clients (including SNA Windows 9x and Windows 3.x clients which are not
running on Windows NT).
- If SNA Windows NT (or SNA Windows 9x) clients are to be upgraded to
Windows NT 4.0 SP4, before the SNA Servers are upgraded to Windows NT
4.0 SP4, the SNA client update should be applied to the clients, to
preserve connectivity to back-level servers.
- Applying the SNA update simultaneously to all SNA Servers and SNA
clients preserves interoperability regardless of Windows NT versions
being used.
The following tables summarize interoperability between various
combinations of SNA Server, SNA client, and Windows NT software.
Old SNA CLIENT or Old SNA Server software = SNA 3.0 (including Service
Packs 1-3), SNA 4.0 (including Service Pack 1)
New SNA Client or New SNA Server = SNA 3.0 (post-Service Pack 3), SNA 4.0
(post-Service Pack 1)
---------------------------------------------------------
Old SNA ********** Old SNA Server *******
Client on NT4SP3 or earlier on NT4SP4
-------- -------------------- ---------
NT4SP3,
SNA NT or WORKS FAILS
SNA Win9x
NT4SP4,
SNA NT or FAILS WORKS
SNA Win9x
Win9x,
SNA Win9x WORKS FAILS
Any Platform,
SNA Win3x WORKS FAILS
---------------------------------------------------------
Old SNA ********** New SNA Server *******
Client on NT4SP3 or earlier on NT4SP4
-------- -------------------- ---------
NT4SP3,
SNA NT or WORKS WORKS
SNA Win9x
NT4SP4,
SNA NT or FAILS FAILS
SNA Win9x
Win9x,
SNA Win9x WORKS WORKS
Any Platform,
SNA Win3x WORKS WORKS
New SNA ********** Old SNA Server *******
Client on NT4SP3 or earlier on NT4SP4
-------- -------------------- ---------
NT4SP3,
SNA NT or WORKS FAILS
SNA Win9x
NT4SP4,
SNA NT or WORKS FAILS
SNA Win9x
Win9x,
SNA Win9x WORKS FAILS
Any Platform,
SNA Win3x WORKS FAILS
---------------------------------------------------------
New SNA ********** New SNA Server *******
Client on NT4SP3 or earlier on NT4SP4
-------- -------------------- ---------
NT4SP3,
SNA NT or WORKS WORKS
SNA Win9x
NT4SP4,
SNA NT or WORKS WORKS
SNA Win9x
Win9x,
SNA Win9x WORKS WORKS
Any Platform,
SNA Win3x WORKS WORKS
Additional query words:
Keywords :
Version : WINDOWS:3.0,4.0
Platform : WINDOWS
Issue type : kbbug