AS/400 Password Change Using Host Security May Not Complete

ID: Q232035


The information in this article applies to:
  • Microsoft SNA Server, versions 3.0, 3.0SP1, 3.0SP2, 3.0SP3, 4.0, 4.0SP1, 4.0SP2


SYMPTOMS

When you use Microsoft's SNA Server Host Security Integration (HSI) to make a password change on an AS/400 system, the request will be sent to the AS/400 system, however, the password change may never reach the AS/400 User Database.

If a password change request doesn't work, end users have no way of knowing this until the next time they try logging onto the AS/400 using the "new" AS/400 password. If using the 5250 applet that is included with Microsoft's SNA Server, the following error message is displayed:

The host system rejected the connection due to a security validation error. Please check your session configuration.

[0003] [080F6051]
Here is the primary and secondary return code information:
PRC = [0003] AP_ALLOCATION ERROR
APPC has failed to allocate a conversation. The conversation state is set to RESET.

SRC = [080F6051] AP_SECURITY_NOT_VALID
The user ID or password specified in the allocation request was not accepted by the partner LU.
NOTE: Other third-party emulators may report a different error message.

ADDITIONAL INFORMATION

During the time of a password change failure, the following entries are recorded in the Event Viewer application log on the SNA Server:
  • Event 6005 Source: AS400MDSI

    The SNA APPC service returned the following error when attempting an operation for [userid_name] in the [Host_Security_Domain_Name]:

    Receive and Wait verb has completed with primary return code Allocation Error.


  • Event 1506 Source: SNA Host Security

    Security DLL could not establish network connection to host side components.


If an SNA Server DLC trace (nodemsg) is taken when the password request leaves the SNA Server (node), the AS/400 rejects the Attach (02FF) with a 0846 0000 sense code promising the SNA Server the real error in a later message.
DLC   ----------------------------------------------- 12:39:53.0859
DLC   01020501->04160001 DLC DATA
DLC                      DAF:01 OAF:01 ODAI:off Normal
DLC                      RQE FMD FI BC EC DR1 PI CD
DLC
DLC   ---- Header  at address 011946F0, 1 elements ----
DLC   0B050000 1D002C00 01010001 01009300     <......,.......l.>
DLC
DLC   ---- Element at address 01B83480, start 10, end 136 ----
DLC   0B912040 0502FF10 03D10000 0406F3F0     <.j @.....J....30>
DLC   F1120702 D4D6D5E3 C5C20901 36D18DB1     <1...MONTEB..6J..>
DLC   FE4EE330 140BC1D7 D7D54BD3 D6C3C2C9     <.NT0..APPNKLOCBI>
DLC   C707CF05 0C0C2700 01000800 00000000     <G.....'.........>
DLC   00000100 3C12FF00 38122100 34FF0408     <....<...8.!.4...>
DLC   01D4D6D5 E3C5C20A 07000000 00000000     <.MONTEB.........>
DLC   020A035A 2F306BE7 AD90A60A 05909504     <...Z/0kX..w...n.>
DLC   FE1D27EC 550A04C8 82A03363 31B53D       <..'.U..Hb.3c1.= >
DLC   ----------------------------------------------- 12:39:53.0869
DLC   04160001->01020501 DLC DATA
DLC                      DAF:01 OAF:01 ODAI:off Normal
DLC                      +RSP FMD BC EC PI
DLC
DLC   ---- Header  at address 011946F0, 1 elements ----
DLC   0B050000 1D002C00 01010000 01004301     <......,.......C.>
DLC
DLC   ---- Element at address 01B83480, start 10, end 12 ----
DLC   830100                                  <c..             >
DLC   ----------------------------------------------- 12:39:53.0869
DLC   04160001->01020501 DLC DATA
DLC                      DAF:01 OAF:01 ODAI:off Normal
DLC                      -RSP FMD SD BC EC DR1
DLC
DLC   ---- Header  at address 011946F0, 1 elements ----
DLC   0B050000 1D002C00 01018000 01004301     <......,.......C.>
DLC
DLC   ---- Element at address 01B83480, start 10, end 16 ----
DLC   87900008 460000                         <g...F..         >
            ^^ ^^^^^^  
 ----------------------------------------------- 12:39:53.0869 
The 0846 0000 sense code means ERP Message Forthcoming.

Here is the actual error from the AS/400:

DLC   ----------------------------------------------- 12:39:53.0869
DLC   04160001->01020501 DLC DATA
DLC                      DAF:01 OAF:01 ODAI:off Normal
DLC                      RQE FMD FI BC EC DR1 PI CEB
DLC
DLC   ---- Header  at address 01194890, 1 elements ----
DLC   0B050000 1D002C00 01010001 01004301     <......,.......C.>
DLC
DLC   ---- Element at address 01B83A34, start 10, end 49 ----
DLC   0B910107 07084B60 3180001E 12E10018     <.j....K`1.......>
                 ^^^^^^ ^^   
Primary Sense Code: 084B - Requested Resources Not Available
Secondary Sense Code: 6031 - Transaction Program Not Available


CAUSE

The subsystem or job where this transaction program (TP) runs on the AS/400 is not active.


RESOLUTION

The transaction program to which SNA Server's Host Security talks is named QACSOTP. This TP normally runs as a job under a particular subsystem on the AS/400. For example, the AS/400 subsystem may be called QBASE, which is part of a library called QSYS where the program job TP QACSOTP runs. If either the subsystem QBASE, or the TP QACSOTP is not "active," password changes do not work.


MORE INFORMATION

Microsoft's Host Security Integration components provides out of the box one-way (unidirectional) password synchronization from Windows NT to IBM AS/400 systems (V3R1 or later) without any additional host code being needed. This is made possible by means of the Sec400.dll that gets installed with HSI and used after configuring and setting up a Host Security Domain.

For two-way (bi-directional) password changes (AS/400 to Window NT), third-party solutions are required. For a list of third-party independent software vendors (ISVs), please see the Companion Product Catalog (Isvcatal.doc) on the SNA Server CD.

The third-party products discussed here are manufactured by vendors independent of Microsoft; we make no warranty, implied or otherwise, regarding these products' performance or reliability.

Additional query words:

Keywords : sna3 sna3sp1 sna3sp2 sna3sp3 sna4 sna4sp1 sna4sp2
Version : WINDOWS:3.0,3.0SP1,3.0SP2,3.0SP3,4.0,4.0SP1,4.0SP2
Platform : WINDOWS
Issue type : kbprb


Last Reviewed: June 9, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.