Password Change Lost if Password Change DLL Can't Contact SNAPMP
ID: Q236135
The information in this article applies to:
Microsoft SNA Server, versions 3.0, 3.0 SP1, 3.0 SP2, 3.0 SP3, 3.0 SP4, 4.0, 4.0 SP1, 4.0 SP2
IMPORTANT: This article contains information about editing the registry.
Before you edit the registry, make sure you understand how to restore it if
a problem occurs. For information about how to do this, view the "Restoring
the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help
topic in Regedt32.exe.
The password change DLL has been updated to implement a retry mechanism if it is unable to contact the master Windows NT Password Synchronization service.
When you use the SNA Server Host Security feature to synchronize passwords between a host and a Windows NT domain, the password change DLL (Snapwchg.dll) is responsible for intercepting password changes made to Windows NT accounts in its Windows NT domain and passing them on to the Windows NT Password Synchronization (SNAPMP) service.
In multiple domain environments, the password change DLL and the master (primary) SNAPMP service may reside on primary domain controllers (PDCs) in different Windows NT domains. In environments such as these, password changes will be lost if the password change DLL is unable to contact the master SNAPMP service running on the PDC in the other Windows NT domain.
The password change DLL is not designed to provide any type of retry mechanism if it fails to communicate with the SNAPMP service.
After you apply the update, the password change DLL writes all password change notifications it intercepts into a memory queue. After a password change notification is written to the memory queue, the dispatch thread of the password change DLL dequeues the first password change notification and immediately attempts to contact the SNAPMP service to propagate it. If the SNAPMP service cannot be contacted, the password change DLL attempts to send the password change notification stored in the memory buffer a total of five times: the initial attempt is followed by up to four retries. The password change DLL stops retrying if the total retry time exceeds five minutes. The actual interval between retries may vary depending on specific network conditions.
In addition, the password change notifications are written to an encrypted file if the five attempts to contact the SNAPMP from the memory buffer fail or if the retry time exceeds five minutes. If the message queue file is enabled, the password change DLL attempts to contact the SNAPMP service every five minutes to propagate the password changes that are queued in the file. The password change DLL only attempts to send the password change notification once for each five-minute period. After a password change notification is successfully sent to the SNAPMP service from the message queue file, the next password change notification in the message queue file is sent immediately and it is attempted up to five times. It is not resent for another five minutes if the fifth attempt fails or if the maximum retry time of five minutes is exceeded.
The following registry entry is used to specify the path and name of the encrypted file that the password change messages will be written to.
WARNING: Using Registry Editor incorrectly can cause serious problems that
may require you to reinstall your operating system. Microsoft cannot
guarantee that problems resulting from the incorrect use of Registry Editor
can be solved. Use Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys and
Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete
Information in the Registry" and "Edit Registry Data" Help topics in
Regedt32.exe. Note that you should back up the registry before you edit it.
If you are running Windows NT, you should also update your Emergency
Repair Disk (ERD).
- Start Registry Editor (Regedt32.exe).
- Locate the following key in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SNA Server\CurrentVersion\HostSecurity\PasswordChange
- On the Edit menu, click Add Value, and then add the following registry value:
Value Name: MsgQueFileName
Data Type: REG_SZ
Value: path\filename
- Quit Registry Editor.
NOTE: The message queue file can be located in any path on the local computer running Windows NT Server and can have any valid file name. However, it is recommended that the file be located in the folder where the SNA Server Host Security software is installed. For example, if the host security software is installed in the C:\Hostsec folder, the recommended location and name of the message queue file is:
If the path and file name in the registry are incorrect, the password change notifications are only queued in the memory queue.
The following registry entry has to be added to disable the use of the message queue file:
- Start Registry Editor (Regedt32.exe).
- Locate the following key in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SNA Server\CurrentVersion\HostSecurity\PasswordChange
- On the Edit menu, click Add Value, and then add the following registry value:
Value Name: MsgQueFileWriteToFile
Data Type: REG_DWORD
Value: 0
- Quit Registry Editor.
If a message queue file is not used, the password change notifications are discarded after the fifth attempt to contact the SNAPMP service from the memory buffer.
The following are some other items related to this new retry functionality:
- The memory buffer queue can contain a maximum of 1000 password change notifications. The message file queue can contain a maximum of 10,000 password change notifications. The queue sizes are not configurable at this time.
- If a new password change notification arrives when either the memory buffer or message queue file is full, the new password change notification is discarded, and one of the following events is logged in the application event log:
Event ID: 668
Source: SNA Host Security
Description: Password Change DLL -- The message queue file is full.
Event ID: 676
Source: SNA Host Security
Description: Password Change DLL -- The memory password change message queue is full.
- Before writing a password change notification to the message queue file, the password change DLL searches the message queue file for a notification with the same user name and replaces the old password change message with the new one if a previous entry is found.
- After a password change notification fails to be propagated to the SNAPMP service, all subsequent password change notifications are appended to the end of the message queue file. The password change DLL does not propagate password change notifications from the memory buffer until all pending password change notifications in the message queue file are successfully sent to the SNAPMP service.
- The message queue file is encrypted using 128-bit encryption.
- The password change DLL tries to verify the integrity of the encrypted message queue file when the DLL is initialized. If, for some reason, the encrypted message queue file is corrupted, memory-only message dispatch is used. Deleting the corrupted message queue file and restarting the system results in a new message queue file being created.
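The two-tier queueing and retry behaviour described above (memory queue, five attempts, spill to the message queue file, one attempt per five-minute period, replacement of a stale entry for the same user, the 1000 and 10,000 entry limits and events 676 and 668) is easier to reason about as a small model. The following Python simulation is an added illustration, not code from Snapwchg.dll or from Microsoft; the class names, the FakeSnapmp stand-in for the SNAPMP service, the (user name, password) tuple used as a notification record and the simulated clock are all assumptions. The five-minute cap on the initial burst of retries is represented only by the attempt count, since the model has no real timing.

```python
"""Model of the password change DLL retry queue described in Q236135.

Added illustration only: this is NOT Snapwchg.dll code. The record layout,
class names and the simulated clock are assumptions made for the model.
"""
from collections import deque
from typing import Callable, Deque, Dict, List, Tuple

MEMORY_QUEUE_MAX = 1000        # limit stated in the article
FILE_QUEUE_MAX = 10_000        # limit stated in the article
MAX_ATTEMPTS = 5               # initial attempt plus four retries
FILE_RETRY_PERIOD = 300.0      # seconds: one file-queue attempt per five minutes
EVENT_FILE_QUEUE_FULL = 668    # "The message queue file is full."
EVENT_MEMORY_QUEUE_FULL = 676  # "The memory password change message queue is full."

# (user name, new password) -- constructed record layout, not the real one
Notification = Tuple[str, str]


class PasswordChangeQueue:
    def __init__(self, send: Callable[[Notification], bool], use_file_queue: bool = True):
        self.send = send                       # True when SNAPMP accepts the notification
        self.use_file_queue = use_file_queue   # False models MsgQueFileWriteToFile = 0
        self.memory: Deque[Notification] = deque()
        self.file: List[Notification] = []     # stands in for the encrypted message queue file
        self.events: List[int] = []            # event IDs that would reach the application log
        self.discarded: List[Notification] = []
        self.delivered: List[Notification] = []
        self.next_file_attempt = 0.0           # simulated time of the next file-queue pass

    def intercept(self, note: Notification) -> None:
        """A Windows NT password change has been intercepted."""
        if self.file:
            # once a notification has spilled to the file, later ones are appended there
            self._write_to_file(note)
            return
        if len(self.memory) >= MEMORY_QUEUE_MAX:
            self.discarded.append(note)
            self.events.append(EVENT_MEMORY_QUEUE_FULL)
            return
        self.memory.append(note)

    def _write_to_file(self, note: Notification) -> None:
        if not self.use_file_queue:
            self.discarded.append(note)        # no file: dropped after the fifth attempt
            return
        for i, (user, _) in enumerate(self.file):
            if user == note[0]:
                self.file[i] = note            # replace the stale change for the same user
                return
        if len(self.file) >= FILE_QUEUE_MAX:
            self.discarded.append(note)
            self.events.append(EVENT_FILE_QUEUE_FULL)
            return
        self.file.append(note)

    def _try_send(self, note: Notification) -> bool:
        return any(self.send(note) for _ in range(MAX_ATTEMPTS))

    def dispatch(self, now: float) -> None:
        """One pass of the dispatch thread at simulated time `now` (seconds)."""
        if self.file:
            if now < self.next_file_attempt:
                return                          # only one attempt per five-minute period
            while self.file:
                if not self._try_send(self.file[0]):
                    self.next_file_attempt = now + FILE_RETRY_PERIOD
                    return                      # memory stays blocked until the file drains
                self.delivered.append(self.file.pop(0))
        while self.memory:
            note = self.memory.popleft()
            if self._try_send(note):
                self.delivered.append(note)
            else:
                self._write_to_file(note)       # five failures: spill to the file queue
                self.next_file_attempt = now + FILE_RETRY_PERIOD
                return


class FakeSnapmp:
    """Constructed stand-in for the master SNAPMP service: reachable or not."""
    def __init__(self) -> None:
        self.up = False
        self.attempts = 0
        self.received: List[Notification] = []

    def send(self, note: Notification) -> bool:
        self.attempts += 1
        if self.up:
            self.received.append(note)
        return self.up


def run_scenario() -> Dict[str, object]:
    """Constructed outage: the link to SNAPMP is down, then recovers after five minutes."""
    snapmp = FakeSnapmp()
    q = PasswordChangeQueue(snapmp.send)
    q.intercept(("alice", "pw1"))   # constructed sample data
    q.dispatch(now=0.0)             # five attempts fail: alice spills to the file
    q.intercept(("bob", "pw1"))     # file is non-empty: appended to the file
    q.intercept(("alice", "pw2"))   # replaces alice's stale entry in the file
    q.dispatch(now=100.0)           # inside the five-minute period: no attempt made
    snapmp.up = True
    q.dispatch(now=300.0)           # period elapsed: file drained in order
    return {"delivered": q.delivered, "file_pending": len(q.file),
            "attempts": snapmp.attempts, "events": q.events}


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario shows the ordering the article describes: the replaced entry for alice carries only the newest password, bob's change follows it, and no attempt is made between the spill and the end of the five-minute period. Constructing the queue with `use_file_queue=False` reproduces the MsgQueFileWriteToFile = 0 behaviour, where a notification is discarded after the fifth failed attempt.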
This feature is available in the latest service pack for SNA Server version 4.0. For additional information, please see the following article in the Microsoft Knowledge Base:
Q215838 How to Obtain the Latest SNA Server Version 4.0 Service Pack
This feature was first included in SNA Server version 4.0 Service Pack 3.
Additional query words:
Keywords : sna3 sna3sp1 sna3sp2 sna3sp3 sna3sp4 sna4 sna4sp1 sna4sp2
Version : WINDOWS:3.0,3.0 SP1,3.0 SP2,3.0 SP3,3.0 SP4,4.0,4.0 SP1,4.0 SP2
Platform : WINDOWS
Issue type : kbinfo