User May Override Mapping Is Not Enforced Centrally

• Microsoft SNA Server, versions 3.0 (all SP), 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3

SUMMARY

The User May Override Mapping option is available in the Host Security Domain properties in SNA Server Manager. If this option is disabled, a user is not allowed to change the mapping for their User ID. The enforcement of the User May Override Mapping option is handled in the Host Account Manager (Udconfig.exe) program. This option is not enforced centrally by any of the other host security components.

The following article discusses a problem with Host Account Manager that allows the "Use This User ID" field to be edited even though the User May Override Mapping option is disabled in the Host Security Domain:

Q247320 User ID Can be Edited When User May Override Mapping Is Disabled

MORE INFORMATION

A supported feature that modifies the product's default behavior is now available from Microsoft, but has not been fully regression tested and should be applied only to systems having a specific need for it. If you are not severely affected by the lack of this feature, Microsoft recommends that you wait for the next Microsoft SNA Server version 4.0 service pack that contains this feature.

To obtain this feature immediately, contact Microsoft Product Support Services. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://www.microsoft.com/support/supportnet/overview/overview.asp

• Updated versions of Udconfig.exe, Snapmp.exe, and Snaudb.exe.
  
  When all of the updated components are used, Udconfig.exe verifies the user privilege before enabling the mapped User ID field. The Snapmp service sets a flag to TRUE if the client has Admin privileges. The Snaudb service checks this flag before making any updates to the host account cache database. In this scenario, administrators are the only ones that can change the host account mappings if the User May Override Mapping option is disabled.



• Updated versions of Snapmp.exe and Snaudb.exe with previous versions of Udconfig.exe.
  
  If the Udconfig.exe file from SNA Server 4.0 SP3 or earlier is used, the "Use This User ID" field can be edited. A user can change the mapped User ID in Udconfig, and it appears that the change was made. However, the Snapmp and Snaudb services verify the user privilege. If the user has Admin privileges, the change is made in the host account cache database. If the user does not have Admin privileges, the change is not made in the host account cache database. Also, the following event is logged in the Application event log when the attempted change is not authorized:
  
  

  Event ID: 51
  Source: SNA Host Security
  Description: PMP could not validate the request.
  




• Updated version of Snaudb.exe and previous versions of Snapmp.exe and Udconfig.exe.
  
  In this case, the Snaudb service verifies that no one, including the Administrator, can change the mapped user name. The service logs event ID 51 (described above) in the Application event Log to note that the attempted change was unauthorized.

Additional query words:

Keywords : sna3 sna3sp1 sna3sp2 sna3sp3 sna3sp4 sna4 sna4sp1 sna4sp2 sna4sp3
Version : WINDOWS:3.0 (all SP),4.0,4.0 SP1,4.0 SP2,4.0 SP3
Platform : WINDOWS
Issue type : kbinfo