Host Account Database Location for Single Sign-On
ID: Q248479
The information in this article applies to:
- Microsoft SNA Server, versions 3.0 (all SP), 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3
SUMMARY
When you use the SNA Server Host Security Integration features to provide Single Sign-On (SSO) support, the SNA Server computer needs to contact a Host Account Cache (HAC) database to get the correct host user credentials to send to the host system.
The Host Security Integration DLL (Snasii.dll) is responsible for locating an HAC database that can be used for host account lookups.
MORE INFORMATION
The Snasii.dll file is initialized when the SNA Server service starts. During initialization, the Snasii.dll file attempts to locate a Secondary (Backup) Host Account Database (SDB) to use for host account lookups. The following steps describe the process used to locate an HAC database.
- The Snasii.dll file makes a call to determine the PDC for the Windows NT domain.
- An RPC connection to the PDC, where the Master Database (MDB) resides, is attempted.
- If the RPC connection to the MDB is successful:
  - A UDI_LOCATE message is sent to the MDB asking for the name of an SDB. The UDI_LOCATE message also includes the SNA Subdomain of the SNA Server.
  - The MDB checks whether any SDBs are registered with an SNA Subdomain name that matches the subdomain name in the UDI_LOCATE.
  - If there are SDBs registered with the same subdomain name, the MDB sends a response to the UDI_LOCATE message that includes the name of the first SDB that matches the request.
  - If there are no SDBs registered with the MDB with the same subdomain name, the MDB sends a response to the UDI_LOCATE that includes the name of the first SDB in its list, regardless of subdomain name.
  - If there are no SDBs registered with the MDB at all, the MDB sends a response to the UDI_LOCATE indicating that the MDB itself should be used for the account lookups.
- If the RPC connection to the MDB is unsuccessful (for example, the MDB is unavailable) and SNA Server 4.0 SP3 has been applied:
  - The Snasii.dll file checks whether there is an active HAC database installed locally; if there is, it uses this SDB for host account lookups.
  - If the local system does not have an active HAC database, the Snasii.dll file issues an API call to find all of the BDCs in the domain. It then contacts each BDC in turn to see whether it has an active HAC database. It connects to the first BDC that reports an active database and uses that database for host account lookups.
Note: The ability to search for BDCs was added in SNA Server 4.0 SP3. Please refer to the following article for details on the problem that resulted in this new functionality:
Q235929 Single Sign-On Fails if the Windows NT Primary Domain Controller is Unavailable
Other Points of Interest:
- All SNA Server computers in a subdomain that do account lookups use the same SDB, because the MDB always returns the first SDB in its list that matches the specified subdomain name. The MDB does not implement any load balancing algorithm to distribute host account lookups across multiple SDBs.
- An SNA Server computer with a secondary HAC database is only guaranteed to use its local HAC database for host account lookups when the MDB is unavailable.
- SDBs re-register with the MDB every three minutes so that the MDB keeps an accurate list of active SDBs. If an SDB does not re-register for three registration periods (approximately 9 minutes), the MDB removes it from its list of active SDBs.
- When a new SDB registers with the MDB, all SNA Server computers with the same subdomain name as the new SDB relocate to it, and the new SDB is then used for host account lookups.
- The SNA Host Account Cache service can be installed on a Windows NT member server and used for host account lookups. However, if there are no other SDBs installed on BDCs in the NT domain, SNA Server computers cannot locate these member-server SDBs when the MDB is unavailable: Snasii.dll searches for an active local HAC database and then for BDCs; it does not search member servers. If the SNA Server computers themselves are running on Windows NT member servers and each has an active SDB, each uses its own local HAC database when the MDB is unavailable.
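The following added model walks through the location sequence above (MDB query, then the SP3 fallback to a local SDB and to BDCs) together with the first-match and re-registration behaviour listed under Other Points of Interest. It is not Microsoft's code: Snasii.dll, UDI_LOCATE, MDB, SDB and the timings are from the article, while the data shapes, function names and sample hosts are constructed for illustration.

```python
# Added model of the HAC database location sequence; not Microsoft's code.
# Snasii.dll, UDI_LOCATE, MDB/SDB and the re-registration timings come from
# the article; data shapes, function names and sample values are constructed.
from dataclasses import dataclass
from typing import Optional

REGISTRATION_PERIOD_MIN = 3   # SDBs re-register with the MDB every 3 minutes
EXPIRE_AFTER_PERIODS = 3      # removed after 3 missed periods (~9 minutes)


@dataclass
class Sdb:
    host: str
    subdomain: str
    minutes_since_register: int = 0
    active: bool = True


def active_sdbs(registered: list) -> list:
    """MDB's view: SDBs that re-registered within the expiry window,
    kept in registration order."""
    limit = REGISTRATION_PERIOD_MIN * EXPIRE_AFTER_PERIODS
    return [s for s in registered if s.minutes_since_register < limit]


def udi_locate(registered: list, subdomain: str) -> str:
    """MDB's answer to UDI_LOCATE: first SDB whose subdomain matches, else
    the first SDB in the list regardless of subdomain, else the MDB itself."""
    sdbs = active_sdbs(registered)
    for s in sdbs:
        if s.subdomain == subdomain:
            return s.host             # first match only: no load balancing
    return sdbs[0].host if sdbs else "MDB"


def locate_hac(mdb_available: bool, registered: list, subdomain: str,
               local_sdb: Optional[Sdb], bdc_sdbs: list,
               sp3_applied: bool = True) -> Optional[str]:
    """Snasii.dll at service start: query the MDB on the PDC; if the RPC
    fails and SP3 is applied, use a local active SDB, then the first BDC
    reporting an active SDB. Member-server SDBs are not searched."""
    if mdb_available:
        return udi_locate(registered, subdomain)
    if not sp3_applied:
        return None                   # pre-SP3: no fallback path
    if local_sdb is not None and local_sdb.active:
        return local_sdb.host
    for sdb in bdc_sdbs:              # BDCs are contacted in turn
        if sdb.active:
            return sdb.host
    return None                       # no reachable HAC database
```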
Keywords : sna3 sna3sp1 sna3sp2 sna3sp3 sna3sp4 sna4 sna4sp1 sna4sp2 sna4sp3
Version : WINDOWS:3.0 (all SP),4.0,4.0 SP1,4.0 SP2,4.0 SP3
Platform : WINDOWS
Issue type : kbinfo