Interoperability with IBM Host Systems
SNA Server can also automate the process of logging on to your host system as shown in Figure 10.27. This feature, commonly called single sign-on support, automatically logs users on to all security systems in a host security subdomain once they have been validated by any system within the subdomain. For example, if a user is logged on to the Windows 2000 domain, single sign-on can automate logon processes to host systems that are encompassed by the defined host security domain.
Figure 10.27 Automatic Logon Process
The following steps describe the automatic logon process, as illustrated in Figure 10.27:
1. When a user starts a terminal emulator or other SNA application on a client workstation, the application works with the SNA Server subdomain to perform a resource location operation to determine which SNA Server–based computer and connection to use to open the session.
2. The SNA application provides a replacement keyword as a placeholder for security information during the session initialization phase. The exact format of this keyword is dependent on the type of LU session being established. For example, the string "MS$SAME" is used for APPC or CPI-C applications.
3. SNA Server detects the replacement keyword and determines the Windows 2000 user name under which the client is logged on. Because this step requires the support of Windows 2000 domain authentication, the ability to be logged on automatically is only supported for users running native client/server sessions (for example, sessions using a computer running SNA Server Client).
Note
TN3270 users are not supported because the TN3270 service cannot determine the client's Windows 2000 user name.
4. Once the user name is determined, the computer running SNA Server uses the resource location to locate the Host Account Cache in the SNA Server subdomain. Depending on your installation, the cache might be located either on the computer running SNA Server itself or on a Windows 2000 domain controller in the SNA Server subdomain. SNA Server then sends a lookup message to the Host Account Cache that contains the Windows 2000 user name and password, and requests the corresponding host user name and password.
5. The Host Account Cache service verifies that the Windows 2000 account exists in the database, and that the account is a member of the Windows 2000 group in the host security domain. If either check fails, the user record is purged from the Host Account Cache.
6. If all checks pass, the service replies to the computer running SNA Server with a message containing the appropriate host account user name and password in an encrypted RPC network message.
7. SNA Server inserts the host account name and password into the SNA data stream, and sends a regular session initialization request to the host computer.
8. The host computer receives the regular session initialization request containing the correct host account information and authenticates the user.
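The following is an added model of the single sign-on decision logic in the steps above; it is not SNA Server code. The Host Account Cache, its record store, the group membership set, and the session type labels ("native", "tn3270") are stand-ins constructed for the illustration, and the pass-through of explicit credentials when no keyword is present is an assumption.

```python
# Added illustration of the SNA Server single sign-on flow, not SNA Server code.
# The Host Account Cache, RPC transport and SNA data stream are all stand-ins.
from dataclasses import dataclass, field

SSO_KEYWORD = "MS$SAME"  # placeholder keyword used by APPC / CPI-C applications (step 2)


@dataclass
class HostAccountCache:
    """Models the Host Account Cache service: maps Windows 2000 accounts to host accounts."""
    host_group_members: set  # members of the Windows 2000 group for the host security domain
    records: dict = field(default_factory=dict)  # windows user -> (host user, host password)

    def lookup(self, windows_user):
        # Check 1 (step 5): the Windows 2000 account must exist in the cache database.
        if windows_user not in self.records:
            return None
        # Check 2 (step 5): the account must be a member of the host security domain group.
        if windows_user not in self.host_group_members:
            # The page states the record is purged when either check fails.
            del self.records[windows_user]
            return None
        return self.records[windows_user]


def build_session_request(session_type, windows_user, user_id, password, cache):
    """Models SNA Server handling one session initialization request (steps 3 to 7).

    session_type: "native" (SNA Server Client session) or "tn3270" (constructed labels).
    windows_user: the Windows 2000 user name SNA Server determined for a native session.
    Returns the credential fields placed in the SNA data stream, or None when
    single sign-on cannot complete and no host credentials are substituted.
    """
    if user_id != SSO_KEYWORD:
        # Assumption: no placeholder means the supplied credentials pass through unchanged.
        return {"user": user_id, "password": password}
    if session_type != "native":
        # The TN3270 service cannot determine the client's Windows 2000 user name (Note).
        return None
    creds = cache.lookup(windows_user)
    if creds is None:
        return None
    host_user, host_password = creds
    return {"user": host_user, "password": host_password}
```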
SNA Server natively supports single sign-on to an AS/400 host system. Single sign-on features are also available for APPC and CPI-C applications on both mainframes and AS/400 systems using third-party products. For a list of supported third-party vendors, see the SNA Server Web site at http://www.microsoft.com/.
For more information about SNA Server security and security integration, see the SNA Server version 4.0 documentation and the Microsoft® BackOffice® Resource Kit.