| Author |
Message |
HASCH
Guest
|
Posted:
Fri Oct 01, 2004 3:49 am Post subject:
connect with SNA Client 4.0 and HIS 2000 Client to HIS 2004 |
|
|
I have to connect NT with SNA Client 4.0 and XP with HIS 2000 Client to a
HIS 2004 Server.
When I start the SNABASE service under NT (SNA Client 4.0) the error message
is:
"can not connect to sponsor server"
Under XP (HIS 2000 Client) the SNABASE service starts, but no 3270 session
is possible. Both clients are configured to connect to a sponsor server.
What is to consider ?
--
HS |
|
|
 |
Neil Pike
Guest
|
Posted:
Fri Oct 01, 2004 2:45 pm Post subject:
Re: connect with SNA Client 4.0 and HIS 2000 Client to HIS 2 |
|
|
Hasch,
Are the clients (SNABase account in the case of SNA client 4.0) in a domain
that is trusted by the server? It could be an NT authentication issue.
If you turn on SNA client tracing and restart SNABase you will get detailed
traces that will help debug what is going on.
| Quote: | I have to connect NT with SNA Client 4.0 and XP with HIS 2000 Client to a
HIS 2004 Server.
When I start the SNABASE service under NT (SNA Client 4.0) the error message
is:
"can not connect to sponsor server"
Under XP (HIS 2000 Client) the SNABASE service starts, but no 3270 session
is possible. Both clients are configured to connect to a sponsor server.
What is to consider ?
|
Neil Pike MVP/MCSE. Protech Computing Ltd
(Please post ALL replies to the newsgroup only unless indicated otherwise) |
|
|
 |
HASCH
Guest
|
Posted:
Fri Oct 01, 2004 7:05 pm Post subject:
Re: connect with SNA Client 4.0 and HIS 2000 Client to HIS 2 |
|
|
Hi,
yes the domain is trusted by the server.
There are 2 Domains, one NT Domain and one 2000 Domain.
The HIS Servers are in the 2000 Domain.
The two HIS servers, one 2000 and one 2004, are running on a Win2000 server, but
they are separate SNA domains, both are primaries.
Connecting with these clients (NT with SNA Client 4.0 and XP with HIS 2000 Client)
to the HIS 2000 Server is no problem.
The same client configuration is working fine with HIS 2000, but not working
with HIS 2004.
Also, connecting with the clients to the old SNA 4.0 server in the NT Domain
is working.
HASCH
|
 |
Neil Pike
Guest
|
Posted:
Fri Oct 01, 2004 9:49 pm Post subject:
Re: connect with SNA Client 4.0 and HIS 2000 Client to HIS 2 |
|
|
Hasch - that all sounds fine, so you're going to need to get a client-side sna
client trace in the first instance to see what is going on.
Does the HIS2004 server work ok if you connect using the supplied 3270 client on
the server itself?
| Quote: | yes the domain is trusted by the server.
There are 2 Domains, one NT Domain and one 2000 Domain.
The HIS Servers are in the 2000 Domain.
The two HIS servers, one 2000 and one 2004, are running on a Win2000 server, but
they are separate SNA domains, both are primaries.
Connecting with these clients (NT with SNA Client 4.0 and XP with HIS 2000 Client)
to the HIS 2000 Server is no problem.
The same client configuration is working fine with HIS 2000, but not working
with HIS 2004.
Also, connecting with the clients to the old SNA 4.0 server in the NT Domain
is working.
|
Neil Pike MVP/MCSE. Protech Computing Ltd
(Please post ALL replies to the newsgroup only unless indicated otherwise) |
|
|
 |
HASCH
Guest
|
Posted:
Mon Oct 04, 2004 5:23 pm Post subject:
Re: connect with SNA Client 4.0 and HIS 2000 Client to HIS 2 |
|
|
Hi,
yes you are right, it was a security problem.
the trace
--------------------------------------------------------------------------------
Opening a connection to service 869 srvtyp =28
Pipe message type : 1
Status returned by sbpdout_dll = 5
Status after Open Request pipe send : 5
Read zero bytes from LTAB 021A0208, handle 496, inuse 21h, seqrcv 0
No msg present - error 109
IO error 38 on Ltab 021A0208
CloseDmodConnection, L table entry 2, CliCount 0, Local CliCount 0
Do we delete user ?, prctyp = 2, inuse = 4021h, usentry = 8192, usCliEntry = 28672
CliCount on exit is 0, Local CliCount 0
TRFLAGS changed from 3FFFH to 0H
SNABASE can't open sponsor connection to box SRV000HIS01
target =WKS100553= and logdata.szAlert ==
------------------------------------------------------------------------------------------
I have connected the snabase service with the sna service account of the
HIS 2004 server, and now it works.
For SNA Server 4.0 and HIS Server 2000 I did not have to do this,
there the snabase service was running with the "local system account"
|
 |
Neil Pike
Guest
|
Posted:
Mon Oct 04, 2004 9:23 pm Post subject:
Re: connect with SNA Client 4.0 and HIS 2000 Client to HIS 2 |
|
|
HASCH,
With HIS 2004 MS have tightened up the security of HIS. With HIS2000/SNA4
there was a completely open COMFCFG$ share - no authentication was needed to
get to it, which wasn't a good idea!
I've always used a domain account for my SNA services, because I enforce
encryption (localsystem won't work for encrypted connections). That's probably
why I've not seen the issue.
Neil Pike MVP/MCSE. Protech Computing Ltd
(Please post ALL replies to the newsgroup only unless indicated otherwise) |
|
|
 |
HASCH
Guest
|
Posted:
Tue Oct 05, 2004 8:37 pm Post subject:
Re: connect with SNA Client 4.0 and HIS 2000 Client to HIS 2 |
|
|
next problem,
connecting XP with HIS 2000 Client to HIS server 2004,
running snabase service with the service account from HIS server 2004,
failed to start snabase.
From NT with SNA Client 4.0 it works in this manner
Here is the trace.log:
00000630.000007ac DNSRF Comname: SNABASE
|00000630.000007ac ISNAS Entry 377 has Inuse flag 1
|00000630.000007ac EATPS Open Key System\CurrentControlSet\Services\SnaBase\Parameters\TPs
|00000630.000007ac EATPS Open Key Failed rc 2
|00000630.000007ac FSNAS Leaving rc=00000000
|00000630.000007ac IBASE Succeeded with services
|00000630.000007ac IBASE Stu1Event created handle=000000FC
|00000630.000007ac IBASE Stu2Event created handle=00000100
|00000630.000007ac IBASE succeeded with events
|00000630.000007ac DROUT Adding Routing proc 002C86D0 to rout_proc[0]
|00000630.000007ac DROUT My rout_cnt is now 1
|00000630.000007ac IBASE Domain: SNA
|00000630.000007ac DINIT Creating semaphore for pipe use
|00000630.000007ac DNAM2 Name generated is COMNAP
|00000630.000007ac DNAME Name generated is SEM_COMNAP
|00000630.000007ac DNAM2 Name generated is COMNAP
|00000630.000007ac DNAME Name generated is EVN_COMNAP
|00000630.000007ac ADACL Set new security for kernel object succeeded
|00000630.000007ac DINIT Granted SYNCHRONIZE+PROCESS_Q+STANDARD_R (1F0400H) access for EVERYONE
|00000630.000007ac ADACL Set new security for kernel object succeeded
|00000630.000007ac DINIT AddAce to process token 268 returned 0
|00000630.000007ac APRIV Enabled SE_TCB_NAME privilege
|00000630.000007ac APRIV Enabled SE_AUDIT_NAME privilege
|00000630.000007ac DINIT Calling SNASecRegisterLogonProcess
|00000630.000007ac LOGOR About to register DMOD with LSA
|00000630.000007ac LOGOR DMOD LSA register failed, retcode C0000041
|00000630.000007ac SNLOG Logging 38 chars, level = 12, msgnum = 705
|00000630.000007ac NTLOG Log Thread 272 (id 2720) and Log Event created OK
|00000630.000007ac NTLOG pLog at 000890B8, pTokenUser at 000890F8
|00000630.000007ac NTLOG Signaling the Logging thread
|00000630.000007ac DINIT RegisterLogonProcess Failed
|00000630.000007ac DINIT Initialization done
|00000630.000007ac IBASE sbpdinit failed rc = 567
|00000630.000007ac main Result of deleting remaevent = 0
|
 |
Jeremy Remlinger [MSFT]
Guest
|
Posted:
Wed Oct 06, 2004 2:05 am Post subject:
Re: connect with SNA Client 4.0 and HIS 2000 Client to HIS 2 |
|
|
HS.
By the looks of the following lines:
|00000630.000007ac LOGOR About to register DMOD with LSA
|00000630.000007ac LOGOR DMOD LSA register failed, retcode C0000041
|00000630.000007ac SNLOG Logging 38 chars, level = 12, msgnum = 705
You are getting rejected due to a security violation. It appears that your
SNA Base Service is running under the Local System Account. You should
double check the account that the client is running under on the client
machine.
ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸
Jeremy "Rem" Remlinger, MSCE
SNA/HIS Engineer
Microsoft
This posting is provided 'AS IS' with no warranties, and confers no rights.
© 2004 Microsoft Corporation. All rights reserved.
ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø,¸
|
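Added example (not part of the original thread and not Microsoft tooling): a Python triage script for a client trace.log like the one quoted above. It assumes the line layout seen in the posted trace (optional `|`, two 8-digit hex ids, a module tag, the message) and that the LOGOR step wraps `LsaRegisterLogonProcess`, which returns STATUS_PORT_CONNECTION_REFUSED (C0000041) when the caller lacks SeTcbPrivilege; the sample lines are copied from the thread.

```python
"""Triage an SNABASE client trace for failed security calls (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the trace.log posted in this thread,
# with one long line wrapped the way the news gateway wrapped it.
SAMPLE_TRACE = """\
00000630.000007ac DNSRF Comname: SNABASE
|00000630.000007ac EATPS Open Key Failed rc 2
|00000630.000007ac APRIV Enabled SE_TCB_NAME privilege
|00000630.000007ac DINIT Calling SNASecRegisterLogonProcess
|00000630.000007ac LOGOR About to register DMOD with LSA
|00000630.000007ac LOGOR DMOD LSA register failed,
retcode C0000041
|00000630.000007ac DINIT RegisterLogonProcess Failed
|00000630.000007ac IBASE sbpdinit failed rc = 567
"""

# Assumed record layout: optional "|", two hex ids, module tag, message.
RECORD_RE = re.compile(r"^\|?([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\s+(\S+)\s+(.*)$")
RETCODE_RE = re.compile(r"\bretcode\s+([0-9A-Fa-f]{8})\b", re.IGNORECASE)

# NTSTATUS values as defined in ntstatus.h.
NTSTATUS_NAMES = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000041: "STATUS_PORT_CONNECTION_REFUSED",
    0xC0000061: "STATUS_PRIVILEGE_NOT_HELD",
    0xC000006D: "STATUS_LOGON_FAILURE",
}

# Assumption: the LOGOR step calls LsaRegisterLogonProcess.
HINTS = {
    0xC0000041: "LsaRegisterLogonProcess refuses callers without SeTcbPrivilege "
                "('Act as part of the operating system'); check the user rights "
                "of the account the SnaBase service runs under.",
}


@dataclass
class Record:
    ids: str
    module: str
    message: str


@dataclass
class Finding:
    module: str
    message: str
    status: Optional[int]
    name: Optional[str]
    hint: Optional[str]


def parse_trace(text: str) -> List[Record]:
    """Split a trace into records, re-joining lines wrapped in transit."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append(Record(f"{m.group(1)}.{m.group(2)}", m.group(3), m.group(4)))
        elif records:
            # No id prefix: continuation of the previous, wrapped record.
            records[-1].message += " " + line
    return records


def find_failures(records: List[Record]) -> List[Finding]:
    """Return every record that says 'failed' or carries an error NTSTATUS."""
    findings = []
    for rec in records:
        m = RETCODE_RE.search(rec.message)
        status = int(m.group(1), 16) if m else None
        is_error = status is not None and (status >> 30) == 0b11  # severity bits
        if is_error or "failed" in rec.message.lower():
            findings.append(Finding(rec.module, rec.message, status,
                                    NTSTATUS_NAMES.get(status), HINTS.get(status)))
    return findings


def root_cause(findings: List[Finding]) -> Optional[Finding]:
    """Prefer the first failure with an NTSTATUS; later failures usually cascade."""
    for f in findings:
        if f.status is not None:
            return f
    return findings[0] if findings else None


if __name__ == "__main__":
    rc = root_cause(find_failures(parse_trace(SAMPLE_TRACE)))
    print(f"{rc.module}: {rc.message} -> {rc.name}\n{rc.hint}")
```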
|
 |
lring
Guest
|
Posted:
Wed Oct 06, 2004 7:52 am Post subject:
Re: connect with SNA Client 4.0 and HIS 2000 Client to HIS 2 |
|
|
Is there a Q article on what rights are required by the
service account used for the SNA Base Client? I would use
a domain account but not the same account that is used by
the SNA Server Services on the server. This seems to work
for us with HIS 2000 but I have been having problems with
security on XP workstations as well.
|
 |
HASCH
Guest
|
Posted:
Wed Oct 06, 2004 2:05 pm Post subject:
Re: connect with SNA Client 4.0 and HIS 2000 Client to HIS 2 |
|
|
Hi,
No, the SNABASE service account on XP/HIS 2000 Client is running
under the same DOMAIN Account as the W2k/HIS 2004 Server.
Running the SNABASE service under a local account, it is starting,
but the error in the Log of HIS 2004 is:
Connection from PC7009 denied because LSA logons are not supported. ---
Error Code : 4097
|
 |
Neil Pike
Guest
|
Posted:
Wed Oct 06, 2004 10:19 pm Post subject:
Re: connect with SNA Client 4.0 and HIS 2000 Client to HIS 2 |
|
|
Hasch - try giving the service "act as part of the operating system" right.
Maybe that is needed...
Neil Pike. Protech Computing Ltd
(Please post ALL replies to the newsgroup only unless indicated otherwise) |
|
|
 |
Neil Pike
Guest
|
Posted:
Wed Oct 06, 2004 10:19 pm Post subject:
Re: connect with SNA Client 4.0 and HIS 2000 Client to HIS 2 |
|
|
Hasch,
Why are you even running it as a service? Why not just have it running as an
executable? Or do you need it running as a service for some reason?
Neil Pike. Protech Computing Ltd
(Please post ALL replies to the newsgroup only unless indicated otherwise) |
|
|
 |
HASCH
Guest
|
Posted:
Thu Oct 07, 2004 4:09 pm Post subject:
Re: connect with SNA Client 4.0 and HIS 2000 Client to HIS 2 |
|
|
Hi Neil,
giving "act as part of..." and now the service is starting, but I get the same error
message in the HIS 2004 Server log as I start with the local account:
"Connection from PC7009 denied because LSA logons are not supported. ---
Error Code : 4097"
The SNABASE Service is needed for the WRQ Reflection Application
|
 |
Charles Ezzell (MSFT)
Guest
|
Posted:
Thu Oct 07, 2004 8:44 pm Post subject:
Re: connect with SNA Client 4.0 and HIS 2000 Client to HIS 2 |
|
|
Hoping to explain this a tad better here.
Host Integration Server 2004 does not support LSA Logons.
When you install HIS 2004, or do an upgrade, the COMCFG nullsession share is
removed from the registry.
COMNAP and COMNODE are also removed.
In addition, anonymous logon would ONLY work over named pipes.
Enabling any of the above is not recommended (adding the above to
nullsession shares would NOT be supported).
Named pipes is not as robust and reliable as sockets. Opening the
nullsession shares is a security vulnerability. Running the service as local
system is also a security vulnerability. You open yourself up if the service
is compromised.
In previous versions (HIS 2000, SNA4) the dmod for Server and Admin clients
used to fail over to named pipes if there was a problem (such as logon
failures or socket failures). In HIS 2004 this only occurs for protocol
failures, not logon failures. And, only if named pipes is enabled.
If your client is HIS 2000 or better AND using a domain account AND having
problems connecting to the HIS 2004 server, then I would suggest using
filemon and regmon on those boxes to track down why they are being denied
access so the proper ACLs could be determined.
Thanks,
Charles |
|
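Added example (not from the thread and not from Microsoft): a Python check for the conditions named in the post above, run over saved output of `reg query HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters` and `sc qc SnaBase`. The sample outputs are constructed, and looking for COMCFG, COMNAP and COMNODE in both NullSessionShares and NullSessionPipes is an assumption, since the post does not say which value held each name.

```python
"""Audit null-session exposure and the SnaBase service account (added example)."""
import re
from typing import List, Optional

# Names the post says HIS 2004 setup removes from the null-session lists.
HIS_NULL_SESSION_NAMES = {"COMCFG", "COMNAP", "COMNODE"}
NULL_SESSION_VALUES = ("NullSessionShares", "NullSessionPipes")
LOCAL_SYSTEM = {"localsystem", "nt authority\\system"}

# Constructed sample: `reg query` prints REG_MULTI_SZ entries separated by \0.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    NullSessionPipes    REG_MULTI_SZ    COMNAP\0COMNODE\0SPOOLSS
    NullSessionShares    REG_MULTI_SZ    COMCFG\0DFS$
    autodisconnect    REG_DWORD    0xf
"""

# Constructed sample of `sc qc SnaBase` output (path line omitted).
SAMPLE_SC_QC = """
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SnaBase
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        SERVICE_START_NAME : LocalSystem
"""


def parse_multi_sz(reg_output: str, value_name: str) -> List[str]:
    """Return the entries of one REG_MULTI_SZ value from `reg query` text."""
    pattern = re.compile(
        r"^[ \t]*" + re.escape(value_name) + r"[ \t]+REG_MULTI_SZ[ \t]*(.*)$",
        re.MULTILINE | re.IGNORECASE,
    )
    m = pattern.search(reg_output)
    if not m:
        return []  # value absent: nothing is exposed through it
    return [entry for entry in m.group(1).strip().split("\\0") if entry]


def service_account(sc_output: str) -> Optional[str]:
    """Return the account from the SERVICE_START_NAME line of `sc qc` text."""
    m = re.search(r"SERVICE_START_NAME\s*:\s*(.+)", sc_output)
    return m.group(1).strip() if m else None


def audit(reg_output: str, sc_output: str) -> List[str]:
    """List every setting the post calls unsupported or a vulnerability."""
    findings = []
    for value in NULL_SESSION_VALUES:
        for entry in parse_multi_sz(reg_output, value):
            # A trailing "$" only hides a share from browsing; compare without it.
            if entry.upper().rstrip("$") in HIS_NULL_SESSION_NAMES:
                findings.append(f"{value} lists {entry}: anonymous access is open")
    account = service_account(sc_output)
    if account is not None and account.lower() in LOCAL_SYSTEM:
        findings.append(f"service runs as {account}: use a domain account instead")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG_QUERY, SAMPLE_SC_QC):
        print("FINDING:", finding)
```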
|
 |
Neil Pike
Guest
|
Posted:
Thu Oct 07, 2004 11:18 pm Post subject:
Re: connect with SNA Client 4.0 and HIS 2000 Client to HIS 2 |
|
|
Most peculiar! If one of the MS folks doesn't come up with anything soon you'll
need to raise it as an MS PSS case.
If you do, post the result/fix back here!
cheers
| Quote: | giving "act as part of..." and now the service is starting, but I get the
same error
message in the HIS 2004 Server log as I start with the local account:
"Connection from PC7009 denied because LSA logons are not supported. ---
Error Code : 4097"
The SNABASE Service is needed for the WRQ Reflection Application
|
Neil Pike. Protech Computing Ltd
(Please post ALL replies to the newsgroup only unless indicated otherwise) |
|