Q232035: AS/400 Password Change Using Host Security May Not Complete

Article: Q232035
Product(s): Microsoft SNA Server
Version(s): WINDOWS:3.0,3.0SP1,3.0SP2,3.0SP3,4.0,4.0SP1,4.0SP2
Operating System(s): 
Keyword(s): kbsna300sp1 kbsna300sp2 kbsna300sp3 sna4 kbsna400sp1 kbsna400sp2kbfaq
Last Modified: 11-JUN-1999

-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft SNA Server, versions 3.0, 3.0SP1, 3.0SP2, 3.0SP3, 4.0, 4.0SP1, 4.0SP2 
-------------------------------------------------------------------------------

SYMPTOMS
========

When you use Microsoft's SNA Server Host Security Integration (HSI) to make a
password change on an AS/400 system, the request will be sent to the AS/400
system, however, the password change may never reach the AS/400 User Database.

If a password change request doesn't work, end users have no way of knowing this
until the next time they try logging onto the AS/400 using the "new" AS/400
password. If using the 5250 applet that is included with Microsoft's SNA Server,
the following error message is displayed:

  The host system rejected the connection due to a security validation error.
  Please check your session configuration.

  [0003] [080F6051]

Here is the primary and secondary return code information:

  PRC = [0003] AP_ALLOCATION ERROR
  APPC has failed to allocate a conversation. The conversation state is set to
  RESET.

  SRC = [080F6051] AP_SECURITY_NOT_VALID
  The user ID or password specified in the allocation request was not accepted
  by the partner LU.

NOTE: Other third-party emulators may report a different error message.

ADDITIONAL INFORMATION
----------------------

During the time of a password change failure, the following entries are recorded
in the Event Viewer application log on the SNA Server:

- Event 6005 Source: AS400MDSI

  The SNA APPC service returned the following error when attempting an operation
  for [userid_name] in the [Host_Security_Domain_Name]:

  Receive and Wait verb has completed with primary return code Allocation Error.

- Event 1506 Source: SNA Host Security

  Security DLL could not establish network connection to host side components.

If an SNA Server DLC trace (nodemsg) is taken when the password request leaves
the SNA Server (node), the AS/400 rejects the Attach (02FF) with a 0846 0000
sense code promising the SNA Server the real error in a later message.

DLC   ----------------------------------------------- 12:39:53.0859
DLC   01020501->04160001 DLC DATA
DLC                      DAF:01 OAF:01 ODAI:off Normal
DLC                      RQE FMD FI BC EC DR1 PI CD
DLC
DLC   ---- Header  at address 011946F0, 1 elements ----
DLC   0B050000 1D002C00 01010001 01009300     <......,.......l.>
DLC
DLC   ---- Element at address 01B83480, start 10, end 136 ----
DLC   0B912040 0502FF10 03D10000 0406F3F0     <.j @.....J....30>
DLC   F1120702 D4D6D5E3 C5C20901 36D18DB1     <1...MONTEB..6J..>
DLC   FE4EE330 140BC1D7 D7D54BD3 D6C3C2C9     <.NT0..APPNKLOCBI>
DLC   C707CF05 0C0C2700 01000800 00000000     <G.....'.........>
DLC   00000100 3C12FF00 38122100 34FF0408     <....<...8.!.4...>
DLC   01D4D6D5 E3C5C20A 07000000 00000000     <.MONTEB.........>
DLC   020A035A 2F306BE7 AD90A60A 05909504     <...Z/0kX..w...n.>
DLC   FE1D27EC 550A04C8 82A03363 31B53D       <..'.U..Hb.3c1.= >
DLC   ----------------------------------------------- 12:39:53.0869
DLC   04160001->01020501 DLC DATA
DLC                      DAF:01 OAF:01 ODAI:off Normal
DLC                      +RSP FMD BC EC PI
DLC
DLC   ---- Header  at address 011946F0, 1 elements ----
DLC   0B050000 1D002C00 01010000 01004301     <......,.......C.>
DLC
DLC   ---- Element at address 01B83480, start 10, end 12 ----
DLC   830100                                  <c..             >
DLC   ----------------------------------------------- 12:39:53.0869
DLC   04160001->01020501 DLC DATA
DLC                      DAF:01 OAF:01 ODAI:off Normal
DLC                      -RSP FMD SD BC EC DR1
DLC
DLC   ---- Header  at address 011946F0, 1 elements ----
DLC   0B050000 1D002C00 01018000 01004301     <......,.......C.>
DLC
DLC   ---- Element at address 01B83480, start 10, end 16 ----
DLC   87900008 460000                         <g...F..         >
           ^^ ^^^^^^  
----------------------------------------------- 12:39:53.0869

The 0846 0000 sense code means ERP Message Forthcoming.

Here is the actual error from the AS/400:

DLC   ----------------------------------------------- 12:39:53.0869
DLC   04160001->01020501 DLC DATA
DLC                      DAF:01 OAF:01 ODAI:off Normal
DLC                      RQE FMD FI BC EC DR1 PI CEB
DLC
DLC   ---- Header  at address 01194890, 1 elements ----
DLC   0B050000 1D002C00 01010001 01004301     <......,.......C.>
DLC
DLC   ---- Element at address 01B83A34, start 10, end 49 ----
DLC   0B910107 07084B60 3180001E 12E10018     <.j....K`1.......>
                ^^^^^^ ^^  

  Primary Sense Code: 084B - Requested Resources Not Available
  Secondary Sense Code: 6031 - Transaction Program Not Available

CAUSE
=====

The subsystem or job where this transaction program (TP) runs on the AS/400 is
not active.

RESOLUTION
==========

The transaction program to which SNA Server's Host Security talks is named
QACSOTP. This TP normally runs as a job under a particular subsystem on the
AS/400. For example, the AS/400 subsystem may be called QBASE, which is part of
a library called QSYS where the program job TP QACSOTP runs. If either the
subsystem QBASE, or the TP QACSOTP is not "active," password changes do not
work.

MORE INFORMATION
================

Microsoft's Host Security Integration components provides out of the box one-way
(unidirectional) password synchronization from Windows NT to IBM AS/400 systems
(V3R1 or later) without any additional host code being needed. This is made
possible by means of the Sec400.dll that gets installed with HSI and used after
configuring and setting up a Host Security Domain.

For two-way (bi-directional) password changes (AS/400 to Window NT), third-party
solutions are required. For a list of third-party independent software vendors
(ISVs), please see the Companion Product Catalog (Isvcatal.doc) on the SNA
Server CD.

The third-party products discussed in this article are manufactured by vendors
independent of Microsoft; we make no warranty, implied or otherwise, regarding
these products' performance or reliability.

Additional query words:

======================================================================
Keywords          : kbsna300sp1 kbsna300sp2 kbsna300sp3 sna4 kbsna400sp1 kbsna400sp2 kbfaq
Technology        : kbAudDeveloper kbSNAServSearch kbSNAServ300 kbSNAServ400
Version           : WINDOWS:3.0,3.0SP1,3.0SP2,3.0SP3,4.0,4.0SP1,4.0SP2
Issue type        : kbprb

=============================================================================