Types of encryption that are included with SNA Server and with Host Integration Server

Article ID: 321555
This article was previously published under Q321555
This article has been archived. It is offered "as is" and will no longer be updated.

SUMMARY

This article explains the three types of data encryption that are included with SNA Server and with Host Integration Server:
  • Server-to-server
  • Client sponsor connection
  • Client-to-server application

MORE INFORMATION

About data encryption

  • Data encryption with SNA Server and Host Integration Server is implemented by using the Security Support Provider Interface (SSPI).
  • The supported data encryption levels are 40-bit, 56-bit, and 128-bit.
  • The level of encryption that is used is determined by the operating system (OS), not by either the SNA or Host Integration Server client or by the SNA or Host Integration Server application.
  • The level of encryption is determined by the maximum encryption strength that is possible over the Secure Sockets Layer (SSL). For example, if a client supports 40-bit encryption and the server supports 128-bit encryption, the negotiated encryption level will be at the 40-bit level.
Any third-party emulator or application that is written to use the SNA Server or Host Integration Server client application programming interface (API) will automatically benefit if encryption is enabled.

Server-to-server data encryption

Encryption of data is possible between two computers that are running SNA Server or Host Integration Server when you use the Distributed Link Service (DLS). You can use DLS encryption to provide secure communications across your network, the Internet, or any other wide area network (WAN).

When you use DLS, consider whether or not trust exists between the two Windows NT or Windows 2000 domains.

If trust does exist, note that for pass-through authentication to work, the branch (remote) SNA Server/Host Integration Server's link service must run under a domain user account that can be authenticated by the domain where the central (local) SNA Server or Host Integration Server computer resides. For example, the branch server's link service would be SNAREMx, that is, \\Central_Server\SnaDlcx.

If no trust exists between the domains, the user account and password that the branch (remote) SNA Server/Host Integration Server's link service is running under must also exist in the accounts domain where the central (local) SNA Server or Host Integration Server computer resides for authentication to occur.

Also note that you cannot encrypt data by running the SNAREMx service under the local system account.
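
The account requirements above can be audited on a branch server. The following PowerShell is an added example, not part of the original article or of the product: the function name, the finding strings, and the sample rows are constructed for illustration, and it assumes PowerShell 3.0 or later and that the link services are registered under names that begin with SNAREM.

```powershell
# Added example: classify the logon account of each DLS link service (SNAREMx)
# against the account rules described in this article.
function Test-DlsLinkServiceAccount {
    param([Parameter(Mandatory, ValueFromPipeline)] $Service)  # needs Name, StartName
    process {
        $account = [string]$Service.StartName
        # ".\user" or "<this computer>\user" means a local (non-domain) account
        $localPattern = '^(\.|' + [regex]::Escape([string]$env:COMPUTERNAME) + ')\\'

        if ($account -eq 'LocalSystem') {
            $finding = 'FAIL: local system account; DLS data cannot be encrypted'
        }
        elseif ($account -match $localPattern) {
            $finding = 'CHECK: local account; the same user name and password ' +
                       'must exist in the central server''s accounts domain'
        }
        elseif ($account -match '^[^\\]+\\[^\\]+$' -and
                $account -notmatch '^NT AUTHORITY\\') {
            $finding = 'OK if the central server''s domain can authenticate this account'
        }
        else {
            $finding = 'REVIEW: not a user account of the kind the article describes'
        }

        [pscustomobject]@{
            Service = $Service.Name
            Account = $account
            Finding = $finding
        }
    }
}

# Constructed sample rows (hypothetical names), used when no link service is installed.
$sample = @(
    [pscustomobject]@{ Name = 'SNAREM1'; StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'SNAREM2'; StartName = 'BRANCHDOM\svc-dls' }
    [pscustomobject]@{ Name = 'SNAREM3'; StartName = '.\dlsuser' }
)

# Query the real services; fall back to the sample if none are found.
$services = Get-CimInstance Win32_Service -Filter "Name LIKE 'SNAREM%'" `
                -ErrorAction SilentlyContinue
if (-not $services) { $services = $sample }

$services | Test-DlsLinkServiceAccount | Format-Table -AutoSize -Wrap
```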

For more information about the Distributed Link Service, visit the following TechNet Web site:
http://www.microsoft.com/technet/archive/sna/plan/soga.mspx?mfr=true

Client sponsor connection data encryption

When an SNA or Host Integration Server client connects to an SNA Server or Host Integration Server computer over the sponsor connection, various messages are sent to the client. When you add the SecureSponsor registry parameter on the server that is running SNA Server or HIS, all sponsor connection data is encrypted.

For more information about how to use the SecureSponsor registry parameter, click the following article number to view the article in the Microsoft Knowledge Base:
159351 SecureSponsor disables SNA 3.0 Win 3.x Password Change feature
For more information about the sponsor connection, click the following article numbers to view the articles in the Microsoft Knowledge Base:
160849 How the SNA Server client chooses a "sponsor" SNA server
317805 Sponsor connection changes in Host Integration Server 2000

Client-to-server application data encryption

Client-to-server encryption prevents information from being sent in clear text between an SNA or Host Integration Server client and an SNA Server or Host Integration Server computer. You can enable client/server encryption on either a group or user-by-user basis.

Note By default, client/server encryption is enabled in Host Integration Server 2006 and in Host Integration Server 2004.

To configure users for client-server encryption, follow these steps:
  1. In the SNA Server Manager console tree, double-click Configured Users.
  2. Right-click the user or group that you want to configure, and then click Properties.
  3. On the Properties tab, click to select the Use Client/Server Encryption check box, and then click OK.
  4. In the Action list, click Save configuration.
  5. Restart the computer that is running SNA Server or Host Integration Server for the changes to take effect.
Note SSL support for TN3270 was added in Host Integration Server 2004. SSL support is not available for TN5250. Therefore, encryption is not available when you use the TN5250 service together with SNA Server or with Host Integration Server.

Properties

Article ID: 321555 - Last Review: February 27, 2014 - Revision: 4.0
APPLIES TO
  • Microsoft Host Integration Server 2006 Developer Edition
  • Microsoft Host Integration Server 2004 Standard Edition
  • Microsoft Host Integration Server 2000 Standard Edition
  • Microsoft SNA Server 4.0
  • Microsoft SNA Server 4.0 Service Pack 1
  • Microsoft SNA Server 4.0 Service Pack 2
  • Microsoft SNA Server 4.0 Service Pack 3
  • Microsoft SNA Server 4.0 Service Pack 4