SNA applications that run as Windows services do not connect to a Host Integration Server 2004-based server and log an event 705 message

Article ID: 888478

SYMPTOMS
SNA applications that run as a Windows service do not
connect to Microsoft Host Integration Server 2004-based servers when the
service is started by using the LocalSystem account. When this problem occurs,
the following event is logged on the system where the SNA application is
installed:

Event ID: 705
Source: SNA APPC Application
Description: Logon Failed. EXPLANATION Access denied on client-server or Distributed Link Service connection request. Access denied --- Error Code : 43

Event ID: 705
Source: SNA Server
Description: Logon Failed. EXPLANATION Access denied on client-server or Distributed Link Service connection request. Unknown user name or bad password from client Client name --- Error Code : 4097

CAUSE
By default, support for anonymous logons is disabled in Host
Integration Server 2004. Therefore, any user or application that tries to
access resources on a Host Integration Server 2004-based server by using null
credentials will be denied access to the requested resource. For example, a
Windows service that was started by using the LocalSystem account on a remote
system may be denied access.

RESOLUTION
To resolve this problem, configure SNA applications that
operate as Windows services to use user credentials that can access resources
on the Host Integration Server 2004-based server. Do not configure SNA
applications to run under the LocalSystem account.

WORKAROUND
To work around this problem if the SNA application service
on a Host Integration Server 2004 system must use the LocalSystem account, you
can add the following registry entry to let the SNA Server service
(Snaservr.exe) accept anonymous logons:

STATUS
This behavior is by design.

MORE INFORMATION
Support for anonymous logons was disabled in Host
Integration Server 2004 to help make the product more secure. Instead of
enabling support for anonymous logons, we recommend that you modify
applications or services that use the LocalSystem account to use valid user
credentials to access remote resources.

If anonymous logon support is enabled, any service or application that passes null credentials can access the Host Integration Server 2004-based server without having to provide valid user credentials. Null credentials are a null user account name, password, and domain. The application or service could possibly take disruptive or destructive actions.

For more information about the LocalSystem account and the extensive user rights it has on the local computer, visit the following Microsoft Developer Network (MSDN) Web site:
http://msdn2.microsoft.com/en-us/library/ms684190.aspx

We do not recommend that you use the LocalSystem account unless a
service actually must have all the user rights that are provided by this
account. Additionally, services that run under the LocalSystem account use null
credentials when they access remote resources.
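
Added example, not part of the original article: a short Python triage script for exported event text. It picks out the event 705 entries shown under SYMPTOMS and counts the error-code-4097 failures per client name, which gives the list of hosts to check for services that run under LocalSystem. The one-field-per-line export layout and the client names APP01 and APP02 are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample (not real log data): one field per line, records separated
# by blank lines. The layout and the client names APP01/APP02 are assumptions.
DENIED = "Logon Failed. EXPLANATION Access denied on client-server or Distributed Link Service connection request."
SAMPLE = f"""\
Event ID: 705
Source: SNA APPC Application
Description: {DENIED} Access denied --- Error Code : 43

Event ID: 705
Source: SNA Server
Description: {DENIED} Unknown user name or bad password from client APP01 --- Error Code : 4097

Event ID: 705
Source: SNA Server
Description: {DENIED} Unknown user name or bad password from client APP02 --- Error Code : 4097

Event ID: 705
Source: SNA Server
Description: {DENIED} Unknown user name or bad password from client APP01 --- Error Code : 4097

Event ID: 1000
Source: Other Service
Description: Unrelated event
"""
SOURCES = {"SNA APPC Application", "SNA Server"}  # sources named in the article
CODE_RE = re.compile(r"Error Code\s*:\s*(\d+)")
CLIENT_RE = re.compile(r"from client\s+(\S+)\s+---")

def parse_events(text):
    """Return (source, error_code, client) for each event 705 from the article's sources."""
    out = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = dict(l.split(":", 1) for l in block.splitlines() if ":" in l)
        src = f.get("Source", "").strip()
        if f.get("Event ID", "").strip() != "705" or src not in SOURCES:
            continue  # skip other event IDs and other sources
        code = CODE_RE.search(f.get("Description", ""))
        client = CLIENT_RE.search(f.get("Description", ""))
        out.append((src, int(code.group(1)) if code else None,
                    client.group(1) if client else None))
    return out

def denied_clients(text):
    """Count error-code-4097 logon failures per client name reported by SNA Server."""
    return Counter(c for s, code, c in parse_events(text)
                   if s == "SNA Server" and code == 4097 and c)
```
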

Logon method for anonymous logons
SNA Server 4.0 and Host Integration Server 2000 use the LSA logon method for anonymous logons. If an SNA application that is running as a Windows service is started under the LocalSystem account, SNA Server 4.0 and Host Integration Server 2000 try to use the LSA logon method. This also applies to the SNA services that are installed by SNA Server 4.0 and Host Integration Server 2000, such as the SnaBase service. If the SnaBase service is started under the LocalSystem account, it will use the LSA logon method when connecting to the SnaBase service on an SNA Server 4.0, Host Integration Server 2000, or Host Integration Server 2004 server.

Host Integration Server 2004 does not support the LSA logon method. Support for LSA logons was removed from Host Integration Server 2004 to help make the product more secure. For additional information about another issue where the lack of LSA logon support may cause a problem, click the following article number to view the article in the Microsoft Knowledge Base:
888762 (http://support.microsoft.com/kb/888762/) Distributed Link Services that are started by using the LocalSystem account do not connect to Host Integration Server 2004-based servers

Host Integration Server 2004 was changed to use the NTLM logon method for anonymous logons. If the SNA application that is running as a Windows service is installed on a Host Integration Server 2004 system, and it is configured to start by using the LocalSystem account, Host Integration Server 2004 uses NTLM for the anonymous logon. By default, this process fails unless the DenyAnonymousLogon entry is changed to allow anonymous logons. Any Windows service that is running on SNA Server 4.0 or Host Integration Server 2000 by using the LocalSystem account cannot connect to a Host Integration Server 2004 server because LSA logons are not supported and cannot be enabled.

REFERENCES
For additional information, click the following article numbers to view the
articles in the Microsoft Knowledge Base:
143474 (http://support.microsoft.com/kb/143474/) Restricting information available to anonymous logon users
278259 (http://support.microsoft.com/kb/278259/) Everyone group does not include Anonymous security identifier

Properties
Article ID: 888478 - Last Review: December 4, 2007 - Revision: 3.2








