SNA 4.0 client connection to HIS 2009 server

  • Question

  • Hi,

         I have installed new HIS 2009 servers on Virtual Machines in my environment. While everything at the infrastructure looks good to go, there seem to be legacy applications which are giving me some headache.

         A few of our applications use the SNA 4.0 client. The client is unable to connect to the HIS 2009 server. The error I am receiving is as follows.

    SNA Server Error: 546

    Cannot establish connection with SNA Server <Server Name>

         The Event Viewer in the HIS 2009 server also provides a warning message for the SNA Base service. The error message is as follows.

    Connect from <client IP> denied because LSA logons are not supported --- Error Code : 4097

         There was a Hotfix provided for HIS 2004 server to allow LSA logon.

         Is there a similar Hotfix available for HIS 2009 server?

         Kindly help me in this situation.

         Thanks in advance.

    - Kumaran Ravichandran

    Tuesday, October 19, 2010 5:50 AM

Answers

  • As Andrew explained LSA support was originally removed from HIS 2004. This was due to the initiatives throughout the company to tighten security in our products. We did add LSA support back as an update to HIS 2004 because a number of customers were making use of LSA and we did not provide enough advance notice that this change was being made to increase security. Therefore, we added it back in to allow customers more time to make necessary changes to get away from the use of LSA authentication with their SNA applications.

    This decision was made at the time that this was a one-time update that would not be moved forward to future versions of the product. This is why LSA support was not moved forward into HIS 2006 or later. The bar to get LSA support added back into the product would be very high at this point due to ever increasing security requirements mandated for our released products.

    Thanks...  


    Stephen Jackson - MSFT
    Thursday, October 21, 2010 4:25 AM

All replies

  • Hi Kumar!

     

    There is no hotfix to provide LSA support in any version of HIS after HIS 2004 SP1. In other words, clients cannot connect to HIS 2009 if they want to use LSA Authentication - they must either use NTLM or Kerberos, or turn off authentication. NTLM is generally easier to use than Kerberos, for HIS client-server connections.

     

    Is the client running a 16-bit application? Or 32-bit?

     

    And is this a 3270 app (LU2) or APPC? By default, authentication is turned off for APPC applications, on the server.

     

    If the client app is a 32-bit app, it may be possible to upgrade the HIS client on the workstation. The more recent clients are highly compatible at the API level, and can provide the necessary NTLM authentication.

     

    Cheers

    Andrew

     

    Wednesday, October 20, 2010 7:36 AM
  • Andrew,

                The Apps are 16-bit apps. They make use of the old SNA client. They call the "wnap.exe" to establish the SNA server connectivity.

                The Apps are providing GUI front-end for 3270 connectivity which is provided by Attachmate EXTRA 4.3 software.

                The EXTRA 4.3 eventually makes use of the old SNA client.

                I do not have the understanding of the underlying working of the apps. But I could see them making use of the old SNA client which uses LSA logon method.

                If I could not provide some migration path to those apps, I will be unable to decommission the HIS 2000 servers, which is very important.

    Regards,

    Kumaran Ravichandran.

    Wednesday, October 20, 2010 10:14 PM
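
Added example, not part of the thread and not HIS tooling: for planning the migration discussed above, this PowerShell function tallies which clients the server turned away for attempting LSA logons, by matching the warning text quoted in the question. The function name, the sample events and the Application-log query shown in the closing comment are assumptions.

```powershell
function Get-LsaDeniedClient {
    # Hypothetical helper: accepts objects that have TimeCreated and Message
    # properties (for example the output of Get-WinEvent) from the pipeline.
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Record
    )
    begin {
        # Warning text as quoted in the question; the client field is captured as-is.
        $pattern = 'Connect from\s+(?<client>\S+)\s+denied because LSA logons are not supported'
        $seen = @{}
    }
    process {
        if ($Record.Message -match $pattern) {
            $client = $Matches['client']
            if (-not $seen.ContainsKey($client)) {
                $seen[$client] = New-Object psobject -Property @{
                    Client  = $client
                    Denials = 0
                    First   = $Record.TimeCreated
                    Last    = $Record.TimeCreated
                }
            }
            $row = $seen[$client]
            $row.Denials++
            if ($Record.TimeCreated -lt $row.First) { $row.First = $Record.TimeCreated }
            if ($Record.TimeCreated -gt $row.Last)  { $row.Last  = $Record.TimeCreated }
        }
    }
    end {
        # One row per legacy client, busiest first.
        $seen.Values | Sort-Object Denials -Descending
    }
}

# Constructed sample events (documentation addresses), not real log data.
$sample = @(
    New-Object psobject -Property @{ TimeCreated = [datetime]'2010-10-19T05:40:00'; Message = 'Connect from 192.0.2.15 denied because LSA logons are not supported --- Error Code : 4097' }
    New-Object psobject -Property @{ TimeCreated = [datetime]'2010-10-19T05:42:00'; Message = 'Connect from 192.0.2.15 denied because LSA logons are not supported --- Error Code : 4097' }
    New-Object psobject -Property @{ TimeCreated = [datetime]'2010-10-19T06:10:00'; Message = 'Connect from 192.0.2.77 denied because LSA logons are not supported --- Error Code : 4097' }
    New-Object psobject -Property @{ TimeCreated = [datetime]'2010-10-19T06:11:00'; Message = 'Unrelated warning text' }
)
$sample | Get-LsaDeniedClient | Format-Table Client, Denials, First, Last -AutoSize

# On the HIS server itself (assumes the SNA Base warning is written to the Application log):
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 3 } | Get-LsaDeniedClient
```

Each client listed is a workstation still running a client that attempts LSA logon and so needs the client upgrade or authentication change described in the replies.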