Host Account Cache

This component is installed in Windows NT resource domains. The resource domain contains either SNA Server computers or machine accounts for users who will use this service. Setup prompts you to define the role of the Host Account Cache as master or backup. A master host account cache is installed on the Primary Domain Controller of the resource domain(s). A backup host account cache can be installed on backup domain controllers or on SNA Server member servers.

SNADATABASE Service

This Windows NT service is also known as Host Account Cache. As the name implies, this service implements the database of host accounts associated with Windows NT accounts. It also maintains a dynamic table of network locations for all other host integration service components.

Each Windows NT domain with Host Security Integration installed has a master copy of the host account cache. In the master role, it performs two functions: it is the resource locator within its Windows NT domain for SNAHOSTPROCESS, SNA Server, UDConfig, and the SNAPMP to locate each other; and it receives updates from SNAPMP and coordinates the updates with all the backup copies of the host account cache.

In the backup role, the host account cache keeps a local copy of the user database, either for backup purposes only or, when installed on the same machine as SNA Server, to eliminate network traffic for single sign-on lookups.

When the backup host account cache first activates, it locates the master host account cache and downloads a complete copy of the user database, providing synchronization with the master copy. If the backup cannot locate the master or cannot complete the copy, it will use the prior local copy and log a warning to the event log.
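The master/backup behaviour described above, as an added illustration (this is not SNA Server code and does not reflect its RPC interface): the master applies updates and fans them out to registered backups; a backup downloads a full copy at activation and, if the master cannot be located or the copy fails, keeps its prior local copy and logs a warning. Class and method names are invented for the example.

```python
import copy
import logging

log = logging.getLogger("hostaccountcache")


class MasterCache:
    """Master role: authoritative user database plus coordination of backups."""

    def __init__(self):
        self.records = {}   # (nt_user, host_security_domain) -> host account name
        self.backups = []   # backup caches that completed a full copy

    def register_backup(self, backup):
        self.backups.append(backup)

    def receive_update(self, nt_user, host_domain, host_account):
        """Apply an update (e.g. from SNAPMP), then coordinate it with every backup."""
        self.records[(nt_user, host_domain)] = host_account
        for backup in self.backups:
            backup.apply_update(nt_user, host_domain, host_account)

    def full_copy(self):
        return copy.deepcopy(self.records)


class BackupCache:
    """Backup role: local copy used for lookups, refreshed from the master."""

    def __init__(self, prior_local_copy=None):
        self.records = dict(prior_local_copy or {})
        self.synchronized = False

    def activate(self, locate_master):
        """Start-up: locate_master() returns the master, or None if it cannot be found."""
        master = locate_master()
        if master is None:
            log.warning("master host account cache not located; using prior local copy")
            return "prior-local-copy"
        try:
            self.records = master.full_copy()   # complete copy replaces the old one
        except Exception as exc:                # copy did not complete
            log.warning("full copy from master failed (%s); using prior local copy", exc)
            return "prior-local-copy"
        master.register_backup(self)
        self.synchronized = True
        return "synchronized"

    def apply_update(self, nt_user, host_domain, host_account):
        self.records[(nt_user, host_domain)] = host_account

    def lookup(self, nt_user, host_domain):
        return self.records.get((nt_user, host_domain))
```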

STI.DLL

This DLL provides the common communication routines used by all the other components of Host Security Integration. The Remote Procedure Call (RPC) facility is used for communications, with encryption specified for security. RPC is an intersystem communications standard provided by Windows NT.

For more information about the encryption capabilities of Host Security Integration, see the security section of this chapter.

UDConfig

UDConfig is the interactive tool used by system administrators and end users to manage individual user mapping in the host account cache. When run by a user with administrative privilege, UDConfig can manipulate any user record in the host account cache, but when run by an unprivileged Windows NT user, it can only change that user's record. UDConfig is supported on 32-bit clients only.

UDConfig performs the following functions:

It specifies the host account associated with individual Windows NT accounts in each host security domain.

It specifies individual user preferences (if permitted by the administrator) for replicated or mapped account names and passwords in the host security domain.

The Apply button sends a password change to some or all of the host security domains in which the user has a host account, as well as the host account cache. UDConfig cannot initiate a Windows NT password change directly. However, a change sent to a host computer may update the Windows NT password indirectly if the passwords are replicated and the administrator has enabled password synchronization in both directions with the host computer.

The Update Cache button sends changes to the host account cache, but not to any security domain. This is used to initialize the user's record just after the account is added to a host security domain, and to recover from any failures in the synchronization process that might occur.

SNA Server Node

When a client connects to an SNA Server computer for an LU session and the client-server protocol supports Windows NT authentication, the node starts monitoring the session data for the appearance of host account replacement tokens. These are strings starting with the characters "MS$SAME" that can appear where the host needs to see actual host account information. In APPC sessions, these strings can only appear as conversational security subfields in an LU6.2 Attach message, though they can appear elsewhere in LU0-3 sessions.

For a step-by-step description of the single sign-on process, see the section "Automatic Logon" later in this chapter.