Enabling Password Synchronization

Figure 5.2 This figure represents bidirectional password synchronization between the Windows NT Account Synchronization, Host Account Cache, Host Account Synchronization and ISV DLLs.

On a local area network, SNAHOSTPROCESS, security integration DLLs provided by independent service vendors (ISVs), and SNAPMP cooperate with each other to support password synchronization. On the host, ISV products are usually required.

Working together, these components support bidirectional password synchronization. Changes made on the host computer can update Windows NT and other host computers. Changes made in the Windows NT security domain are sent to all the host computers.

Host-Initiated Changes

Cooperating software must be installed on the host computer to trap password changes initiated by users logged into the host computer. This software is available from third-party vendors; a list of currently available solutions is located in the Companion Product Catalog on the SNA Server 3.0 CD-ROM.

As described under SNAHOSTPROCESS, the security integration DLL is initialized for a given host security domain when that service starts. The DLL uses any proprietary protocol, not necessarily SNA, to establish a session with the host computer. Once the session is started, the host computer will send notification of changes that are made in the host security domain to the DLL.

The third-party vendor DLL forwards the host-initiated change to SNAHOSTPROCESS. Then, SNAHOSTPROCESS uses the resource location of the master SNADATABASE to find the network address of the primary SNAPMP. After SNAPMP is located, SNAHOSTPROCESS sends the host-initiated change to SNAPMP via encrypted RPC. Once SNAPMP receives the change, it drives the execution of the change in all affected security domains. The process it uses is the same regardless of the origin of the change.

Windows NT-Initiated Changes

SNAPWDCHG.DLL is installed on the primary domain controller of each Windows NT domain that supports user accounts. It is registered with the Security Account Manager (SAM) in those domains to receive notice of password changes that arise in the Windows NT domain, regardless of how the change was initiated. SNAPWDCHG.DLL uses Registry information provided by Setup to locate the master SNADATABASE in a resource domain, and then uses the resource location of the master SNADATABASE to locate the primary SNAPMP.

SNAPWDCHG.DLL sends the Windows NT-initiated change to the SNAPMP, via encrypted RPC. Once SNAPMP receives the change, it drives the execution of the change in all affected domains. The process it uses is the same, regardless of the origin of the change.

UDConfig-Initiated Changes

UDConfig can also initiate password changes. It collects change information using a graphical interface provided to the end user.

UDConfig uses the resource location of the master SNADATABASE to find the network address of the primary SNAPMP. It then sends the user-initiated change to SNAPMP via encrypted RPC. Once SNAPMP receives the change, it drives the execution of the change in all affected domains. The process it uses is the same, regardless of the origin of the change.

SNAPMP Completion of Changes

When the primary SNAPMP receives notice of a requested change, it forms a global view of the user's mapping for all the domains, determines which agents must be notified of the change, and proceeds to notify each one. The following can be notified:

Setup creates Registry information to identify all the resource domains containing master SNADATABASE components.

SNAPMP sends a query to each SNADATABASE to gather the user information in all host security domains that are defined. If the change was initiated by the host, the lookup key is the host account within the host security domain. If the change was initiated by UDConfig or Windows NT, the lookup key is the Windows NT account and domain. In either case, SNADATABASE returns the same format record.

SNAPMP then consolidates the information into an updated user record and then sends it to each master SNADATABASE in each resource domain.

If the user has configured a replicated password using the Use Windows NT Password checkbox in UDConfig, the change will affect Windows NT as well as the host security domains. To change a Windows NT password, SNAPMP uses the Win32 API to perform the password change directly. This operation requires that SNAPMP itself run in a Windows NT account that has security administrator privilege in all Windows NT domains that support user accounts.

Generally, the change will affect host passwords in host security domains. However, UDConfig changes may not: the user can request that only the Host Account Cache be updated by clicking the Update Cache button. Alternatively, the user can specify that a password change be sent to only one host security domain by clicking the Apply button when changing mapped rather than replicated passwords. SNAPMP determines which host security domains must be notified of the change.

For each host security domain that must be notified, SNAPMP uses resource location to find the SNAHOSTPROCESS that supports that host security domain, and then sends an update to that SNAHOSTPROCESS. SNAHOSTPROCESS passes the change across the third-party API to the host security integration DLL, which then passes it on to the host computer. The host computer then responds with a status indicating whether the change succeeded, and this status is returned to SNAPMP. If an error occurs in the change for a single host security domain, SNAPMP will log the failure, but will not retry the operation.
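The fan-out logic described in this section, written out as a small Python model. This is an added illustration, not SNA Server code: the record shape, the `Snapmp` class and the callables standing in for SNADATABASE, SNAHOSTPROCESS and the Win32 password API are assumptions made here, as is the choice that a change reported by the Windows NT SAM is not pushed back into Windows NT.

```python
# Model of SNAPMP change completion (constructed here, not SNA Server code).
from dataclasses import dataclass

@dataclass
class UserRecord:            # consolidated mapping record returned by SNADATABASE (assumed shape)
    nt_domain: str
    nt_account: str
    host_accounts: dict      # host security domain -> host account
    replicated: bool         # "Use Windows NT Password" checked in UDConfig

@dataclass
class Change:
    origin: str              # "host" (ISV DLL), "nt" (SNAPWDCHG.DLL) or "udconfig"
    key: tuple               # (host_domain, host_account) or (nt_domain, nt_account)
    new_password: str
    scope: str = "all"       # UDConfig only: "all", "cache_only" or one host domain name

class Snapmp:
    def __init__(self, records, host_process, nt_sam):
        self.records = records              # stands in for the SNADATABASE query
        self.host_process = host_process    # (domain, account, pw) -> bool, via SNAHOSTPROCESS
        self.nt_sam = nt_sam                # (domain, account, pw) -> None, Win32 API stand-in
        self.log = []

    def lookup(self, change):
        # Lookup key depends on origin: host account within its host domain, or NT domain + account.
        for rec in self.records:
            keys = rec.host_accounts.items() if change.origin == "host" else [(rec.nt_domain, rec.nt_account)]
            if change.key in keys:
                return rec
        raise KeyError(f"no mapping for {change.key}")

    def targets(self, change, rec):
        if change.scope != "all":            # UDConfig Update Cache, or Apply on a mapped password
            return False, [] if change.scope == "cache_only" else [change.scope]
        hosts = [d for d, a in rec.host_accounts.items() if (d, a) != change.key]   # not the origin
        # Assumption: the SAM already holds an NT-initiated change, so only other origins touch NT.
        return rec.replicated and change.origin != "nt", hosts

    def apply(self, change):
        rec = self.lookup(change)
        update_nt, hosts = self.targets(change, rec)
        if update_nt:
            self.nt_sam(rec.nt_domain, rec.nt_account, change.new_password)
        results = {}
        for d in hosts:
            results[d] = self.host_process(d, rec.host_accounts[d], change.new_password)
            if not results[d]:               # a per-domain failure is logged, never retried
                self.log.append(f"password change failed in {d}; not retried")
        return update_nt, results
```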