Windows11 Client Access - Install Problems

Installing the legacy IBM Client Access on Windows 11 can be a bit of a wrestling match, thanks to its age and Windows 11’s modern quirks. 

You’ll need a Windows 11 machine (obviously), the original install files (like a CD or an image from your IBM i system’s IFS at /QIBM/ProdData/CA400/Express/Install), and admin rights to muscle through the setup. 

The old Client Access—think versions like V5R1 or Client Access Express—was built for Windows XP or earlier, so compatibility is a big hurdle. Windows 11’s tighter security and lack of support for ancient 32-bit apps often cause the installer to choke, throwing errors like “not a valid Win32 application” or just silently failing. 

You might also hit snags with missing .NET Framework versions or Visual C++ redistributable that the legacy software expects but Windows 11 doesn’t provide by default.

To fight back, try running the installer (e.g., setup.exe) in compatibility mode—right-click it, hit Properties, and set it to Windows XP SP3 mode. If that flops, a virtual machine running Windows XP or 7 is your best bet, though it’s a hassle. 

Another gotcha: even if you get it installed, features like 5250 emulation might crash or refuse to connect due to outdated networking protocols. You’ll need about 200-500 MB of space and a TCP/IP link to your IBM i system, but don’t expect miracles—this relic wasn’t built for 2025

system i navigator

If it’s too much grief, IBM i Access Client Solutions (ACS) is the modern alternative that actually plays nice with Windows 11. 

** PROBLEMS I ENCOUNTERED **

Verifying the IBM i Connection throws a lot of exceptions

This is an indication that you are going to have some fun trying to get this to work 🙂

Windows11 Client Access - Install Problems 1

ERROR: CWBSY1008 - General Security Error occurred rc=000

Windows11 Client Access - Install Problems 2

Cause - A general security error was returned to the client from the System i platform. This error may be the result of one of the following:

  •  The user profile being used has no password (*NONE) assigned to it.
  • The password validation program being used (system value QPWDVLDPGM on the system) has a program name defined and this program found an error in the password.
  • The password for QUSER profile needs to be reset.

Recovery - Check to see if the user profile has a password assigned to it. If no password is assigned, you must assign one. Also, look at the job log for user QUSER, job QZSOSIGN to see if the password validation program found an error. To do this:

  •  Type WRKACTJOB at the IBM i command prompt to bring up the list of active jobs.
  • Press F14 (shift+F2) to include prestarted jobs.
  • Find the QZSOSIGN job running in the QSYSWRK subsystem in the job list. If there are multiple QZSOSIGN jobs, repeat the following steps for each job.
  • Type a 5 next to each QZSOSIGN to work with it and press Enter.
  • On the Work with Job panel, type a 10 to display the job log.
  • Look for a message in the job log similar to 'SIGNON server job' for the user who had the CWBSY1008 message. The message listed after this message should help solve the problem. If the error message says the password for QUSER has expired, change the password for QUSER fixes the problem. For other causes, look at the error message details help and take the recommended action.

ERROR: This Module Is Blocked from Loading into Local Security Authority (CWBNETNT.DLL)

Windows11 Client Access - Install Problems 3

Windows 11 users installing the Legacy IBM Client Access may encounter the error message - "This module is blocked from loading into Local Security Authority" with the client access dll CWBNETNT.DLL

This CWBNETNT.DLL issue is because the file is being blocked from loading into the Local Security Authority (LSA) on Windows 11 which has tightened security settings. This DLL is tied to IBM Client Access (or IBM i Access Client Solutions’ Windows Application Package), often used for network authentication features like WINLOGON.

Local Security Authority (LSA) protection is a Windows security feature to help prevent the theft of credentials used for signing into Windows.

If you’re seeing a popup like “This module is blocked from loading into the Local Security Authority” pointing to CWBNETNT.DLL (typically in C:\Program Files\IBM\Client Access\Shared), it’s LSA protection doing its job. 

Why It’s Happening: Windows 11 24H2 disabled legacy WINLOGON support by default, breaking older IBM Client Access functionality that relies on this DLL for credential passing. Windows 11 enforces LSA protection, blocking unsigned or untrusted DLLs like CWBNETNT.DLL from loading into sensitive processes. Legacy Client Access hasn’t kept up, and Microsoft’s deprecated the old credential-passing method it used.


Quick Fix Options:

  • Switch to IBM i ACS: The simplest fix is to ditch the legacy IBM Client Access and install IBM i Access Client Solutions (ACS). ACS is Java-based, doesn’t depend on CWBNETNT.DLL for authentication, and works smoothly on Windows 11. Download it from IBM’s Entitled Systems Support site (you’ll need an IBM ID and entitlement), unzip the acsbundle.jar, and run it—no DLL drama required.
  • IF YOU MUST USE LEGACY CLIENT ACCESS then try to re-enable WINLOGON (Temporary Workaround): If you’re stuck with legacy Client Access, you can manually re-enable the network provider:
    • Open regedit.exe as an admin.
    • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order.
    • Edit the ProviderOrder value (a comma-separated list) and add Cwbnetnt at the start (e.g., Cwbnetnt,rpcrt4).
    • Restart your PC. This tells Windows to load the DLL again, but it’s a security risk—Microsoft and IBM both warn against it long-term.

Remember, IBM i ACS is the future-proof fix, don’t fight the tide unless you must.

Done?
 Mark lesson complete
Previous Lesson
Next Lesson
{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}
>