|
|
|
|
For basic authentication, Microsoft® Provisioning Framework (MPF) authenticates callers using a credential comprised of a user name, password, and Windows domain name. MPF uses basic authentication in trusted requests and as a means of standardizing access privileges for a procedure.
When all authorized callers for a namespace procedure are entitled to the same security privileges, it can be convenient to associate these privileges with a credential stored in the configuration database. This credential is assigned to the procedure as an "execute as" credential so that all callers are treated as if they are the same user.
When a caller passes a user name in the request, MPF looks for the corresponding credential and places it in the request's securityContext\authentication\basic\@username node. However, the credential is only used if the procedure call specifies the impersonate attribute for the respective execute or queue node.
For example, a request to implement a new Microsoft® Internet Information Services (IIS) server might involve the following procedure calls and credentials.
| Procedure Call | Task | Credential |
|---|---|---|
| Active Directory Provider::Create Object | Create a new user account in Active Directory. | None. If no credentials are specified, the for the call will be the COM context of the calling user. |
| File System Provider::CreateDirectory | Create a new directory. | CreateDirectory has an administrator credential specified as the Execute as property. |
| Create resource groups. | Add Resource Group has an administrator credential specified as the Execute as property. |
Since CreateDirectory and Add Resource Group have an administrator credential, anyone authorized to call those procedures will have administrator permissions for those two procedures. However, they will not have administration permissions for other procedures.