For basic authentication, Microsoft® Provisioning Framework (MPF) authenticates callers using a credential consisting of a user name, password, and Windows domain name. MPF uses basic authentication in two ways: trusted requests carry the credential inside the request, and a stored credential can be assigned to a procedure so that every authorized caller runs it with the same access privileges.
Trusted Requests
Trusted requests pass basic authentication credentials in the \securityContext\authentication\basic node. MPF does not verify this credential itself; it delegates authentication to the calling process, which is trusted to have authenticated the user before submitting the request. If the request calls external services such as Microsoft® Active Directory®, MPF passes the basic credential on to the service, which can then use it to authorize the caller. For more information on trusted requests, see Authorization During Request Submittal.
When all authorized callers for a namespace procedure are entitled to the same security privileges, it can be convenient to associate these privileges with a credential stored in the configuration database. This credential is assigned to the procedure as an "execute as" credential so that all callers are treated as if they are the same user.
- Using Provisioning Manager, define credentials in Credentials, Add Credential. Assign the credential to the procedure in Namespaces, namespace name, procedure name, Properties. The credential is the procedure's Execute as property.
- Using Configuration WMI Provider, create an instance of class MSFT_MPFCredential. Then, on the MSFT_MPFProcDefinition instance for the procedure, set the RunAsCredential property (declared as MSFT_MPFCredential ref) to reference that credential instance.
When a caller passes a user name in the request, MPF looks up the corresponding credential in the configuration database and places it in the request's securityContext\authentication\basic\@username node. However, the credential is only used if the procedure call sets the impersonate attribute on the respective execute or queue node; without that attribute the call runs in the caller's own security context.
For example, a request to implement a new Microsoft® Internet Information Services (IIS) server might involve the following procedure calls and credentials.
- Procedure call: Active Directory Provider::Create Object. Task: create a new user account in Active Directory. Credential: none. If no credentials are specified, the security context for the call is the COM context of the calling user.
- Procedure call: File System Provider::CreateDirectory. Task: create a new directory. Credential: CreateDirectory has an administrator credential specified as the Execute as property.
- Procedure call: CoreRMO::Add Resource Group. Task: create resource groups. Credential: Add Resource Group has an administrator credential specified as the Execute as property.
Since CreateDirectory and Add Resource Group have an administrator credential, anyone authorized to call those procedures will run them with administrator permissions. The elevation is limited to those two procedures; callers do not gain administrator permissions for other procedures. The practical consequence is that authorization on the procedure itself becomes the only control: whoever is permitted to call a procedure with an administrator Execute as credential can perform everything that procedure does as an administrator, so the set of authorized callers should be kept as small as the procedure's purpose allows.
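The following request is an added illustration of the scenario above; it is not taken from the MPF documentation. Only the \securityContext\authentication\basic node, its @username attribute, the impersonate attribute, and the three procedure names are stated on this page. The surrounding envelope (request, context, data, procedure, execute, before, after), the password and domain attribute names, the impersonate="1" value, and the sample data values are assumed for the example.

```xml
<request>
  <context>
    <securityContext>
      <authentication>
        <!-- Basic credential supplied by the trusted calling process.
             MPF does not verify it; the caller is trusted to have done so.
             Attribute names other than username are assumed. -->
        <basic username="provisioner" password="P@ssw0rd-example" domain="CONTOSO" />
      </authentication>
    </securityContext>
  </context>
  <data>
    <!-- Constructed sample input for the new IIS site. -->
    <account>web01user</account>
    <homeDirectory>D:\wwwroot\web01</homeDirectory>
    <resourceGroup>web01-rg</resourceGroup>
  </data>
  <procedure>
    <!-- No Execute as credential on this procedure. With impersonate="1"
         the basic credential above is passed to Active Directory; without
         it the call runs in the COM context of the calling user. -->
    <execute namespace="Active Directory Provider" procedure="Create Object" impersonate="1">
      <before source="data" destination="executeData" mode="merge" />
      <after source="executeData" destination="data" mode="merge" />
    </execute>
    <!-- CreateDirectory has an administrator Execute as credential, so every
         authorized caller runs this step as that administrator. -->
    <execute namespace="File System Provider" procedure="CreateDirectory" impersonate="1">
      <before source="data" destination="executeData" mode="merge" />
    </execute>
    <!-- Add Resource Group likewise runs as its stored administrator credential. -->
    <execute namespace="CoreRMO" procedure="Add Resource Group" impersonate="1">
      <before source="data" destination="executeData" mode="merge" />
    </execute>
  </procedure>
</request>
```

Because a trusted request carries the user name, password, and domain in the clear inside the request document, the path between the calling process and MPF should be protected, and request logs or traces that capture the securityContext node should be treated as containing credentials.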
Related topics: Access Control Basics, Kerberos Delegation, Procedures
© 1999-2002 Microsoft Corporation. All rights reserved.