Basic Authentication
For basic authentication, Microsoft® Provisioning Framework (MPF) authenticates callers using a credential comprised of a user name, password, and Windows domain name. MPF uses basic authentication in trusted requests and as a means of standardizing access privileges for a procedure.
Trusted Requests
Trusted requests pass basic authentication credentials in the \securityContext\authentication\basic node. MPF delegates authentication responsibility to the calling process. If the request calls external services such as Microsoft® Active Directory®, MPF passes the basic credential on to the service, which can then use it to authorize callers. For more information on trusted requests, see Authorization During Request Submittal.Execute As
When all authorized callers for a namespace procedure are entitled to the same security privileges, it can be convenient to associate these privileges with a credential stored in the configuration database. This credential is assigned to the procedure as an "execute as" credential so that all callers are treated as if they are the same user.
- Using Provisioning Manager, define credentials in Credentials, Add Credential. Assign the credential to the procedure in Namespaces, namespace name, procedure name, Properties. The credential is the procedure's Execute as property.
- Using Configuration WMI Provider, create an instance of class MSFT_MPFCredential. For class MSFT_MPFProcDefinition, set the property MSFT_MPFCredential ref RunAsCredential.
When a caller passes a user name in the request, MPF looks for the corresponding credential and places it in the request's securityContext\authentication\basic\@username node. However, the credential is only used if the procedure call specifies the impersonate attribute for the respective execute or queue node.
For example, a request to implement a new Microsoft® Internet Information Services (IIS) server might involve the following procedure calls and credentials.
| Procedure Call | Task | Credential |
|---|---|---|
| Active Directory Provider::Create Object | Create a new user account in Active Directory. | None. If no credentials are specified, the security context for the call will be the COM context of the calling user. |
| File System Provider::CreateDirectory | Create a new directory. | CreateDirectory has an administrator credential specified as the Execute as property. |
| CoreRMO::Add Resource Group | Create resource groups. | Add Resource Group has an administrator credential specified as the Execute as property. |
Since CreateDirectory and Add Resource Group have an administrator credential, anyone authorized to call those procedures will have administrator permissions for those two procedures. However, they will not have administration permissions for other procedures.
See Also
Access Control Basics, Kerberos Delegation, Procedures
Top
of Page
© 1999-2002
Microsoft Corporation. All rights reserved.