Authorization During Request Submittal
Microsoft® Provisioning Framework (MPF) recognizes two types of provisioning requests: simple and trusted.
- A simple request executes a single procedure whose name and namespace are passed as parameters. Simple requests can contain only data (if required) and/or a security context (depending on the user's privileges). For security reasons, simple requests are the standard approach for invoking MPF for both COM and HTTP/SOAP applications. Simple requests are authenticated based on their COM security context.
- In some situations, it can be desirable to submit a trusted request that explicitly defines the procedure steps as well as any data or security context. By default, only members of the groups Administrators, MPFAdmins, and MPFTrustedUsers can submit trusted requests.
MPF provides two application programming interfaces (APIs) that submit requests to the framework: IProvEngine and IProvQueue. IProvEngine is for real-time requests, IProvQueue for queued requests, and SOAP ISAPI for SOAP requests. The methods for simple and trusted requests are listed below.
| Type of Request | Submitted To... | API/Method |
|---|---|---|
| Simple requests | Provisioning engines | IProvEngine::SubmitRequest |
| Queue managers | IProvQueue::SubmitRequest | |
| Trusted requests | Provisioning engines | IProvEngine::SubmitTrustedRequest SOAP ISAPI |
| IProvQueue::SubmitTrustedRequest | ||
| Queue managers |
A caller's authority to execute these APIs is governed by the Requests Security properties in Provisioning Manager. For more information, see Provisioning Engines and Provisioning Queue Manager Service.
Once they receive a request, MPF clients build the request's COM security context and pass it to the provisioning engine. The two client properties MPF uses to do this, Capabilities and Impersonation Level, are configured in Provisioning Manager. For more information, see Clients.
SOAP ISAPI verifies that callers are allowed to submit SOAP requests when it creates the corresponding MPF requests. By default, SOAP ISAPI runs under the MPFClientAcct user account, so the COM security context is MPFClientAcct. Incoming requests are initially authorized by Microsoft® Internet Information Server (IIS). The way SOAP ISAPI continues this process once it receives a request is determined by:
- The Capabilities and Impersonation Level properties.
- Two registry keys located in
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\ISAPI.
Property Description PassportEnabled Determines whether the ISAPI authenticates users against Microsoft® .NET Passport. 0 (default): The ISAPI does not perform Passport authentication.
1: The ISAPI extracts the Passport Unique ID (PUID) from the returned Passport cookie and passes it as part of the request's security context (\securityContext\passport\@puid). When the provisioning engine receives the request, it attempts to authenticate users against Passport and redirects them to Passport if they are not accepted. Passport then handles its own authentication.SecurityType Enumeration that determines whether the ISAPI generates the security context for the call before passing the request to MPF via IProvEngine::SubmitTrustedRequest.
0: The ISAPI extracts basic authentication credentials from the incoming call and builds a security context. If the incoming HTTP request contains a basic authentication header, the ISAPI extracts the user name and password and constructs a basic authentication credential for the request's security context (\securityContext\authentication\basic). The ISAPI deletes any security context passed in with the request.
1: The ISAPI passes the security context unchanged from the incoming call. This is the weakest security setting.
2 (default): The ISAPI passes the request through with no security context. The ISAPI extracts the namespace name and procedure from the incoming SOAP request header and constructs a simple request from the data node of the SOAP request. As a result, the request does not pass a security context, and the provisioning server will therefore authorize the request based on the COM security context. This is the strongest security setting.
See Also
Access Control Basics, Authorization, XML Schema for Requests
Top
of Page
© 1999-2002
Microsoft Corporation. All rights reserved.