Basic authentication

For basic authentication, Microsoft Provisioning Framework (MPF) authenticates callers using credentials, including a user name, password, and Windows domain name. MPF uses basic authentication in trusted requests and as a means of standardizing access permissions for a procedure.

Trusted requests

Trusted requests pass basic authentication credentials in the \securityContext\authentication\basic node. MPF delegates authentication responsibility to the calling process. If the request calls external services, such as the Active Directory directory service, MPF passes the basic credentials on to the service, which can then use them to authorize the caller. For more information on trusted requests, see Authorization during request submittal.

"Execute as" credentials

When all authorized callers for a namespace procedure are entitled to the same security permissions, it can be convenient to associate these permissions with a credential stored in the configuration database. Credentials are defined in Provisioning Manager using the Add Credential option of Credentials. Credentials are assigned to procedures using the Execute as property of each procedure.

For example, a request to implement a new Internet Information Services (IIS) server might involve the procedure calls, tasks, and credentials listed below (procedure call, then its task and credential):

Active Directory Provider::Create Object
    Task: Create a new user account in Active Directory.
    Credential: None. If no credentials are specified, the security context for the call will be the COM context of the calling user.

File system Provider::CreateDirectory
    Task: Create a new directory.
    Credential: CreateDirectory has administrator credentials specified in the Execute as property.

CoreRMO::Add Resource Group
    Task: Create resource groups.
    Credential: Add Resource Group has administrator credentials specified in the Execute as property.

Because CreateDirectory and Add Resource Group have administrative credentials, anyone authorized to call those procedures will have administrative permissions for those two procedures. They will not, however, have administrative permissions for other procedures.

A procedure can have only a single set of "execute as" credentials. Multiple procedures can have separate credentials, or the same credentials can be assigned to multiple procedures. Therefore, the identity under which a request executes can change as it moves from one procedure to the next.

"Execute as" places the basic authentication credentials into the security context for the procedure. To be used, however, the procedure call must specify the Impersonate attribute for the respective execute or queue node.
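The following is an added example, not code from the MPF documentation or the product: it walks a constructed MPF-style request and reports, for each execute or queue node, whether a stored "execute as" credential takes effect or the call falls back to the caller's COM context. The element names under basic (domain, user, password), the namespace and procedure attributes, and the spelling impersonate="1" are assumptions about the request schema.

```python
# Added example (not part of the MPF documentation). Schema details below
# (domain/user/password elements, namespace/procedure attributes, impersonate="1")
# are assumptions, not confirmed MPF schema.
import xml.etree.ElementTree as ET

# Constructed sample request. CreateDirectory carries the Impersonate attribute;
# Add Resource Group has a stored credential but omits it; the AD call has neither.
SAMPLE_REQUEST = """<request>
  <securityContext>
    <authentication>
      <basic>
        <domain>EXAMPLE</domain>
        <user>provisioning-svc</user>
        <password>PLACEHOLDER</password>
      </basic>
    </authentication>
  </securityContext>
  <procedure>
    <execute namespace="Active Directory Provider" procedure="Create Object"/>
    <execute namespace="File system Provider" procedure="CreateDirectory" impersonate="1"/>
    <queue namespace="CoreRMO" procedure="Add Resource Group"/>
  </procedure>
</request>"""

# "Execute as" credentials from the configuration database, mirroring the table
# above (the Active Directory call has none). Values are constructed.
EXECUTE_AS = {
    ("File system Provider", "CreateDirectory"): "administrator",
    ("CoreRMO", "Add Resource Group"): "administrator",
}

def basic_principal(xml_text):
    """Return DOMAIN\\user from securityContext\\authentication\\basic; never the password."""
    basic = ET.fromstring(xml_text).find("securityContext/authentication/basic")
    if basic is None:
        return None
    return f"{basic.findtext('domain', '')}\\{basic.findtext('user', '')}"

def effective_identities(xml_text):
    """Map 'Namespace::Procedure' to the identity each execute/queue node runs under."""
    result = {}
    for node in ET.fromstring(xml_text).iter():
        if node.tag not in ("execute", "queue"):
            continue
        key = (node.get("namespace"), node.get("procedure"))
        stored = EXECUTE_AS.get(key)
        if stored and node.get("impersonate") == "1":
            identity = f"execute-as:{stored}"          # credential is applied
        elif stored:
            identity = "caller COM context (execute-as ignored: no Impersonate)"
        else:
            identity = "caller COM context"            # no credential configured
        result[f"{key[0]}::{key[1]}"] = identity
    return result
```

Running effective_identities(SAMPLE_REQUEST) shows that only CreateDirectory runs as the stored administrator credential; Add Resource Group still runs in the caller's context because its node lacks the Impersonate attribute.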