
7 Appendix B: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs:

  • Active Directory Management Gateway Service

  • Remote Server Administration Tools for Windows 7

  • Windows Server 2008 R2 operating system

  • Remote Server Administration Tools for Windows 8 operating system

  • Windows Server 2012 operating system

  • Remote Server Administration Tools for Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms SHOULD or SHOULD NOT implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term MAY implies that the product does not follow the prescription.

<1> Section 1.3.1: In Active Directory, the LDAP display name of an attribute is the value of its lDAPDisplayName attribute defined in section 2.356 of [MS-ADA1].

<2> Section 1.6: Active Directory Management Gateway Service contains the server implementation of WS-Transfer: Identity Management Operations for Directory Access Extensions; Remote Server Administration Tools for Windows 7, Remote Server Administration Tools for Windows 8, and Remote Server Administration Tools for Windows 8.1 contain the client implementation; and Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 have both the server and the client implementations.

Active Directory Management Gateway Service is available for Windows Server 2003 R2 with Service Pack 2 (SP2), Windows Server 2003 SP2, and Windows Server 2008.

<3> Section 2.1: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions use SOAP 1.2 [SOAP1.2-1/2003]. The transports used, as well as the authentication mechanisms supported and the endpoints exposed, are specified in section 2.1 of [MS-ADDM].

<4> Section 2.2.3.3: While processing a WS-Transfer Message that uses IMDA extensions, the server will generate a wsman:CannotProcessFilter fault with the AttributeTypeNotValidForDialect element as the fault detail if the client specified one or more identity attribute types that were not valid expressions in the dialect specified in the operation-specific SOAP message.

<5> Section 2.2.3.4: While processing a WS-Transfer Message that uses IMDA extensions, the server will generate a wsman:CannotProcessFilter fault with the AttributeTypeNotValidForEntry element as the fault detail if the client specified an identity attribute that was not valid for the identity object that was the target of the operation specified in the SOAP message.

<6> Section 2.2.3.5: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions do not return this element. They use the fault detail containing the ad:FaultDetail/ad:DirectoryError element defined in section 2.6 of [MS-ADDM].

<7> Section 2.2.3.5: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions do not return this element.

<8> Section 2.2.4.3: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions format the identity attribute values using the rules specified in section 2.3 of [MS-ADDM], namely:

  • Each identity attribute value is contained in a separate "value" element in the http://schemas.microsoft.com/2008/1/ActiveDirectory XML namespace.

  • The "value" elements are contained inside a single element named for the LDAP display name of the directory attribute (or, for synthetic attributes [MS-ADDM], the name of the synthetic attribute).

One instance of the ValueXmlType (that is, an AttributeValue element) can contain a single instance of the element named for the attribute, but that element can in turn contain multiple "value" elements, allowing multiple identity attribute values to be specified.

<9> Section 2.3: For Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions, this mapping is defined in section 2.3 of [MS-ADDM]. Each identity object corresponds to exactly one directory object, and the identity attributes are the directory attributes and synthetic attributes of the directory object.

<10> Section 3.1.1: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions use the mapping defined in section 2.3 of [MS-ADDM].

<11> Section 3.1.1: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions use the XPath 1.0-derived selection language defined in section 2.4 of [MS-ADDM]. As specified there, the URI that identifies this dialect is http://schemas.microsoft.com/2008/1/ActiveDirectory/Dialect/Xpath-Level-1.

<12> Section 3.1.3: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions use the endpoints described in section 2.1 of [MS-ADDM].

<13> Section 3.1.4.1: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions do not support WS-Transfer Put and Create operations without use of the IMDA extensions and will reject any such operation that does not include the IdentityManagementOperation SOAP header by returning a WS-Addressing Action Not Supported SOAP fault [WSAddressing].

Additionally, Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions will return IMDA-specified SOAP faults (section 3.1.4.2) in response to WS-Transfer Get and Delete operations even if those operations do not include the IdentityManagementOperation SOAP header.

<14> Section 3.1.4.2.1: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions use the fault detail defined in section 2.6 of [MS-ADDM].

<15> Section 3.1.4.2.2: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions use the fault detail defined in section 2.6 of [MS-ADDM].

<16> Section 3.1.4.2.3: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions do NOT return a wsman:CannotProcessFilter fault if the request contains a rootDSE attribute, defined in [MS-ADTS] section 3.1.1.3.2, that is not supported by the AD DS or AD LDS instance running on the target server. In this case, the server returns one of the following responses:

  • An empty value for read operations.

  • A da:UnwillingToPerform SOAP fault for write operations. The fault detail contains the ad:FaultDetail/ad:DirectoryError element, as defined in [MS-ADDM] section 2.6.

<17> Section 3.1.4.2.3: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions always include an AttributeTypeNotValidForDialect element or an AttributeTypeNotValidForEntry element, as appropriate, except that they will generate a wsman:CannotProcessFilter fault with an empty fault detail if, while retrieving information from the directory service, they encounter a directory attribute whose Active Directory schema information cannot be retrieved.

<18> Section 3.1.4.2.4: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions use the fault detail defined in section 2.6 of [MS-ADDM] and the fault reason, “The failed operation was attempted on a non-existent directory object.”

<19> Section 3.1.4.2.4: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions generate a receiver fault, instead of a sender fault, as specified in section 3.1.4.2.4.

<20> Section 3.1.4.2.5: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions include the SizeLimit attribute specifying the maximum number of elements permitted by the server for the operation requested.

<21> Section 3.1.4.2.5: For Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions, the limit defaults to a maximum of 100 AttributeType elements in a Get operation and 100 AttributeTypeAndValue elements in a Put or Create operation.

<22> Section 3.1.4.2.6: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions generate this fault when the supply of connections to the directory service is exhausted.

<23> Section 3.1.4.2.6: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions use the fault detail defined in section 2.6 of [MS-ADDM] and the fault reason, "A connection to the directory on which to process the request was unavailable. This is likely a transient condition."

<24> Section 3.1.4.2.8: If the constraint violation occurs because of a Create operation, Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions generate a da:UnwillingToPerform SOAP fault. If it is a Put operation that causes the constraint violation, Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions generate a wxf:InvalidRepresentation SOAP fault.

<25> Section 3.1.4.2.8: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions use the fault detail defined in section 2.6 of [MS-ADDM].

<26> Section 3.1.4.2.8: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions use the fault detail containing the ad:FaultDetail/ad:DirectoryError element defined in section 2.6 of [MS-ADDM].

<27> Section 3.1.4.2.8: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions return this fault whenever a condition occurs that would cause Active Directory [MS-ADTS] to return the LDAP error code objectClassViolation. Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions use the fault detail defined in section 2.6 of [MS-ADDM].

<28> Section 3.1.4.2.9: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions use the fault detail defined in section 2.6 of [MS-ADDM].

<29> Section 3.1.4.2.10: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions use the fault detail defined in section 2.6 of [MS-ADDM].

<30> Section 3.2: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions specify the target via the "instance" and "objectReferenceProperty" SOAP headers defined in section 2.5 of [MS-ADDM].

<31> Section 3.2.4.1: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions use the XML view defined in section 2.3.2 of [MS-ADDM], namely, an identity object is represented as an XML element in the http://schemas.microsoft.com/2008/1/ActiveDirectory/Data XML namespace named for the most-specific structural class ([MS-ADTS] section 3.1.1.1.4) of the directory object to which the identity object corresponds.

<32> Section 3.2.4.1: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions exclude those identity attributes that correspond to constructed attributes in the corresponding directory object.

<33> Section 3.2.4.1.3.1: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions format identity objects and the identity attribute values using the rules specified in section 2.3 of [MS-ADDM], namely:

An identity object is represented as an XML element in the http://schemas.microsoft.com/2008/1/ActiveDirectory/Data XML namespace named for the most-specific structural class ([MS-ADTS] section 3.1.1.1.4) of the directory object to which the identity object corresponds.

Identity attribute values are formatted as follows:

  • Each identity attribute value is contained in a separate “value” element in the http://schemas.microsoft.com/2008/1/ActiveDirectory XML namespace.

  • The “value” elements are contained inside a single element named for the LDAP display name of the directory attribute (or, for synthetic attributes, the name of the synthetic attribute).

One instance of the PartialAttributeXmlType (that is, a PartialAttribute element) can contain a single instance of the element named for the attribute, but that element can in turn contain multiple “value” elements, allowing multiple identity attribute values to be specified.
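The value-formatting rules of notes <8> and <33> (one element named for the LDAP display name, holding one "value" element per attribute value in the ActiveDirectory namespace) as an added builder/parser example; this is not code from the specification. It assumes the attribute-named element lives in the ".../ActiveDirectory/Data" namespace, following the [MS-ADDM] XML view, and leaves the AttributeValue/PartialAttribute wrapper unqualified.

```python
import xml.etree.ElementTree as ET

# Namespaces named on the page. Putting the attribute-named element in the
# Data namespace is an assumption (the [MS-ADDM] XML view convention); the
# wrapper element is left unqualified because the IMDA schema namespace is
# not modelled here.
NS_AD = "http://schemas.microsoft.com/2008/1/ActiveDirectory"
NS_ADDATA = "http://schemas.microsoft.com/2008/1/ActiveDirectory/Data"
ET.register_namespace("ad", NS_AD)
ET.register_namespace("addata", NS_ADDATA)


def build_attribute_value(ldap_display_name, values, wrapper="AttributeValue"):
    """Serialize one ValueXmlType (or PartialAttributeXmlType when wrapper is
    "PartialAttribute") instance: a single element named for the LDAP display
    name, containing one ad:value element per identity attribute value."""
    wrapper_el = ET.Element(wrapper)
    attr_el = ET.SubElement(wrapper_el, "{%s}%s" % (NS_ADDATA, ldap_display_name))
    for v in values:
        ET.SubElement(attr_el, "{%s}value" % NS_AD).text = v
    return ET.tostring(wrapper_el, encoding="unicode")


def parse_attribute_value(xml_text):
    """Return (ldap_display_name, [values]) and reject documents that break the
    rules: exactly one attribute-named child under the wrapper, and only
    ad:value children under that element."""
    root = ET.fromstring(xml_text)
    children = list(root)
    if len(children) != 1:
        raise ValueError("expected exactly one attribute element, got %d" % len(children))
    attr_el = children[0]
    prefix = "{%s}" % NS_ADDATA
    if not attr_el.tag.startswith(prefix):
        raise ValueError("attribute element not in the Data namespace: %s" % attr_el.tag)
    values = []
    for child in attr_el:
        if child.tag != "{%s}value" % NS_AD:
            raise ValueError("unexpected child %s; only ad:value is allowed" % child.tag)
        values.append(child.text or "")
    return attr_el.tag[len(prefix):], values


if __name__ == "__main__":
    # Constructed sample: a multi-valued "description" attribute.
    doc = build_attribute_value("description", ["first value", "second value"])
    print(doc)
    print(parse_attribute_value(doc))
```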

<34> Section 3.2.4.2: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions perform modifications to the ad:container-hierarchy-parent and ad:relativeDistinguishedName synthetic attributes (see sections 2.3.3.2 and 2.3.3.4 of [MS-ADDM]) as an atomic transaction separate from the modification of any other identity attributes that are present in the Put request. A single Put request could consist of up to two atomic transactions: one for the ad:container-hierarchy-parent and/or ad:relativeDistinguishedName modifications and one for any remaining modifications in the Put request. The transactions are performed in that order, and a failure in the latter transaction will not undo the changes made by the preceding transaction.

If there is more than one modification to the ad:container-hierarchy-parent synthetic attribute, or more than one modification to the ad:relativeDistinguishedName synthetic attribute, in a single Put request, the server will reject the request with an UnwillingToPerform SOAP fault.
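The two-transaction ordering in note <34>, modelled on an in-memory object as an added example (not code from the specification or from Windows): the rename/move modifications commit first, and a failure in the remaining modifications leaves that rename in place, which is the partially applied state a client must expect after a fault. The directory_accepts hook is a constructed stand-in for the directory's own checks, and the page does not say whether the second transaction runs when the first fails, so this model stops there.

```python
RENAME_ATTRS = ("ad:container-hierarchy-parent", "ad:relativeDistinguishedName")


class UnwillingToPerform(Exception):
    """Stands in for the UnwillingToPerform SOAP fault."""


def apply_put(identity_object, modifications, directory_accepts=lambda attr, value: True):
    """Apply one Put request's (attribute, new_value) pairs to identity_object (a dict).

    Returns "ok" when both transactions commit and "fault" when one fails.  A
    failed second transaction does not roll back the rename/move committed by
    the first one.  Assumption: if the first transaction fails, the second is
    not attempted (the page does not state this case).
    """
    rename_mods = [(a, v) for a, v in modifications if a in RENAME_ATTRS]
    other_mods = [(a, v) for a, v in modifications if a not in RENAME_ATTRS]
    for attr in RENAME_ATTRS:
        if sum(1 for a, _ in rename_mods if a == attr) > 1:
            raise UnwillingToPerform("more than one modification to %s in one Put" % attr)

    def run_transaction(mods):
        staged = dict(identity_object)
        for a, v in mods:
            if not directory_accepts(a, v):
                return False  # atomic: nothing from this transaction is applied
            staged[a] = v
        identity_object.clear()
        identity_object.update(staged)  # commit
        return True

    if rename_mods and not run_transaction(rename_mods):
        return "fault"
    if other_mods and not run_transaction(other_mods):
        return "fault"  # rename/move from the first transaction stays applied
    return "ok"


if __name__ == "__main__":
    # Constructed sample: rename succeeds, the description change is rejected.
    obj = {"ad:relativeDistinguishedName": "CN=old", "description": "d0"}
    result = apply_put(obj, [("ad:relativeDistinguishedName", "CN=new"),
                             ("description", "d1")], lambda a, v: v != "d1")
    print(result, obj)
```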

<35> Section 3.2.4.2: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions return the da:UnwillingToPerform SOAP fault specified in section 3.1.4.2.10 without performing any modifications to the identity object if there are no change elements present in the ModifyRequest.

<36> Section 3.2.4.2.3.1: Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions permit an AttributeValue element to be specified in the Change element for a "delete" modification. In addition, the identity attribute value(s) to be deleted can also be specified by using an XPath 1.0-derived selection language expression containing a selection predicate (see section 2.4 of [MS-ADDM]) as the contents of the AttributeType element in the Change element.

If both a predicate selection element and one or more AttributeValue elements are supplied, the union of the two is processed. (In other words, both the values specified by the predicate and by the AttributeValues are deleted.)

If neither a selection predicate nor an AttributeValue element is supplied, then all the values of the identity attribute are deleted.
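The "delete" resolution rules of note <36> (union of predicate-selected and explicitly listed values; everything when neither is given) as an added example, not code from the specification. It assumes a simplified predicate form, attr[ad:value='literal'], as a stand-in for the XPath 1.0-derived selection language of [MS-ADDM] section 2.4, and takes the Change element's contents as already-extracted strings.

```python
import re

# Simplified predicate syntax assumed for this example only; the real dialect
# is the XPath 1.0-derived selection language of [MS-ADDM] section 2.4.
PREDICATE_RE = re.compile(r"^(?P<attr>[A-Za-z][\w-]*)\[ad:value='(?P<lit>[^']*)'\]$")


def resolve_delete(current_values, attribute_type, explicit_values=()):
    """Return the set of values a 'delete' Change removes from an identity attribute.

    attribute_type  -- contents of the AttributeType element, with or without a predicate
    explicit_values -- values carried in AttributeValue elements of the Change
    Predicate hits and explicit values are unioned; with neither supplied, every
    current value is deleted; a predicate that matches nothing deletes nothing.
    """
    match = PREDICATE_RE.match(attribute_type)
    if match:
        predicate_hits = {v for v in current_values if v == match.group("lit")}
    elif "[" in attribute_type:
        raise ValueError("predicate form not supported by this example: %s" % attribute_type)
    else:
        predicate_hits = None  # no selection predicate at all
    explicit = set(explicit_values)
    if predicate_hits is None and not explicit:
        return set(current_values)
    return (predicate_hits or set()) | explicit


def apply_delete(current_values, attribute_type, explicit_values=()):
    """Return the values that remain after the delete, in their original order."""
    doomed = resolve_delete(current_values, attribute_type, explicit_values)
    return [v for v in current_values if v not in doomed]


if __name__ == "__main__":
    # Constructed sample: a three-valued "description" attribute.
    current = ["alpha", "beta", "gamma"]
    print(apply_delete(current, "description[ad:value='alpha']", ["beta"]))
    print(apply_delete(current, "description"))
```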

<37> Section 3.3.4.1: In Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions, the identity objects correspond to directory objects in Active Directory, and the identity attributes correspond to directory attributes and synthetic attributes on the directory object [MS-ADDM]. Therefore, when an object is created, its attributes are defaulted in accordance with the Active Directory processing rules for object creation (see [MS-ADTS], in particular, section 3.1.1.5.2).

<38> Section 3.3.4.1.2.1: If the server does not permit more than one value to be added to the specified identity attribute, Microsoft implementations of WS-Transfer: Identity Management Operations for Directory Access Extensions generate a da:UnwillingToPerform SOAP fault.

© 2014 Microsoft. All rights reserved.