7 Appendix B: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs.

This document specifies version-specific details in the Microsoft .NET Framework. For information about which versions of .NET Framework are available in each released Windows product or as supplemental software, see [MS-NETOD] section 4.

  • Microsoft Directory Services Markup Language (DSML) Services for Windows

  • Microsoft .NET Framework 2.0

  • Microsoft .NET Framework 3.0

  • Microsoft .NET Framework 3.5

  • Microsoft .NET Framework 4.0

  • Microsoft .NET Framework 4.5

  • Microsoft .NET Framework 4.6

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms SHOULD or SHOULD NOT implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term MAY implies that the product does not follow the prescription.

<1> Section 2.2.1: The DSML client in DSML Services for Windows uses the prefix "ad:" for the "urn:schema-microsoft-com:activedirectory:dsmlv2" namespace. The sender can use an arbitrary prefix for the "urn:schema-microsoft-com:activedirectory:dsmlv2" namespace for BeginSession (section 3.1.4.1), Session (section 3.1.4.2), and EndSession (section 3.1.4.3) requests. The server processes BeginSession requests with no prefixes. Session and EndSession requests that do not use a prefix will generate a fault from the server. The server response to all successful requests uses the "ad:" prefix.  See Protocol Examples (section 4).

<2> Section 2.2.2.1: The DSML client in DSML Services for Windows uses the prefix "ad:" for the "urn:schema-microsoft-com:activedirectory:dsmlv2" namespace. The sender can use an arbitrary prefix for the "urn:schema-microsoft-com:activedirectory:dsmlv2" namespace for BeginSession (section 3.1.4.1), Session (section 3.1.4.2), and EndSession (section 3.1.4.3) requests. The server processes BeginSession requests with no prefixes. Session and EndSession requests that do not use a prefix will generate a fault from the server. The server response to all successful requests uses the "ad:" prefix. See Protocol Examples (section 4).

<3> Section 2.2.2.2: The DSML client in DSML Services for Windows uses the prefix "ad:" for the "urn:schema-microsoft-com:activedirectory:dsmlv2" namespace. The sender can use an arbitrary prefix for the "urn:schema-microsoft-com:activedirectory:dsmlv2" namespace for BeginSession (section 3.1.4.1), Session (section 3.1.4.2), and EndSession (section 3.1.4.3) requests. The server processes BeginSession requests with no prefixes. Session and EndSession requests that do not use a prefix will generate a fault from the server. The server response to all successful requests uses the "ad:" prefix. See Protocol Examples (section 4).

<4> Section 2.2.2.3: The DSML client in DSML Services for Windows uses the prefix "ad:" for the "urn:schema-microsoft-com:activedirectory:dsmlv2" namespace. The sender can use an arbitrary prefix for the "urn:schema-microsoft-com:activedirectory:dsmlv2" namespace for BeginSession (section 3.1.4.1), Session (section 3.1.4.2), and EndSession (section 3.1.4.3) requests. The server processes BeginSession requests with no prefixes. Session and EndSession requests that do not use a prefix will generate a fault from the server. The server response to all successful requests uses the "ad:" prefix. See Protocol Examples (section 4).

<5> Section 3.1.1: DSML Services for Windows stores the LDAP connection to the directory server in the session. This ensures that all operations performed within a session are performed using the same LDAP connection. This is required to support the following LDAP controls [MS-ADTS] because the Active Directory service does not permit the cookies embedded in these controls to be used across LDAP connections.

  • LDAP_PAGED_RESULT_OID_STRING

  • LDAP_CONTROL_VLVREQUEST

<6> Section 3.1.3: DSML Services for Windows enforces the following limits by default:

  • MaxSessionsAllowed: 100 sessions

  • MaxSessionsAllowedPerIp: 5 sessions

  • MaxSessionIdleTimeAllowed: 10 minutes

<7> Section 3.1.4.1: DSML Services for Windows generates SessionID attribute values randomly. If the randomly generated value matches a SessionID attribute value that is currently in the SessionTable, then a new SessionID value is randomly generated. This process is repeated, if necessary, until a SessionID value that is not currently in the SessionTable is generated.

<8> Section 3.1.4.3: DSML Services for Windows immediately disposes of the state after removing it from the SessionTable. It does this by closing the LDAP connection.

<9> Section 5.1: DSML Services for Windows enforces the following validation checks by default:

  • The IP address of the client sending a <Session> or <EndSession> header for a given session matches the IP address of the client that performed the BeginSession operation to create that session.

  • The DSML request to which the <Session> or <EndSession> header is attached for a given session is authenticated as the same identity as the DSML request that created that session with a BeginSession operation.

Show: