3.1.4.3 Security Context of Operations

When the server receives an Active Directory Web Services: Custom Action Protocol request, the operations are performed under the caller's security context. The caller's security context is established as specified in [MS-NNS] section 3.1.4. The client MUST allow the server to impersonate its credentials; otherwise, the server returns a SOAP fault corresponding to the custom action that was requested as described in sections 3.3.4.1.8.8, 3.3.4.5.8.8, 3.3.4.6.8.3, 3.4.4.1.8.6, 3.4.4.2.8.4, 3.4.4.3.8.4, 3.4.4.4.8.3, 3.4.4.5.8, and 3.4.4.6.8.6.

For the GetADGroupMember, GetADPrincipalAuthorizationGroup, and GetADPrincipalGroupMembership custom actions, if any of the following is true:

  • The GetADGroupMemberRequest/GroupDN element of GetADGroupMember specifies a group from a domain that is different from what is hosted by the target server (specified by the Server element (section 2.2.3.5) in the SOAP header).

  • The GetADPrincipalAuthorizationGroupRequest/PrincipalDN element of GetADPrincipalAuthorizationGroup specifies an object from a domain that is different from what is hosted by the target server (specified by the Server element in the SOAP header).

  • The GetADPrincipalGroupMembershipRequest/PrincipalDN element of GetADPrincipalGroupMembership specifies an object from a domain that is different from what is hosted by the target server (specified by the Server element in the SOAP header).

  • The group specified in GetADGroupMemberRequest/GroupDN contains security principals that are defined in a domain that is different from what is hosted by the target server (specified by the Server element in the SOAP header).

  • The security principal specified in GetADPrincipalAuthorizationGroupRequest/PrincipalDN is part of a security-enabled group defined in a domain that is different from what is hosted by the target server (specified by the Server element in the SOAP header).

  • The security principal specified in GetADPrincipalGroupMembershipRequest/PrincipalDN is part of a group defined in a domain that is different from what is hosted by the target server (specified by the Server element (section 2.2.3.5) in the SOAP header).

Then, these custom actions rely on implementation-specific server-to-server protocol behavior to retrieve information from remote servers in order to populate their response elements. For such requests, in addition to allowing the server to impersonate the client's credentials, the client MUST allow the server to delegate its credentials and execute operations on remote servers using the client's security context. Otherwise, the server returns a SOAP fault corresponding to the custom action that was requested as described in sections 3.3.4.2.8.7, 3.3.4.3.8.7, and 3.3.4.4.8.8.

If none of the above is true, these custom actions populate their response elements by retrieving information from the target server (specified by the Server element in the SOAP header). For such requests, the client MUST allow the server to impersonate its credentials; otherwise, the server returns a SOAP fault corresponding to the custom action that was requested as described in sections 3.3.4.2.8.6, 3.3.4.3.8.6, and 3.3.4.4.8.7.
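The impersonation-versus-delegation rule above can be expressed as a small decision function, useful for predicting which requests will fault when a client deliberately grants only impersonation. The code below is an added example, not part of the protocol specification: it assumes simple DNs without escaped commas, derives a domain from the DC= components, and takes the cross-domain members or groups the server would have to look up as an input list.

```python
from dataclasses import dataclass, field

# Impersonation levels a client can grant; the protocol needs at least
# Impersonate for every custom action and Delegate for cross-domain lookups.
IMPERSONATE = "Impersonate"
DELEGATE = "Delegate"
_RANK = {IMPERSONATE: 1, DELEGATE: 2}

# The three custom actions covered by the cross-domain rule in 3.1.4.3.
MEMBERSHIP_ACTIONS = {
    "GetADGroupMember",
    "GetADPrincipalAuthorizationGroup",
    "GetADPrincipalGroupMembership",
}


def dn_domain(dn: str) -> str:
    """Return the DNS domain named by a DN's DC= components (assumes no escaped commas)."""
    parts = [p.strip() for p in dn.split(",")]
    dcs = [p[3:] for p in parts if p.upper().startswith("DC=")]
    return ".".join(dcs).lower()


@dataclass
class MembershipRequest:
    action: str            # custom action name from the SOAP body
    target_dn: str         # GroupDN or PrincipalDN element of the request
    server_domain: str     # domain hosted by the Server element in the SOAP header
    # Constructed input: the group's members, or the principal's groups, as the
    # server would discover them while populating the response.
    related_dns: list = field(default_factory=list)


def required_level(req: MembershipRequest) -> str:
    """Minimum impersonation level the client must grant for this request."""
    if req.action not in MEMBERSHIP_ACTIONS:
        return IMPERSONATE
    hosted = req.server_domain.lower()
    # Target object lives in a domain other than the one the server hosts.
    if dn_domain(req.target_dn) != hosted:
        return DELEGATE
    # Target is local, but its members / groups come from another domain.
    if any(dn_domain(d) != hosted for d in req.related_dns):
        return DELEGATE
    return IMPERSONATE


def would_fault(req: MembershipRequest, granted: str) -> bool:
    """True when the granted level is below what the action needs (server returns a SOAP fault)."""
    return _RANK[granted] < _RANK[required_level(req)]
```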