2.1 Transport

This protocol uses RPC dynamic endpoints as specified in [C706] part 4.

This protocol uses Security Support Provider (SSP) security as specified in [MS-RPCE].

This protocol MUST use the UUID, as specified in section 1.9. There are two versions of this protocol: ClusAPI Protocol version 2.0 and ClusAPI Protocol version 3.0. <2>

For ClusAPI Protocol version 2.0, this protocol uses the following RPC Protocol Sequence: RPC over UDP, as specified in [MS-RPCE]. The client MUST specify an RPC authentication level of at least RPC_C_AUTHN_LEVEL_CONNECT. The client SHOULD specify the RPC authentication level RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, except when the ApiSetServiceAccountPassword method, as specified in section 3.1.4.2.108, is called; the client MUST specify the RPC authentication level RPC_C_AUTHN_LEVEL_PKT_PRIVACY (as defined in [MS-RPCE] section 2.2.1.1.8) if this method will be called as part of this RPC session. The client MUST specify the RPC Authentication Service as NTLM, as specified in [MS-RPCE]. The client MUST use the default security Quality of Service (QoS) settings for the NTLM security provider.

For ClusAPI Protocol version 3.0, this protocol uses the following RPC Protocol Sequence: RPC over TCP, as specified in [MS-RPCE]. The client MUST specify an RPC authentication level of at least RPC_C_AUTHN_LEVEL_PKT_PRIVACY. The client SHOULD specify the RPC authentication level RPC_C_AUTHN_LEVEL_PKT_PRIVACY. The server MUST refuse clients that establish connections by using an RPC authentication level that is less than RPC_C_AUTHN_LEVEL_PKT_PRIVACY. The client MUST specify the RPC Authentication Service as SPNEGO, as specified in [MS-RPCE].

For ClusAPI Protocol version 3.0, if the client connects to the server by using a computer name, the client SHOULD indicate a service principal name as specified below. If the client connects to the server by using an IP address, the client SHOULD indicate a NULL security principal name, which causes the SPNEGO security provider to fall back to the NTLM security provider.

For ClusAPI Protocol version 3.0, if the client indicates a service principal name, the service principal name MUST be composed as follows: the Unicode string "MSServerClusterMgmtAPI", followed by the Unicode "/" character, followed by the server computer name. The client MUST then specify the following security QoS settings to the security provider.

Value                               Description
----------------------------------  ----------------------------------------------------------------------------------------------------------------------------------------------
RPC_C_QOS_CAPABILITIES_MUTUAL_AUTH  The security provider is required to perform mutual authentication of client and server.
RPC_C_QOS_IDENTITY_STATIC           The security context is created only one time and is never revised during the entire communication, even if the client side changes it.
RPC_C_IMP_LEVEL_IMPERSONATE         The server can impersonate the client's security context on its local system, but not on remote systems.

Otherwise, for ClusAPI Protocol version 3.0, if the client indicates a NULL service principal name, it MUST direct the security provider to use its default security QoS settings.

In ClusAPI Protocol version 2.0 and ClusAPI Protocol version 3.0, the server MUST allow calls only by clients that are permitted by the cluster security descriptor. The RPC Authentication Service is used to establish the identity of the client. The server MUST<3> validate that the authenticated client is authorized to call protocol methods by using the cluster security descriptor.

In ClusAPI Protocol version 2.0, the server MUST register the NTLM security provider.

In ClusAPI Protocol version 3.0, the server MUST register the SPNEGO security provider with the service principal name composed as follows: the Unicode string "MSServerClusterMgmtAPI", followed by the Unicode character "/", followed by the client name.
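The version-dependent transport rules above (protocol sequence, authentication service, minimum authentication level, SPN composition and QoS settings for the client; the authentication-level floor the server enforces), modelled as runnable policy code. This is an added example, not code from the specification or from Windows; the level ordering follows [MS-RPCE], the numeric values, the protocol-sequence strings and the hostnames are assumptions chosen for this model, and the cluster security descriptor check is out of scope here.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Authentication levels in the [MS-RPCE] ordering; numeric values are an assumption
# for comparison only, not taken from any Windows header.
AUTHN_LEVEL = {"NONE": 1, "CONNECT": 2, "CALL": 3, "PKT": 4,
               "PKT_INTEGRITY": 5, "PKT_PRIVACY": 6}

SPN_PREFIX = "MSServerClusterMgmtAPI"


def compose_spn(server_name: str) -> str:
    """Version 3.0 SPN: 'MSServerClusterMgmtAPI' + '/' + server computer name."""
    return f"{SPN_PREFIX}/{server_name}"


@dataclass
class Binding:
    version: str                      # "2.0" or "3.0"
    protseq: str                      # RPC protocol sequence (assumed identifiers)
    authn_level: str                  # key of AUTHN_LEVEL
    authn_service: str                # "NTLM" or "SPNEGO"
    spn: Optional[str]                # None means a NULL principal name
    qos: Optional[Tuple[str, ...]]    # None means the provider's default QoS


def client_binding(version: str, server: str, connected_by_ip: bool = False,
                   will_set_account_password: bool = False) -> Binding:
    """Choose the client-side binding parameters that section 2.1 requires."""
    if version == "2.0":
        # NTLM over UDP; PKT_INTEGRITY normally, PKT_PRIVACY whenever
        # ApiSetServiceAccountPassword will be called in this session.
        level = "PKT_PRIVACY" if will_set_account_password else "PKT_INTEGRITY"
        return Binding("2.0", "ncadg_ip_udp", level, "NTLM", None, None)
    if version == "3.0":
        # SPNEGO over TCP, always PKT_PRIVACY. A NULL SPN (IP-address connect)
        # makes SPNEGO fall back to NTLM and uses the default QoS.
        spn = None if connected_by_ip else compose_spn(server)
        qos = None if spn is None else (
            "RPC_C_QOS_CAPABILITIES_MUTUAL_AUTH", "RPC_C_QOS_IDENTITY_STATIC",
            "RPC_C_IMP_LEVEL_IMPERSONATE")
        return Binding("3.0", "ncacn_ip_tcp", "PKT_PRIVACY", "SPNEGO", spn, qos)
    raise ValueError(f"unsupported ClusAPI version {version!r}")


def server_accepts(b: Binding) -> bool:
    """Server-side floor: CONNECT for 2.0, PKT_PRIVACY for 3.0 (lower is refused)."""
    floor = "CONNECT" if b.version == "2.0" else "PKT_PRIVACY"
    return AUTHN_LEVEL[b.authn_level] >= AUTHN_LEVEL[floor]
```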