2.1 Transport

DCOM, as specified in [MS-DCOM], is used as the transport protocol.

This protocol uses the DCOM Remote Protocol, to create and use DCOM object references to server objects.

Certificate Services Remote Administration Protocol clients initialize a connection to the Certificate Services Remote Administration server by creating and executing a DCOM activation request. As a result of this DCOM activation, the Certificate Services Remote Administration client can use the DCOM client to call the methods specified in this document. The activation process is detailed in [MS-DCOM] section 3.2.4.

The RPC version number for all interfaces MUST be 0.0.

[MS-DCOM] section specifies the various elements that a DCOM-using application passes to the DCOM client as part of the initial activation request. Below are the values the Certificate Services Remote Administration Protocol client sends to the DCOM layer.

General DCOM settings:

  • Remote server name, which is the application-supplied remote server name as specified in [MS-DCOM] section The Certificate Services Remote Administration Protocol client sends the name of the CA server.

  • Class identifier (CLSID) of the object requested. This value is d99e6e73-fc88-11d0-b498-00a0c90312f3.

  • Interface identifier(s) (IID) of interface(s) requested.

    • ICertAdminD: d99e6e71-fc88-11d0-b498-00a0c90312f3

    • ICertAdminD2: 7fe0d935-dda6-443f-85d0-1cfb58fe41dd<1>

Security settings ([MS-DCOM] section

  • Security provider: RPC_C_AUTHN_GSS_NEGOTIATE (9)

  • Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY (6).

    As a result of the security provider and authentication level used, there is a negotiation between the client and server security providers that results in either NTLM, as specified in [MS-NLMP], or Kerberos, as specified in [RFC4120] and [MS-KILE], being used as the authentication method.

  • Impersonation level: RPC_C_IMP_LEVEL_IMPERSONATE (3).

    This means the server can use the client's security context while acting on behalf of the client, to access local resources such as files on the server.

  • Authentication identity and credentials: NULL.

Passing NULL authentication identity and credentials for the RPC_C_AUTHN_GSS_NEGOTIATE security provider means that the OPRC call uses the identity and credentials of the higher-layer application.<2>

Default values, as specified in [MS-DCOM], are used for all DCOM inputs not specified above, such as Security Principal Name (SPN), and client and prototype context property buffers and their context property identifiers.