3.1 IWindowsDeviceEnrollmentService Server Details

The IWindowsDeviceEnrollmentService hosts a message endpoint that receives RequestSecurityToken messages (section 3.1.4.1). On receipt, the server processes the client request, creates and signs an X.509 certificate [RFC5280], and then contacts the directory server to create a device object. Upon receiving the directory server's reply, the server generates a response and sends the client either a RequestSecurityTokenResponse message (section 3.1.4.1.1.2) or a SOAP fault. Once that message has been sent, the server returns to the waiting state.

Figure 3: State model for security token service

The items of information that are communicated between the server and the directory server are specified in subsequent sections of this document.

Authentication

The WS-Trust X.509v3 Enrollment Protocol Extensions [MS-WSTEP] use the authentication provisions in WS-Security [WSS] to enable the X.509v3 Security Token issuer to authenticate the X.509v3 Security Token requestor. The following information defines the schema used to express the credential descriptor for each supported credential type.

  • Token Authentication

    The token credential is provided in a request message by using the WS-Trust BinarySecurityToken definition as defined in section 3.1.4.1.2.3.
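The state model above (RST in; RSTR or SOAP fault out; back to waiting) and the token-credential rule, as an added example that is not part of this specification or any Microsoft implementation. It assumes the credential travels as a wsse:BinarySecurityToken element directly under the wst:RequestSecurityToken (the real placement and encoding are in section 3.1.4.1.2.3), and the validate_token, issue_certificate and create_device_object hooks are hypothetical stand-ins for the credential check, the certificate signing step and the directory-server call; the sample request and its credential value are constructed.

```python
import base64
import xml.etree.ElementTree as ET
SOAP = "http://www.w3.org/2003/05/soap-envelope"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
for prefix, uri in (("s", SOAP), ("wst", WST), ("wsse", WSSE)):
    ET.register_namespace(prefix, uri)

def _envelope(kind, body_child):
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Body").append(body_child)
    return kind, ET.tostring(env, encoding="unicode")
def _fault(reason):
    # SOAP 1.2 Sender fault; after sending it the server is back in the waiting state.
    fault = ET.Element(f"{{{SOAP}}}Fault")
    ET.SubElement(ET.SubElement(fault, f"{{{SOAP}}}Code"), f"{{{SOAP}}}Value").text = "s:Sender"
    ET.SubElement(ET.SubElement(fault, f"{{{SOAP}}}Reason"), f"{{{SOAP}}}Text").text = reason
    return _envelope("Fault", fault)
def _rstr(cert_der):
    rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
    requested = ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken")
    ET.SubElement(requested, f"{{{WSSE}}}BinarySecurityToken").text = base64.b64encode(cert_der).decode()
    return _envelope("RSTR", rstr)
def handle_request(envelope_xml, validate_token, issue_certificate, create_device_object):
    """One pass through the state model: RST in, (kind, xml) out with kind "RSTR" or "Fault". The
    hooks are hypothetical stand-ins for token validation, cert signing, directory call; None = failure."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return _fault("Malformed SOAP envelope")
    rst = root.find(f"{{{SOAP}}}Body/{{{WST}}}RequestSecurityToken")
    if rst is None:
        return _fault("Body is not a RequestSecurityToken")
    bst = rst.find(f"{{{WSSE}}}BinarySecurityToken")
    if bst is None or not (bst.text or "").strip():
        return _fault("No BinarySecurityToken credential in request")
    requestor = validate_token(bst.text.strip())
    if requestor is None:  # nothing is signed or created for an unauthenticated requestor
        return _fault("Credential rejected")
    cert_der = issue_certificate(requestor)
    if cert_der is None or create_device_object(requestor, cert_der) is None:
        return _fault("Certificate issuance or directory device-object creation failed")
    return _rstr(cert_der)

SAMPLE_RST = (f'<s:Envelope xmlns:s="{SOAP}" xmlns:wst="{WST}" xmlns:wsse="{WSSE}"><s:Body>'
              '<wst:RequestSecurityToken><wsse:BinarySecurityToken>ZGV2aWNlLTQy'  # base64("device-42")
              '</wsse:BinarySecurityToken></wst:RequestSecurityToken></s:Body></s:Envelope>')

def demo_validate(token_b64):  # constructed rule: the only credential this example accepts
    return "device-42" if base64.b64decode(token_b64) == b"device-42" else None
```

Every failure path returns a fault without minting a certificate or touching the directory, which is the property a defender wants to verify in a real enrollment endpoint.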