3.4.4.1.1.1.3 RequestSecurityToken using On-Premise Authentication

Authentication MUST be implemented for this message as defined in section 3.4. In summary, the following elements and attributes MUST be specified in the SOAP header:

wsse:Security: The <wsse:Security> element MUST be a child of <s:Header>.

wsse:UsernameToken: The <wsse: UsernameToken> element MUST be a child of <wsse:Security> in <s:Header>.

wsse:UsernameToken/attributes/u:Id: The type MUST be "uuid-cc1ccc1f-2fba-4bcf-b063-ffc0cac77917-4" for on-premise authentication.

wsse:UserName: The <wsse: Username> element MUST be a child of <wsse:UsernameToken> in <s:Header>and the value specifies the user name.

wsse:Password: The <wsse: Password> element MUST be a child of <wsse:UsernameToken> in <s:Header> and the value specifies the user password.

wsse:Password/attributes/Type: This value MUST be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText".

Namespace: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd

The following elements and attributes are specified in the SOAP body of the request message.

wst:RequestSecurityToken: The <wst:RequestSecurityToken> element MUST be a child of <s:Body>.

wst:RequestType: The <wst:RequestType> element MUST be a child of <wst:RequestSecurityToken> and the value MUST be "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue" (see [WSTrust1.3] section 3.1).

wst:TokenType: The <wst:tokentype> element MUST be a child of <wst:RequestSecurityToken> and the value MUST be "http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/ Enrollment/DeviceEnrollmentToken" (see [WSTrust1.3] section 3.1).

wsse:BinarySecurityToken: The <wsse:BinarySecurityToken> element MUST be a child of <wst:RequestSecurityToken> and MUST contain a base64-encoded certificate signing request.

wsse:BinarySecurityToken/attributes/ValueType: The <wsse:BinarySecurityToken> ValueType attribute MUST be "http://schemas.microsoft.com/windows/pki/2009/01/ enrollment#PKCS10".

wsse:BinarySecurityToken/attributes/EncodingType: The <wsse:BinarySecurityToken> EncodingType attribute MUST be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary".

The following elements and their values are specified in the SOAP body of the request message.

ac:AdditionalContext: The <ac:AdditionalContext> element MUST be a child of <wst:RequestSecurityToken> (see [MS-WSTEP] section 3.1.4.1.3.3).

ac:ContextItem: One or more <ac:ContextItem> Name attribute MUST be specified as child elements of < ac:AdditionalContext >.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "OSEdition".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value MUST be set to the decimal value as an int of the product enumeration defined in section 2.2.9.6.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "OSVersion".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value MUST be a string (UTF-8) in the format int.int.int.int.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "DeviceName".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a string (UTF-8) name of the device.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "EnrollmentType.

ac:Value: The <ac:Value> element is a child of <ac:AdditionalContext> and the value MUST be a string (UTF-8) that MUST be Full or Device.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "DeviceType".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a string (UTF 8) that MUST be WindowsPhone for mobile devices, CIMClient_Windows for desktop devices, or WindowsHandheld for enterprise handheld devices.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "ApplicationVersion".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value MUST be a string that specifies the application version in the format int.int.int.int.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "DeviceID".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value specifies the unique device identifier. 

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "EnrollmentData"

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value contains the enrollment data.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "MAC". Multiple MAC addresses are supported if a device has multiple NICs.

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a string (UTF-8) that specifies the MAC address of the device.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "IMEI".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is an int that specifies the mobile equipment ID.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "TargetedUserLoggedIn".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is true or false that indicates whether the user is logged in.

The following fourteen elements are supported in an implementation-specific manner.<16>

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "Locale".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string that specifies the locale of the device.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "HWDevID".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a 64 hex character length UTF-8 string that specifies the hardware device ID.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "ZeroTouchProvisioning". This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning.

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string that represents a GUID used by Zero Touch Provisioning.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "OfflineAutoPilotEnrollmentCorrelator". This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning via offline registration.

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string that serves as a correlator from the offline registration initiator to the enrollment server. The string length must be greater than 0 and less than or equal to 100, contains alphanumeric character and single hyphen only, and cannot be started with a hyphen.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "UXInitiated".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a boolean value that indicates whether the enrollment is user-initiated from the Settings page.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "ExternalMgmtAgentHint".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string the agent uses to give hints the enrollment server may need.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "DomainName".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string specifying the fully qualified domain name, if the device is domain-joined.

Namespace: http://schemas.xmlsoap.org/ws/2006/12/authorization