3.1.6.1 Three-phase authorization test

When a three-phase authorization test is performed, the following phases MUST be performed in order:

Phase 1: If the DNS server is directory server integrated then the client's credentials MUST be tested for Read privilege against the DNS Server Configuration Access Control List (see section 3.1.1). This tests whether or not the client can be granted access to any of the functionality of the DNS Server Management Protocol. If this test is passed, then the server MUST proceed to Phase 2. If the DNS server is not directory server integrated, and if the client is a member of either the Administrators group or the System Operators group, access MUST be granted and further authorization testing MUST NOT be performed. Otherwise access MUST be denied and the server MUST return an error.

Phase 2: If the authorization test in Phase 1 is passed and the DNS server is directory server integrated, then the DNS server MUST perform an explicit ACL check for either Read or Write privilege. The ACL used for this test MUST be one of the three listed in the following table; whether Read or Write privilege is tested is specified in the description of the request being processed.

Access Control List: DNS Server Configuration Access Control List (see section 3.1.1)
Description: This ACL is tested for Read privilege in Phase 1 to gate basic access to the protocol. It is also used to control access for any operation that is not performed against a specific zone or directory partition.

Access Control List: Application Directory Partition Access Control List (see section 3.1.1)
Description: This ACL is used to control access for any operation that is performed against the directory partition. Operations that are performed against zones do not use this ACL.

Access Control List: Zone Access Control List (see section 3.1.1)
Description: This ACL is used to control access for any operation that is performed against a zone that is stored in the directory server. If a zone is stored in the directory server inside a partition, any operation specific to the zone will use the Zone ACL.

Phase 3: If the authorization test in Phase 2 is passed and the DNS server is directory server integrated, then the DNS server MUST impersonate the client for any actions performed against a directory server (for impersonation details, see [MS-RPCE] section 2.2.1.1.9), unless the target of the modification is a dnsNode object whose Aging Time Stamp attribute (section 3.1.1.2.4) is older than the Time Zone Secured attribute of the zone (section 3.1.1). If the operation against the directory server fails, the DNS server MUST return an error.
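The three phases as a single decision function, added here as an illustrative model and not the protocol's own code. The flat principal-to-privilege ACL, the Client and DnsServer classes, and the plain comparable timestamps standing in for the Aging Time Stamp and Time Zone Secured attributes are all assumptions of this example.

```python
from dataclasses import dataclass, field

ADMIN_GROUPS = {"Administrators", "System Operators"}  # group names as given in Phase 1

@dataclass
class Client:
    principal: str
    groups: set = field(default_factory=set)

@dataclass
class Acl:
    # Hypothetical flat ACL model: principal -> set of granted privileges
    # ("Read" / "Write"). Real ACLs are security descriptors, not modelled here.
    entries: dict = field(default_factory=dict)

    def grants(self, client, priv):
        return priv in self.entries.get(client.principal, set())

@dataclass
class DnsServer:
    directory_integrated: bool
    config_acl: Acl = field(default_factory=Acl)
    partition_acl: Acl = field(default_factory=Acl)
    zone_acls: dict = field(default_factory=dict)  # zone name -> Acl

def authorize(server, client, target_kind, priv, zone=None,
              node_aging=None, zone_secured=None):
    """Run the three phases; returns (access_granted, impersonate_client).
    target_kind is "server", "partition" or "zone"; priv is "Read" or "Write"
    as the request description specifies; node_aging/zone_secured are comparable
    timestamps (constructed; the attributes' encoding is not reproduced)."""
    # Phase 1: gate on config ACL Read, or on group membership if not integrated.
    if not server.directory_integrated:
        return (bool(client.groups & ADMIN_GROUPS), False)
    if not server.config_acl.grants(client, "Read"):
        return (False, False)  # server returns an error
    # Phase 2: explicit Read/Write check against the ACL selected by target type.
    acl = {"server": server.config_acl, "partition": server.partition_acl,
           "zone": server.zone_acls.get(zone, Acl())}[target_kind]
    if not acl.grants(client, priv):
        return (False, False)
    # Phase 3: impersonate the client for directory actions, except when the
    # target dnsNode's Aging Time Stamp is older than the zone's Time Zone Secured.
    impersonate = not (target_kind == "zone" and node_aging is not None
                       and zone_secured is not None and node_aging < zone_secured)
    return (True, impersonate)
```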