3.1.5.1.1.3 Processing Details

  • Article

The HTTP POST request is processed as follows.

  1. The server checks for the following claims and values in the JWT sent by the client in the HTTP Authorization Header:

    Claim

    Value

    http://schemas.microsoft.com/authorization/claims/PermitDeviceRegistrationClaim

    The value MUST be the string "true".

    http://schemas.microsoft.com/ws/2012/01/accounttype

    The value MUST be the string "DJ".

    http://schemas.microsoft.com/identity/claims/onpremobjectguid

    A unique id generated by the client. The value MUST be binary and base64-encoded.

    primarysid

    The SID of the identity that authenticated to the Web service.

    If any of the claims from the table is not present, or if the value of the claim does NOT match the corresponding value in the table, the server MUST respond to the HTTP POST in the following manner:

    • The DRS server responds with an HTTP response with the HTTP status code set to 400 ("Bad Request").

    • The body of the HTTP response contains an ErrorDetails object (section 2.2.3.1) that provides the client with additional, implementation-specific information about the error.

  2. The server adds the following object identifiers (OIDs) and values to the X.509 certificate request [RFC4211] contained in the CertificateRequest object of the client HTTP request.

    OID

    Value

    1.2.840.113556.1.5.284.2

    The DRS server MUST generate a globally unique identifier (GUID) and include it as the value.

    1.2.840.113556.1.5.284.3

    The Object-Guid attribute ([MS-ADA3] section 2.44) of the User object ([MS-ADSC] section 2.269) on the directory server that corresponds to the authenticating user.

    1.2.840.113556.1.5.284.4

    The Object-Guid attribute of the Domain object ([MS-ADSC] section 2.43) on the directory server.

    1.2.840.113556.1.5.284.1

    The Invocation-Id attribute ([MS-ADA1] section 2.314) of the NTDS-DSA object ([MS-ADSC] section 2.205) for the directory server.

  3. The server signs the request by using the issuer certificate stored in the ms-DS-Issuer-Certificates attribute of the ms-DS-Device-Registration-Service object with the most recent timestamp (see section 2.3.1). The server MUST use a SHA256WithRSAEncryption signature algorithm and a SHA256 hash algorithm.

  4. The server sends a request to the directory server to locate a device object where the ms-DS-Device-ID attribute ([MS-ADA2] section 2.304) equals the value of the http://schemas.microsoft.com/identity/claims/onpremobjectguid JWT claim from step 1.

  5. If the device object from step 4 is NOT located, the server sends a request to the directory server to create a device record as an instance of the ms-DS-Device class as a child of the container specified in the ms-DS-Device-Location attribute of the ms-DS-Device-Registration-Service object. The ms-DS-Device-ID attribute of the device object MUST be set to the base64-decoded value of the http://schemas.microsoft.com/identity/claims/onpremobjectguid JWT claim from step 1.

  6. The server sends a request to the directory server to set the following attributes on the device object:

    • The SHA1 hash of the certificate thumbprint plus certificate public key, added as an additional value of the Alt-Security-Identities attribute (see section 2.3.3).

    • The device type that corresponds to the DeviceType value sent in the request (section 3.1.5.1.1.1), stored as the ms-DS-Device-OS-Type attribute ([MS-ADA2] section 2.308).

    • The device operating system version that corresponds to the OSVersion value sent in the request (section 3.1.5.1.1.1), stored as the ms-DS-Device-OS-Version attribute ([MS-ADA2] section 2.309).

    • The SID of the identity that authenticated to the Web service, stored as the ms-DS-Registered-Users attribute ([MS-ADA2] section 2.442).

    • The SID of the user account that authenticated to the Web service, stored as the ms-DS-Registered-Owner attribute ([MS-ADA2] section 2.441).

    • The friendly name of the device that corresponds to the DeviceDisplayName value sent in the request (section 3.1.5.1.1.1), stored as the Display-Name attribute ([MS-ADA1] section 2.175).

    • The ms-DS-Is-Enabled attribute to true.

    • The ms-DS-Device-Trust-Type attribute ([MS-ADA2] section 2.311) to 2.

    • The ms-DS-Device-Object-Version attribute ([MS-ADA2] section 2.307) to 2.

    • The ms-DS-Cloud-IsManaged attribute ([MS-ADA2] section 2.291) to false.

    • The ms-DS-Approximate-Last-Logon-Time-Stamp attribute ([MS-ADA2] section 2.223) to a time that is generated by the server, represented in FILETIME format ([MS-DTYP] section 2.3.3).

    • Remove existing ms-DS-Key-Credential-Link values from the device object. Add a new value to the ms-DS-Key-Credential-Link attribute of the device object.

      The KEYCREDENTIALLINK_BLOB MUST be created according to [MS-ADTS] section 2.2.20 and section 2.3.4 in this specification. In addition, the following KEYCREDENTIALLINK_ENTRY identifiers ([MS-ADTS] section 2.2.20.6) MUST be present.

      KEYCREDENTIALLINK_ENTRY identifier

      Value

      KeyMaterial

      The base64-decoded TransportKey property from the HTTP POST.

      KeyUsage

      0x02

      CustomKeyInformation

      The Version field MUST be set to 1 and the Flags field MUST be set to 0.

      KeySource

      KEY_SOURCE_AD

      KeyApproximateLastLogonTimeStamp

      MUST be set to a time that is generated by the server represented in FILETIME format.

      KeyCreationTime

      MUST be set to a time that is generated by the server represented in FILETIME format.

      DeviceId

      MUST be the value of the ms-DS-Device-ID attribute of the device object, formatted as specified in [MS-ADTS] section 2.2.20.

  7. The DRS server responds to the HTTP POST request with an HTTP response with the HTTP status code set to 200 ("OK"). The response body contains the signed X.509 certificate from step 3.