Agramont.net

Coding, Hosting, Software + Services....and other stuff

Conrad Agramont's Blog

How MPF Stored Credentials are used with the Plans Database Registry Values

There was a question posted in the MPS Forum (http://forums.asp.net/thread/1235615.aspx) of the asp.net forum that I thought I'd answer here.

Issue:

Our provisioning sample site works fine with an administrator account. When I try to create a customer organisation with reseller rights, I receive the following error message:

Error: Failed to get the registry value specified. Machine:'.', Rootkey:'HKEY_LOCAL_MACHINE', Subkey:'SOFTWARE\Microsoft\Provisioning\CustomerPlansDb', Item:'Customer Database'./Access is denied./GetRegValue

Is there anyone that solved this problem? Maybe there are problems with the ACE Rights.

Response:

During a provisioning request that reads from or writes to the Plans Database (HECustomerDB), the provisioning system needs the connection string information in order to make that call. This information is stored in the registry, hence the call to the "GetPlanDBConnString_" procedure. The person submitting the request (e.g. someone who is not a Domain Admin) normally doesn't have rights to read that registry key, and for good reason. So in order for MPS to get that information from the registry, the call needs to be elevated to a credential that does have those rights.

A feature of MPF is "Stored Credentials" (SC). These SCs are predefined in the Provisioning Manager MMC. The MPSPrivAcct-xxxx account has a fair amount of rights, and one of those rights is the ability to read from the local registry (this is a step in the HMC Deployment Walkthrough). So by setting the "Execute As" property of the "GetPlanDBConnString_" procedure to the "MPSPrivAcct-xxxx" account, any other procedure that calls it will be able to complete the task, because it runs under an account with the rights needed to perform it. Also, these procedures are marked as "Private", so you can't just call them directly to work around the system.
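One way to check the registry permissions this design depends on, as an added example that is not part of the original post or of the MPS tooling: it lists which principals can read values on the key named in the error message, confirms that an account matching the post's MPSPrivAcct-xxxx naming is among them, and warns if broad groups can read the connection string. The wildcard pattern and the list of broad principals are assumptions.

```powershell
# Added example (not from the original post). Run on the MPF server, elevated.
$keyPath     = 'HKLM:\SOFTWARE\Microsoft\Provisioning\CustomerPlansDb'  # from the error text
$privPattern = '*MPSPrivAcct-*'   # suffix is deployment-specific, hence the wildcard
# Assumption: these broad principals should not be able to read the connection string.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

$queryValues = [int][System.Security.AccessControl.RegistryRights]::QueryValues
$genericRead = [int]::MinValue    # GENERIC_READ (0x80000000), shown undecoded by Get-Acl
$genericAll  = 0x10000000         # GENERIC_ALL
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-GrantsValueRead($Rule) {
    # True when the ACE's access mask covers reading values on this key.
    $mask = [int]$Rule.RegistryRights
    return (($mask -band $queryValues) -ne 0) -or
           (($mask -band $genericRead) -ne 0) -or
           (($mask -band $genericAll) -ne 0)
}

$acl = Get-Acl -Path $keyPath -ErrorAction Stop
# Inherit-only ACEs affect subkeys, not this key, so leave them out.
$rules = $acl.Access | Where-Object {
    (([int]$_.PropagationFlags -band $inheritOnly) -eq 0) -and (Test-GrantsValueRead $_)
}

$rules | Select-Object IdentityReference, AccessControlType, RegistryRights, IsInherited |
    Format-Table -AutoSize

# Only ACEs that name the account directly are matched; group membership is not resolved.
$priv = $rules | Where-Object { $_.IdentityReference.Value -like $privPattern }
if (-not ($priv | Where-Object { $_.AccessControlType -eq 'Allow' })) {
    Write-Warning "No Allow ACE for $privPattern grants value read on $keyPath."
}
if ($priv | Where-Object { $_.AccessControlType -eq 'Deny' }) {
    Write-Warning "A Deny ACE for $privPattern blocks value read on $keyPath."
}
$rules |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value } |
    ForEach-Object { Write-Warning "$($_.IdentityReference) can read the Plans Database connection values." }
```

If the first warning appears, the stored credential may still get access through a group such as the local Administrators, so check the account's group membership before changing the ACL.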

There is a whitepaper that I wrote that does provide more details on this and other security settings and MPS Configurations:

http://go-planet.com/community/files/folders/207/download.aspx

Hope this helps someone! 

Comments

 

Ben Drake said:

This is great information, but it fails to answer the question of how to fix the problem.
January 23, 2007 7:07 PM
 

agramont said:

You'll need to download the whitepaper mentioned above and ensure the register permissions are set properly.

January 23, 2007 10:01 PM
 

parke said:

thank you

September 4, 2008 8:18 AM


About agramont

Conrad Agramont is a Partner Technology Specialist (PTS) focused on the Microsoft Server product lines in the Small and Mid-Market Solutions and Partners (SMSP) area for the Mid-Atlantic district. Conrad was previously the Senior Architect for a Microsoft Gold Partner where he was responsible for product planning, software architecture, and technical evangelism focusing on Service Providers around the world. Agramont was previously a Program Manager at Microsoft driving hosting scenarios and architecting components for the Microsoft Provisioning System, Service Provisioning component in Microsoft Solutions for Hosted Messaging & Collaboration, Hosted Exchange 2003, and Windows based Hosting 3.0. Conrad has over 8 years of experience in the Microsoft automation and hosting space, speaking at public events, and publishing articles in magazines. Conrad Agramont is also an active blogger focusing on many Microsoft Hosting related topics. His blog can be found at http://agramont.net/
