Agramont.net

Sr. Product Manager, Enterprise Tech for Accelrys

Conrad Agramont's Blog

How MPF Stored Credentials are used with the Plans Database Registry Values

There was a question posted in the MPS Forum (http://forums.asp.net/thread/1235615.aspx) of the asp.net forum that I thought I'd answer here.

Issue:

Our provisioning sample site works fine with an administrator account. When I try to create a customer organisation with reseller rights, I receive the following error message:

Error: Failed to get the registry value specified. Machine:'.', Rootkey:'HKEY_LOCAL_MACHINE', Subkey:'SOFTWARE\Microsoft\Provisioning\CustomerPlansDb', Item:'Customer Database'./Access is denied./GetRegValue

Is there anyone that solved this problem? Maybe there are problems with the ACE Rights.

Response:

During a provisioning request that reads from or writes to the Plans Database (HECustomerDB), the provisioning system needs the connection string information in order to make that call. This information is stored in the registry, hence the call to the "GetPlanDBConnString_" procedure. The person submitting the request (e.g. someone who is not a Domain Admin) normally doesn't have rights to read that registry key, and for good reason. So for MPS to be able to get that information from the registry, the call needs to be elevated to a credential that does have those rights.

A feature of MPF is "Stored Credentials" (SC). These SCs are predefined in the Provisioning Manager MMC. The MPSPrivAcct-xxxx account has a fair amount of rights, and one of those rights is the ability to read from the local registry (this is a step in the HMC Deployment Walkthrough). By setting the "Execute As" property of the "GetPlanDBConnString_" procedure to the "MPSPrivAcct-xxxx" account, any other procedure that calls it will be able to complete this task, because it runs under an account with the rights needed to perform it. These procedures are also marked as "Private", so you can't just call them directly to work around the system.

I wrote a whitepaper that provides more details on this and on other security settings and MPS configurations:

http://go-planet.com/community/files/folders/207/download.aspx
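
One way to inspect the registry permissions discussed above, as an added example that is not from the original post or the whitepaper. The key path is taken from the error message; the account name is a placeholder (the real MPSPrivAcct suffix and domain are deployment-specific), and the script is assumed to run elevated on the MPS server.

```powershell
# Added example: audit read access on the Plans Database connection-string key.
param(
    # Key path as reported in the GetRegValue error message.
    [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Provisioning\CustomerPlansDb',
    # Placeholder: replace with the stored-credential account of your deployment.
    [string]$Account = 'DOMAIN\MPSPrivAcct-xxxx'
)

# Rights needed to open the key and read its values.
$read = [System.Security.AccessControl.RegistryRights]::ReadKey

try {
    $acl = Get-Acl -Path $KeyPath -ErrorAction Stop
} catch {
    Write-Error "Cannot read the ACL on $KeyPath as $($env:USERNAME): $($_.Exception.Message)"
    return
}

# Flatten every ACE and note how it relates to the read rights.
$rules = $acl.Access | ForEach-Object {
    $overlap = $_.RegistryRights -band $read
    [pscustomobject]@{
        Identity    = $_.IdentityReference.Value
        Type        = $_.AccessControlType
        Rights      = $_.RegistryRights
        GrantsRead  = ($overlap -eq $read)    # all read bits present
        TouchesRead = ([int]$overlap -ne 0)   # any read bit present
        Inherited   = $_.IsInherited
    }
}
$rules | Format-Table -AutoSize

# ACEs that name the stored-credential account directly.
$mine  = @($rules | Where-Object { $_.Identity -ieq $Account })
$deny  = @($mine | Where-Object { $_.Type -eq 'Deny'  -and $_.TouchesRead })
$allow = @($mine | Where-Object { $_.Type -eq 'Allow' -and $_.GrantsRead })

if ($deny.Count -gt 0) {
    Write-Output "DENY: an explicit deny ACE for $Account covers read rights on $KeyPath."
} elseif ($allow.Count -gt 0) {
    Write-Output "OK: $Account is explicitly allowed to read $KeyPath."
} else {
    Write-Output "CHECK: no ACE names $Account directly; any read access comes from group membership."
}
```

The table also shows whether broad groups hold read rights on the key, which would defeat the purpose of restricting the connection string to the stored credential.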

Hope this helps someone! 

Comments

 

Ben Drake said:

This is great information, but it fails to answer the question of how to fix the problem.
January 23, 2007 7:07 PM
 

agramont said:

You'll need to download the whitepaper mentioned above and ensure the registry permissions are set properly.

January 23, 2007 10:01 PM
 

parke said:

thank you

September 4, 2008 8:18 AM


About agramont

Conrad Agramont is focused on .NET Development, Virtualization, Windows 7, Windows Server 2008, Virtual Desktop, and Microsoft Business Productivity (Exchange, Office, Live Communications)
For more information on Conrad and Agramont Services, please visit: http://agramontservices.com