Settings for User Impersonation Security

This topic covers the machine.config settings to configure user impersonation.

Setting impersonation behavior

Use these settings together to configure user impersonation behavior.

Security.users.impersonateUsers

Set to True to enable impersonation of explicitly logged on users. The default is false.

For example:
<MicroFocus.SEE>
    ...
    <add key="Security.users.impersonateUsers" value="true"/>
    ...
</MicroFocus.SEE>
Security.users.impersonateDefaultUser

Set to True to enable impersonation of the default user. The default is false.

For example:
<MicroFocus.SEE>
    ...
    <add key="Security.users.impersonateDefaultUser" value="true" />
    ...
</MicroFocus.SEE>

You enable or disable these options in conjunction with each other to set the configuration that you want. The four combinations available are detailed below:

impersonateUsers False, impersonateDefaultUser False
This is the default setting. All code runs under the user account that started the session.
impersonateUsers False, impersonateDefaultUser True

Sessions always run under the default user account. EXEC CICS SIGNON verifies user credentials, but does not change the session's impersonation identity.

This setting is useful when you want to run all application code under a single reduced-privilege account and switching identities per user is not necessary.

impersonateUsers True, impersonateDefaultUser True

Impersonation is fully enabled, and sessions run under the default user account. EXEC CICS SIGNON changes the user account to the logged on user account.

impersonateUsers True, impersonateDefaultUser False

Sessions run under the user account that started the session. EXEC CICS SIGNON changes the user account to the logged on user account.

This configuration is useful for testing user-based security or if only some applications need to run under a special account.

Setting the default user

Use these settings to configure the default user for impersonation functionality.

Important: The default user that you configure must exist on your system, and must have sufficient permissions to log on to Windows interactively (or using the configured logon type, if you change the logon type with Security.users.logonType).
Security.users.defaultUser

Set to the name of the default user. The default is: mfuser

For example:
<MicroFocus.SEE>
    ...
    <add key="Security.users.defaultUser" value="cicsuser" />
    ...
</MicroFocus.SEE>
Note: For this example to work, you need to create the cicsuser user ID.
Security.users.defaultUserPassword

Set to the password of the default user. The default is: mfuser

Note: This value is stored in cleartext in machine.config. Change it from the default before enabling impersonateDefaultUser, and restrict read access to machine.config to administrators and the account that runs the event monitor processes.

For example:
<MicroFocus.SEE>
    ...
    <add key="Security.users.defaultUserPassword" value="password" />
    ...
</MicroFocus.SEE>

Setting the token creation method

For multiple-machine environments such as clusters, these settings control how user tokens are created to handle logons across the machines.

Security.users.tokenCreationMode
  • transition

    Sets user impersonation on a multiple machine system to Protocol Transition (PT) mode. This is the default mode for event monitors in a scale-out environment.

  • credentials

    Sets user impersonation on a multiple machine system to Credentials (CP) mode.

For example, the following line sets user impersonation on a multiple machine system to Credentials (CP) mode.
<MicroFocus.SEE>
    ...
    <add key="Security.users.tokenCreationMode" value="credentials" />
    ...
</MicroFocus.SEE>

Setting user domain options

Use these settings to configure how the system performs log ons across domains.

Security.users.domain
Set this to authenticate users in a domain other than the one the system belongs to. Event monitor processes running on a computer not joined to a domain will authenticate users locally. This can also be set to . (a period or full-stop character) to force systems to authenticate locally.
Security.users.searchDomains
If this is set to true, and a log on request finds that the user is not defined in the default domain, the event monitor process searches the local system and any other domains trusted by the system for the user, and attempts to authenticate in the first domain where the user is found.
Security.users.tryLocalLogon
  • If set to true, the event monitor process attempts to authenticate the user first in the default domain, then in the local system.
  • If set to first, the event monitor process attempts to authenticate the user first in the local system, then the specified domain or domain search.

If none of these options is set, the system attempts to log users on to the local domain if the computer is joined to one, or to the local system if it is not.

Setting the Windows logon type

By default, Enterprise Server for .NET logs users on to Windows using the LOGON32_LOGON_INTERACTIVE logon type. For impersonated users, you can configure the Windows logon type by setting security.users.logonType to one of the following:

security.users.logonType

Logon type                            Value
LOGON32_LOGON_INTERACTIVE (default)   interactive
LOGON32_LOGON_BATCH                   batch
LOGON32_LOGON_SERVICE                 service
LOGON32_LOGON_NETWORK                 network
LOGON32_LOGON_NETWORK_CLEARTEXT       cleartext

See the Microsoft Windows SDK documentation for the LogonUser API for more information on logon types. Whichever type you choose, the default user (and any impersonated user) must hold the matching Windows user right on every machine, for example "Log on as a batch job" for batch or "Log on as a service" for service; otherwise LogonUser fails and impersonation cannot start.

Setting a surrogate user

You can specify that all users are granted surrogate authority.

allowSurrogate
  • True

    All user accounts are granted surrogate authority. That is, any user can specify any recognized user name in the USERID parameter of the EXEC CICS START command, so work can be started under another user's identity.

  • Any other value, or not set

    The only values that are accepted in the USERID parameter are:

    • The name of the user who is currently signed on in the session where the application is running.
    • The default user.
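The following script is an added example and is not Micro Focus code. It parses the `<add key="..." value="..."/>` entries of a `<MicroFocus.SEE>` section as shown throughout this topic and reports the effective behaviour of the settings described above: the session identity before and after EXEC CICS SIGNON for the four impersonation combinations, the order in which logons are attempted under the domain options, and the checks worth running before enabling impersonation (default password still in place, an unrecognised logonType or tokenCreationMode, and allowSurrogate switched on). The sample configuration embedded in it is constructed for the example, and the `domain_joined` parameter stands in for a machine-state check that the script does not perform.

```python
"""Audit the impersonation settings in the <MicroFocus.SEE> section of a
machine.config. Added example, not Micro Focus code: it reads the
<add key="..." value="..."/> entries described on this page and reports
the effective behaviour plus the checks worth making before enabling
impersonation in production."""
import xml.etree.ElementTree as ET

# Values this page documents for logonType and tokenCreationMode.
LOGON_TYPES = {"interactive", "batch", "service", "network", "cleartext"}
TOKEN_MODES = {"transition", "credentials"}

# Constructed sample config: impersonation switched on, the shipped default
# password left in place, and a mistyped logon type.
SAMPLE_CONFIG = """<configuration>
  <MicroFocus.SEE>
    <add key="Security.users.impersonateUsers" value="true"/>
    <add key="Security.users.impersonateDefaultUser" value="true" />
    <add key="Security.users.defaultUser" value="cicsuser" />
    <add key="Security.users.tokenCreationMode" value="credentials" />
    <add key="Security.users.tryLocalLogon" value="first" />
    <add key="Security.users.logonType" value="bath" />
  </MicroFocus.SEE>
</configuration>
"""


def load_settings(xml_text):
    """Return {key: value} for the <add> entries under <MicroFocus.SEE>.

    Keys are lower-cased because the page itself writes logonType with
    both 'Security.' and 'security.' prefixes. No section -> empty dict.
    """
    root = ET.fromstring(xml_text)
    section = next(root.iter("MicroFocus.SEE"), None)
    if section is None:
        return {}
    return {add.get("key", "").lower(): add.get("value", "")
            for add in section.findall("add")}


def setting(settings, key, default=""):
    """Case-insensitive lookup, normalised for comparisons."""
    return settings.get(key.lower(), default).strip().lower()


def impersonation_mode(settings):
    """Identity a session runs under, before and after EXEC CICS SIGNON,
    for the four documented combinations of the two switches."""
    users = setting(settings, "Security.users.impersonateUsers", "false") == "true"
    default = setting(settings, "Security.users.impersonateDefaultUser", "false") == "true"
    start = "default user" if default else "session starter"
    return {"session": start, "after_signon": "signed-on user" if users else start}


def logon_order(settings, domain_joined=True):
    """Where logons are tried, in order, under the domain options as the
    page describes them: domain '.' forces local, tryLocalLogon true/first
    choose whether the domain or the local system is tried first, and with
    nothing set a domain-joined machine uses its domain, otherwise local."""
    domain = settings.get("security.users.domain", "").strip()
    search = setting(settings, "Security.users.searchDomains") == "true"
    try_local = setting(settings, "Security.users.tryLocalLogon")
    if domain == ".":
        return ["local system"]
    domain_step = f"domain {domain}" if domain else "default domain"
    if search:
        domain_step += ", then local system and trusted domains"
    if try_local == "true":
        return [domain_step, "local system"]
    if try_local == "first":
        return ["local system", domain_step]
    if domain or search:
        return [domain_step]
    return ["local domain" if domain_joined else "local system"]


def audit(settings):
    """Findings an operator should resolve; an empty list means none."""
    findings = []
    if setting(settings, "Security.users.impersonateDefaultUser", "false") == "true":
        # The password ships as 'mfuser' and sits in cleartext in
        # machine.config, so it must be changed and the file's ACL tightened.
        if settings.get("security.users.defaultuserpassword", "mfuser") in ("", "mfuser"):
            findings.append("defaultUserPassword is missing or still the shipped default")
    ltype = setting(settings, "Security.users.logonType", "interactive")
    if ltype not in LOGON_TYPES:
        findings.append(f"unknown logonType '{ltype}'")
    tmode = setting(settings, "Security.users.tokenCreationMode", "transition")
    if tmode not in TOKEN_MODES:
        findings.append(f"unknown tokenCreationMode '{tmode}'")
    if setting(settings, "allowSurrogate") == "true":
        findings.append("allowSurrogate=true lets any user START work under any USERID")
    return findings


if __name__ == "__main__":
    cfg = load_settings(SAMPLE_CONFIG)
    print(impersonation_mode(cfg))
    print(logon_order(cfg))
    for finding in audit(cfg):
        print("FINDING:", finding)
```

To run it against a real installation, pass the text of the machine.config file to `load_settings` instead of `SAMPLE_CONFIG`. The script only reads the configuration; it does not check that the default user exists or holds the logon right for the configured logon type, which still has to be verified on each machine.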