This topic covers the machine.config settings to configure user impersonation.
Use these settings together to configure user impersonation behavior.
Set to true to enable impersonation of explicitly logged-on users, that is, users who sign on with EXEC CICS SIGNON. The default is false.
<MicroFocus.SEE> ... <add key="Security.users.impersonateUsers" value="true"/> ... </MicroFocus.SEE>
Set to true to enable impersonation of the default user (the account named by Security.users.defaultUser). The default is false.
<MicroFocus.SEE> ... <add key="Security.users.impersonateDefaultUser" value="true" /> ... </MicroFocus.SEE>
You enable or disable these options in conjunction with each other to set the configuration that you want. The four combinations available are detailed below:
Security.users.impersonateUsers=false, Security.users.impersonateDefaultUser=true: sessions always run under the default user account. EXEC CICS SIGNON verifies the user's credentials but does not change the session's impersonation identity.
This setting is useful when you want to run all application code under a reduced-privilege account and switching identities is not necessary.
Security.users.impersonateUsers=true, Security.users.impersonateDefaultUser=true: impersonation is fully enabled, and sessions run under the default user account until a user signs on. EXEC CICS SIGNON changes the session's user account to the logged-on user's account.
Security.users.impersonateUsers=true, Security.users.impersonateDefaultUser=false: sessions run under the user account that started the session. EXEC CICS SIGNON changes the session's user account to the logged-on user's account.
This configuration is useful for testing user-based security or if only some applications need to run under a special account.
Use these settings to configure the default user for impersonation functionality.
Set to the name of the default user. The default is: mfuser
<MicroFocus.SEE> ... <add key="Security.users.defaultUser" value="cicsuser" /> ... </MicroFocus.SEE>
Set to the password of the default user. The default is: mfuser. The password is stored in cleartext in machine.config, so restrict read access to that file to the accounts that need it.
<MicroFocus.SEE> ... <add key="Security.users.defaultUserPassword" value="password" /> ... </MicroFocus.SEE>
For multiple-machine environments such as clusters, these settings control how user tokens are created to handle log ins across the multiple machines.
Sets user impersonation on a multiple-machine system to Protocol Transition (PT) mode. This is the default mode for event monitors in a scale-out environment.
Sets user impersonation on a multiple-machine system to Credentials (CP) mode.
<MicroFocus.SEE> ... <add key="Security.users.tokenCreationMode" value="credentials" /> ... </MicroFocus.SEE>
Use these settings to configure how the system performs log ons across domains.
If neither of these options is set, the system attempts to log users on to the local domain if the computer is joined to one, or to the local system if it is not.
By default, Enterprise Server for .NET logs users on to Windows using the LOGON32_LOGON_INTERACTIVE logon type. For impersonated users, you can configure the Windows logon type by setting security.users.logonType to one of the following values:
| Type | Value |
|---|---|
| LOGON32_LOGON_INTERACTIVE (the default type) | interactive |
| LOGON32_LOGON_BATCH | batch |
| LOGON32_LOGON_SERVICE | service |
| LOGON32_LOGON_NETWORK | network |
| LOGON32_LOGON_NETWORK_CLEARTEXT | cleartext |
See the Microsoft Windows SDK documentation for the LogonUser API for more information on logon types. The account being impersonated must hold the Windows user right that matches the chosen type (Allow log on locally for interactive, Log on as a batch job for batch, Log on as a service for service, Access this computer from the network for network and cleartext); if it does not, LogonUser fails with ERROR_LOGON_TYPE_NOT_GRANTED and the impersonation fails. Note also that LOGON32_LOGON_NETWORK does not cache the credentials, so the impersonated session cannot reach network resources, whereas LOGON32_LOGON_NETWORK_CLEARTEXT keeps the name and password in the authentication package so that it can.
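As an added example (not Micro Focus code and not part of the original page), the following PowerShell script ties the impersonation combinations above to the logon-type setting: it reads the Security.users.* keys from a constructed MicroFocus.SEE section, reports which combination is in effect, and then calls the Windows LogonUser API with the default user's credentials and the configured logon type, so that a wrong password or a missing user right (the usual causes of a failed impersonation) shows up before the region is started. Assumptions: the section sits directly under the configuration element (adjust the XPath if your machine.config places it elsewhere); the numeric LOGON32_LOGON_* values come from the Windows SDK, not from this page; the sample section, user name and password are constructed for the example.

```powershell
# Added example, not Micro Focus code. Reads the impersonation keys from a
# <MicroFocus.SEE> section, reports the effective impersonation mode and
# verifies that the default user can log on with the configured logon type.
#
# Constructed sample section (assumed to sit directly under <configuration>).
# To check a real installation use: [xml]$config = Get-Content $machineConfigPath -Raw
[xml]$config = @"
<configuration>
  <MicroFocus.SEE>
    <add key="Security.users.impersonateUsers" value="true"/>
    <add key="Security.users.impersonateDefaultUser" value="true"/>
    <add key="Security.users.defaultUser" value="cicsuser"/>
    <add key="Security.users.defaultUserPassword" value="password"/>
    <add key="security.users.logonType" value="batch"/>
  </MicroFocus.SEE>
</configuration>
"@

# appSettings-style keys; a PowerShell hashtable matches them case-insensitively.
$settings = @{}
foreach ($add in $config.SelectNodes('//MicroFocus.SEE/add')) {
    $settings[$add.GetAttribute('key')] = $add.GetAttribute('value')
}
function Get-Setting([string]$Key, [string]$Default) {
    if ($settings.ContainsKey($Key)) { $settings[$Key] } else { $Default }
}

# Defaults are the documented ones.
$impersonateUsers   = [bool]::Parse((Get-Setting 'Security.users.impersonateUsers' 'false'))
$impersonateDefault = [bool]::Parse((Get-Setting 'Security.users.impersonateDefaultUser' 'false'))
$defaultUser        = Get-Setting 'Security.users.defaultUser' 'mfuser'
$defaultPassword    = Get-Setting 'Security.users.defaultUserPassword' 'mfuser'
$logonTypeName      = (Get-Setting 'security.users.logonType' 'interactive').ToLowerInvariant()

# Effective behaviour of the impersonateUsers/impersonateDefaultUser combinations.
$mode = switch ("$impersonateUsers/$impersonateDefault") {
    'True/True'  { "full impersonation: sessions start as $defaultUser, EXEC CICS SIGNON switches to the signed-on user" }
    'True/False' { 'sessions run as the account that started them; EXEC CICS SIGNON switches to the signed-on user' }
    'False/True' { "every session runs as $defaultUser; EXEC CICS SIGNON only verifies credentials" }
    default      { 'neither impersonation option is enabled' }
}
Write-Output "Impersonation mode: $mode"

# LOGON32_LOGON_* values from winbase.h, keyed by the names this setting accepts.
$logonTypes = @{ interactive = 2; network = 3; batch = 4; service = 5; cleartext = 8 }
if (-not $logonTypes.ContainsKey($logonTypeName)) {
    throw "security.users.logonType '$logonTypeName' is not one of: $($logonTypes.Keys -join ', ')"
}

if (-not ('Win32.Advapi' -as [type])) {
    Add-Type -Namespace Win32 -Name Advapi -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password, int logonType, int logonProvider, out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@
}

# Resolve the domain the way the documented default does: the computer's domain
# if it is joined to one, otherwise the local account database (".").
$user = $defaultUser
if ($defaultUser -match '^(?<d>[^\\]+)\\(?<u>.+)$') {
    $domain = $Matches.d; $user = $Matches.u
} else {
    $domain = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
    if (-not $domain) { $domain = '.' }
}

# Provider 0 is LOGON32_PROVIDER_DEFAULT. The password is never echoed.
$token = [IntPtr]::Zero
$ok  = [Win32.Advapi]::LogonUser($user, $domain, $defaultPassword, $logonTypes[$logonTypeName], 0, [ref]$token)
$err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()

if ($ok) {
    $identity = New-Object System.Security.Principal.WindowsIdentity($token)
    Write-Output "OK: $($identity.Name) logged on with LOGON32 type '$logonTypeName'"
    [void][Win32.Advapi]::CloseHandle($token)
} else {
    # 1326 and 1385 are the two failures this configuration most often produces.
    $hint = switch ($err) {
        1326    { 'wrong user name or password (ERROR_LOGON_FAILURE)' }
        1385    { "the account lacks the user right for logon type '$logonTypeName' (ERROR_LOGON_TYPE_NOT_GRANTED)" }
        default { (New-Object System.ComponentModel.Win32Exception([int]$err)).Message }
    }
    Write-Output "FAIL: LogonUser for $domain\$user returned $err - $hint"
}
```

Run the script on the machine that will host the region, under any account: LogonUser itself needs no special privilege, so a FAIL with 1385 points at the user rights assignment for the chosen logon type rather than at the script's own rights, and a 1326 points at the name or password in machine.config.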
You can specify that all users are granted surrogate authority.
All user accounts are granted surrogate authority. That is, any user can specify any recognized user name in the USERID parameter of the EXEC CICS START command, so started transactions can run under an identity other than the starting user's. Grant this only where every user of the region is trusted to do so, because it removes the per-user check on who may start work under another user's identity.
The only values that are accepted in the USERID parameter are: