Kerberos authentication is employed by Microsoft Provisioning System (MPS) when credentials for the calling user are unspecified in a provisioning request. By using Kerberos delegation, MPS can allow procedures called by a request to run under the Component Object Model (COM) security context of the calling user or application, providing that procedure level security - such as a stored credential - does not require the procedure to run in another context.

MPS uses Kerberos delegation for untrusted requests. An untrusted request is one that contains only data and the name of a procedure to call. Because untrusted requests do not contain a security context, MPS must authenticate this type of request based on the security context of the calling COM or Hypertext Transfer Protocol (HTTP)/Simple Object Access Protocol (SOAP) application.