Authorization During Calls to External Services
In Microsoft® Provisioning Framework (MPF), requests that call external services such as Microsoft® Active Directory® pass their security context to providers as follows. Once the service receives the MPF security context, it can perform its own authorization.
- To pass security context to a provider, the trusted attribute in the request's execute or queue node must be set to 1. The provider can then use this information to modify the security context of the call to the external service. For example, HTTP and SOAP Provider does this when initiating an HTTP request with basic authentication.
- If the request's execute or queue node sets the impersonate attribute to 1, what happens next depends on whether the request's securityContext node contains basic or Kerberos authentication credentials.
  - MPF passes basic credentials unchanged to external services. For more information, see Basic Authentication.
  - For Kerberos, MPF impersonates the COM credentials of the calling user that submitted the request. For more information, see Kerberos Authentication.
- If security checking will take place at another level (for example during calls to namespaces), it may be desirable to configure MPFServiceAcct with all rights and simply pass that context instead of implementing Kerberos delegation.
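When reviewing requests for least privilege, it helps to list every execute or queue node that sets trusted or impersonate to 1, since those are the calls whose security context leaves MPF. The following is an added example, not MPF code: the sample request is constructed, and its root layout and the namespace and procedure attribute values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Only the execute/queue/securityContext node names and the
# trusted/impersonate attributes come from the page; the root layout and the
# namespace/procedure values are assumptions made for illustration.
SAMPLE_REQUEST = """\
<request>
  <securityContext/>
  <procedure>
    <execute namespace="Example NS" procedure="CreateUser" impersonate="1"/>
    <execute namespace="Example NS" procedure="CallWebService" trusted="1"/>
    <queue namespace="Example NS" procedure="Cleanup" trusted="1" impersonate="1"/>
    <execute namespace="Example NS" procedure="LocalOnly"/>
  </procedure>
</request>
"""


def audit_request(xml_text):
    """List every execute/queue node that forwards security context."""
    # ElementTree does not defend against entity-expansion attacks; only feed
    # it request files from a source you already trust.
    root = ET.fromstring(xml_text)
    has_ctx = any(el.tag == "securityContext" for el in root.iter())
    findings = []
    for node in root.iter():
        if node.tag not in ("execute", "queue"):
            continue
        trusted = node.get("trusted", "").strip() == "1"
        impersonate = node.get("impersonate", "").strip() == "1"
        if trusted or impersonate:
            findings.append({
                "node": node.tag,
                "procedure": node.get("procedure"),
                "trusted": trusted,          # provider receives the security context
                "impersonate": impersonate,  # credentials reach the external service
                "has_security_context": has_ctx,
            })
    return findings


if __name__ == "__main__":
    for f in audit_request(SAMPLE_REQUEST):
        print(f)
```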
See Also
Access Control Basics