Microsoft® Provisioning Framework can be configured to use Kerberos delegation for authentication in domain deployments. Kerberos delegation is a form of impersonation. Microsoft distinguishes between the two terms: impersonation lets a server act under the caller's security context on its own computer, while delegation extends that across a network hop, so that the server uses the caller's credentials to authenticate to another computer. In MPF, delegation refers to the ability of the provisioning engine to execute a procedure under the COM security context of the calling user rather than under its own service account.
MPF can use Kerberos delegation:
For an MPF server to delegate to another server, the identity it runs under (normally MPFServiceAcct) must be marked as trusted for delegation in Active Directory (the "Trust this user for delegation" setting, the TRUSTED_FOR_DELEGATION bit of userAccountControl). Delegation also fails if the calling user's account, that is, the account whose credentials are to be forwarded, is marked "Account is sensitive and cannot be delegated" (the NOT_DELEGATED bit): the domain controller then issues no forwardable ticket for that user, whatever the server account's settings. In addition, the MPF client properties must be configured to support dynamic cloaking and delegation; these correspond to COM's EOAC_DYNAMIC_CLOAKING capability and the RPC_C_IMP_LEVEL_DELEGATE impersonation level.
There are two ways to configure Kerberos delegation. The easiest way is to install MPF in an unattended setup, specifying the MPF_IMPERSONATE=1 parameter. In an existing installation, you can manually configure impersonation as follows.
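Before turning on impersonation either way, it is worth confirming that the directory prerequisites above are actually in place, because a misconfigured account fails only at run time. The script below is an added example, not part of the MPF documentation or product. It assumes the ActiveDirectory PowerShell module on a domain-joined machine; the default service account name MPFServiceAcct comes from the text above, and the caller account to test is an argument you supply. The SPN check is a general Kerberos requirement rather than something the text states.

```powershell
# Added example; not MPF code. Checks the AD prerequisites for Kerberos delegation:
#  - the account the MPF server runs under must be trusted for delegation
#  - the account being impersonated must not be "sensitive and cannot be delegated"
param(
    [string]$ServiceAccount = 'MPFServiceAcct',   # documented default MPF service account
    [string]$CallerAccount  = $env:USERNAME       # a user whose credentials would be delegated
)

Import-Module ActiveDirectory

# userAccountControl bits (documented Windows values).
$UF_TRUSTED_FOR_DELEGATION = 0x80000    # "Trust this user for delegation to any service (Kerberos only)"
$UF_NOT_DELEGATED          = 0x100000   # "Account is sensitive and cannot be delegated"

function Get-DelegationState {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties userAccountControl, servicePrincipalName
    [pscustomobject]@{
        Account              = $u.SamAccountName
        TrustedForDelegation = [bool]($u.userAccountControl -band $UF_TRUSTED_FOR_DELEGATION)
        NotDelegated         = [bool]($u.userAccountControl -band $UF_NOT_DELEGATED)
        SpnCount             = @($u.servicePrincipalName).Count
    }
}

$svc    = Get-DelegationState -SamAccountName $ServiceAccount
$caller = Get-DelegationState -SamAccountName $CallerAccount
$ok     = $true

if (-not $svc.TrustedForDelegation) {
    Write-Warning "$($svc.Account) is not trusted for delegation; MPF cannot delegate to another server."
    $ok = $false
}
if ($svc.SpnCount -eq 0) {
    # General Kerberos requirement (not from the MPF text): without an SPN on the service
    # account, clients authenticate with NTLM and no Kerberos delegation is possible.
    Write-Warning "$($svc.Account) has no servicePrincipalName; clients will not get Kerberos tickets for it."
    $ok = $false
}
if ($caller.NotDelegated) {
    Write-Warning "$($caller.Account) is marked 'Account is sensitive and cannot be delegated'; its credentials will not be forwarded."
    $ok = $false
}

$svc, $caller | Format-Table -AutoSize
if ($ok) {
    'Delegation prerequisites are satisfied.'
} else {
    'Fix the warnings above, e.g. Set-ADAccountControl -Identity <account> -TrustedForDelegation $true'
}
```

Run it as a user who can read the two accounts, for example `.\Test-MpfDelegation.ps1 -CallerAccount alice` (file name is your choice). Unconstrained delegation (TRUSTED_FOR_DELEGATION) is what the text requires, but it lets the server account impersonate any caller to any service, so keep MPFServiceAcct's password strong and its logon rights limited to the MPF servers.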
In requests, impersonation for procedure calls is specified using the impersonate attribute of individual execute and queue nodes. For Kerberos authentication, impersonate must be set to 1 and the request must not already contain a \securityContext\authentication\basic node: if it does, MPF assumes the call uses basic authentication rather than Kerberos and runs the procedure with the user name and password supplied in that node instead of the caller's delegated credentials.
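Because a stray basic node silently switches the request from Kerberos delegation to basic authentication, a client can check a request before submitting it. The function below is an added example, not MPF code. The node and attribute names it tests (execute, queue, impersonate, securityContext/authentication/basic) are the ones named above; the surrounding request structure (request, procedure, namespace= and procedure= attributes) and the sample requests are assumptions about the MPF request schema, constructed for illustration.

```powershell
# Added example; not MPF code. Checks that a request XML will be treated as a
# Kerberos-delegated call: every execute/queue node has impersonate="1" and no
# securityContext/authentication/basic node is present.
function Test-MpfKerberosRequest {
    param([Parameter(Mandatory)][string]$RequestXml)

    [xml]$doc  = $RequestXml
    $problems  = @()

    # A basic authentication node makes MPF ignore Kerberos for the whole request.
    $basic = $doc.SelectNodes('/request/securityContext/authentication/basic')
    if ($basic.Count -gt 0) {
        $problems += 'request contains securityContext/authentication/basic; MPF will use basic authentication, not Kerberos'
    }

    # Each procedure call must opt in to impersonation individually.
    foreach ($node in $doc.SelectNodes('//execute | //queue')) {
        $imp = $node.GetAttribute('impersonate')
        if ($imp -ne '1') {
            $problems += ("{0} node for procedure '{1}' has impersonate='{2}' (expected 1)" -f
                          $node.LocalName, $node.GetAttribute('procedure'), $imp)
        }
    }

    [pscustomobject]@{
        UsesKerberosDelegation = ($problems.Count -eq 0)
        Problems               = $problems
    }
}

# Constructed sample requests (assumed schema; "Sample Namespace" and "Sample Procedure"
# are placeholders, not real MPF procedures).
$kerberosRequest = @'
<request>
  <data><user>alice</user></data>
  <procedure>
    <execute namespace="Sample Namespace" procedure="Sample Procedure" impersonate="1"/>
  </procedure>
</request>
'@

$basicRequest = @'
<request>
  <securityContext>
    <authentication>
      <basic><user>svc</user><password>secret</password></basic>
    </authentication>
  </securityContext>
  <procedure>
    <execute namespace="Sample Namespace" procedure="Sample Procedure" impersonate="1"/>
    <queue   namespace="Sample Namespace" procedure="Sample Procedure"/>
  </procedure>
</request>
'@

Test-MpfKerberosRequest -RequestXml $kerberosRequest   # UsesKerberosDelegation: True
Test-MpfKerberosRequest -RequestXml $basicRequest      # False, two problems reported
```

The second sample fails for both reasons the text gives: it carries a basic node, and its queue node has no impersonate attribute. Wire the function in front of whatever submits requests to the provisioning engine so that a request intended to run as the caller never runs under stored basic credentials by mistake.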
Kerberos protocol in MSDN®