One way of submitting requests to Microsoft® Provisioning Framework (MPF) is by calling methods of the client interfaces. This approach is appropriate for provisioning within a local data center.
The client is a COM object (mapsclient.dll) installed during MPF setup. An instance of the client must reside on any computer that sends requests to MPF. The client runs in-process to the calling application.
The client interfaces are IProvEngine and IProvQueue. IProvEngine submits real-time requests to provisioning engines. IProvQueue submits queued requests to queue managers. For scripting examples, see the documentation for the respective APIs.
Note The client only supports synchronous communication (no callback).
How MPF handles calls to provisioning engines and queue managers is configurable as follows.
- Using Provisioning Manager, set properties in Microsoft Provisioning, Provisioning Servers, Clients.
- Using Configuration WMI Provider, set properties for class MSFT_MPFClient.
You can implement client properties for both provisioning engine clients and queue manager clients, but you cannot implement different values for individual clients. These settings are also used by SOAP ISAPI.
Property Description Authentication Level Authentication is the process of assigning a security identity to each step in a provisioning request. MPF supports the following authentication levels.
- None: No authentication occurs.
- Connect: Authentication occurs only once the connection is made.
- Call (default): The client authenticates at the beginning of every call.
- Packet: The client authenticates and verifies that all call data is received.
- Packet Integrity: The client authenticates and verifies that none of the call data was modified in transit.
- Packet Privacy: The client authenticates and encrypts the packet, including the data and the sender's identity and signature.
- Default: The client authenticates based on the local computer's setting for COM+ authentication.
Exclusion Interval Amount of time that a client will withhold requests to a failed server.
Clients forward requests to queue managers and provisioning engines. If a queue manager, provisioning engine, or network connection experiences a failure, as indicated by specific error codes, MPF stops sending requests to the component for the amount of time specified in Exclusion Interval. The default interval is 300 seconds.
This option minimizes unnecessary resource consumption of network bandwidth, CPU cycles, and other system resources during a failure. It also enables the provider to generate a more immediate error to alert the caller that the server is not available.
You can also configure an individual request with an connectionExclusionInterval node or set an individual computer's ConnectionExclusionInterval registry value. For more information on these options, see HTTP and SOAP Provider.
Capabilities The Capabilities property identifies the COM+ cloaking capability (none, static, or dynamic) to use when determining the identity to pass from an MPF client to an external server. The following table describes the supported cloaking capabilities. For an extended discussion of cloaking and impersonation, see "Cloaking" in MSDN®.
- Static: COM+ uses the client identity from the first proxy call for all subsequent calls. If a proxy identity was set during a previous call, this becomes the client identity; otherwise, the client identity is based on the identity associated with the thread token (if any) or process token (if there is no thread token).
- Dynamic: COM+ re-evaluates the client identity after each call to a proxy to determine whether it has changed. If it has, the client is re-authenticated. If a proxy identity was set during a previous call, this becomes the client identity; otherwise, the client identity is based on the one associated with the thread token (if any) or process token (if there is no thread token). For dynamic cloaking, servers see the identity of the client that originated the call, which is generally the desired behavior. However, dynamic cloaking incurs an additional performance cost.
- None (default): The connection has no cloaking capabilities.
Connection Hold Time Amount of time to hold connections open to unused provisioning engines and queue managers. Clients cache connections and then release them once the specified hold time elapses. The default hold time is 300 seconds. Impersonation Level Indicates how much authority the client gives the provisioning server to represent the calling user. The supported impersonation levels are as follows:
- Anonymous: The client is anonymous to the server application. The server can impersonate the client, but the impersonation token does not contain any information about the client.
- Identify: The server can obtain the client's identity and impersonate the client only when checking discretionary access control lists (DACLs). The server cannot access system objects as the client.
- Impersonate (default): The server can impersonate the client while acting on its behalf, but only if the server and the client both reside on the same computer. The impersonation token can only be passed across one computer boundary. The SChannel authentication service only supports this level of impersonation.
- Delegate: The server can impersonate the client regardless of where it resides in the network. If delegation is required, Capabilities must be set to "Dynamic Cloaking." The impersonation token can be passed across any number of computer boundaries.
- Default: This is the default local setting for COM+ impersonation. COM+ chooses the impersonation level using its normal security blanket negotiation algorithm. For more information, see "Security Blanket Negotiation" in MSDN®.
Max Pool Size This option controls the maximum number of simultaneous connections that clients hold open with provisioning engines or queue managers. MPF stores these open connections in a cache. The default value is 100 connections. Principal Identifies the user principal name (UPN) of the account under which the provisioning manager or queue manager runs. Configuring the impersonation level of the client to support delegation requires a UPN for the engine or queue manager. The user name should be in the format username@domain, whereby domain is the Active Directory domain. The default user principal name is the user name specified during MPF setup.
Architecture, SOAP ISAPI, MPF Accounts, MPF Groups
Top of Page
© 1999-2002 Microsoft Corporation. All rights reserved.