Authorization During Calls to External Services
In Microsoft® Provisioning Framework (MPF), requests that call external services such as Microsoft® Active Directory® pass their security context to providers as follows. Once the service receives the MPF security context, it can perform its own authorization.
- To pass security context to a provider, the trusted attribute in the request's execute or queue node must be set to 1. The provider can then use this information to modify the security context of the call to the external service. For example, HTTP and SOAP Provider does this when initiating an HTTP request with basic authentication.
- If the request's execute or queue node sets the impersonate attribute to 1, what happens next depends on whether the request's securityContext node contains basic or Kerberos authentication credentials.
  - MPF passes basic credentials unchanged to external services. For more information, see Basic Authentication.
  - For Kerberos, MPF impersonates the COM credentials of the calling user that submitted the request. For more information, see Kerberos Authentication.
- If security checking will take place at another level (for example during calls to namespaces), it may be desirable to configure MPFServiceAcct with all rights and simply pass that context instead of implementing Kerberos delegation.
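As an added illustration (not part of the MPF documentation or of MPF itself), the following Python script audits a request and reports which execute or queue nodes ask MPF to pass the caller's security context onward. Only the execute, queue and securityContext node names and the trusted and impersonate attributes come from this page; the request layout, the `namespace` and `procedure` attributes and all sample values are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample request. Only execute/queue, trusted, impersonate and
# securityContext come from the page; every other name here is hypothetical.
SAMPLE_REQUEST = """
<request>
  <securityContext/>
  <procedure>
    <execute namespace="ExampleNS" procedure="StepA" trusted="1"/>
    <execute namespace="ExampleNS" procedure="StepB" impersonate="1"/>
    <queue namespace="ExampleNS" procedure="StepC" trusted="1" impersonate="1"/>
    <execute namespace="ExampleNS" procedure="StepD"/>
  </procedure>
</request>
"""

def audit_request(xml_text):
    """Return one finding per execute/queue node describing its context flags."""
    root = ET.fromstring(xml_text)
    has_context = root.find(".//securityContext") is not None
    findings = []
    for node in root.iter():
        if node.tag not in ("execute", "queue"):
            continue
        trusted = node.get("trusted") == "1"
        impersonate = node.get("impersonate") == "1"
        notes = []
        if trusted:
            notes.append("security context is passed to the provider")
        if impersonate:
            notes.append("basic credentials pass unchanged, or the caller is impersonated for Kerberos")
        if (trusted or impersonate) and not has_context:
            notes.append("WARNING: no securityContext node in this request")
        findings.append({"node": node.tag, "label": node.get("procedure", "?"),
                         "trusted": trusted, "impersonate": impersonate,
                         "notes": notes})
    return findings

def forwards_context(findings):
    """Labels of the steps that pass the caller's security context onward."""
    return [f["label"] for f in findings if f["trusted"] or f["impersonate"]]

if __name__ == "__main__":
    for f in audit_request(SAMPLE_REQUEST):
        print(f["node"], f["label"], "; ".join(f["notes"]) or "no context flags set")
```

Steps listed by `forwards_context` are the ones to review when deciding whether the external service, rather than MPF, should be performing authorization with the caller's credentials.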
© 1999-2002 Microsoft Corporation. All rights reserved.