As Microsoft Provisioning Framework (MPF) processes a provisioning request, it exercises two forms of access control: authentication and authorization.
For access control, MPF supports scenarios such as the following.
Scenario | Advantages | Disadvantages |
---|---|---|
Front-end access control: A Web server or other front-end component performs all security checks before the request is submitted to MPF. MPF executes requests to external services based on the security context of a credential stored in the configuration database or (if there is no credential) MPFServiceAcct. In the latter case, MPFServiceAcct must be granted access to the external services. | | |
Windows access control: MPF executes requests based on the COM security context of the calling user, using Kerberos delegation or basic authentication to impersonate that user in requests to external services. MPF does not perform security checking. | | |
MPF access control: Provisioning servers perform security checking based on the identity's right to access: MPF executes requests to external services in the security context of a credential stored in the configuration database or (if there is no credential) MPFServiceAcct. For the latter, MPFServiceAcct must be granted access to the external services. The Microsoft Provisioning Framework Software Development Kit (SDK) contains additional resources and information about the IProvQueue and IProvEngine interfaces. For more information on the SDK and how to use it, see Microsoft Provisioning Framework SDK and documentation. | | |