Specify how Microsoft Provisioning Framework (MPF) handles client connections
You can control how MPF handles client connections by modifying
the properties of clients. You set properties for all provisioning
engine clients and for all queue manager clients, not for specific
servers.
You can modify the following transaction properties for
clients:
Authentication level
This flag is used by developers to set the level at which
Component Object Model (COM) applications should verify the
identity of clients. The options, from lowest to highest security,
are as follows:
- None
No authentication occurs.
- Connect
Authenticates client credentials only when the connection is
initiated with the server.
- Call
Authenticates client credentials at the beginning of each remote
procedure call when the server receives the request. This is the
default setting.
- Packet
Authenticates and verifies that all data received is from the
expected client.
- Packet integrity
Authenticates and verifies that none of the data has been
modified in transit between the client and the server.
- Packet privacy
Authenticates and encrypts the packet, including the data and
the sender's identity and signature.
- Default
Lets Distributed Component Object Model (DCOM) specify the
authentication level by using the default security blanket
negotiation algorithm used by the local computer for COM
authentication.
Exclusion interval
Clients forward requests to queue managers and provisioning
engines. If a queue manager, provisioning engine, or network
connection experiences a failure, as indicated by specific error
codes, MPF excludes that component, which means that MPF stops
sending requests to the component. The exclusion interval option
specifies the amount of time to wait before MPF again starts
sending requests to the excluded component. The default exclusion
interval is 300 seconds.
This option minimizes unnecessary resource consumption of
network bandwidth, CPU cycles, and other system resources during a
failure. It also enables the provider to generate a more immediate
error to alert the caller that the server is not available.
Note
- You can configure the exclusion interval by configuring an
individual request to use the connectionExclusionInterval option
and by setting the ConnectionExclusionInterval registry key. If no
value is specified for connectionExclusionInterval, requests use
the default registry value. For more information on using these
options to control the exclusion interval, see the Microsoft
Provisioning Framework SDK documentation.
Capabilities
Clients must establish an identity to submit requests. You can
modify this property to change how MPF implements this process. The
options are as follows:
- Static cloaking
When this flag is set, DCOM uses the calling thread token (if
present) when determining the identity of the client.
- Dynamic cloaking
When this flag is set, DCOM uses the thread token (if present)
when determining the identity of the client. On each call to a
proxy, the current thread token is examined to determine whether
the identity of the client has changed (incurring an additional
performance cost) and the client is authenticated again if
necessary.
- None
This is the default setting.
Connection hold time
This option controls the amount of time that clients hold
connections open to provisioning engines and queue managers that
are not being used. Clients cache connections to the provisioning
engines and the queue managers and then release the unused
connections after the specified hold time has elapsed. The default
hold time is 300 seconds.
Impersonation level
This option controls the level of authority that the client
grants to applications when they are acting on its behalf. The
levels are as follows:
- Anonymous
The client is anonymous to the server application. The server
can impersonate the client, but the impersonation token does not
contain any information about the client.
- Identify
The server application can obtain the identity of the client.
The server application can impersonate the client to do
discretionary access control list (DACL) checks, but cannot access
system objects as the client.
- Impersonate
The server application can impersonate the client while acting
on its behalf, subject to the following restrictions. The server can
access resources on the same computer as the client. If the server
is on the same computer as the client, it can access network
resources as the client. If the server is on a different computer
from the client, it can access only resources that are on the same
computer as the server. This is the default setting.
- Delegate
The server application can impersonate the client while acting
on its behalf, whether or not on the same computer as the client.
During impersonation, all of the credentials belonging to the
client can be passed to any number of computers.
- Default
Uses the COM+ impersonation level that is configured as the
default on the local computer.
Max pool size
This option controls the maximum number of simultaneous
connections that clients hold open with the provisioning engines or
with the queue managers. MPF stores these open connections in a
cache. The default max pool size is 100 connections.
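The exclusion interval, connection hold time and max pool size described above together define a client-side connection policy. The following Python model is an added example, not MPF SDK code: it simulates that policy with the page's defaults (300 seconds, 300 seconds, 100 connections) against a constructed clock and constructed component names, so the interaction of the three settings can be observed without a live deployment.

```python
"""Simulation of the MPF client connection policy described on this page.
Added example, not MPF SDK code: component names, outcomes and the clock
are constructed; the three defaults are the ones the page states."""
from dataclasses import dataclass, field


@dataclass
class Connection:
    target: str        # queue manager or provisioning engine (constructed name)
    last_used: float   # simulated clock value of the last request on it


@dataclass
class ClientConnectionPolicy:
    exclusion_interval: float = 300.0   # seconds before retrying a failed component
    hold_time: float = 300.0            # seconds an idle cached connection is kept
    max_pool_size: int = 100            # maximum simultaneous cached connections
    excluded_until: dict = field(default_factory=dict)  # target -> clock value
    pool: list = field(default_factory=list)            # cached Connection objects

    def is_excluded(self, target, now):
        """True while the component is still inside its exclusion interval."""
        return self.excluded_until.get(target, 0.0) > now

    def release_idle(self, now):
        """Drop cached connections unused for longer than hold_time; return pool size."""
        self.pool = [c for c in self.pool if now - c.last_used <= self.hold_time]
        return len(self.pool)

    def send(self, target, now, ok):
        """Submit one request; `ok` is the constructed outcome of the remote call.
        Returns 'excluded', 'pool_full', 'failed' or 'ok'."""
        if self.is_excluded(target, now):
            return "excluded"           # immediate error: component is excluded
        self.release_idle(now)
        conn = next((c for c in self.pool if c.target == target), None)
        if conn is None:
            if len(self.pool) >= self.max_pool_size:
                return "pool_full"      # cache is full; no new connection opened
            conn = Connection(target, now)
            self.pool.append(conn)
        conn.last_used = now
        if not ok:
            # Failure indicated by an error code: exclude the component and
            # drop its cached connection until the interval has elapsed.
            self.excluded_until[target] = now + self.exclusion_interval
            self.pool = [c for c in self.pool if c.target != target]
            return "failed"
        return "ok"
```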
Principal
This option determines the user principal name of the account
under which the process controller executes. This is required in
order to enable Active Directory delegation. The user name should
be entered in the format username@domain.extension,
where domain is the Active Directory domain. The default
user principal name is the user name specified during MPF
installation, and is usually
MPFServiceAcct@domain.extension.
For more information about these properties, see Managing security and Managing performance.
Caution
- The default settings for these properties are set during
installation. It is recommended that you use the default settings.
Changing these properties, especially those related to
authentication, may prevent appropriate transaction processing. You
should modify these properties only if you understand the impact of
the modification.