As Microsoft Provisioning Framework (MPF) processes a
provisioning request, it exercises two forms of access control:
Authentication-The process of assigning an identity to
each step of the procedure in the request. MPF derives this
identity from the step's security context. Basic authentication and
Kerberos delegation are two authentication models supported by MPF.
To simplify administration, users can be assigned to MPF accounts
and groups. See Authentication.
Authorization-The process of verifying that an identity
is allowed to call the procedure or access the resource named in a
step of the procedure. When a client receives a request, it builds
the COM security context for the request and passes it to the
provisioning server. When converting SOAP requests into MPF
requests, Simple Object Access Protocol (SOAP) Internet Server
Application Programming Interface (ISAPI) verifies that the caller
is allowed to submit SOAP requests. For more information, see
Authorization During Request Submittal in Authorization.
Provisioning servers perform authorization during request
submission and during calls to namespaces, procedures, and external
services such as Active Directory. For more information, see the
Authorization During Calls to Namespaces and Procedures and
Authorization During Calls to External Services sections of
For access control, MPF supports the scenarios listed in the
Table: Scenarios Supported by MPF
Front-end access control
A Web server or other front-end component performs all security
checks before the request is submitted to MPF. MPF executes
requests to external services based on the security context of a
credential stored in the configuration database or (if there is no
credential) MPFServiceAcct. In the latter case, MPFServiceAcct must
be granted access to the external services.
Concentrates security checking onto the front end.
Does not require Kerberos delegation or basic
Loss of specificity on external access control.
Assumes that front end is secure.
Windows access control
MPF executes requests based on the COM security context of the
calling user, using Kerberos delegation or basic authentication to
impersonate that user in requests to external services. MPF does
not perform security checking.
Authentication is done at the back end, close to the actual
Makes use of Windows security context.
Requires either Kerberos delegation or basic authentication
Extra effort to set up users with security permissions for
MPF access control
Provisioning servers perform security checking based on the
identity's right to access:
A submit request or submit trusted request method for
IProvEngine or IProvQueue
Public and private procedures
External services (for example, before accessing Microsoft SQL
Server, a caller might have to be authorized to call Active
MPF executes requests to external services in the security
context of a credential stored in the configuration database or (if
there is no credential) MPFServiceAcct. For the latter,
MPFServiceAcct must be granted access to the external services.