Authorization is the process of verifying that an identity is allowed to call the
procedure or access the resource named in the procedure step. When a
receives a request, it builds the COM security context for the
request and passes it to the provisioning server. When converting
SOAP requests into MPF requests, SOAP ISAPI verifies
that the caller is allowed to submit SOAP requests. For more
information, see . Provisioning servers perform authorization
during request submission and during calls to namespaces,
procedures, and external services such as Microsoft® Active
Directory®. For more information, see Authorization
During Calls to Namespaces and Procedures and Authorization
During Calls to External Services.

For access control, MPF supports scenarios such as the

Client-side access control: A Web server or other
front-end component performs all security checks before the request
is submitted to MPF. MPF executes requests to external services
based on the security context of a credential stored in the
configuration database or (if there is no credential) MPFServiceAcct.
For the latter, MPFServiceAcct must be granted access to the
Concentrates security checking on the front end.
Does not require Kerberos delegation or basic
Loss of granularity on external access control.
Assumes that the client that invokes MPF is secure.

Windows® access control: MPF executes requests based on
the COM security context of the calling user, using Kerberos
delegation or basic authentication to impersonate that user in
requests to external services. MPF does not perform security
Authentication is done at the back end, close to the actual
Leverages Windows security context.
Requires either Kerberos delegation or basic authentication
Extra effort to set up users with security privileges for

MPF access control: Provisioning servers perform
security checking based on the identity's right to access:
External services (for example, before accessing Microsoft® SQL
Server, a caller may have to be authorized to call Active
MPF executes requests to external services based on the security
context of a credential stored in the configuration database or (if
there is no credential) MPFServiceAcct. For the latter,
MPFServiceAcct must be granted access to the external