Provisioning Framework (MPF) has two user accounts:
MPFServiceAcct and MPFClientAcct. For domain deployments, these
accounts are installed in Microsoft® Active Directory®; for local
installations, they are installed in Microsoft® Windows® as
Multiple forests with different provisioning engines should not
use the same MPFServiceAcct password. If they do, MPF replicates
objects across the forests. This is appropriate only if all domains
use the same provisioning engine.
MPFServiceAcct is a member of the MPFServiceAccts and
MPFTrustedUsers groups .
Whenever a request uses basic
delegation, and/or has a procedure with an "execute as"
credential, these credentials take precedence over MPFServiceAcct.
In MPF deployments that perform security checking outside of MPF,
it may be desirable to grant privileges to MPFServiceAcct so it can
perform actions on external services.
MPFClientAcct is only used to submit SOAP requests to MPF via
MPFClientAcct is a member of the MPFClientAccts group.
When setting the password for MPFClientAcct during setup, be
aware that if you change the password for the MPFClientAcct, you
will also be required to change the password for SOAP ISAPI.
Accounts are created during MPF setup. If you have a setup
failure, you must delete these accounts manually before
re-attempting setup. The Readme.htm file on the MPF CD has the
instructions for deleting MPF accounts and other recovery steps for