Authorization During Calls to External Services
In Microsoft® Provisioning Framework (MPF), requests that call external services such as Microsoft® Active Directory® pass their security context to providers as follows. Once the service receives the MPF security context, it can perform its own authorization.
- To pass security context to a provider, the trusted attribute in the request's execute or queue node must be set to 1. The provider can then use this information to modify the security context of the call to the external service. For example, HTTP and SOAP Provider does this when initiating an HTTP request with basic authentication.
- If the request's execute or queue node sets the impersonate attribute to 1, what happens next depends on whether the request's securityContext node contains basic or Kerberos authentication credentials.
  - MPF passes basic credentials unchanged to external services. For more information, see Basic Authentication.
  - For Kerberos, MPF impersonates the COM credentials of the calling user that submitted the request. For more information, see Kerberos Authentication.
- If security checking will take place at another level (for example during calls to namespaces), it may be desirable to configure MPFServiceAcct with all rights and simply pass that context instead of implementing Kerberos delegation.
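The following review helper is an added example, not code from the MPF documentation. It lists every execute or queue node in a request that sets trusted or impersonate to 1, so a reviewer can see where security context leaves MPF. The sample request is constructed: only the execute, queue and securityContext node names and the trusted and impersonate attributes come from this page, while the root element, the procedure wrapper and the namespace and procedure attribute values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample request (layout assumed, see the lead-in).
SAMPLE_REQUEST = """\
<request>
  <securityContext/>
  <procedure>
    <execute namespace="Example NS" procedure="CreateUser" trusted="1"/>
    <execute namespace="Example NS" procedure="ReadUser"/>
    <queue namespace="Example NS" procedure="SyncUser" impersonate="1"/>
    <execute namespace="Example NS" procedure="Both" trusted="1" impersonate="1"/>
  </procedure>
</request>
"""

def audit_request(xml_text):
    """Return one finding per execute/queue node that forwards security context."""
    # The stdlib parser is adequate for files you control; use a hardened
    # parser such as defusedxml for request XML from untrusted sources.
    root = ET.fromstring(xml_text)
    has_context = any(el.tag == "securityContext" for el in root.iter())
    findings = []
    for node in root.iter():
        if node.tag not in ("execute", "queue"):
            continue
        flags = [a for a in ("trusted", "impersonate")
                 if node.get(a, "").strip() == "1"]
        if not flags:
            continue
        notes = []
        if "trusted" in flags:
            notes.append("security context is passed to the provider")
        if "impersonate" in flags:
            notes.append("basic credentials are passed unchanged, or the "
                         "calling user is impersonated (Kerberos)")
        if not has_context:
            notes.append("no securityContext node found in the request")
        findings.append({"node": node.tag,
                         "procedure": node.get("procedure"),
                         "flags": flags,
                         "notes": notes})
    return findings

if __name__ == "__main__":
    for f in audit_request(SAMPLE_REQUEST):
        print(f"{f['node']} {f['procedure']}: {', '.join(f['flags'])}"
              f" -> {'; '.join(f['notes'])}")
```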
See Also
Access Control Basics
© 1999-2002 Microsoft Corporation. All rights reserved.