Kerberos Delegation

Microsoft® Provisioning Framework can be configured to use Kerberos delegation for authentication in domain deployments. Kerberos delegation is a form of impersonation. Microsoft distinguishes between delegation and impersonation, using the term delegation to refer to impersonation involving multiple computers that communicate over a network. In MPF, delegation refers to the ability of a calling process to execute based on the COM security credentials of the calling user.

MPF can use Kerberos delegation:

Configuring Kerberos Delegation

For an MPF server to delegate to another server, it must run under a client identity marked as trusted for delegation in Active Directory. Normally, this identity is MPFServiceAcct. Impersonation will not work if the client account is marked as sensitive and/or cannot be delegated. In addition, the MPF client properties must be configured to support dynamic cloaking and delegation.

There are two ways to configure Kerberos delegation. The easiest way is to install MPF in an unattended setup, specifying the MPF_IMPERSONATE=1 parameter. In an existing installation, you can manually configure impersonation as follows.

  1. Navigate to Administrative Tools (for example, by clicking Start, Settings, Control Panel, Administrative Tools).
  2. Click Active Directory Users and Computers.
  3. In the details pane, right-click the user MPFServiceAcct and then click Properties option
  4. In the pop-up dialog, select the Account tab.
  5. In the Account Options section of the tab, check the box for Account is trusted for delegation.
  6. Click OK to exit the dialog.
  7. In Provisioning Manager, Provisioning Servers, Clients, Properties, set the following properties. (For more information on these properties, see Clients.)
    • Capabilities: Set to "Dynamic Cloaking".
    • Impersonation Level: Set to "Delegate".
    • Principal: Set to the user principal name (UPN) of MPFServiceAcct.
  8. Click OK.

In requests, impersonation for procedure calls is specified using the impersonate attribute of individual execute and queue nodes. For Kerberos authentication, impersonate must be set to 1 and the request must not already contain a \securityContext\authentication\basic node. (If it does, MPF assumes the call uses basic authentication rather than Kerberos.) 

See Also

Kerberos protocol in MSDN®

Up Top of Page
© 1999-2002 Microsoft Corporation. All rights reserved.