Kerberos delegation

Microsoft Provisioning Framework (MPF) can be configured to use Kerberos delegation for authentication in domain deployments. Kerberos delegation is a form of impersonation. Microsoft documentation distinguishes between delegation and impersonation, using the term delegation to refer to impersonation involving multiple computers that communicate over a network. In MPF, delegation refers to the ability of a calling process to execute based on the COM security credentials of the calling user.

MPF can use Kerberos delegation under the following conditions:


To configure MPF to support Kerberos delegation, dynamic cloaking, and delegation must be set up on the client during MPF setup, and the MPFServiceAcct must be marked as trusted for delegation in Active Directory. You can do this in one of two ways, depending on the installation mode.

After impersonation is set up, impersonation for procedure calls is specified in requests using the impersonate attribute of the individual execute and queue nodes. For Kerberos authentication, impersonate must be set to 1 and the request must not contain a \securityContext\authentication\basic node. Otherwise, MPF assumes that the call uses basic authentication rather than Kerberos.