Authorization during calls to external services

In Microsoft Provisioning Framework (MPF), a request that calls an external service such as Active Directory passes its security context to the provider that makes the call. The provider forwards that MPF security context to the external service, which can then perform its own authorization against it rather than relying on MPF alone.

To pass the security context to a provider, the trusted attribute on the request's execute or queue node must be set to 1. The provider can then use the context to modify the security context of its own call to the external service; for example, the HTTP and SOAP Provider does this when it initiates an HTTP request with basic authentication. Because a trusted provider can change the identity presented to the external service, only providers you control should run with trusted set to 1. If the request's execute or queue node also sets the impersonate attribute to 1, what happens next depends on whether the request's securityContext node contains basic or Kerberos authentication credentials:

If security checking takes place at another level (for example, during calls to namespaces), it might be preferable to grant MPFServiceAcct all the rights the external service requires and simply pass that account's context instead of implementing Kerberos delegation. This trades delegation complexity for a highly privileged service account, so it is only acceptable when the namespace-level authorization check is actually enforced for every request that reaches the provider.
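The following request fragment shows where the trusted and impersonate attributes and the securityContext node sit in an MPF request. It is an added illustration, not a sample from the MPF documentation: the namespace name "HTTP and SOAP Provider" is the provider named above, but the procedure name, the data element, the credential values, and the placement and child elements of securityContext (basic, username, password) are assumed for illustration and should be checked against your MPF schema before use.

```xml
<!-- Added example, not from the MPF documentation. The procedure name,
     data element, credential values, and the layout of securityContext
     are assumptions for illustration only. -->
<request>
  <data>
    <!-- Constructed sample input for the provider call. -->
    <url>https://provisioning.example.com/create</url>
  </data>
  <securityContext>
    <!-- Assumed layout: basic credentials that a trusted provider may
         forward when it builds the outbound HTTP request. -->
    <basic username="svc-provision" password="REDACTED"/>
  </securityContext>
  <procedure>
    <!-- trusted="1": the request's security context is handed to the
         provider, which may alter the context of the call it makes.
         impersonate="1": the provider impersonates the caller; which
         identity the external service finally sees depends on the
         credentials in securityContext, as described above. -->
    <execute namespace="HTTP and SOAP Provider" procedure="SendRequest"
             trusted="1" impersonate="1">
      <before source="data" destination="executeData" mode="merge"/>
    </execute>
  </procedure>
</request>
```

Omitting trusted (or setting it to 0) keeps the caller's context inside MPF: the provider then makes the external call without being able to substitute credentials, which is the safer default for any provider that is not fully under your control.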