As Microsoft Provisioning Framework (MPF) processes a
provisioning request, it exercises two forms of access control:
authentication and authorization.
Authentication is the process of assigning an identity to each
step of the procedure in the request. MPF derives this
identity from the step's security context. Basic authentication and
Kerberos delegation are two authentication models
supported by MPF. To simplify administration, users can be assigned
to MPF accounts and groups.
Authorization is the process of verifying that an identity is
allowed to call the procedure or access the resource named in a
step of the procedure. When a client receives
a request, it builds the COM security context for the request and
passes it to the provisioning server. When converting SOAP requests
into MPF requests, Simple Object Access Protocol (SOAP)Internet Server Application Programming Interface
(ISAPI) verifies that the caller is allowed to submit SOAP
requests. For more information, see Authorization During Request
Submittal. Provisioning servers perform authorization during
request submission and during calls to namespaces,
procedures, and external services such as Active Directory. For
more information, see Authorization During Calls to Namespaces and
Procedures and Authorization During Calls to External
For access control, MPF supports scenarios such as the
Front-end access control: A Web server or other
front-end component performs all security checks before the request
is submitted to MPF. MPF executes requests to external services
based on the security context of a credential stored in the configuration database or (if there is no
credential) MPFServiceAcct. In the latter case, MPFServiceAcct must
be granted access to the external services.
Concentrates security checking onto the front end.
Does not require Kerberos delegation or basic
Loss of specificity on external access control.
Assumes that front end is secure.
Windows access control: MPF executes requests based on
the COM security context of the calling user, using Kerberos
delegation or basic authentication to impersonate that user in
requests to external services. MPF does not perform security
Authentication is done at the back end, close to the actual
Leverages Windows security context.
Requires either Kerberos delegation or basic authentication
Extra effort to set up users with security permissions for
MPF access control: Provisioning servers perform
security checking based on the identity's right to access:
A submit request or submit trusted
request method for IProvEngine or IProvQueue
Public and private procedures
External services (for example, before accessing Microsoft SQL
Server, a caller might have to be authorized to call Active
MPF executes requests to external services in the security
context of a credential stored in the configuration database or (if
there is no credential) MPFServiceAcct. For the latter,
MPFServiceAcct must be granted access to the external services.
The Microsoft Provisioning Framework Software Development Kit
(SDK) contains additional resources and information about the
IProvQueue and IProvEngine interfaces. For more information on the
SDK and how to use it, see Microsoft Provisioning Framework SDK and