The connection requirements of your users determine how you configure client connections for both provisioning engine clients and queue manager clients. If you find that the default settings do not meet performance, security, or other requirements, you can modify the settings.
You can use Provisioning Manager to administer clients as follows:
You can control how MPF handles client connections by modifying the properties of clients. You set properties for all provisioning engine clients and for all queue manager clients, not for specific servers.
You can modify the following transaction properties for clients:
This flag is used by developers to set the level at which Component Object Model (COM) applications should verify the identity of clients. The options, from lowest to highest security, are as follows:
No authentication occurs.
Authenticates client credentials only when the connection is initiated with the server.
Authenticates client credentials at the beginning of each remote procedure call when the server receives the request. This is the default setting.
Authenticates and verifies that all data received is from the expected client.
Authenticates and verifies that none of the data has been modified in transit between the client and the server.
Authenticates and encrypts the packet, including the data and the sender's identity and signature.
Lets Distributed Component Object Model (DCOM) specify the authentication level by using the default security blanket negotiation algorithm used by the local computer for COM authentication.
Clients forward requests to queue managers and provisioning engines. If a queue manager, provisioning engine, or network connection experiences a failure, as indicated by specific error codes, MPF excludes that component, which means that MPF stops sending requests to the component. The exclusion interval option specifies the amount of time to wait before MPF again starts sending requests to the excluded component. The default exclusion interval is 300 seconds.
This option minimizes unnecessary consumption of network bandwidth, CPU cycles, and other system resources during a failure. It also enables the provider to generate a more immediate error to alert the caller that the server is not available.
Clients must establish an identity to submit requests. You can modify this property to change how MPF implements this process. The options are as follows:
When this flag is set, DCOM uses the calling thread token (if present) when determining the identity of the client.
When this flag is set, DCOM uses the thread token (if present) when determining the identity of the client. On each call to a proxy, the current thread token is examined to determine whether the identity of the client has changed (incurring an additional performance cost) and the client is authenticated again if necessary.
This is the default setting.
This option controls how long clients hold open unused connections to provisioning engines and queue managers. Clients cache connections to the provisioning engines and the queue managers and then release the unused connections after the specified hold time has elapsed. The default hold time is 300 seconds.
This option controls the level of authority that the client grants to applications when they are acting on its behalf. The levels are as follows:
The client is anonymous to the server application. The server can impersonate the client, but the impersonation token does not contain any information about the client.
The server application can obtain the identity of the client. The server application can impersonate the client to do discretionary access control list (DACL) checks, but cannot access system objects as the client.
The server application can impersonate the client while acting on its behalf, with the following restrictions. The server can access resources on the same computer as the client. If the server is on the same computer as the client, it can access network resources as the client. If the server is on a different computer from the client, it can only access resources that are on the same computer as the server. This is the default setting.
The server application can impersonate the client while acting on its behalf, whether or not on the same computer as the client. During impersonation, all of the credentials belonging to the client can be passed to any number of computers.
Uses the default COM+ impersonation level that is configured on your computer.
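When the authentication level or the impersonation level is left to the computer's default, the effective protection depends on the machine-wide COM settings. The following PowerShell check is an added example, not part of MPF or of the original page. It reads the Windows registry values `LegacyAuthenticationLevel` and `LegacyImpersonationLevel` under `HKLM\SOFTWARE\Microsoft\Ole`, on the assumption that these machine-wide COM defaults are what the default options defer to.

```powershell
# Added example (not MPF code): read the machine-wide COM defaults from the registry.
$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

# Standard COM level names, keyed by their RPC_C_AUTHN_LEVEL_* / RPC_C_IMP_LEVEL_* values.
$AuthnNames = @{ 1='None'; 2='Connect'; 3='Call'; 4='Packet'; 5='Packet Integrity'; 6='Packet Privacy' }
$ImpNames   = @{ 1='Anonymous'; 2='Identify'; 3='Impersonate'; 4='Delegate' }

function Get-ComDefault {
    param(
        [Parameter(Mandatory)][string]$ValueName,
        [Parameter(Mandatory)][hashtable]$Names
    )
    $item = Get-ItemProperty -Path $OleKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: COM uses its built-in default, which this script does not guess.
        return [pscustomobject]@{ Setting = $ValueName; Raw = $null; Level = 'not set' }
    }
    $raw = [int]$item.$ValueName
    $level = if ($Names.ContainsKey($raw)) { $Names[$raw] } else { 'unrecognized' }
    [pscustomobject]@{ Setting = $ValueName; Raw = $raw; Level = $level }
}

$authn = Get-ComDefault -ValueName 'LegacyAuthenticationLevel' -Names $AuthnNames
$imp   = Get-ComDefault -ValueName 'LegacyImpersonationLevel'  -Names $ImpNames
$authn, $imp | Format-Table -AutoSize

# Review notes, based on the level descriptions listed above.
if ($null -ne $authn.Raw -and $authn.Raw -lt 5) {
    Write-Warning "Authentication default '$($authn.Level)' does not verify that data was unmodified in transit."
}
if ($null -ne $authn.Raw -and $authn.Raw -lt 6) {
    Write-Warning "Authentication default '$($authn.Level)' does not encrypt packets."
}
if ($imp.Raw -eq 4) {
    Write-Warning "Impersonation default 'Delegate' lets servers pass client credentials on to other computers."
}
```

Run the check on each server that acts as a client, because the defaults are per computer and can differ between servers.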
This option controls the maximum number of simultaneous connections that clients hold open with the provisioning engines or with the queue managers. MPF stores these open connections in a cache. The default max pool size is 100 connections.
This option determines the user principal name of the account under which the process controller executes. This is required in order to enable Active Directory delegation. The user name should be entered in the format email@example.com, where domain is the Active Directory domain. The default user principal name is the user name specified during MPF installation, and is usually MPFServiceAcct@domain.extension.
The information provided in Provisioning Manager about each client includes the name of each server acting as a client.
For more information, see To view the names and status of provisioning servers.
For more information about clients, see Clients.