Microsoft Provisioning System Security

When planning for the delegation of administrative tasks, you must consider how you want to implement security. In Microsoft Provisioning System (MPS), there are several ways of managing the security of delegated tasks. The scenarios present examples of how you can implement different types of security for provisioning requests that create a user account. The procedures required to perform this task are contained within the Managed Active Directory namespace, which is provided with MPS.

Benefits of Providing Security

By implementing security in your MPS deployment, you can control who can or cannot submit XML provisioning requests to MPS and you can define the security context under which your provisioning procedures run. This ensures that provisioning actions are performed securely in delegated administration environments.

Security Planning Tasks

When planning for MPS security, you need to consider the following options:

  • Which type of authentication you want to use for running the provisioning tasks.

  • The type of requests you want to provide, either trusted or untrusted.

  • How you want to secure the running of the provisioning procedures.

The sections that follow provide the concepts and procedures you will need to understand before deciding on the options you want. However, it is not imperative that you choose any of these options prior to deploying MPS. Rather, after you deploy MPS in your environment you can decide how these issues will affect requests submitted by the MPF Client.

MPS Authentication Models

The two authentication models supported by MPS are basic authentication and Kerberos delegation. These two models provide the means of passing security identities into MPS from a request.

Basic Authentication

In MPS, basic authentication is the ability to provide a set of credentials that are passed into MPS with an XML request. When credentials consisting of the domain\username and password pair are specified in an XML request, MPS uses them as the calling user and does not use the Kerberos credentials to perform the requested provisioning actions.

MPS uses basic authentication in trusted requests. A trusted request is one that explicitly defines its security context by using basic credentials. Only members of the MPFTrustedUsers, Administrators, and MPFAdmin groups are allowed to submit trusted requests.

Kerberos Authentication

Kerberos authentication is employed by MPS when credentials for the calling user are not specified in a provisioning request. By using Kerberos delegation, MPS can allow procedures called by a request to run under the Component Object Model (COM) security context of the calling user or application, provided that procedure-level security (such as a stored credential) does not require the procedure to run in another context.

MPS uses Kerberos delegation for untrusted requests. An untrusted request is one that contains only data and the name of a procedure to call. Because untrusted requests do not contain a security context, MPS must authenticate this type of request based on the security context of the calling COM or Hypertext Transfer Protocol (HTTP) application.
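The two request types described in the Basic Authentication and Kerberos Authentication sections, as an added example that is not part of the original documentation: a small Python check that classifies an incoming MPS-style XML request as trusted (basic credentials embedded) or untrusted (data and procedure name only) and applies the rule that only members of MPFTrustedUsers, Administrators and MPFAdmin may submit trusted requests. The element and attribute names under `context`, the `Create User` procedure name and the two sample requests are assumptions for illustration, not taken from the MPS SDK schema.

```python
import xml.etree.ElementTree as ET

# Groups the documentation names as the only ones permitted to submit trusted requests.
TRUSTED_SUBMITTER_GROUPS = {"MPFTrustedUsers", "Administrators", "MPFAdmin"}

# Constructed sample requests. The element/attribute names under <context>
# are ASSUMED for this example; verify them against the MPS SDK schema.
TRUSTED_REQUEST = """<request>
  <context>
    <securityContext mode="basic" domain="CONTOSO" user="provisioner" password="[placeholder]"/>
  </context>
  <data><userName>jdoe</userName></data>
  <procedure>
    <execute namespace="Managed Active Directory" procedure="Create User"/>
  </procedure>
</request>"""

UNTRUSTED_REQUEST = """<request>
  <data><userName>jdoe</userName></data>
  <procedure>
    <execute namespace="Managed Active Directory" procedure="Create User"/>
  </procedure>
</request>"""

def classify_request(xml_text: str) -> dict:
    """Report whether a request is trusted (basic credentials) or untrusted."""
    root = ET.fromstring(xml_text)
    if root.tag != "request":
        raise ValueError("not an MPS request document")
    procedures = [e.get("procedure") for e in root.iter("execute")]
    sec = root.find("./context/securityContext")
    if sec is not None and sec.get("mode") == "basic":
        # Trusted: explicit domain\username + password; MPS runs as this user.
        domain, user, password = (sec.get(k) for k in ("domain", "user", "password"))
        if not (domain and user and password):
            raise ValueError("basic securityContext lacks domain/user/password")
        return {"trusted": True, "model": "basic",
                "identity": f"{domain}\\{user}", "procedures": procedures}
    # Untrusted: only data plus procedure names; the identity comes from the
    # Kerberos-delegated COM/HTTP caller context, not from the document.
    return {"trusted": False, "model": "kerberos",
            "identity": None, "procedures": procedures}

def authorize_submission(classification: dict, submitter_groups) -> bool:
    """Gate from the documentation: only the listed groups may submit trusted requests."""
    if not classification["trusted"]:
        return True  # no embedded credentials; MPS authenticates the caller itself
    return bool(TRUSTED_SUBMITTER_GROUPS & set(submitter_groups))
```

In a deployment the submitter's group membership would come from the authenticated caller (for example the COM or HTTP security context), not from the request body.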