Access Control Basics
As Microsoft Provisioning Framework (MPF) processes a provisioning request, it exercises two forms of access control:
- **Authentication** - The process of assigning an identity to each step of the procedure in the request. MPF derives this identity from the step's security context. Basic authentication and Kerberos delegation are two authentication models supported by MPF. To simplify administration, users can be assigned to MPF accounts and groups. See Authentication.
- **Authorization** - The process of verifying that an identity is allowed to call the procedure or access the resource named in a step of the procedure. When a client receives a request, it builds the COM security context for the request and passes it to the provisioning server. When converting SOAP requests into MPF requests, the Simple Object Access Protocol (SOAP) Internet Server Application Programming Interface (ISAPI) verifies that the caller is allowed to submit SOAP requests. For more information, see Authorization.
For access control, MPF supports the scenarios listed in the following table.
Table: Scenarios Supported by MPF
| Scenario | Description | Advantages | Disadvantages |
|---|---|---|---|
| Front-end access control | A Web server or other front-end component performs all security checks before the request is submitted to MPF. MPF executes requests to external services based on the security context of a credential stored in the configuration database or (if there is no credential) MPFServiceAcct. In the latter case, MPFServiceAcct must be granted access to the external services. | | |
| Windows access control | MPF executes requests based on the COM security context of the calling user, using Kerberos delegation or basic authentication to impersonate that user in requests to external services. MPF does not perform security checking. | | |
| MPF access control | Provisioning servers perform security checking based on the identity's right to access: MPF executes requests to external services in the security context of a credential stored in the configuration database or (if there is no credential) MPFServiceAcct. For the latter, MPFServiceAcct must be granted access to the external services. For more information, see IProvQueue and IProvEngine. | | |