- Authentication - Verify that a user is who he/she claims to be.
- Authorization - Determine if the user is permitted access to data.
- Access Control - Manage access to business data exposed using BDC.
When BDC is crawled (search) to index content, it runs in the filter daemon process (mssdmn.exe).
- Trusted Subsystem - System account is used to access services and resources on behalf of all authenticated users. Fixed identity is the application pool ID or group ID retrieved from Single Sign-On (SSO) database.
- Impersonation and Delegation - Delegates authentication to the WFEs and application pool ID impersonates the user. App pool ID connects to business application servers on user's behalf using Kerberos or SSO.
Four Authentication Modes: (Defined on the LOBSystemInstance XML tag in the ADF)
- PassThrough - User's authentication is passed to back-end server.
- RevertToSelf - (Windows Authentication) App Pool ID is used to impersonate user. Reverts back to IIS application pool ID before requesting data from back-end LOB system. This is the default option if no authentication mode is specified.
- Credentials - (Database of users) Uses database credentials from default SSO service.
- WindowsCredentials - Uses Microsoft Windows credentials from default SSO Service.
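
An added example (not part of the original notes): a small audit that reads an ADF and reports, for each LobSystemInstance, the effective authentication mode and the identity the back-end system will see, flagging instances that silently fall back to the default. The Properties/Property layout and the property names AuthenticationMode, SsoApplicationId and DatabaseAccessProvider are assumptions about the ADF schema; the sample ADF and its instance names are constructed.

```python
import xml.etree.ElementTree as ET

# Identity presented to the back-end system per mode, as listed above.
MODES = {
    "PassThrough": "calling user's identity",
    "RevertToSelf": "IIS application pool ID",
    "Credentials": "database credentials from SSO",
    "WindowsCredentials": "Windows credentials from SSO",
}
DEFAULT_MODE = "RevertToSelf"  # applies when no mode is specified
SSO_MODES = {"Credentials", "WindowsCredentials"}

# Constructed sample ADF; names are made up, schema details are assumed.
SAMPLE_ADF = """
<LobSystem Name="SampleLob" Type="Database"><LobSystemInstances>
 <LobSystemInstance Name="OrdersDb"><Properties>
  <Property Name="AuthenticationMode" Type="System.String">PassThrough</Property>
 </Properties></LobSystemInstance>
 <LobSystemInstance Name="HrDb"><Properties>
  <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
 </Properties></LobSystemInstance>
 <LobSystemInstance Name="CrmDb"><Properties>
  <Property Name="AuthenticationMode" Type="System.String">WindowsCredentials</Property>
 </Properties></LobSystemInstance>
</LobSystemInstances></LobSystem>
"""

def local(tag):
    # Element name without its XML namespace, lower-cased for matching.
    return tag.rsplit("}", 1)[-1].lower()

def audit_adf(xml_text):
    """Return (instance, effective mode, back-end identity, notes) per instance."""
    findings = []
    for inst in ET.fromstring(xml_text).iter():
        if local(inst.tag) != "lobsysteminstance":
            continue
        props = {p.get("Name"): (p.text or "").strip()
                 for p in inst.iter() if local(p.tag) == "property"}
        mode, notes = props.get("AuthenticationMode"), []
        if not mode:
            mode = DEFAULT_MODE
            notes.append("no mode specified; default applies")
        if mode not in MODES:
            notes.append("unrecognized mode")
        elif mode in SSO_MODES and not props.get("SsoApplicationId"):  # assumed property
            notes.append("SSO mode without SsoApplicationId")
        findings.append((inst.get("Name"), mode, MODES.get(mode, "unknown"), notes))
    return findings
```

Calling `audit_adf(SAMPLE_ADF)` returns one tuple per instance; an instance whose notes include the default-applies message reaches the back end as the IIS application pool ID rather than as the calling user.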