In a multi-machine environment, a region can operate across multiple systems. For example, in a cluster environment, network load balancing uses SEPs running on more than one system.
Users typically sign on once during a session. The event monitor on the signed-on system accesses the user's credentials (username and password) and generates user impersonation tokens as needed.
In a multi-machine environment, SEPs can run on machines other than the signed-on system. These SEPs do not have access to the user's credentials. In these environments, there are additional considerations for user impersonation.
Enterprise Server for .NET provides two mechanisms to support this architecture. Both use the Server EE for .NET monitor service (seemonitor.exe) to obtain user tokens for SEPs. In a scale-out environment with user-impersonation enabled, you can use one of the following mechanisms:
Protocol transition (PT) uses a feature of Windows 2003 (and later) domains to create tokens for users without having their passwords. This is the default mode for monitors in a scale-out environment. If all of your systems are joined to a Windows 2003 domain, and the monitor process is running under a trusted account (the default SYSTEM account for Windows services is trusted in a standard installation), you can generally use PT mode without any further configuration.
In environments where you cannot use PT, you can enable CP mode. CP mode is more complex, and involves transmitting encrypted user passwords between event monitor processes. CP can be used in non-domain configurations.
You configure the token creation mode in machine.config:
PT mode:
<MicroFocus.SEE>
  ...
  <add key="Security.users.tokenCreationMode" value="transition"/>
  ...
</MicroFocus.SEE>
CP mode:
<MicroFocus.SEE>
  ...
  <add key="Security.users.tokenCreationMode" value="credentials"/>
  ...
</MicroFocus.SEE>
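An added example, not part of the product documentation: a Python audit of collected machine.config files that reports each host's effective token creation mode and lists the hosts to review (CP mode, or a value other than the two shown above). It assumes the MicroFocus.SEE section sits somewhere under the file's root element, that values are matched exactly as written, and that an absent key means the default PT mode; the host names and sample configs are constructed.

```python
import xml.etree.ElementTree as ET

KEY = "Security.users.tokenCreationMode"
DEFAULT_MODE = "transition"  # the page states PT is the default in scale-out
KNOWN_MODES = ("transition", "credentials")

def token_creation_mode(config_xml):
    """Return (mode, finding) for one machine.config; mode is None if unusable."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        return None, f"unparseable config: {exc}"
    # Collect every value set for the key inside any MicroFocus.SEE section.
    values = {add.get("value", "").strip()
              for section in root.iter("MicroFocus.SEE")
              for add in section.iter("add")
              if add.get("key") == KEY}
    if not values:
        return DEFAULT_MODE, "key absent, default PT mode applies (assumption)"
    if len(values) > 1:
        return None, f"conflicting values: {sorted(values)}"
    mode = values.pop()
    if mode not in KNOWN_MODES:
        return None, f"unrecognised value {mode!r}"
    if mode == "credentials":
        return mode, "CP mode: encrypted passwords pass between monitors; confirm PT cannot be used"
    return mode, "PT mode set explicitly"

def audit(configs):
    """Map host -> (mode, finding) and list the hosts that need review."""
    results = {host: token_creation_mode(xml) for host, xml in configs.items()}
    review = sorted(h for h, (mode, _) in results.items() if mode != "transition")
    return results, review

def cfg(body):
    # Constructed wrapper: only the section relevant to this check.
    return f"<configuration><MicroFocus.SEE>{body}</MicroFocus.SEE></configuration>"

# Constructed sample configs with hypothetical host names and one made-up key.
SAMPLES = {
    "sep-a": cfg('<add key="Security.users.tokenCreationMode" value="transition"/>'),
    "sep-b": cfg('<add key="Security.users.tokenCreationMode" value="credentials"/>'),
    "sep-c": cfg('<add key="Some.other.key" value="1"/>'),
    "sep-d": cfg('<add key="Security.users.tokenCreationMode" value="Kerberos"/>'),
}

if __name__ == "__main__":
    results, review = audit(SAMPLES)
    for host, (mode, finding) in sorted(results.items()):
        print(f"{host}: {mode} ({finding})")
    print("needs review:", ", ".join(review))
```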