2.1.2 Client Security Settings

The DNS RPC client SHOULD use a security support provider (SSP) over RPC, as specified in [MS-RPCE], for sessions that use TCP as the RPC transport protocol. A client SHOULD authenticate using:

  • RPC_C_AUTHN_GSS_NEGOTIATE

A client using TCP as the RPC transport requests the RPC_C_AUTHN_LEVEL_PKT_INTEGRITY authentication level with the DNS server.

For negotiating RPC security, the DNS RPC client uses the following parameters:

  • The client SHOULD<3> request mutual authentication by requesting the RPC_C_QOS_CAPABILITIES_MUTUAL_AUTH capability. The client MAY additionally request the RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE capability.

  • The identity tracking type is set to RPC_C_QOS_IDENTITY_STATIC.

  • The impersonation type is set to RPC_C_IMP_LEVEL_IMPERSONATE, indicating that the server can impersonate the client; the client MAY instead specify RPC_C_IMP_LEVEL_DELEGATE.<4>
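The settings above are the arguments a client hands to RpcBindingSetAuthInfoEx on its binding handle. The following is an added example, not code from the specification or from any Microsoft implementation: it gathers the 2.1.2 parameters into one structure, applies them to a binding on Windows, and includes a conformance check that a test harness or client audit could run to catch a binding that was downgraded (authentication level below packet integrity, mutual authentication not requested, dynamic identity tracking, or an impersonation level other than the two the section allows). Assumptions: on non-Windows builds the rpcdce.h constant values and the RPC_SECURITY_QOS layout are reproduced locally so the code compiles without the Windows SDK; the helper and function names are this example's own; the SPN passed on Windows is taken from the caller.

```c
/* Added example for MS-DNSP 2.1.2 client security settings (not Microsoft code).
 * On Windows the real rpc.h definitions are used; elsewhere the constant values
 * and the RPC_SECURITY_QOS layout are reproduced from rpcdce.h (assumption) so
 * the construction and conformance check can be compiled and tested anywhere. */
#include <stdio.h>
#include <stdbool.h>

#ifdef _WIN32
#include <windows.h>
#include <rpc.h>
#else
typedef unsigned long RPC_STATUS;
#define RPC_S_OK 0
#define RPC_C_SECURITY_QOS_VERSION 1
#define RPC_C_AUTHN_GSS_NEGOTIATE 9
#define RPC_C_AUTHN_LEVEL_CONNECT 2
#define RPC_C_AUTHN_LEVEL_PKT_INTEGRITY 5
#define RPC_C_AUTHN_LEVEL_PKT_PRIVACY 6
#define RPC_C_QOS_CAPABILITIES_MUTUAL_AUTH 0x1
#define RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE 0x8
#define RPC_C_QOS_IDENTITY_STATIC 0
#define RPC_C_QOS_IDENTITY_DYNAMIC 1
#define RPC_C_IMP_LEVEL_IMPERSONATE 3
#define RPC_C_IMP_LEVEL_DELEGATE 4
typedef struct {
    unsigned long Version, Capabilities, IdentityTracking, ImpersonationType;
} RPC_SECURITY_QOS;
#endif

/* Everything the client passes to RpcBindingSetAuthInfoEx, kept together. */
typedef struct {
    unsigned long AuthnSvc;    /* security provider */
    unsigned long AuthnLevel;  /* per-packet protection level */
    RPC_SECURITY_QOS Qos;      /* mutual auth, identity tracking, impersonation */
} dnsp_client_security;

/* Build the settings 2.1.2 prescribes; allow_delegate selects the MAY option. */
dnsp_client_security dnsp_default_client_security(bool allow_delegate)
{
    dnsp_client_security s;
    s.AuthnSvc = RPC_C_AUTHN_GSS_NEGOTIATE;
    s.AuthnLevel = RPC_C_AUTHN_LEVEL_PKT_INTEGRITY;
    s.Qos.Version = RPC_C_SECURITY_QOS_VERSION;
    s.Qos.Capabilities = RPC_C_QOS_CAPABILITIES_MUTUAL_AUTH;
    s.Qos.IdentityTracking = RPC_C_QOS_IDENTITY_STATIC;
    s.Qos.ImpersonationType = allow_delegate ? RPC_C_IMP_LEVEL_DELEGATE
                                             : RPC_C_IMP_LEVEL_IMPERSONATE;
    return s;
}

/* True iff the settings meet 2.1.2. A level above packet integrity (privacy)
 * is accepted because it is strictly stronger; anything weaker is rejected. */
bool dnsp_client_security_conforms(const dnsp_client_security *s)
{
    if (s->AuthnSvc != RPC_C_AUTHN_GSS_NEGOTIATE) return false;
    if (s->AuthnLevel < RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) return false;
    if (s->Qos.Version != RPC_C_SECURITY_QOS_VERSION) return false;
    if (!(s->Qos.Capabilities & RPC_C_QOS_CAPABILITIES_MUTUAL_AUTH)) return false;
    if (s->Qos.IdentityTracking != RPC_C_QOS_IDENTITY_STATIC) return false;
    if (s->Qos.ImpersonationType != RPC_C_IMP_LEVEL_IMPERSONATE &&
        s->Qos.ImpersonationType != RPC_C_IMP_LEVEL_DELEGATE) return false;
    return true;
}

#ifdef _WIN32
/* Apply the settings to a binding handle. spn is the DNS server's service
 * principal name (assumption: supplied by the caller, e.g. host/<server fqdn>);
 * mutual authentication cannot succeed without a principal to verify. */
RPC_STATUS dnsp_apply_client_security(RPC_BINDING_HANDLE h, const wchar_t *spn,
                                      const dnsp_client_security *s)
{
    RPC_SECURITY_QOS qos = s->Qos;  /* the API takes a non-const pointer */
    return RpcBindingSetAuthInfoExW(h, (RPC_WSTR)spn, s->AuthnLevel, s->AuthnSvc,
                                    NULL, RPC_C_AUTHZ_NONE, &qos);
}
#endif

/* Self-checks: the prescribed settings pass, downgraded variants fail. */
bool dnsp_example_default_conforms(void)
{
    dnsp_client_security s = dnsp_default_client_security(false);
    return dnsp_client_security_conforms(&s) &&
           s.Qos.ImpersonationType == RPC_C_IMP_LEVEL_IMPERSONATE;
}
bool dnsp_example_delegate_conforms(void)
{
    dnsp_client_security s = dnsp_default_client_security(true);
    return dnsp_client_security_conforms(&s) &&
           s.Qos.ImpersonationType == RPC_C_IMP_LEVEL_DELEGATE;
}
bool dnsp_example_downgrades_rejected(void)
{
    dnsp_client_security weak = dnsp_default_client_security(false);
    weak.AuthnLevel = RPC_C_AUTHN_LEVEL_CONNECT;          /* no packet integrity */
    dnsp_client_security nomutual = dnsp_default_client_security(false);
    nomutual.Qos.Capabilities = 0;                        /* server not verified */
    dnsp_client_security dyn = dnsp_default_client_security(false);
    dyn.Qos.IdentityTracking = RPC_C_QOS_IDENTITY_DYNAMIC;
    return !dnsp_client_security_conforms(&weak) &&
           !dnsp_client_security_conforms(&nomutual) &&
           !dnsp_client_security_conforms(&dyn);
}

int main(void)
{
    printf("default conforms: %d\n", dnsp_example_default_conforms());
    printf("delegate conforms: %d\n", dnsp_example_delegate_conforms());
    printf("downgrades rejected: %d\n", dnsp_example_downgrades_rejected());
    return 0;
}
```

On Windows, call dnsp_default_client_security once per process and apply it with dnsp_apply_client_security before the first RPC on the handle; the conformance check is the part worth keeping in a client's own tests, since a binding that silently falls back to RPC_C_AUTHN_LEVEL_CONNECT or drops RPC_C_QOS_CAPABILITIES_MUTUAL_AUTH still "works" against a server and is only visible by inspecting what was requested.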