Negotiation of Authentication Level

Both client and server must participate in authentication, and each party indicates the level of authentication it wants to perform. At the beginning of a call, the authentication level is negotiated between the two parties, an appropriate service is chosen, and the call is authenticated and proceeds (with possible encryption, depending on the authentication level chosen). The authentication level negotiated between client and server is determined as Maximum(Client preference, Server preference). In effect, the server can always dictate the minimum level of authentication it is comfortable with; that is, authentication can be administratively dictated from the server.

The client specifies that it wants to perform authentication at a certain level as with any COM application. The client authentication level can be indicated as follows:

  • Per client machine, with the machine-wide COM authentication level set by using either DCOMCNFG or the Component Services administrative tool.
  • Per client application administratively, using DCOMCNFG, or using the Component Services administrative tool if the client is a COM+ application.
  • Per client process programmatically, with CoInitializeSecurity.
  • At any point programmatically, using CoSetProxyBlanket.

The COM+ server application specifies an authentication level administratively by using the Component Services administrative tool (or through an administrative script).

Negotiating authentication for a call proceeds in the following sequence:

  1. The authentication level is chosen as MAX(client, server).
  2. The authentication protocol is negotiated.
  3. The server authenticates the client's identity.
  4. Optionally, the client authenticates the server's identity, depending on the authentication protocol.
  5. Method calls are communicated with the chosen level of authentication.
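The following is an added illustration of step 1 and of the "possible encryption" remark above; it is a portable model written for this page, not COM's own negotiation code. It uses the RPC_C_AUTHN_LEVEL_* numeric values from the Windows SDK, and it assumes (as a simplification) that a DEFAULT preference is resolved to the machine-wide DCOMCNFG setting before the comparison.

```cpp
#include <algorithm>
#include <stdexcept>

// Numeric values of RPC_C_AUTHN_LEVEL_* as defined in the Windows SDK (rpcdce.h).
enum AuthnLevel : unsigned {
    AUTHN_LEVEL_DEFAULT       = 0,
    AUTHN_LEVEL_NONE          = 1,
    AUTHN_LEVEL_CONNECT       = 2,
    AUTHN_LEVEL_CALL          = 3,
    AUTHN_LEVEL_PKT           = 4,
    AUTHN_LEVEL_PKT_INTEGRITY = 5,
    AUTHN_LEVEL_PKT_PRIVACY   = 6,
};

// Protection applied to each method call once a level has been negotiated.
struct CallProtection {
    AuthnLevel level;
    bool integrity;  // per-packet tamper detection (PKT_INTEGRITY and above)
    bool privacy;    // payload encryption (PKT_PRIVACY only)
};

// Step 1 of the sequence: resolve DEFAULT to the machine-wide setting
// (assumption: that is how an unspecified preference is filled in), then
// take Max(client, server). Because of the max, a server configured for
// PKT_PRIVACY still gets encrypted calls from a client that asked for NONE.
AuthnLevel negotiateAuthnLevel(AuthnLevel client, AuthnLevel server,
                               AuthnLevel machineDefault) {
    if (machineDefault == AUTHN_LEVEL_DEFAULT)
        throw std::invalid_argument("machine default must be a concrete level");
    if (client == AUTHN_LEVEL_DEFAULT) client = machineDefault;
    if (server == AUTHN_LEVEL_DEFAULT) server = machineDefault;
    return std::max(client, server);
}

// Map the negotiated level to the wire protection the calls will receive.
CallProtection protectionFor(AuthnLevel negotiated) {
    return { negotiated,
             negotiated >= AUTHN_LEVEL_PKT_INTEGRITY,
             negotiated >= AUTHN_LEVEL_PKT_PRIVACY };
}
```

Reading the result from the server's side: if the server application is configured at PKT_PRIVACY, no client preference can lower the negotiated level below it, which is the administrative floor the text describes.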

Client Authentication