If you are using the default security values (from the registry) for a process for authentication and authorization, no security initialization call is necessary. If, however, you want to set values for that process that differ from the default values, you can call CoInitializeSecurity. This function both initializes and registers these values, which then become the default values for that process.
However, sometimes the client needs finer-grained control over the security on calls to particular interfaces. For example, security can be set at a low level for the process, but calls to a particular interface might require a higher authentication level, such as encryption. The methods of the IClientSecurity interface allow the client to change the security settings associated with calls to a particular interface by controlling the security settings at the interface-proxy level.
The IClientSecurity interface is implemented locally for the client by the interface remoting layer (the proxy manager). Some custom marshaled objects might not support IClientSecurity.
The client can query an existing object for IClientSecurity and then call the IClientSecurity::QueryBlanket method to find out what the current security settings are for a particular interface proxy. You can use the IClientSecurity::SetBlanket method to modify the security settings for an individual interface proxy on the object prior to making a call on one of the interface methods. The new settings apply to any future callers of this particular interface. The CopyProxy method provides a way for the client to copy an interface proxy so that subsequent calls to SetBlanket on the copy do not affect callers of the original proxy.
SetBlanket is commonly used to raise the authentication level for a particular interface proxy to a more secure level. But, in some situations, it might also be helpful to lower the authentication level for a particular interface proxy. For instance, suppose the default authentication level for the process is some value other than RPC_C_AUTHN_LEVEL_NONE, and the client and server are in separate domains that do not trust each other. In this case, calls to the server will fail unless the client calls SetBlanket to lower the authentication level to RPC_C_AUTHN_LEVEL_NONE.
Clients using the default implementation of IClientSecurity provided by the proxy manager can call the CoQueryProxyBlanket, CoSetProxyBlanket, and CoCopyProxy helper functions instead of calling IClientSecurity methods directly. The helper functions simplify the code but are slightly less efficient than calling the corresponding IClientSecurity methods directly.
IClientSecurity works with all supported authentication services (currently NTLMSSP, SChannel, Kerberos).