Using Transport-Level Security on the Client

The client specifies how the server impersonates the client when the client establishes the string binding. This quality-of-service information is provided as an endpoint option in the string binding. The client can specify the level of impersonation, dynamic or static tracking, and the effective-only flag.

To supply quality-of-service information for the server, the client performs the following steps:

1. Imports a handle from the name-service database.

   The client specifies the name of the name-service database entry and obtains a binding handle.

2. Calls RpcBindingToStringBinding to obtain the protocol sequence, network address, and endpoint.
3. Calls RpcStringBindingParse to split the string binding into its component substrings.
4. Verifies that the protocol sequence is equal to ncacn_np or ncalrpc.

   Client quality-of-service information is supported only on named pipes and LRPC in Microsoft RPC.

5. Adds the security information to the endpoint string as an option.

   For more information about the syntax, see String Binding.

6. Calls RpcStringBindingCompose to reassemble the component strings, including the new endpoint options, in the correct string-binding syntax.
7. Calls RpcBindingFromStringBinding to obtain a new binding handle and to apply the quality-of-service information for the client.
8. Makes remote procedure calls using the handle.

Microsoft RPC supports Windows NT security features only on ncacn_np and ncalrpc. Windows NT security options for other transports are ignored.

Note  Because it does not support the Windows NT security model, the Windows 95 run-time library ignores the security descriptors ncalrpc and ncacn_np.

The following security parameters can be associated by the client with the binding for the named-pipe transport ncacn_np or ncalrpc:

• Identification, Impersonation, or Anonymous. Specifies the type of security used.
• Dynamic or Static. Determines whether security information associated with a thread is a copy of the security information created at the time the remote procedure call is made (static) or a pointer to the security information (dynamic).

  Static security information does not change. The dynamic setting reflects the current security settings, including changes made after the remote procedure call is made.

• TRUE or FALSE. Specifies the value of the effective-only flag. A value of TRUE indicates that only security settings set to "on" at the time of the call are effective. A value of FALSE indicates that all security settings are available and can be modified by the application.

Any combination of these settings can be assigned to the binding, as shown in the following example:

"Security=Identification Dynamic True"
"Security=Anonymous Static True"
"Security=Impersonation Static False"
 

Default security-parameter settings vary according to the transport protocol.

For more information about the security features of Windows NT, see your Microsoft Windows NT documentation. For information about the syntax of the endpoint options, see endpoint.