Authentication

OLE DB allows authentication through different mechanisms depending on the layer that enforces authentication: operating system, network, or data provider.

In password-based authentication, the consumer authenticates itself to the data provider by supplying a name and a password. The data provider enforces authentication in this case. When the consumer and provider operate in-process, passwords can be passed directly to the provider. In situations where a network connection is involved, the password must be sent to the provider over the network, which presents additional security problems.

Domain-based authentication implies the availability of an authentication service provided by the operating system, such as Windows NT. In this environment, users authenticate themselves to the domain by providing a password when logging in to the system. Once the user is authenticated to the domain, the domain provides identification information on behalf of the user in a trusted manner.

Distributed authentication assumes the existence of a distributed authentication service, such as the one provided by the Microsoft Security Support Provider Interface (SSPI), which is modeled after the General Security Support API from Digital Equipment Corporation.

In OLE DB, consumers call IDBProperties to request the type of authentication mechanism they want to use. They can also request the quality of service they expect when communicating with the provider across a network.
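As an added example (not from the original page or from any provider's code), the following Python script goes one step beyond the text: it audits OLE DB initialization strings, whose keywords set the same authentication properties a consumer would set through IDBProperties, and reports which mechanism is requested and which password-handling options are missing. The keyword and DBPROP names come from the OLE DB documentation rather than this page; the function names, provider name and sample strings are constructed for illustration.

```python
import re

# Keywords checked below and the OLE DB property each one sets (names from the
# OLE DB documentation, not from this page):
#   Integrated Security   -> DBPROP_AUTH_INTEGRATED
#   Password              -> DBPROP_AUTH_PASSWORD
#   Encrypt Password      -> DBPROP_AUTH_ENCRYPT_PASSWORD
#   Persist Security Info -> DBPROP_AUTH_PERSIST_SENSITIVE_AUTHINFO
#   Protection Level      -> DBPROP_INIT_PROTECTION_LEVEL

# One "Keyword=Value" pair; the value may be quoted so it can contain ';'.
_PAIR = re.compile(r'\s*([^=;]+?)\s*=\s*("[^"]*"|\'[^\']*\'|[^;]*)\s*(?:;|$)')

def parse_init_string(text):
    """Return {lower-cased keyword: value} for an initialization string."""
    props = {}
    for match in _PAIR.finditer(text):
        key, value = match.group(1).strip().lower(), match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # drop the surrounding quotes
        props[key] = value
    return props

def audit(text):
    """Return (mechanism, findings); each finding names the property involved."""
    props = parse_init_string(text)
    integrated = props.get("integrated security", "").lower() == "sspi"
    has_password = "password" in props
    mechanism = "integrated" if integrated else "password" if has_password else "unspecified"
    findings = []
    if has_password and integrated:
        findings.append("DBPROP_AUTH_PASSWORD supplied alongside integrated security")
    elif has_password and props.get("encrypt password", "").lower() != "true":
        findings.append("DBPROP_AUTH_ENCRYPT_PASSWORD not requested for the password")
    if props.get("persist security info", "").lower() == "true":
        findings.append("DBPROP_AUTH_PERSIST_SENSITIVE_AUTHINFO lets the password be persisted")
    if props.get("protection level", "").lower() == "none":
        findings.append("DBPROP_INIT_PROTECTION_LEVEL explicitly set to None")
    return mechanism, findings

# Constructed sample strings (placeholder provider, host and credentials).
SAMPLES = [
    'Provider=ExampleProvider;Data Source=db01;User ID=app;Password="p;w";Persist Security Info=True',
    "Provider=ExampleProvider;Data Source=db01;Integrated Security=SSPI;Protection Level=Pkt Privacy",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit(sample))
```

Whether a given provider honors Encrypt Password or Protection Level is provider-specific, so treat the findings as prompts for review rather than proof of exposure.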