If we take a look at the COSERVERINFO structure again, there's a member of the structure that we didn't cover at any length: the COAUTHINFO structure, which is the actual client security blanket.
    typedef struct _COSERVERINFO
    {
        DWORD       dwReserved1;
        LPWSTR      pwszName;
        COAUTHINFO* pAuthInfo;
        DWORD       dwReserved2;
    } COSERVERINFO;
pAuthInfo is the security blanket which gets passed through the COM runtime to the server for negotiation. It's instructive to look at the details of the structure, since some fields will be identical to the ones for the CoInitializeSecurity() call that we'll be covering later. You can find this definition in Wtypes.h:
    typedef struct _COAUTHINFO
    {
        DWORD           dwAuthnSvc;
        DWORD           dwAuthzSvc;
        LPWSTR          pwszServerPrincName;
        DWORD           dwAuthnLevel;
        DWORD           dwImpersonationLevel;
        COAUTHIDENTITY* pAuthIdentityData;
        DWORD           dwCapabilities;
    } COAUTHINFO;
dwAuthnSvc signifies the authentication service. It's a value from the RPC_C_AUTHN_xxx enumeration:
| dwAuthnSvc Value | Meaning |
|---|---|
| RPC_C_AUTHN_DCE_PRIVATE | DCE private key authentication. |
| RPC_C_AUTHN_DCE_PUBLIC | DCE public key authentication. |
| RPC_C_AUTHN_DEC_PUBLIC | DEC public key authentication. |
| RPC_C_AUTHN_DEFAULT | The system default authentication service. NT 4.0 defaults to DCE private key authentication. |
| RPC_C_AUTHN_WINNT | The NTLM Security Support Provider. Except for the default and this one, these services do not currently have native NT 4.0 support. |
| RPC_C_AUTHN_NONE | No authentication. |
dwAuthzSvc signifies the authorization service; in other words, what the server should use to check the access rights it should have on behalf of the client. The values are from the RPC_C_AUTHZ_xxx enumeration:
| dwAuthzSvc Value | Meaning |
|---|---|
| RPC_C_AUTHZ_NONE | Server performs no authorization. |
| RPC_C_AUTHZ_NAME | Server performs authorization using the client's name. |
| RPC_C_AUTHZ_DCE | Server performs authorization using the client's DCE privileges. |
pwszServerPrincName points to a wide character string indicating the principal name to use on the server with the authentication service. If the service chosen is RPC_C_AUTHN_WINNT, the value should be NULL.
dwAuthnLevel specifies the level of authentication required, ranging from authenticating once when connecting to per-packet authentication and encryption.
| dwAuthnLevel Value | Meaning |
|---|---|
| RPC_C_AUTHN_LEVEL_NONE | No authentication. |
| RPC_C_AUTHN_LEVEL_CONNECT | Authenticates only when the client establishes a connection. |
| RPC_C_AUTHN_LEVEL_CALL | Authenticates at the beginning of each remote procedure call. |
| RPC_C_AUTHN_LEVEL_PKT | Authenticates the origin of all data. Used by datagram transports. |
| RPC_C_AUTHN_LEVEL_PKT_INTEGRITY | Authenticates the origin and integrity of data. |
| RPC_C_AUTHN_LEVEL_PKT_PRIVACY | Authenticates the origin and integrity of data and encrypts remote procedure call arguments. |
dwImpersonationLevel specifies the impersonation level. It corresponds to the levels of impersonation specified in NT 4.0.
| dwImpersonationLevel Value | Meaning |
|---|---|
| RPC_C_IMP_LEVEL_ANONYMOUS | The server doesn't get any information about the client's identity and doesn't attempt to impersonate the client. |
| RPC_C_IMP_LEVEL_IDENTIFY | The server can get security information about the client (for example, security identifiers and privileges), but it can't impersonate the client. The significance of this is that the server can make decisions about whether the client has the right to access resources; however, it can't use system resources or access objects 'as the client'. |
| RPC_C_IMP_LEVEL_IMPERSONATE | The server can impersonate the client's security context. Note that this is valid only on the server's local system. It is not supported on remote systems. In other words, the server can't access resources over the network as if it were the client. |
| RPC_C_IMP_LEVEL_DELEGATE | This level allows the server to impersonate the client over a network. It isn't currently supported by the default SSPs on NT 4.0. It will, however, be supported by the Kerberos SSP, which will be an integral part of the Distributed Security Services in the next major release of NT. |
pAuthIdentityData: specific to the authentication service. Usually left as NULL.
dwCapabilities: extra capabilities to be defined.
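As an added example (not code from the original article), the following fills a COAUTHINFO with the field choices discussed above for an NTLM client blanket and then checks a blanket against a minimum policy, so that a weakened blanket (no authentication, a low authentication level, or delegation where it isn't needed) is caught before it reaches the COM runtime. The non-Windows stand-in typedefs and constant values, and the policy thresholds themselves, are assumptions.

```c
#ifdef _WIN32
#include <objbase.h>
#else
/* Stand-ins so the example also compiles off Windows; the constant values
 * are an assumption matching the NT 4.0 SDK headers. */
#include <stddef.h>
typedef unsigned long DWORD;
typedef wchar_t *LPWSTR;
typedef struct _COAUTHIDENTITY COAUTHIDENTITY;
typedef struct _COAUTHINFO {
    DWORD dwAuthnSvc, dwAuthzSvc; LPWSTR pwszServerPrincName;
    DWORD dwAuthnLevel, dwImpersonationLevel;
    COAUTHIDENTITY *pAuthIdentityData; DWORD dwCapabilities;
} COAUTHINFO;
enum { RPC_C_AUTHN_NONE = 0, RPC_C_AUTHN_WINNT = 10, RPC_C_AUTHZ_NONE = 0,
       RPC_C_AUTHN_LEVEL_NONE = 1, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY = 5,
       RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6, RPC_C_IMP_LEVEL_IDENTIFY = 2,
       RPC_C_IMP_LEVEL_DELEGATE = 4 };
#endif

enum { BAD_AUTHN = 1, BAD_LEVEL = 2, BAD_IMP = 4, BAD_PRINC = 8 }; /* check_blanket() result bits */

/* Fill a blanket for NTLM with per-packet encryption and the lowest
 * impersonation level that still lets the server make access decisions. */
void make_client_blanket(COAUTHINFO *ai)
{
    ai->dwAuthnSvc = RPC_C_AUTHN_WINNT;
    ai->dwAuthzSvc = RPC_C_AUTHZ_NONE;
    ai->pwszServerPrincName = NULL;  /* must be NULL for RPC_C_AUTHN_WINNT */
    ai->dwAuthnLevel = RPC_C_AUTHN_LEVEL_PKT_PRIVACY;
    ai->dwImpersonationLevel = RPC_C_IMP_LEVEL_IDENTIFY;
    ai->pAuthIdentityData = NULL;    /* use the caller's own credentials */
    ai->dwCapabilities = 0;          /* no extra capabilities */
}

/* Check a blanket against a minimum policy: 0 when it passes, otherwise the BAD_*
 * bits of the failed checks. RPC_C_AUTHN_LEVEL_* values rise from NONE to PKT_PRIVACY. */
int check_blanket(const COAUTHINFO *ai, DWORD min_level, int allow_delegate)
{
    int problems = 0;
    if (ai->dwAuthnSvc == RPC_C_AUTHN_NONE)
        problems |= BAD_AUTHN;
    if (ai->dwAuthnLevel < min_level)
        problems |= BAD_LEVEL;
    if (ai->dwImpersonationLevel == RPC_C_IMP_LEVEL_DELEGATE && !allow_delegate)
        problems |= BAD_IMP;
    if (ai->dwAuthnSvc == RPC_C_AUTHN_WINNT && ai->pwszServerPrincName != NULL)
        problems |= BAD_PRINC;
    return problems;
}
```

On Windows the filled structure is what you would hang off COSERVERINFO.pAuthInfo before the activation call; the check is what you would run on any blanket built from configuration rather than constants.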