Authentication

Authentication is the process of verifying that a user with a unique name is the actual user that the name implies. This verification process is also applied to applications running in the security context of a user. Typically, authentication is implemented by giving the user a password.

Authentication of trustees can be accomplished in either of two ways. One way is to associate a trustee name with a password stored with the data store and require both name and password on the initial connection to the data source object. The second and preferred way is to use secure access tokens granted by the operating system only to authentic users. These access tokens contain a security identification descriptor (SID) that can be matched against a discretionary access control list stored in the data store. Although this is generally the preferred and most secure method, it can be more difficult to implement than the first method.

With Microsoft® Windows NT®/Windows® 2000, the data provider can authenticate trustees by using the Windows NT LAN Manager (NTLM) Security Support Provider Interface (SSPI). With Windows 2000, the provider might use the Kerberos security protocol instead of SSPI. If the provider can use SSPI or Kerberos security, the provider should implement the DBPROP_AUTH_INTEGRATED property. (A full discussion of securing objects with SSPI or Kerberos is beyond the scope of this guide. For more information, see the Access Control section of the Microsoft Platform SDK.)

The alternative to using Windows NT/Windows 2000 security is any proprietary technique for storing authorized users and groups. If the data provider uses such a technique, merely support the appropriate DBPROP_AUTH* properties in the IDBInitialize interface. The properties you support depend on the data source object. For more information on implementing the IDBInitialize interface, see IDBInitialize and OLE DB Properties in the OLE DB Programmer's Reference.