Client Authentication Credentials

Each authenticated client must provide authentication credentials to the server. Under RPC, the client stores its authentication credentials in the binding between the client and the server. To do this, the client calls RpcBindingSetAuthInfo or RpcBindingSetAuthInfoEx.

There are two types of credentials—implicit and explicit:

  • Explicit credentials exist when the client supplies username, password, and domain.
  • Implicit credentials exist when the client uses credentials from the thread or process token calling the RpcBindingSetAuthInfo or RpcBindingSetAuthInfoEx functions.

Clients should refrain from supplying explicit credentials: storing, manipulating, and retrieving a user password can introduce a security vulnerability into a distributed system.

To use implicit credentials, the client calls RpcBindingSetAuthInfo(Ex). The security system and RPC obtain credentials from the thread or process token for use in the authentication session.

If the client uses explicit credentials, the fifth parameter of these two functions is of type RPC_AUTH_IDENTITY_HANDLE. This is a flexible type that is a pointer to a data structure. The contents of the data structure can differ with each authentication service. Currently, the SSPs that RPC supports require that your application set RPC_AUTH_IDENTITY_HANDLE to point to a SEC_WINNT_AUTH_IDENTITY structure. The SEC_WINNT_AUTH_IDENTITY structure contains fields for a user name, domain, and password.