EOLE_AUTHENTICATION_CAPABILITIES enumeration (objidlbase.h)

Specifies various capabilities in CoInitializeSecurity and IClientSecurity::SetBlanket (or its helper function CoSetProxyBlanket).

Syntax

typedef enum tagEOLE_AUTHENTICATION_CAPABILITIES {
  EOAC_NONE = 0,
  EOAC_MUTUAL_AUTH = 0x1,
  EOAC_STATIC_CLOAKING = 0x20,
  EOAC_DYNAMIC_CLOAKING = 0x40,
  EOAC_ANY_AUTHORITY = 0x80,
  EOAC_MAKE_FULLSIC = 0x100,
  EOAC_DEFAULT = 0x800,
  EOAC_SECURE_REFS = 0x2,
  EOAC_ACCESS_CONTROL = 0x4,
  EOAC_APPID = 0x8,
  EOAC_DYNAMIC = 0x10,
  EOAC_REQUIRE_FULLSIC = 0x200,
  EOAC_AUTO_IMPERSONATE = 0x400,
  EOAC_DISABLE_AAA = 0x1000,
  EOAC_NO_CUSTOM_MARSHAL = 0x2000,
  EOAC_RESERVED1 = 0x4000
} EOLE_AUTHENTICATION_CAPABILITIES;

Constants

EOAC_NONE
Value: 0
Indicates that no capability flags are set.
EOAC_MUTUAL_AUTH
Value: 0x1
If this flag is specified, it will be ignored. Support for mutual authentication is automatically provided by some authentication services. See COM and Security Packages for more information.
EOAC_STATIC_CLOAKING
Value: 0x20
Sets static cloaking. When this flag is set, DCOM uses the thread token (if present) when determining the client's identity. However, the client's identity is determined on the first call on each proxy (if SetBlanket is not called) and each time CoSetProxyBlanket is called on the proxy. For more information about static cloaking, see Cloaking.

CoInitializeSecurity and IClientSecurity::SetBlanket return errors if both cloaking flags are set or if either flag is set when Schannel is the authentication service.
EOAC_DYNAMIC_CLOAKING
Value: 0x40
Sets dynamic cloaking. When this flag is set, DCOM uses the thread token (if present) when determining the client's identity. On each call to a proxy, the current thread token is examined to determine whether the client's identity has changed (incurring an additional performance cost) and the client is authenticated again only if necessary. Dynamic cloaking can be set by clients only. For more information about dynamic cloaking, see Cloaking.

CoInitializeSecurity and IClientSecurity::SetBlanket return errors if both cloaking flags are set or if either flag is set when Schannel is the authentication service.
EOAC_ANY_AUTHORITY
Value: 0x80
This flag is obsolete.
EOAC_MAKE_FULLSIC
Value: 0x100
Causes DCOM to send Schannel server principal names in fullsic format to clients as part of the default security negotiation. The name is extracted from the server certificate. For more information about the fullsic form, see Principal Names.
EOAC_DEFAULT
Value: 0x800
Tells DCOM to use the valid capabilities from the call to CoInitializeSecurity. If CoInitializeSecurity was not called, EOAC_NONE will be used for the capabilities flag. This flag can be set only by clients in a call to IClientSecurity::SetBlanket or CoSetProxyBlanket.
EOAC_SECURE_REFS
Value: 0x2
Authenticates distributed reference count calls to prevent malicious users from releasing objects that are still being used. If this flag is set, which can be done only in a call to CoInitializeSecurity by the client, the authentication level (in dwAuthnLevel) cannot be set to none.

The server always authenticates Release calls. Setting this flag prevents an authenticated client from releasing the objects of another authenticated client. It is recommended that clients always set this flag, although performance is affected because of the overhead associated with the extra security.
EOAC_ACCESS_CONTROL
Value: 0x4
Indicates that the pSecDesc parameter to CoInitializeSecurity is a pointer to an IAccessControl interface on an access control object. When DCOM makes security checks, it calls IAccessControl::IsAccessAllowed. This flag is set only by the server.

CoInitializeSecurity returns an error if both the EOAC_APPID and EOAC_ACCESS_CONTROL flags are set.
EOAC_APPID
Value: 0x8
Indicates that the pSecDesc parameter to CoInitializeSecurity is a pointer to a GUID that is an AppID. The CoInitializeSecurity function looks up the AppID in the registry and reads the security settings from there. If this flag is set, all other parameters to CoInitializeSecurity are ignored and must be zero. Only the server can set this flag. For more information about this capability flag, see the Remarks section below.

CoInitializeSecurity returns an error if both the EOAC_APPID and EOAC_ACCESS_CONTROL flags are set.
EOAC_DYNAMIC
Value: 0x10
Reserved.
EOAC_REQUIRE_FULLSIC
Value: 0x200
Causes DCOM to fail CoSetProxyBlanket calls where an Schannel principal name is specified in any format other than fullsic. This flag is currently for clients only. For more information about the fullsic form, see Principal Names.
EOAC_AUTO_IMPERSONATE
Value: 0x400
Reserved.
EOAC_DISABLE_AAA
Value: 0x1000
Causes any activation where a server process would be launched under the caller's identity (activate-as-activator) to fail with E_ACCESSDENIED. This value, which can be specified only in a call to CoInitializeSecurity by the client, allows an application that runs under a privileged account (such as LocalSystem) to help prevent its identity from being used to launch untrusted components.

An activation call that uses CLSCTX_ENABLE_AAA of the CLSCTX enumeration will allow activate-as-activator activations for that call.
EOAC_NO_CUSTOM_MARSHAL
Value: 0x2000
Specifying this flag helps protect server security when using DCOM or COM+. It reduces the chances of executing arbitrary DLLs because it allows the marshaling of only CLSIDs that are implemented in Ole32.dll, ComAdmin.dll, ComSvcs.dll, or Es.dll, or that implement the CATID_MARSHALER category ID. Any service that is critical to system operation should set this flag.
EOAC_RESERVED1
Value: 0x4000

Remarks

When the EOAC_APPID flag is set, CoInitializeSecurity looks for the authentication level under the AppID. If the authentication level is not found, it looks for the default authentication level. If the default authentication level is not found, it generates a default authentication level of connect. If the authentication level is not RPC_C_AUTHN_LEVEL_NONE, CoInitializeSecurity looks for the access permission value under the AppID. If not found, it looks for the default access permission value. If not found, it generates a default access permission. All the other security settings are determined the same way as for a legacy application.

If the AppID is NULL, CoInitializeSecurity looks up the application .exe name in the registry and uses the AppID stored there. If the AppID does not exist, the machine defaults are used.

The IClientSecurity::SetBlanket method and CoSetProxyBlanket function return an error if any of the following flags are set in the capabilities parameter: EOAC_SECURE_REFS, EOAC_ACCESS_CONTROL, EOAC_APPID, EOAC_DYNAMIC, EOAC_REQUIRE_FULLSIC, EOAC_DISABLE_AAA, or EOAC_NO_CUSTOM_MARSHAL.
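As an added example (not part of this SDK page and not Ole32's own code), the C below encodes the flag rules stated in the Constants and Remarks sections as a pre-check that a service or client can run on its capability mask before calling CoInitializeSecurity or CoSetProxyBlanket. It builds without the Windows headers: the EOAC_* and RPC_C_* values are copied from objidlbase.h and rpcdce.h, while the authn_svc parameter (the authentication service the blanket will use) and the hardened_service_caps() helper are this example's own assumptions.

```c
/* Added example: pre-check an EOLE_AUTHENTICATION_CAPABILITIES mask against the
 * rules documented for CoInitializeSecurity and IClientSecurity::SetBlanket.
 * Values copied from objidlbase.h / rpcdce.h so this builds without Windows headers. */
#include <stdint.h>

enum { EOAC_NONE = 0, EOAC_MUTUAL_AUTH = 0x1, EOAC_SECURE_REFS = 0x2,
       EOAC_ACCESS_CONTROL = 0x4, EOAC_APPID = 0x8, EOAC_DYNAMIC = 0x10,
       EOAC_STATIC_CLOAKING = 0x20, EOAC_DYNAMIC_CLOAKING = 0x40,
       EOAC_REQUIRE_FULLSIC = 0x200, EOAC_DEFAULT = 0x800,
       EOAC_DISABLE_AAA = 0x1000, EOAC_NO_CUSTOM_MARSHAL = 0x2000 };
#define RPC_C_AUTHN_LEVEL_NONE   1   /* rpcdce.h */
#define RPC_C_AUTHN_GSS_SCHANNEL 9   /* rpcdce.h */

typedef enum { CAPS_OK, CAPS_BOTH_CLOAKING, CAPS_CLOAKING_WITH_SCHANNEL,
               CAPS_APPID_AND_ACCESS_CONTROL, CAPS_SECURE_REFS_NEEDS_AUTHN,
               CAPS_NOT_ALLOWED_IN_SETBLANKET } caps_verdict;

/* Flags the Remarks section says SetBlanket / CoSetProxyBlanket reject outright. */
#define EOAC_COINITSEC_ONLY (EOAC_SECURE_REFS | EOAC_ACCESS_CONTROL | EOAC_APPID | \
    EOAC_DYNAMIC | EOAC_REQUIRE_FULLSIC | EOAC_DISABLE_AAA | EOAC_NO_CUSTOM_MARSHAL)

/* Cloaking rules shared by both APIs: never both flags, and neither with Schannel.
 * authn_svc is the authentication service the blanket will use (assumed parameter). */
static caps_verdict check_cloaking(uint32_t caps, uint32_t authn_svc) {
    uint32_t cloak = caps & (EOAC_STATIC_CLOAKING | EOAC_DYNAMIC_CLOAKING);
    if (cloak == (EOAC_STATIC_CLOAKING | EOAC_DYNAMIC_CLOAKING)) return CAPS_BOTH_CLOAKING;
    if (cloak != 0 && authn_svc == RPC_C_AUTHN_GSS_SCHANNEL) return CAPS_CLOAKING_WITH_SCHANNEL;
    return CAPS_OK;
}

/* Mirrors the errors the page lists for CoInitializeSecurity(dwAuthnLevel, dwCapabilities). */
caps_verdict check_coinitsec_caps(uint32_t caps, uint32_t authn_level, uint32_t authn_svc) {
    caps_verdict v = check_cloaking(caps, authn_svc);
    if (v != CAPS_OK) return v;
    if ((caps & EOAC_APPID) && (caps & EOAC_ACCESS_CONTROL)) return CAPS_APPID_AND_ACCESS_CONTROL;
    if ((caps & EOAC_SECURE_REFS) && authn_level == RPC_C_AUTHN_LEVEL_NONE)
        return CAPS_SECURE_REFS_NEEDS_AUTHN;
    return CAPS_OK;
}

/* Mirrors the errors the page lists for IClientSecurity::SetBlanket / CoSetProxyBlanket. */
caps_verdict check_setblanket_caps(uint32_t caps, uint32_t authn_svc) {
    if (caps & EOAC_COINITSEC_ONLY) return CAPS_NOT_ALLOWED_IN_SETBLANKET;
    return check_cloaking(caps, authn_svc);
}

/* Mask a privileged, system-critical service would pass: authenticated reference
 * counting, no activate-as-activator, no arbitrary custom marshalers. Assumed helper. */
uint32_t hardened_service_caps(void) {
    return EOAC_SECURE_REFS | EOAC_DISABLE_AAA | EOAC_NO_CUSTOM_MARSHAL;
}
```

The check is a local mirror of the documented rules, not a substitute for inspecting the HRESULT the real calls return.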

Requirements

Requirement                Value
Minimum supported client   Windows 2000 Professional [desktop apps only]
Minimum supported server   Windows 2000 Server [desktop apps only]
Header                     objidlbase.h (include Objidl.h)

See also

CoInitializeSecurity

CoSetProxyBlanket

IAccessControl

IClientSecurity::SetBlanket