COM Authentication
4/8/2010
Authentication is the process of verifying the identity of a user, based on the established credentials of the user (typically a user name and password). Windows Embedded CE uses the NTLM protocol (RPC_C_AUTHN_WINNT) to authenticate callers. This is the default authentication service for Component Object Model (COM) over Windows NT. However, there are some differences in the way Windows Embedded CE uses the authentication service.
Note
For Windows Mobile: For information about differences between the COM implementation available for Windows Mobile devices and that available for Windows Embedded CE devices, see COM and DCOM in Windows Mobile Devices.
Authentication Levels
Windows NT supports several levels of authentication for COM objects. For example, authentication can be disabled, or authentication can take place each time the client establishes a connection with the server, each time the client calls, or each time the client and the server exchange a packet of data.
Windows Embedded CE supports only two of these levels: authentication disabled (RPC_C_AUTHN_LEVEL_NONE) and authentication at the connect level (RPC_C_AUTHN_LEVEL_CONNECT). At the connect level, DCOM authenticates the client once, the first time it calls the server over a connection. If the client passes that check, no further authentication takes place on subsequent calls over the same connection. Note what this does not give you: the per-call, per-packet, packet-integrity and packet-privacy levels available on Windows NT are not offered, so the data carried by later calls is neither integrity-protected nor encrypted by the authentication service.
A DCOM object on Windows Embedded CE can make outgoing calls at any authentication level, but incoming calls never arrive with a level higher than RPC_C_AUTHN_LEVEL_CONNECT. A server on Windows Embedded CE therefore only ever sees RPC_C_AUTHN_LEVEL_NONE or RPC_C_AUTHN_LEVEL_CONNECT on incoming calls, and must not demand a higher level from its callers.
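The level rules above, as an added example that is not part of the original page: a small portable C++ model of a Windows Embedded CE server running at RPC_C_AUTHN_LEVEL_CONNECT. When not building on Windows, the RPC_C_AUTHN_LEVEL_* values are assumed to mirror the Windows SDK header rpcdce.h; the verdict table standing in for the NTLM exchange, the principal names, and the CeEffectiveIncomingLevel and CeConnectLevelServer names are all constructed for the example. On a real Windows target the process-wide level is set with CoInitializeSecurity, which this model does not call.

```cpp
#include <cstdio>
#include <map>
#include <string>
#include <utility>

#ifdef _WIN32
#include <windows.h>   // real RPC_C_AUTHN_LEVEL_* definitions on a Windows build
#else
// Assumption: these mirror the values in the Windows SDK header rpcdce.h so the
// model also compiles on non-Windows hosts.
enum : unsigned long {
    RPC_C_AUTHN_LEVEL_DEFAULT       = 0,
    RPC_C_AUTHN_LEVEL_NONE          = 1,
    RPC_C_AUTHN_LEVEL_CONNECT       = 2,
    RPC_C_AUTHN_LEVEL_CALL          = 3,
    RPC_C_AUTHN_LEVEL_PKT           = 4,
    RPC_C_AUTHN_LEVEL_PKT_INTEGRITY = 5,
    RPC_C_AUTHN_LEVEL_PKT_PRIVACY   = 6
};
#endif

// On Windows Embedded CE an incoming call never carries a level above CONNECT.
// Assumption for this model: DEFAULT (let COM choose) resolves to CONNECT, the
// strongest level the platform offers; anything stronger is reported as CONNECT.
unsigned long CeEffectiveIncomingLevel(unsigned long requested) {
    if (requested == RPC_C_AUTHN_LEVEL_DEFAULT) return RPC_C_AUTHN_LEVEL_CONNECT;
    if (requested > RPC_C_AUTHN_LEVEL_CONNECT)  return RPC_C_AUTHN_LEVEL_CONNECT;
    return requested;  // NONE or CONNECT
}

// Model of a CE COM server running at RPC_C_AUTHN_LEVEL_CONNECT: the caller is
// authenticated once, the first time a connection is used, and the verdict is
// bound to that connection. Later calls on the same connection are not
// re-checked, which is what CONNECT level means (and also why the data of those
// later calls gets no integrity or privacy protection from the service).
class CeConnectLevelServer {
public:
    // Constructed stand-in for the NTLM exchange: the server is told whether the
    // principal proved possession of its password, never the password itself.
    explicit CeConnectLevelServer(std::map<std::string, bool> authn_verdicts)
        : verdicts_(std::move(authn_verdicts)) {}

    // Dispatch one call. Returns true when the call is admitted.
    bool Call(int connection_id, const std::string& principal, unsigned long requested_level) {
        unsigned long level = CeEffectiveIncomingLevel(requested_level);
        if (level == RPC_C_AUTHN_LEVEL_NONE) {
            return false;  // the server requires CONNECT; unauthenticated calls are refused
        }
        auto it = sessions_.find(connection_id);
        if (it == sessions_.end()) {
            // First call on this connection: run the (modelled) NTLM check exactly once.
            ++authn_checks_;
            auto v = verdicts_.find(principal);
            bool ok = (v != verdicts_.end()) && v->second;
            it = sessions_.emplace(connection_id, ok).first;
        }
        return it->second;  // cached verdict for this connection
    }

    // How many credential checks actually ran; makes the once-per-connection rule visible.
    int AuthnChecks() const { return authn_checks_; }

private:
    std::map<std::string, bool> verdicts_;
    std::map<int, bool> sessions_;   // connection id -> authenticated?
    int authn_checks_ = 0;
};

int main() {
    // Constructed sample: "alice" can authenticate, "mallory" cannot.
    CeConnectLevelServer server({{"alice", true}, {"mallory", false}});
    bool a1 = server.Call(1, "alice",   RPC_C_AUTHN_LEVEL_PKT_PRIVACY); // clamped to CONNECT
    bool a2 = server.Call(1, "alice",   RPC_C_AUTHN_LEVEL_CONNECT);     // same connection, no second check
    bool m1 = server.Call(2, "mallory", RPC_C_AUTHN_LEVEL_CONNECT);     // checked once, refused
    bool n1 = server.Call(3, "alice",   RPC_C_AUTHN_LEVEL_NONE);        // refused without a check
    std::printf("alice:%d alice again:%d mallory:%d unauthenticated:%d checks run:%d\n",
                a1, a2, m1, n1, server.AuthnChecks());
    return 0;
}
```

The check count is the point: a connection is authenticated once, and every later call on it rides on that verdict. A CE server that insisted on RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher would reject every caller, because no incoming call on Windows Embedded CE can carry that level.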
Impersonation
NTLM is a challenge-response exchange: the client proves possession of the password without transmitting it, so the server does not obtain the user's credentials. On Windows NT, once a user is authenticated and connected to an object, the object runs with the security credentials of the connected client, of the interactive user, or of an explicitly specified user account. The credentials the object acquires in this way (a process called "impersonation") determine what system resources the object can access.
Because Windows Embedded CE provides no access control mechanism for individual objects, impersonation is not supported: a server object does not take on the identity of its caller, and an authenticated user has access to all system resources except those protected by the Windows Embedded CE trust level.
See Also
Concepts
COM and DCOM Security
COM Access Control
DCOM Security Configuration Utility
Developing Secure ActiveX Controls
COM and DCOM Registry Settings