Authentication in COM+
Authentication is the process of determining that callers are actually who they say they are—verifying the authenticity of a claim of identity. In general, this can be done by both server and client, each authenticating the other. But it is especially important for a server application that is authorizing clients, as with role-based security, to do authentication as well. Authenticating clients is a prerequisite for a meaningful authorization policy because if you don't know for certain that the client identity you are checking is authentic, your application is basically relying on the honor system.
For COM+ applications, you can turn on and configure authentication administratively, after which it works transparently. You specify an authentication level administratively by using the Component Services administrative tool or the Administrative SDK functions.
For a COM+ server application, you can choose from several authentication levels that provide varying degrees of security, ranging from no authentication to encryption of every packet and all method call parameters. Higher security comes with some performance cost, however, which you should take into consideration when configuring your application. COM+ negotiates between the authentication level specified by client and server and uses the more secure of the two. This enables you to administratively control the minimum authentication level from the server side alone.
Note: You should never specify an authentication level programmatically by using CoInitializeSecurity within a COM+ application. COM+ calls CoInitializeSecurity for you, and this can be called only once per process.
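The administrative route described above, as an added example that is not part of the original page: a PowerShell script that uses the COM+ Administration SDK catalog (COMAdmin.COMAdminCatalog) to report every server application whose Authentication property sits below a chosen minimum and, only when asked, raises it. It assumes an elevated session on a machine with the COM+ catalog, and the level numbers are those of the COMAdminAuthenticationLevelOptions enumeration.

```powershell
# Added example (not the page's own code): audit, and optionally raise, the
# authentication level of COM+ server applications through the Administration SDK.
# Assumes an elevated PowerShell session with access to the COM+ catalog.
param(
    [int]$MinimumLevel = 6,   # 6 = Packet Privacy (COMAdminAuthenticationPrivacy)
    [switch]$Fix               # without -Fix the script only reports
)

# Values of the "Authentication" application property (COMAdminAuthenticationLevelOptions)
$levelNames = @{
    0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call'
    4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy'
}

$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $catalog.GetCollection('Applications')
$apps.Populate()

$changed = 0
Write-Output ("{0,-40} {1}" -f 'Server application', 'Authentication')
foreach ($app in $apps) {
    # Activation 1 = server application (own process); 0 = library application,
    # whose authentication is largely controlled by its host, so it is skipped here.
    if ($app.Value('Activation') -ne 1) { continue }

    $level = [int]$app.Value('Authentication')
    $name  = $app.Value('Name')
    # 'Default' (0) means the application does not pin a level of its own;
    # report it for review together with anything below the chosen minimum.
    if ($level -eq 0 -or $level -lt $MinimumLevel) {
        Write-Output ("{0,-40} {1}" -f $name, $levelNames[$level])
        if ($Fix) {
            $app.Value('Authentication') = $MinimumLevel
            $changed++
        }
    }
}

if ($Fix -and $changed -gt 0) {
    # Nothing is written to the catalog until SaveChanges; COM+ uses the new
    # level for subsequent activations of the application.
    $apps.SaveChanges() | Out-Null
    Write-Output "Updated $changed application(s) to $($levelNames[$MinimumLevel])."
}
```

Because COM+ negotiates the higher of the client and server levels, raising the server side to Packet Privacy is enough to enforce that minimum for every caller.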
For a COM+ library application, authentication is largely controlled by the hosting process. However, you can configure the library application so that it does not participate in authentication. That is, calls into the application can be authenticated or unauthenticated, and in the latter case, authentication of clients always succeeds. For information about this, see Library Application Security.
For a description of authentication levels, see Authentication Level.
For step-by-step instructions for setting the authentication of COM+ server and library applications, see Setting Authentication in COM+.