Mutual Authentication in RPC Applications

RPC services can use service connection points to publish themselves, or they can use the RPC name service (RpcNs) APIs. This topic discusses how to perform mutual authentication with an RPC service that publishes itself using the RPC name service (RpcNs) APIs.

To register an SPN in the directory

  1. Call the DsGetSpn function to compose a service principal name (SPN) for the service.
  2. Call the DsWriteAccountSpn function to register the SPN on the service account or computer account in whose context the service will run.

To register a service with the RPC naming service

  1. Verify that the appropriate SPNs are registered on the account under which the service is running. For more information, see Logon Account Maintenance Tasks.
  2. Call the RpcServerRegisterAuthInfo function to register the service SPN with the RPC authentication service, and specify RPC_C_AUTHN_GSS_NEGOTIATE as the authentication service to use.

For more information about performing mutual authentication in an RPC service, see Writing an Authenticated SSPI Server.

To authenticate the service from the client

  1. Extract the host name from the RPC Binding.
  2. Compose the SPN for the service by calling the DsMakeSpn function with the service class, the DNS host name, and the service name, which in the case of RpcNs is the distinguished name of the connection point.

    For more information about composing an SPN for an RpcNs service, see Composing SPNs for an RpcNs Service.

  3. Set up an RPC_SECURITY_QOS structure to request mutual authentication.
  4. Call the RpcBindingSetAuthInfoEx function to set the authentication data for the RPC binding. The client must request at least RPC_C_AUTHN_LEVEL_PKT_INTEGRITY to ensure that communications have not been tampered with. For increased security, the client should specify RPC_C_AUTHN_LEVEL_PKT_PRIVACY to request encryption as well.
  5. Perform the RPC call.

For more information about performing mutual authentication in an RPC client, see Writing an Authenticated SSPI Client.

To authenticate the client from the service

  1. Call the RpcBindingInqAuthClient function to verify the authentication parameters specified by the client. If the client has not requested the desired level of authentication, reject the call. Be aware that an RPC service must verify the authentication level, authentication service, and client identity on every call to ensure that the client has been properly authenticated.
  2. Call the RpcImpersonateClient function to impersonate the client.
  3. Perform the requested operation.
  4. Call the RpcRevertToSelf function to revert to the service security context.
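
The per-call check that step 1 above requires, written out as an added example (not code from the page or the Windows SDK). The constants carry their rpcdce.h values but are redefined here so the policy compiles without the RPC runtime; the inquired_auth struct stands in for the values RpcBindingInqAuthClient would report, and CONTOSO\alice is a constructed client name.

```c
/* Added example: decide, for one incoming call, whether the authentication
 * parameters the client negotiated meet the service's requirements. Only after
 * this returns true should the service go on to RpcImpersonateClient. */
#include <stdbool.h>
#include <stddef.h>

/* rpcdce.h values, redefined so this compiles without the RPC headers */
#define RPC_C_AUTHN_LEVEL_NONE          1
#define RPC_C_AUTHN_LEVEL_CONNECT       2
#define RPC_C_AUTHN_LEVEL_CALL          3
#define RPC_C_AUTHN_LEVEL_PKT           4
#define RPC_C_AUTHN_LEVEL_PKT_INTEGRITY 5
#define RPC_C_AUTHN_LEVEL_PKT_PRIVACY   6
#define RPC_C_AUTHN_GSS_NEGOTIATE       9
#define RPC_C_AUTHN_WINNT               10

/* Stand-in for what RpcBindingInqAuthClient reports (constructed here) */
struct inquired_auth {
    unsigned long authn_level;  /* RPC_C_AUTHN_LEVEL_* the client negotiated */
    unsigned long authn_svc;    /* RPC_C_AUTHN_* package the client used */
    const char   *client_name;  /* authenticated identity, NULL when anonymous */
};

/* The package the service registered with RpcServerRegisterAuthInfo */
static const unsigned long REGISTERED_AUTHN_SVC = RPC_C_AUTHN_GSS_NEGOTIATE;

/* Returns true when the call may proceed; false means reject the call.
 * min_level is the lowest acceptable level; the page requires at least
 * RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, or PKT_PRIVACY when encryption is needed. */
bool accept_call(const struct inquired_auth *a, unsigned long min_level)
{
    if (a == NULL)
        return false;
    /* Only the registered package; it is the one mutual auth was set up for */
    if (a->authn_svc != REGISTERED_AUTHN_SVC)
        return false;
    /* Anything below PKT_INTEGRITY leaves call data open to tampering */
    if (min_level < RPC_C_AUTHN_LEVEL_PKT_INTEGRITY || a->authn_level < min_level)
        return false;
    /* An authenticated identity must be present before impersonating it */
    if (a->client_name == NULL || a->client_name[0] == '\0')
        return false;
    return true;
}
```

Checking every call, as the page requires, means this runs at the top of each RPC procedure rather than once per binding.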

For more information about RPC client impersonation, see Client Impersonation.

For more information, see: