Authentication is the process of verifying the identity of a user, based on the established credentials of the user (typically a user name and password). Windows CE uses the NTLM protocol (RPC_C_AUTHN_WINNT) to authenticate callers. This is the default authentication service for COM over Windows NT. However, there are some differences in the way Windows CE uses the authentication service.

Authentication Levels

Windows NT supports several levels of authentication for COM objects. For example, authentication can be disabled, or authentication can take place each time the client establishes a connection with the server, each time the client calls, or each time the client and the server exchange a packet of data. Windows CE supports disabling authentication (RPC_C_AUTHN_LEVEL_NONE) and authentication at the connectlevel (RPC_C_AUTHN_LEVEL_CONNECT) only. At the connectlevel, DCOM does an authentication check the first time a client calls the server. If the client passes the check, no further authentication takes place on subsequent calls.

A DCOM object on Windows CE can make calls at any authentication level, but incoming calls will never arrive with an authentication level that is higher than "CONNECT" (RPC_C_AUTHN_LEVEL_NONE or RPC_C_AUTHN_LEVEL_CONNECT).

Impersonation

NTLM authentication is done without transferring the credentials of the user, which means that the server does not have access to the user name or password. On Windows NT, when a user is authenticated and connected to an object, the object runs with security credentials that belong to either a connected client, an interactive user, or an explicitly specified user account The security credentials that the object acquires in this process (called "impersonation") control the access of the object to system resources.

Because Windows CE does not provide access to control mechanisms for individual objects, impersonation is not supported, and the user has access to all system resources, except as protected by the Windows CE trust level.

Authentication on a Windows CE Server

NTLM was designed to use the security credentials that are established with the domain controller whenever a user logs on to an NT domain (or to another domain that has an established trust relationship with an NT domain). When a Windows CE client is connected by a network to an NT domain, authentication can proceed normally. However, in a mobile environment, the Windows NT domain controller might not be available, or the network might not even have a Windows NT-based server.

In order to allow controlled access to a Windows CE-based server, you can create a local database of user names and passwords, which NTLM can use for verifying credentials. Use of this database, in lieu of the Windows NT domain controller, is invisible to clients.

Windows CE 3.0 provides three APIs for creating and managing a local security database:

NTLMEnumUserreturns the registered user name for any given index into the database.

NTLMSetUserInfocreates a user entry in the database (if none exists) and changes the information in that entry.

NTLMDeleteUserremoves a user from the database.

These APIs are exported by NTLMSSP.dll.

BOOL SEC_ENTRY NTLMEnumUser( IN DWORD index,//
0,1,2.. OUT LPTSTR pszUser, // returns the registered user name IN
OUT LPDWORD pcchUser // in - size of buffer in characters, out -
length used in characters ); BOOL SEC_ENTRY NTLMSetUserInfo( IN
LPTSTR pszUser, // user name ( will be be created if it does not
exist) IN LPTSTR pszPassword // password (maximum 15 characters) );
BOOL SEC_ENTRY ( IN LPTSTR pszUser // user name to delete );

To select between local and network-based NTLM, there is a registry key.

HKEY_LOCAL_MACHINE\Comm\Redir\DefaultDomain=" DomainName"

If the DefaultDomainregistry key is present, NTLM pass-through authentication is used. Otherwise, NTLM falls back to the local database of users.