1.3.4 Security

The protocol offers the capability to send a collection of security identities and other security information along an ORPC call chain; each element in the collection represents a caller in the ORPC call chain. At any point in the call chain, an object can query, in an implementation-specific manner, the following security attributes associated with each upstream caller:

  • The caller's identity (specified by a security identifier (SID) or Windows NT operating system account name).

  • The authentication service of the call.

  • The authentication level of the call.

  • The impersonation level of the call.

In addition, an object in the call chain can query the minimum authentication level used across the entire call chain, which bounds what the chain as a whole proves about the caller.
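The following is an added illustration, not code from the specification or from any Microsoft implementation: it models the per-caller security collection described above and shows why an object should consult the minimum authentication level across the whole chain rather than only its direct caller's. The numeric constants are the standard RPC authentication-level, impersonation-level and authentication-service values (RPC_C_AUTHN_LEVEL_*, RPC_C_IMP_LEVEL_*, RPC_C_AUTHN_*); the `authorize` policy, the class names and the sample chain are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# RPC authentication levels (RPC_C_AUTHN_LEVEL_*); higher is stronger.
AUTHN_LEVEL_NONE = 1
AUTHN_LEVEL_CONNECT = 2
AUTHN_LEVEL_CALL = 3
AUTHN_LEVEL_PKT = 4
AUTHN_LEVEL_PKT_INTEGRITY = 5
AUTHN_LEVEL_PKT_PRIVACY = 6

# RPC impersonation levels (RPC_C_IMP_LEVEL_*).
IMP_LEVEL_ANONYMOUS = 1
IMP_LEVEL_IDENTIFY = 2
IMP_LEVEL_IMPERSONATE = 3
IMP_LEVEL_DELEGATE = 4

# Two common RPC authentication services (RPC_C_AUTHN_*).
AUTHN_WINNT = 10
AUTHN_GSS_KERBEROS = 16

_SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def is_sid(identity: str) -> bool:
    """True if the identity is in SID string form rather than DOMAIN\\account form."""
    return bool(_SID_RE.match(identity))


@dataclass(frozen=True)
class CallerEntry:
    """One element of the chain: the four attributes the text says an object can query."""
    identity: str        # SID string or Windows NT account name
    authn_service: int
    authn_level: int
    imp_level: int


@dataclass(frozen=True)
class SecurityCallChain:
    """Ordered callers, oldest first; the last entry is the direct caller (model, not wire format)."""
    callers: Tuple[CallerEntry, ...] = ()

    def with_hop(self, entry: CallerEntry) -> "SecurityCallChain":
        # Each hop appends itself, so the receiving object sees every upstream caller.
        return SecurityCallChain(self.callers + (entry,))

    def direct_caller(self) -> Optional[CallerEntry]:
        return self.callers[-1] if self.callers else None

    def minimum_authn_level(self) -> int:
        # The weakest hop bounds what the whole chain proves; an empty chain proves nothing.
        if not self.callers:
            return AUTHN_LEVEL_NONE
        return min(c.authn_level for c in self.callers)


def authorize(chain: SecurityCallChain, required_level: int) -> Tuple[bool, str]:
    """Hypothetical policy: every hop, not just the direct caller, must meet required_level."""
    direct = chain.direct_caller()
    if direct is None:
        return False, "no caller information in chain"
    weakest = chain.minimum_authn_level()
    if weakest < required_level:
        offenders = [c.identity for c in chain.callers if c.authn_level < required_level]
        return False, f"chain minimum authn level {weakest} below {required_level}: {offenders}"
    return True, f"direct caller {direct.identity} and {len(chain.callers) - 1} upstream hop(s) ok"


# Constructed sample chain (not from the specification): a user reaches object A with only
# connect-level authentication, then A calls object B over a packet-privacy connection.
EMPTY = SecurityCallChain()
HOP1 = CallerEntry("S-1-5-21-1111-2222-3333-1001", AUTHN_WINNT,
                   AUTHN_LEVEL_CONNECT, IMP_LEVEL_IDENTIFY)
HOP2 = CallerEntry(r"CORP\svc-middle-tier", AUTHN_GSS_KERBEROS,
                   AUTHN_LEVEL_PKT_PRIVACY, IMP_LEVEL_IMPERSONATE)
SAMPLE_CHAIN = EMPTY.with_hop(HOP1).with_hop(HOP2)

if __name__ == "__main__":
    print("direct caller:", SAMPLE_CHAIN.direct_caller())
    print("minimum authn level:", SAMPLE_CHAIN.minimum_authn_level())
    print(authorize(SAMPLE_CHAIN, AUTHN_LEVEL_PKT_INTEGRITY))
```

In the sample, object B's direct caller arrives at packet privacy, so a check of the direct caller alone passes; the chain minimum is connect level because of the first hop, and a policy that requires packet integrity rejects the call. The `is_sid` helper only distinguishes the two identity forms the text mentions; translating a SID to an account name is left to the implementation, as the text describes.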

The protocol uses the security context property to send security information in ORPC calls as described in section 1.3.1.3. When an object is marshaled, the protocol uses the security envoy property (section 2.2.4.2) as described in section 1.3.1.2 to send information about the domain and computer of the object. The protocol uses this information to translate SIDs to Windows NT account names when sending the security identity of the caller in cross-computer and cross-domain ORPC calls.