2.1 Transport

The Distributed Component Object Model (DCOM) Remote Protocol [MS-DCOM] is used as the transport protocol.

The Windows Client Certificate Enrollment Protocol uses DCOM to create and use DCOM object references to server objects.

Windows Client Certificate Enrollment Protocol clients initialize a connection to the Windows Client Certificate Enrollment Protocol server by creating and executing a DCOM activation request. As a result of this DCOM activation, the Windows Client Certificate Enrollment Protocol client can use the DCOM client to call the methods specified in this document. The activation process is detailed in [MS-DCOM] section 3.2.4.

The RPC version number for all interfaces MUST be 0.0.

[MS-DCOM] section 3.2.4.1 specifies the various elements that an application using DCOM passes to the DCOM client as part of the initial activation request. Below are the values that the Windows Client Certificate Enrollment Protocol sends to the DCOM layer.

General DCOM settings:

  • Remote server name: the application-supplied remote server name as specified in [MS-DCOM] section 3.2.4.2. The Windows Client Certificate Enrollment Protocol client sends the name of the CA server.

  • Class identifier (CLSID) of the object requested. This value is implementation-specific.

  • Interface identifier(s) (IID) of interface(s) requested (see section 1.9).

Security settings ([MS-DCOM] section 3.2.4.1.1.2):

  • Security provider: RPC_C_AUTHN_GSS_NEGOTIATE (9).

  • Authentication level: SHOULD be set to RPC_C_AUTHN_LEVEL_PKT_PRIVACY (0x06).

    Windows clients typically set the authentication level to RPC_C_AUTHN_LEVEL_PKT_PRIVACY (0x06).<6>

    If a certificate authority (CA) server has IF_ENFORCEENCRYPTICERTREQUEST set (section 3.2.1.1.4) and the RPC_C_AUTHN_LEVEL_PKT_PRIVACY (0x06) authentication level ([MS-RPCE] section 2.2.1.1.8) is not specified by the client for certificate-request operations, the CA MUST deny a connection to the client and return a non-zero error. If a CA server has IF_ENFORCEENCRYPTICERTADMIN set (section 3.2.1.1.4) and the RPC_C_AUTHN_LEVEL_PKT_PRIVACY (0x06) authentication level is not specified by the client for certificate administrative operations, the CA MUST deny a connection to the client and return a non-zero error.<7> <8>

    As a result of the security provider and authentication level used, the client and server security providers negotiate an authentication method, which is either NTLM, as specified in [MS-NLMP], or Kerberos, as specified in [RFC4120] and [MS-KILE].

  • Impersonation level: RPC_C_IMP_LEVEL_IMPERSONATE (3).

    This means the server can use the client's security context while acting on behalf of the client, to access local resources such as files on the server.

  • Authentication identity and credentials: NULL.

Passing NULL authentication identity and credentials for the RPC_C_AUTHN_GSS_NEGOTIATE security provider means that the ORPC call uses the identity and credentials of the higher-layer application.

Default values, as specified in [MS-DCOM], are used for all DCOM inputs not specified above, such as Security Principal Name (SPN), client and prototype context property buffers, and their context property identifiers.
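The CA-side enforcement rule described under the authentication level setting above, as an added model (not code from the specification or from Windows): it assumes the InterfaceFlags bit values for IF_ENFORCEENCRYPTICERTREQUEST and IF_ENFORCEENCRYPTICERTADMIN and the lower [MS-RPCE] authentication levels, and it classifies constructed connection attempts so an operator can see which clients a given flag combination would reject and which it would accept without wire encryption.

```python
from enum import IntEnum


# RPC authentication levels, [MS-RPCE] 2.2.1.1.8. PKT_PRIVACY (0x06) is the
# value the section cites; the lower values are assumed from the same table.
class AuthnLevel(IntEnum):
    DEFAULT = 0
    NONE = 1
    CONNECT = 2
    CALL = 3
    PKT = 4
    PKT_INTEGRITY = 5
    PKT_PRIVACY = 6


# CA InterfaceFlags bits, [MS-WCCE] 3.2.1.1.4 (assumed values, check the spec).
IF_ENFORCEENCRYPTICERTREQUEST = 0x00000200
IF_ENFORCEENCRYPTICERTADMIN = 0x00000400

# Which flag governs which class of DCOM operation.
ENFORCE_BIT = {
    "request": IF_ENFORCEENCRYPTICERTREQUEST,  # certificate-request operations
    "admin": IF_ENFORCEENCRYPTICERTADMIN,      # certificate administrative operations
}


def ca_accepts(interface_flags: int, operation: str, level: int) -> bool:
    """True if the CA lets the connection through.

    The CA MUST deny the connection when the enforce flag for the operation
    class is set and the client did not negotiate RPC_C_AUTHN_LEVEL_PKT_PRIVACY.
    """
    if operation not in ENFORCE_BIT:
        raise ValueError(f"unknown operation class: {operation!r}")
    enforced = bool(interface_flags & ENFORCE_BIT[operation])
    return not (enforced and level != AuthnLevel.PKT_PRIVACY)


def audit(interface_flags: int, attempts):
    """Sort (client, operation, level) attempts into denied / accepted-unencrypted / ok."""
    result = {"denied": [], "accepted_unencrypted": [], "ok": []}
    for client, operation, level in attempts:
        if not ca_accepts(interface_flags, operation, level):
            result["denied"].append(client)
        elif level < AuthnLevel.PKT_PRIVACY:  # authenticated, but traffic is not encrypted
            result["accepted_unencrypted"].append(client)
        else:
            result["ok"].append(client)
    return result


# Constructed sample: the CA enforces privacy for requests only, not for admin calls.
SAMPLE_FLAGS = IF_ENFORCEENCRYPTICERTREQUEST
SAMPLE_ATTEMPTS = [
    ("ws01", "request", AuthnLevel.PKT_PRIVACY),
    ("ws02", "request", AuthnLevel.PKT_INTEGRITY),
    ("mgmt01", "admin", AuthnLevel.CONNECT),
]
```

Running `audit(SAMPLE_FLAGS, SAMPLE_ATTEMPTS)` shows the gap the enforce flags close: with only the request flag set, `mgmt01` reaches the admin interface at CONNECT level, so its calls are accepted without packet encryption.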