Authentication Level

The authentication level controls how much security a client or server wants from its SSP. The authentication level is set by passing an appropriate RPC_C_AUTHN_LEVEL_xxx value to CoInitializeSecurity or CoSetProxyBlanket through the dwAuthnLevel parameter. The authentication levels from the client and server are compared during the handshake, and the higher level security protection setting is used for the connection.

The different authentication levels are described as follows, from lowest level security protection to highest:


No authentication is performed during the communication between client and server. All security settings are ignored. This authentication level can be set only if the authentication service level is RPC_C_AUTHN_NONE.


COM chooses the authentication level by using its normal security blanket negotiation. It will never choose an authentication level of None.


The normal authentication handshake occurs between the client and server, and a session key is established but that key is never used for communication between the client and server. All communication after the handshake is nonsecure.


Only the headers of the beginning of each call are signed. The rest of the data exchanged between the client and server is neither signed nor encrypted. Most SSPs do not support this authentication level and silently promote it to Packet.


The header of each packet is signed but not encrypted. The packets themselves are not signed or encrypted.


Each packet of data is signed in its entirety but is not encrypted. Because all of the data is signed by the sender, the recipient can be certain that none of the data has been tampered with during transit.


Each data packet is signed and encrypted. This helps protect the entire communication between the client and server.