Default Server Authentication Steps

The default model for server authentication consists of the following steps:

1. The server specifies a server-specific keytab file and server-specific principal name when it calls rpc_server_register_auth_info().

2. The server acquires valid credentials for its server-specific identity via a series of sec API calls.

3. The server does periodic key management by establishing a separate thread that calls sec_key_mgmt_manage_key(). This keeps the server's key up to date according to local key management policies and thus prevents the server from becoming inoperable because of an expired key.

4. The server contains code to check and, if necessary, revalidate and recertify its credentials when undertaking operations that require valid credentials (such as name service export and unexport operations).

The following sample functions, reproduced from the sample DCE application documented in full in A Sample Application, implement credential acquisition, credential revalidation, and key management.

In order to save space and to improve the readability of the text, the code shown below has been slightly edited: all status checks, and all calls to the DCE serviceability interface (to print or log status or informational messages), have been removed.

More:

The managekey Routine

The server_get_identity Routine

The server_renew_identity Routine