Name-Based Authorization

The Kerberos authentication service, upon which the DCE shared-secret authentication protocol is based, authenticates the string name representation of a principal. The DCE Security Service converts these string representations to UUIDs, and it is these UUIDs that an ACL manager uses to make authorization decisions. However, since some existing (non-DCE) applications implement Kerberos authentication, DCE security supports an authorization protocol based on principal string names: name-based authorization.

It is assumed that applications that use name-based authorization have their own means of associating string names with permissions, since the DCE Security Service offers no such facility. In name-based authorization there is no UUID representation of privilege attribute data, and DCE ACL managers recognize only UUIDs; consequently, when an application uses name-based authorization, a principal's privilege attributes are represented as an anonymous PAC. Such PAC data can match only the ACL entry types other_obj, foreign_other, or any_other, and the resulting permissions are further masked by the unauthenticated mask.

Also note that there is essentially no intercell security for an application that uses the name-based authorization protocol because such applications never communicate with the privilege service, which evaluates intercell trust.
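The following is an added illustration, not DCE code, of the authorization consequence described above: a simplified model of an ACL manager that, for an anonymous PAC, consults only the other_obj, foreign_other and any_other entries and then intersects the result with the unauthenticated mask, while an authenticated PAC with UUIDs can match user and group entries. The entry-type names follow DCE; the evaluation order, the data layout, the UUID strings (all constructed placeholders), and the rule that a missing unauthenticated entry grants nothing are modelling assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# DCE ACL entry types named in the text, plus user/group for contrast.
USER, GROUP, OTHER_OBJ, FOREIGN_OTHER, ANY_OTHER, UNAUTHENTICATED = (
    "user", "group", "other_obj", "foreign_other", "any_other", "unauthenticated",
)


@dataclass(frozen=True)
class AclEntry:
    kind: str
    perms: FrozenSet[str]
    key: Optional[str] = None  # principal/group UUID, or cell UUID for foreign_other


@dataclass(frozen=True)
class Pac:
    """Privilege attributes as seen by the ACL manager.

    anonymous=True models name-based authorization: the Kerberos string name
    was authenticated, but no principal or group UUIDs are available, so the
    PAC carries nothing a user or group entry could be compared against."""
    anonymous: bool = False
    principal_uuid: Optional[str] = None
    cell_uuid: Optional[str] = None
    group_uuids: FrozenSet[str] = frozenset()


def _index(acl: List[AclEntry]) -> Dict[str, List[AclEntry]]:
    by_kind: Dict[str, List[AclEntry]] = {}
    for entry in acl:
        by_kind.setdefault(entry.kind, []).append(entry)
    return by_kind


def effective_perms(acl: List[AclEntry], pac: Pac, local_cell: str) -> FrozenSet[str]:
    """Return the permissions the (simplified) ACL manager grants to pac."""
    by_kind = _index(acl)

    def first(kind: str, key: Optional[str] = None) -> Optional[FrozenSet[str]]:
        for entry in by_kind.get(kind, []):
            if key is None or entry.key == key:
                return entry.perms
        return None

    # Modelling assumption: no unauthenticated entry means an empty mask.
    unauth_mask = first(UNAUTHENTICATED) or frozenset()
    is_local = pac.cell_uuid in (None, local_cell)

    if pac.anonymous:
        # Name-based authorization: only other_obj / foreign_other / any_other
        # can match, and the result is masked by the unauthenticated mask.
        perms = first(OTHER_OBJ) if is_local else first(FOREIGN_OTHER, pac.cell_uuid)
        if perms is None:
            perms = first(ANY_OTHER) or frozenset()
        return perms & unauth_mask

    # Authenticated (UUID-bearing) PAC: the most specific entry wins.
    perms = first(USER, pac.principal_uuid)
    if perms is None:
        matched = [e.perms for e in by_kind.get(GROUP, []) if e.key in pac.group_uuids]
        if matched:
            perms = frozenset().union(*matched)
    if perms is None:
        perms = first(OTHER_OBJ) if is_local else first(FOREIGN_OTHER, pac.cell_uuid)
    if perms is None:
        perms = first(ANY_OTHER) or frozenset()
    return perms


# Constructed sample ACL; the UUID strings are placeholders, not real DCE UUIDs.
LOCAL_CELL = "uuid-cell-a"
SAMPLE_ACL = [
    AclEntry(USER, frozenset("rwc"), key="uuid-alice"),
    AclEntry(GROUP, frozenset("rw"), key="uuid-staff"),
    AclEntry(OTHER_OBJ, frozenset("rw")),
    AclEntry(FOREIGN_OTHER, frozenset("r"), key="uuid-cell-b"),
    AclEntry(ANY_OTHER, frozenset("r")),
    AclEntry(UNAUTHENTICATED, frozenset("r")),
]


def demo() -> Dict[str, FrozenSet[str]]:
    """Compare the same ACL as seen by a UUID-bearing PAC and an anonymous one."""
    alice = Pac(principal_uuid="uuid-alice", cell_uuid=LOCAL_CELL)
    alice_by_name = Pac(anonymous=True)  # same person, name-based authorization
    return {
        "alice_uuid": effective_perms(SAMPLE_ACL, alice, LOCAL_CELL),
        "alice_name_based": effective_perms(SAMPLE_ACL, alice_by_name, LOCAL_CELL),
    }


if __name__ == "__main__":
    for who, perms in demo().items():
        print(who, "".join(sorted(perms)))
```

The point the model makes visible is that a user entry granting `rwc` to alice's UUID is never consulted once her request arrives under name-based authorization: the anonymous PAC falls through to other_obj (`rw`) and the unauthenticated mask (`r`) then strips write access. Removing the unauthenticated entry from the ACL leaves name-based callers with no permissions at all under this model.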