
Setting Up for Authenticated RPC

The client makes the following call in order to set up the security characteristics of the communications it is about to enter into with the server:

rpc_binding_set_auth_info(binding, server_princ_name, protect_level,
    authn_svc, login_context, authz_svc, &status);

The security parameters specified here include protect_level for the level of protection applied (for example, authenticate only at the beginning of each RPC, or authenticate everything received by the server), authn_svc for the authentication service (including "none"), and authz_svc for the type of client authorization information that will be supplied to the server.

The usual practice is to pass NULL for login_context here, and thus use the default context.

Note that it is the client that chooses whether or not to use authenticated RPC, as well as the level of authentication and how much authorization information about itself to send. It is then up to the server to accept this arrangement, reject it, allow some limited operation with the client, or whatever else it might decide. The server decides which authentication to use. The client also specifies an authentication service (in authn_svc), but if this differs from what the server specified, the call to rpc_binding_set_auth_info() will fail and an error will be returned to the client.

There is an important difference between the rationales of authentication and authorization. Authentication is performed by the RPC runtime and is only indirectly felt by client and server; authorization, however, is for the most part implemented explicitly in the server code if it is implemented at all. This difference is the reason for the larger number of authentication-related arguments that have to be specified in this step.
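The server-side decision described above (accept, reject, or allow limited operation), sketched as an added example that is not code from the DCE documentation. The enum, struct and function names are local stand-ins invented for illustration, not DCE declarations, and the thresholds in the policy are assumptions; a real server would read the client's chosen values from the RPC runtime for each incoming call.

```c
/* Added example: server-side acceptance policy for the security parameters
 * a client selected. All names are local stand-ins, not DCE declarations. */
#include <string.h>

enum protect { PROT_NONE, PROT_CONNECT, PROT_CALL, PROT_PKT,
               PROT_PKT_INTEG, PROT_PKT_PRIVACY };   /* weakest to strongest */
enum authn   { AUTHN_NONE, AUTHN_SECRET_KEY };
enum authz   { AUTHZ_NONE, AUTHZ_NAME, AUTHZ_PAC };
enum verdict { REJECT, LIMITED, FULL };

struct client_auth {             /* what the client selected for this call */
    enum protect protect_level;
    enum authn   authn_svc;
    enum authz   authz_svc;
    const char  *server_princ;   /* principal the client believes it is calling */
};

struct server_policy {           /* assumed policy shape for this sketch */
    const char  *own_princ;      /* principal this server runs as */
    enum authn   required_authn;
    enum protect min_full;       /* minimum level for state-changing operations */
    enum protect min_limited;    /* minimum level for read-only operations */
};

enum verdict evaluate_client(const struct server_policy *p,
                             const struct client_auth *c)
{
    /* Unauthenticated or mismatched authentication service: nothing to trust. */
    if (c->authn_svc == AUTHN_NONE || c->authn_svc != p->required_authn)
        return REJECT;
    /* The client must have named this server's principal. */
    if (c->server_princ == NULL || strcmp(c->server_princ, p->own_princ) != 0)
        return REJECT;
    /* No authorization data, or protection below the floor: no access. */
    if (c->authz_svc == AUTHZ_NONE || c->protect_level < p->min_limited)
        return REJECT;
    /* A bare name without privilege data, or a weaker protection level,
     * only earns limited operation. */
    if (c->authz_svc == AUTHZ_NAME || c->protect_level < p->min_full)
        return LIMITED;
    return FULL;
}
```

The checks run from authentication to authorization, so a client that sent no usable identity never reaches the authorization branch.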

For further information about authenticated RPC, see the OSF DCE Application Development Guide - Core Components.