RpcServerRegisterAuthInfo doesn't deny unauthorized users

When security providers are registered on the server with the RpcServerRegisterAuthInfo function, an authentication option is added, not an authentication requirement. That means that previous registrations with RpcServerRegisterAuthInfo aren't replaced. It also means that an unauthenticated client that could connect before can still connect.

Just calling the RpcServerRegisterAuthInfo function doesn't disallow unauthenticated clients from connecting. If they could connect before, then they can still connect; but function calls such as RpcImpersonateClient and RpcGetAuthorizationContextForClient will fail. So when the RpcServerRegisterAuthInfo function is called, potential attackers have not been weeded out—rather, authorized clients are given a chance to prove their identity. So you must still put in place checks to determine whether potential attackers are attempting to connect.
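One way to put such a check in place, as an added example that is not code from the original page: an interface security callback queries the client's authentication with RpcBindingInqAuthClient and rejects the call unless a policy is met. The minimum level chosen here (packet integrity) and the names check_client_auth, security_callback and register_checked_interface are assumptions; the non-Windows stand-in definitions exist only so the policy function compiles off Windows.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <rpc.h>
#else
/* Stand-ins so the policy compiles off Windows; values as in rpcdce.h/winerror.h. */
typedef long RPC_STATUS;
#define RPC_S_OK 0L
#define RPC_S_ACCESS_DENIED 5L
#define RPC_C_AUTHN_NONE 0
#define RPC_C_AUTHN_WINNT 10
#define RPC_C_AUTHN_LEVEL_NONE 1
#define RPC_C_AUTHN_LEVEL_CONNECT 2
#define RPC_C_AUTHN_LEVEL_PKT_INTEGRITY 5
#define RPC_C_AUTHN_LEVEL_PKT_PRIVACY 6
#endif

/* Policy (assumed): a security provider must be in use, with at least integrity protection. */
RPC_STATUS check_client_auth(unsigned long authn_level, unsigned long authn_svc)
{
    if (authn_svc == RPC_C_AUTHN_NONE) return RPC_S_ACCESS_DENIED;
    if (authn_level < RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) return RPC_S_ACCESS_DENIED;
    return RPC_S_OK;
}

#ifdef _WIN32
/* Runs before each call is dispatched; a non-OK status rejects the call. */
RPC_STATUS RPC_ENTRY security_callback(RPC_IF_HANDLE iface, void *binding)
{
    RPC_AUTHZ_HANDLE privs = NULL;
    unsigned long level = 0, svc = 0;
    /* Fails (e.g. RPC_S_BINDING_HAS_NO_AUTH) when the client sent no auth info. */
    if (RpcBindingInqAuthClient(binding, &privs, NULL, &level, &svc, NULL) != RPC_S_OK)
        return RPC_S_ACCESS_DENIED;
    return check_client_auth(level, svc);
}
/* ifspec is the MIDL-generated interface handle (supplied by the caller). */
RPC_STATUS register_checked_interface(RPC_IF_HANDLE ifspec)
{
    return RpcServerRegisterIfEx(ifspec, NULL, NULL, RPC_IF_ALLOW_SECURE_ONLY,
                                 RPC_C_LISTEN_MAX_CALLS_DEFAULT, security_callback);
}
#endif
int main(void)
{
    printf("no auth: %ld\n", (long)check_client_auth(RPC_C_AUTHN_LEVEL_NONE, RPC_C_AUTHN_NONE));
    printf("NTLM+privacy: %ld\n", (long)check_client_auth(RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_AUTHN_WINNT));
    return 0;
}
```

The callback only establishes that the caller authenticated; deciding which authenticated identities are allowed is a separate authorization check.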