Which Security Provider to Use

All other things being equal, use RPC_C_AUTHN_GSS_KERBEROS or RPC_C_AUTHN_GSS_NEGOTIATE. These provide the most scalable and secure service. If you use RPC_C_AUTHN_GSS_NEGOTIATE on the server, down-level clients, such as NTLM clients, can connect to your server. If that is undesirable, either limit the choice to RPC_C_AUTHN_GSS_KERBEROS only, or determine which security provider the client is using and deny access to clients using NTLM. You can call RpcBindingInqAuthClientEx to make that determination, but the preferred method is the RpcServerInqCallAttributes function.
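One way to apply the check described above, as an added example that is not part of the original page: a server-side gate that reads the call's security provider with RpcServerInqCallAttributes and refuses NTLM. The helper names authn_service_allowed and require_strong_provider and the allow_negotiate parameter are hypothetical; the Windows-only part assumes the V1 call-attributes structure from the Windows SDK.

```c
#ifdef _WIN32
#include <windows.h>
#include <rpc.h>
#else
/* Values from the Windows SDK header rpcdce.h, repeated so the policy
   function also compiles off Windows. */
#define RPC_C_AUTHN_NONE          0
#define RPC_C_AUTHN_GSS_NEGOTIATE 9
#define RPC_C_AUTHN_WINNT         10   /* NTLM */
#define RPC_C_AUTHN_GSS_KERBEROS  16
#endif

/* Hypothetical helper: allowlist of acceptable security providers.
   Anything not listed, including unknown values, is denied. Negotiate can
   select NTLM, so accepting it is a caller choice (allow_negotiate). */
int authn_service_allowed(unsigned long authn_svc, int allow_negotiate)
{
    switch (authn_svc) {
    case RPC_C_AUTHN_GSS_KERBEROS:
        return 1;
    case RPC_C_AUTHN_GSS_NEGOTIATE:
        return allow_negotiate != 0;
    case RPC_C_AUTHN_WINNT:  /* NTLM client: refuse */
    case RPC_C_AUTHN_NONE:   /* unauthenticated call: refuse */
    default:
        return 0;
    }
}

#ifdef _WIN32
/* Hypothetical helper: call first in each server routine. Fails closed:
   if the attributes cannot be read, the call is refused. */
RPC_STATUS require_strong_provider(int allow_negotiate)
{
    RPC_CALL_ATTRIBUTES_V1_W attrs;
    ZeroMemory(&attrs, sizeof(attrs));
    attrs.Version = 1;  /* V1 layout carries AuthenticationService */
    attrs.Flags = 0;    /* principal names not requested */

    /* A null binding handle means the call this thread is servicing. */
    if (RpcServerInqCallAttributesW(NULL, &attrs) != RPC_S_OK)
        return RPC_S_ACCESS_DENIED;
    if (!authn_service_allowed(attrs.AuthenticationService, allow_negotiate))
        return RPC_S_ACCESS_DENIED;
    return RPC_S_OK;
}
#endif
```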