NTLMSSP

NTLMSSP, whose authentication service identifier is RPC_C_AUTHN_WINNT, is a security support provider that is available on all versions of DCOM. It uses the NTLM (Windows NT LAN Manager) protocol for authentication. NTLM is a challenge-response protocol: the client proves knowledge of the password without ever transmitting it, so the server ends up holding a token for the client but neither the password nor the credential material it would need to authenticate elsewhere as that user. Therefore, while impersonating the client, the server cannot access network resources that the user would have access to; only resources local to the server's machine can be accessed (the client's identity has used its one machine hop).
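The one-hop behaviour described above, as an added example that is not part of the original page: a constructed NTLMv2 challenge-response round trip following MS-NLMP (the page does not describe the message formats). The credentials, nonces, timestamp and empty target-info blob are all constructed for reproducibility, and MD4 is implemented inline because hashlib builds on OpenSSL 3 often omit it. The run shows that the client's response contains neither the password nor the NT hash, that a verifier needs only the stored hash, and that a server cannot reuse the response it received against a second server's challenge.

```python
# Added example (not from the original page): a constructed NTLMv2 exchange
# following MS-NLMP, showing that the client's response carries neither the
# password nor the NT hash, and that a server cannot replay it to a second
# machine, which is why NTLM impersonation stops after one hop.
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib builds on OpenSSL 3 often lack it."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rol(x, n): return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = list(state)
        for fn, kc, shifts, order in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4  # registers rotate A, D, C, B through the 16 steps of a round
                mix = (r[j] + fn(r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4]) + X[k] + kc) & 0xFFFFFFFF
                r[j] = rol(mix, shifts[i % 4])
        state = [(s + t) & 0xFFFFFFFF for s, t in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. This is what the account database stores."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt_hash_bytes: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) || domain, UTF-16LE."""
    return hmac.new(nt_hash_bytes, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def client_respond(password, user, domain, server_challenge, client_nonce, timestamp, target_info):
    """Client side: NtChallengeResponse = NTProofStr || temp (MS-NLMP 3.3.2)."""
    temp = (b"\x01\x01" + b"\x00" * 6 + timestamp + client_nonce + b"\x00" * 4
            + target_info + b"\x00" * 4)
    key = ntowf_v2(nt_hash(password), user, domain)
    nt_proof = hmac.new(key, server_challenge + temp, "md5").digest()
    return nt_proof + temp


def verify_response(stored_nt_hash, user, domain, server_challenge, response):
    """Verifier side (the DC, or the local SAM for a matching local account): needs only the stored hash."""
    nt_proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain), server_challenge + temp, "md5").digest()
    return hmac.compare_digest(nt_proof, expected)


def one_hop_demo():
    """Returns (accepted by first server, accepted by second server, secret visible on the wire)."""
    user, domain, password = "alice", "CORP", "password"      # constructed credentials
    stored = nt_hash(password)                                # held by the DC, never by server S
    challenge_s = bytes.fromhex("0123456789abcdef")           # fixed nonces for reproducibility
    client_nonce = bytes.fromhex("fedcba9876543210")
    timestamp = struct.pack("<Q", 132000000000000000)         # FILETIME, fixed
    target_info = b""                                         # AV_PAIRs omitted in this constructed run
    response = client_respond(password, user, domain, challenge_s, client_nonce, timestamp, target_info)
    accepted_by_s = verify_response(stored, user, domain, challenge_s, response)
    # Server S, now impersonating alice with a network-logon token, tries to reuse what it
    # received against server B, which issues its own challenge. The proof is bound to S's
    # challenge, so B rejects it: the impersonated identity cannot hop any further.
    challenge_b = bytes.fromhex("1122334455667788")
    accepted_by_b = verify_response(stored, user, domain, challenge_b, response)
    secret_on_wire = password.encode("utf-16-le") in response or stored in response
    return accepted_by_s, accepted_by_b, secret_on_wire


if __name__ == "__main__":
    print(one_hop_demo())  # (True, False, False)
```

The verifier path deliberately takes only the stored NT hash, not the password: that is all a domain controller (or a local SAM holding an account with the same name and password) has, and it is sufficient to check the proof but not to produce a fresh proof for a different server's challenge on the client's behalf.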

NTLM works both locally and cross machine. That is, if the client and server are on different machines, NTLM can still make sure the client is who it claims to be.

With NTLM, the client's identity is represented by a domain name, user name, and a password or token. When a server calls CoQueryClientBlanket, the client's domain name and user name are returned. When a server calls CoImpersonateClient, the calling thread begins impersonating the client's token. If there is no trust relationship between client and server, and the server's machine has a local account with the same name and password as the client, that local account is used to represent the client; the client is then authorized as that local account.

NTLM supports mutual authentication cross thread and cross process on Windows NT 5.0 (Windows 2000), locally only. If the client specifies the principal name of the server in the form domain\user in a call to IClientSecurity::SetBlanket (or the CoSetProxyBlanket helper), the server's identity must match that principal name or the call will fail. If the client specifies NULL, the server's identity will not be checked, so a client that needs assurance about whom it is talking to must supply the name.

On Windows NT 4.0, NTLM supports the impersonation levels identify and impersonate. In Windows NT 4.0, if a server whose process token has already used its one machine hop attempts to make a secure call back to the client using a connection-oriented protocol, NTLM will allow the call to succeed. The call uses the NULL session as the server's identity, so it appears to be secure when it is not: the callee is in fact talking to an anonymous caller. A callee should therefore verify who the caller is (for example with CoQueryClientBlanket) rather than infer it from the fact that the call was accepted. With Windows NT 5.0, NTLM additionally supports the delegate impersonation level cross thread and cross process (locally only).