This parameter determines how and where authentication of a user takes place.
If authentication is SERVER, then the user ID and password are sent from the client to the server so authentication can take place on the server. The value SERVER_ENCRYPT provides the same behavior as SERVER, except that any passwords sent over the network are encrypted.
A value of CLIENT indicates that all authentication takes place at the client, so no authentication needs to be performed at the server.
A value of DCS indicates that authentication takes place at the host or AS/400 system. The value DCS_ENCRYPT provides the same behavior as DCS, except that any passwords sent over the network are encrypted. If you are using APPC and a communications product that does not expose the client's password to the DB2 server, you can specify DCS to obtain:
A value of DCE means that authentication is performed at the DCE server using DCE Security Services. The value DCE_SERVER_ENCRYPT provides the same behavior as DCE, except any passwords sent over the network are encrypted. The DCE_SERVER_ENCRYPT value is for use on a server only. This value indicates that the server can accept either DCE authentication or SERVER_ENCRYPT authentication.
A value of KERBEROS means that authentication is performed at a Kerberos server using the Kerberos security protocol for authentication. With an authentication type of KRB_SERVER_ENCRYPT at the server and clients that support the Kerberos security system, then the effective system authentication type is KERBEROS. If the clients do not support the Kerberos security system, then the effective system authentication type is equivalent to SERVER_ENCRYPT.
| Note: | The Kerberos authentication types are only supported on servers running Windows 2000. |
Authentication values that support password encryption include: SERVER_ENCRYPT, DCS_ENCRYPT, DCE_SERVER_ENCRYPT, and KRB_SERVER_ENCRYPT. These values provide the same function as SERVER, DCS, DCE, and KERBEROS respectively in terms of authentication location, except that any passwords that flow are encrypted at the source and require decryption at the target, as specified by the authentication type cataloged at the source. Encrypted and non-encrypted values with matching authentication locations can then be used to choose different encryption combinations between the client and gateway or the gateway and server, without affecting where authentication occurs.
For the numeric equivalents and API constants for these values, refer to the Administrative API Reference.
Recommendation: Typically, the default (SERVER) is adequate.