I know that 3.2.x doesn't support CSIv2. But I believe that 4.0.x does - correct? We are stuck on 3.2.3 for now. I am using IIOP.NET to connect a C# client to our secured ejbs (and there lies the problem). I need to somehow get security working. I know I can write an EJB interceptor that extracts the user/pass out of some "piggy-backed" data (such as for WebSservices we stuff in soap header). Where can I write extra "header" data on each call so that I can extract it and manually authenticate?