COM doesn't have a built in security mechanism, but relies on Windows authentication services (Security Service Providers). When you access a resource or invoke a method in a remote DCOM server (or MTS package / COM+ Application), security checks cannot be performed in the standard way if the client is not running into the same domain (or the same workstation, but in this case there would be no remote communication) where the server is).
1) The server tries to see if there is a user that matches the client identity in the domain or workstation account database he belongs to.
2) If step one succeds then Windows check if this user password match the password of the client identity.
If both steps succeeded then the client is "indirectly" authenticated and then, form this point, all access control is performed using this "matching" user. Fallback autientication is not easy to maintain, since two accounts must be kept in synch, but in some situations this mechanism can be usefull, if not the only one available.