2.2.63 FW_AUTH_SUITE

This structure specifies an IPsec authentication suite and includes certificate selection criteria. An authentication suite is a proposal of a set of algorithms and parameters that specify the authentication method to be used.

 typedef struct _tag_FW_AUTH_SUITE {
   [range(FW_AUTH_METHOD_INVALID+1, FW_AUTH_METHOD_MAX)]
     FW_AUTH_METHOD Method;
   unsigned short wFlags;
   [switch_type(FW_AUTH_METHOD), switch_is(Method)]
     union {
       [case(FW_AUTH_METHOD_MACHINE_CERT, FW_AUTH_METHOD_USER_CERT)]
         struct {
           [ref, string] wchar_t* wszCAName;
           [unique] PFW_CERT_CRITERIA pCertCriteria;
         };
       [case(FW_AUTH_METHOD_MACHINE_SHKEY)]
         struct {
           [ref, string] wchar_t* wszSHKey;
         };
       [case(FW_AUTH_METHOD_MACHINE_KERB, FW_AUTH_METHOD_USER_KERB)]
         struct {
           [unique, string] WCHAR* wszProxyServer;
         };
       [default] ;
     };
 } FW_AUTH_SUITE, *PFW_AUTH_SUITE;

Method: This field is of type FW_AUTH_METHOD. It specifies the authentication method that is suggested by this proposal suite.

wFlags: This field is a bitmask made up of flags from the FW_AUTH_SUITE_FLAGS enumeration.

wszCAName: A pointer to a Unicode string. This string represents the name of the certificate authority to be used to authenticate when using machine or user certificate methods.

pCertCriteria: A pointer to a structure of type FW_CERT_CRITERIA (that is, a PFW_CERT_CRITERIA). This field MUST NOT be present unless the Method field has the value FW_AUTH_METHOD_MACHINE_CERT or FW_AUTH_METHOD_USER_CERT. It contains the criteria used when selecting a local certificate and when validating a remote peer's certificate during certificate authentication.

wszSHKey: A pointer to a Unicode string. This string is the secret that was previously shared manually (out of band) and is used to authenticate when using the preshared key method.

wszProxyServer: A pointer to a Unicode string specifying the fully qualified domain name (FQDN) of the Kerberos proxy server. This field MUST be set if and only if the FW_AUTH_SUITE_FLAGS_ALLOW_PROXY flag is set.

If the method is machine certificate or user certificate, the wszCAName string MUST NOT be NULL, MUST be at least 1 character long, MUST NOT be greater than or equal to 10,000 characters, MUST NOT contain the pipe (|) character, and MUST be a valid Name as defined in [X501] section 9.2.

If the method is SHKEY, the wszSHKey string MUST NOT be NULL, MUST be at least 1 character long, MUST NOT be greater than or equal to 10,000 characters, and MUST NOT contain the pipe (|) character.

If the Method is not FW_AUTH_METHOD_MACHINE_CERT or FW_AUTH_METHOD_USER_CERT then the pCertCriteria field MUST be NULL.
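The following is an added example, not part of the MS-FASP specification or its IDL, showing how a receiver would check a decoded authentication suite against the rules in this section. The FW_AUTH_METHOD enumerator ordering, the bit value of FW_AUTH_SUITE_FLAGS_ALLOW_PROXY and the flattened auth_suite_t layout are assumptions for illustration; the [X501] Name check on wszCAName is out of scope and is not performed.

```c
/* Added example (not from MS-FASP): validates an authentication suite against
 * the rules stated in this section. Enum ordering, the ALLOW_PROXY bit value
 * and the flattened struct layout are ASSUMED; the X.501 Name check is omitted. */
#include <stddef.h>
#include <wchar.h>

typedef enum {                       /* ASSUMED ordering; only names from the page */
    FW_AUTH_METHOD_INVALID = 0, FW_AUTH_METHOD_MACHINE_KERB, FW_AUTH_METHOD_MACHINE_SHKEY,
    FW_AUTH_METHOD_MACHINE_CERT, FW_AUTH_METHOD_USER_KERB, FW_AUTH_METHOD_USER_CERT,
    FW_AUTH_METHOD_MAX
} FW_AUTH_METHOD;
#define FW_AUTH_SUITE_FLAGS_ALLOW_PROXY 0x0001u   /* ASSUMED bit value */

typedef struct { int unused; } FW_CERT_CRITERIA, *PFW_CERT_CRITERIA; /* opaque here */

/* Flattened view of FW_AUTH_SUITE: each union arm becomes its own pointer. */
typedef struct {
    FW_AUTH_METHOD Method;
    unsigned short wFlags;
    const wchar_t *wszCAName;
    PFW_CERT_CRITERIA pCertCriteria;
    const wchar_t *wszSHKey;
    const wchar_t *wszProxyServer;
} auth_suite_t;

enum { SUITE_OK = 0, SUITE_ERR_METHOD, SUITE_ERR_CANAME, SUITE_ERR_CRITERIA,
       SUITE_ERR_SHKEY, SUITE_ERR_PROXY };

/* Rule shared by wszCAName and wszSHKey: non-NULL, 1..9999 chars, no '|'. */
static int name_ok(const wchar_t *s) {
    size_t n = s ? wcslen(s) : 0;
    return s != NULL && n >= 1 && n < 10000 && wcschr(s, L'|') == NULL;
}

int fw_auth_suite_validate(const auth_suite_t *a) {
    int is_cert = a->Method == FW_AUTH_METHOD_MACHINE_CERT || a->Method == FW_AUTH_METHOD_USER_CERT;
    int is_kerb = a->Method == FW_AUTH_METHOD_MACHINE_KERB || a->Method == FW_AUTH_METHOD_USER_KERB;
    /* Mirrors [range(FW_AUTH_METHOD_INVALID+1, FW_AUTH_METHOD_MAX)] on Method. */
    if (a->Method < FW_AUTH_METHOD_INVALID + 1 || a->Method > FW_AUTH_METHOD_MAX) return SUITE_ERR_METHOD;
    if (is_cert && !name_ok(a->wszCAName)) return SUITE_ERR_CANAME;
    if (!is_cert && a->pCertCriteria != NULL) return SUITE_ERR_CRITERIA;   /* MUST be NULL */
    if (a->Method == FW_AUTH_METHOD_MACHINE_SHKEY && !name_ok(a->wszSHKey)) return SUITE_ERR_SHKEY;
    /* wszProxyServer exists only in the Kerberos arms: set iff ALLOW_PROXY is set. */
    if (is_kerb) {
        int allow = (a->wFlags & FW_AUTH_SUITE_FLAGS_ALLOW_PROXY) != 0;
        if (allow != (a->wszProxyServer != NULL)) return SUITE_ERR_PROXY;
    }
    return SUITE_OK;
}
```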