3.2.5.2 GSS_Accept_sec_context Returns While in the CreatingSecurityToken State

If GSS_Accept_sec_context returns a major_status of GSS_S_COMPLETE, the Negotiated Protection Level and Negotiated Impersonation Level MUST be set based on the returned state flags. The Security Provider Context MUST be set to the output_context_handle. If the Negotiated Impersonation Level is less than the Required Impersonation Level or the Negotiated Protection Level is less than the Required Protection Level, the value 0x000006FE MUST be wrapped in the AuthPayload field of a Handshake message with the HandshakeId set to HandshakeError (as specified in section 2.2) and transmitted to the client. The Security Provider Context MUST be deleted, and the Stream State MUST be set to Uninitialized. Otherwise, the output_token MUST be wrapped in the AuthPayload field of a Handshake message with the HandshakeId set to HandshakeDone (as specified in section 2.2) and transmitted to the client. The Stream State MUST be set to Authenticated, and the server application MUST be notified of a successful authentication.

If the function returns a major_status of GSS_S_CONTINUE_NEEDED, the output_token MUST be wrapped in the AuthPayload field of a Handshake message with the HandshakeId set to HandshakeInProgress (as specified in section 2.2) and transmitted to the client. If the Security Provider Context has not yet been set, it MUST be set to the output_context_handle. The Stream State MUST be set to WaitingForHandshakeMessage.

If the function returns any other major_status, an HRESULT describing the error MUST be wrapped in the AuthPayload field of a Handshake message with the HandshakeId set to HandshakeError (as specified in section 2.2) and transmitted to the client. The Security Provider Context MUST be deleted, and the Stream State MUST be set to Uninitialized.
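The three return paths above, as an added example that is not part of the specification: a minimal model of the server-side transition out of CreatingSecurityToken. The class and method names are hypothetical, the protection and impersonation levels are assumed to be comparable integers already derived from the state flags, and HandshakeId values are shown as symbolic names rather than wire bytes.

```python
from dataclasses import dataclass
from enum import Enum

class Major(Enum):            # symbolic major_status outcomes, not wire values
    COMPLETE = "GSS_S_COMPLETE"
    CONTINUE_NEEDED = "GSS_S_CONTINUE_NEEDED"
    OTHER = "any other major_status"

class State(Enum):
    CREATING_SECURITY_TOKEN = 1
    WAITING_FOR_HANDSHAKE_MESSAGE = 2
    AUTHENTICATED = 3
    UNINITIALIZED = 4

LEVEL_NOT_MET = 0x000006FE    # value the section requires in the HandshakeError

@dataclass
class ServerStream:           # hypothetical model of the server role
    required_protection: int          # assumption: levels are ordered integers
    required_impersonation: int
    state: State = State.CREATING_SECURITY_TOKEN
    context: object = None            # Security Provider Context
    negotiated: tuple = None          # (protection, impersonation)
    app_notified: bool = False

    def _error(self, code):
        # Caller transmits the returned message; context is deleted, state reset.
        self.context = None
        self.state = State.UNINITIALIZED
        return ("HandshakeError", code)

    def on_accept_return(self, major, out_ctx, out_token,
                         protection=0, impersonation=0, hresult=None):
        if major is Major.COMPLETE:
            self.negotiated = (protection, impersonation)
            self.context = out_ctx
            # A completed GSS exchange is not enough: both levels must meet policy.
            if (impersonation < self.required_impersonation
                    or protection < self.required_protection):
                return self._error(LEVEL_NOT_MET)
            self.state = State.AUTHENTICATED
            self.app_notified = True
            return ("HandshakeDone", out_token)
        if major is Major.CONTINUE_NEEDED:
            if self.context is None:  # set only if not yet set
                self.context = out_ctx
            self.state = State.WAITING_FOR_HANDSHAKE_MESSAGE
            return ("HandshakeInProgress", out_token)
        return self._error(hresult)
```

The returned tuple stands for the Handshake message (HandshakeId, AuthPayload) that the caller would frame and transmit as specified in section 2.2.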