3.1.5.3 GSS_Init_sec_context Returns While in the ProcessingFinalToken State

If GSS_Init_sec_context returns a major_status of GSS_S_COMPLETE, the Negotiated Protection Level and Negotiated Impersonation Level MUST be set based on the returned state flags. If the Negotiated Impersonation Level is not equal to the Allowed Impersonation Level or the Negotiated Protection Level is less than the Required Protection Level, the value 0x000006FE MUST be wrapped in the AuthPayload field of a Handshake message with the HandshakeId set to HandshakeError (as specified in section 2.2) and transmitted to the server. The Security Provider Context MUST be deleted, and the Stream State MUST be set to Uninitialized. Otherwise, the Stream State MUST be set to Authenticated and the client application MUST be notified of the successful authentication.

If the function returns any other major_status, an HRESULT describing the error MUST be wrapped in a Handshake message with the HandshakeId set to HandshakeError (as specified in section 2.2) and transmitted to the server. The Security Provider Context MUST be deleted and the Stream State MUST be set to Uninitialized. The application MUST be notified of the authentication failure.