220.127.116.11.1 Security Context Handle
Security Context Handle: A security context handle is created and populated by the security provider but is used by the RPC runtime and higher-level protocols, as specified in sections 18.104.22.168.1 and 22.214.171.124.2. The security context handle is obtained by calling an implementation-specific equivalent of the abstract GSS_Accept_sec_context on the server or GSS_Init_sec_context on the client, as specified in [RFC2743]. The handle and associated resources are released by calling the implementation-specific GSS_Delete_sec_context equivalent.
The security context handle can be queried using the implementation-specific equivalent of GSS_Inquire_context as specified in [RFC2743]. The information obtained from the context MUST include the following:
Context Identifier: A value generated by cryptographic hash (and therefore reliably unique), which can be used as a cross-process identifier of the security context negotiated between the client and server during packet protected connectionless RPC. This value is communicated through the key_vers_num described previously in section 126.96.36.199 and in [C706].
Error Value: The error value returned by the security provider if an error results during the construction of the security context.
Security Provider Identifier
Client Credential Identity, as specified in section 188.8.131.52.1.
Impersonation Level, as specified in section 184.108.40.206.9.
Token/Authorization Context, as specified in [MS-DTYP] section 2.5.2. This token is created by the authentication protocols when the RPC client and server authenticate, as specified in [C706] section 13.1 "The Generic RPC Security Model". When the Kerberos authentication protocol is used the token is constructed as in [MS-KILE] section 220.127.116.11 "Processing Authorization Data". When the NTLM authentication protocol is used the token is constructed as in [MS-APDS] section 3.1.5 "Processing Events and Sequencing Rules". This token may be used for impersonation or obtaining the user SID or a group SID related to the RPC caller, as specified in Abstract Interface GetRpcImpersonationAccessToken (section 18.104.22.168.3.1).