Was this page helpful?
Additional feedback?
1500 characters remaining
Export (0) Print
Expand All Security Context Handle

Security Context Handle: A security context handle is created and populated by the security provider but is used by the RPC runtime and higher-level protocols, as specified in sections and The security context handle is obtained by calling an implementation-specific equivalent of the abstract GSS_Accept_sec_context on the server or GSS_Init_sec_context on the client, as specified in [RFC2743]. The handle and associated resources are released by calling the implementation-specific GSS_Delete_sec_context equivalent.

The security context handle can be queried using the implementation-specific equivalent of GSS_Inquire_context as specified in [RFC2743]. The information obtained from the context MUST include the following:

  • Context Identifier: A value generated by cryptographic hash (and therefore reliably unique), which can be used as a cross-process identifier of the security context negotiated between the client and server during packet protected connectionless RPC. This value is communicated through the key_vers_num described previously in section and in [C706].

  • Error Value: The error value returned by the security provider if an error results during the construction of the security context.

  • Security Provider Identifier

  • Client Credential Identity, as specified in section

  • Authentication Level

  • Impersonation Level, as specified in section

  • Token/Authorization Context, as specified in [MS-DTYP] section 2.5.2. This token is created by the authentication protocols when the RPC client and server authenticate, as specified in [C706] section 13.1 "The Generic RPC Security Model". When the Kerberos authentication protocol is used the token is constructed as in [MS-KILE] section "Processing Authorization Data". When the NTLM authentication protocol is used the token is constructed as in [MS-APDS] section 3.1.5 "Processing Events and Sequencing Rules". This token may be used for impersonation or obtaining the user SID or a group SID related to the RPC caller, as specified in Abstract Interface GetRpcImpersonationAccessToken (section

© 2016 Microsoft