ITSGPolicyEngine::AuthorizeConnection method

Determines whether the specified connection is authorized to connect to Remote Desktop Gateway (RD Gateway).

RD Gateway calls this method after a user has been successfully authenticated. The authorization plug-in should then use the ITSGAuthorizeConnectionSink interface to notify RD Gateway about the result of authorization.


HRESULT AuthorizeConnection(
  [in] GUID                        mainSessionId,
  [in] BSTR                        username,
  [in] AAAuthSchemes               authType,
  [in] BSTR                        clientMachineIP,
  [in] BSTR                        clientMachineName,
  [in] BYTE                        *sohData,
  [in] ULONG                       numSOHBytes,
  [in] BYTE                        *cookieData,
  [in] ULONG                       numCookieBytes,
  [in] HANDLE_PTR                  userToken,
  [in] ITSGAuthorizeConnectionSink *pSink
);


mainSessionId [in]

A unique identifier assigned to the connection request by RD Gateway.

username [in]

The user name.

authType [in]

A value of the AAAuthSchemes enumeration type that specifies the type of authentication used to connect to RD Gateway.

clientMachineIP [in]

The IP address of the user's computer.

clientMachineName [in]

The name of the user's computer.

sohData [in]

A pointer to a BYTE that contains the statement of health (SoH) provided by the user's computer. If the authorization plug-in does not require a statement of health, this parameter is NULL. For more information, see the IsQuarantineEnabled method.

numSOHBytes [in]

The number of bytes referenced by the sohData parameter.

cookieData [in]

A pointer to a BYTE that contains the cookie provided by the user. If the authType parameter is not set to AA_AUTH_COOKIE, this parameter is NULL.

numCookieBytes [in]

The number of bytes referenced by the cookieData parameter.

userToken [in]

A pointer to a HANDLE that specifies the user token of the user. If the user is not running Windows, this parameter is NULL.

pSink [in]

A pointer to an ITSGAuthorizeConnectionSink interface that the authorization plug-in must use to notify RD Gateway about the result of authorization.

Return value

If this method succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code.


If this method returns S_OK, RD Gateway waits for the authorization plug-in to call a method of the ITSGAuthorizeConnectionSink interface. If any other value is returned, RD Gateway immediately denies the authorization request.

If authorization requires more than 1 second, we recommend starting a separate thread to perform authorization.
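Because any return value other than S_OK denies the request, a plug-in can fail closed on inconsistent arguments, and because [in] buffers are owned by the caller under standard COM rules, a worker thread needs its own copies. The sketch below is an added example, not code from the SDK or the sample: `Hr`, `AuthScheme`, `AuthRequest`, `copyBlob`, `snapshotRequest` and the 64 KB limit are hypothetical stand-ins so that it builds without the Windows headers.

```cpp
// Added example: portable model of the checks, not Windows SDK code.
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

using Hr = std::int32_t;                                  // stand-in for HRESULT
constexpr Hr kOk = 0;                                     // S_OK
constexpr Hr kInvalidArg = static_cast<Hr>(0x80070057u);  // E_INVALIDARG
enum class AuthScheme { Other, Cookie };  // stand-in for AAAuthSchemes / AA_AUTH_COOKIE
constexpr unsigned long kMaxBlob = 64 * 1024;             // assumed local size limit

struct AuthRequest {  // owned copies that outlive the AuthorizeConnection call
    std::wstring username, clientIp, clientName;
    std::vector<std::uint8_t> soh, cookie;
};

// Copy one pointer/length pair; reject NULL with a nonzero length or oversize data.
static bool copyBlob(const std::uint8_t* p, unsigned long n,
                     std::vector<std::uint8_t>& out) {
    if ((!p && n != 0) || n > kMaxBlob) return false;
    if (p) out.assign(p, p + n);
    return true;
}

// Returns kOk with `out` filled, or an error code the plug-in would return from
// AuthorizeConnection so that RD Gateway denies the request immediately.
Hr snapshotRequest(const wchar_t* username, AuthScheme authType,
                   const wchar_t* clientIp, const wchar_t* clientName,
                   const std::uint8_t* sohData, unsigned long numSohBytes,
                   const std::uint8_t* cookieData, unsigned long numCookieBytes,
                   AuthRequest& out) {
    if (!username || !*username) return kInvalidArg;
    const bool hasCookie = cookieData && numCookieBytes != 0;
    // Policy of this example: a cookie is present exactly when the scheme is cookie-based.
    if ((authType == AuthScheme::Cookie) != hasCookie) return kInvalidArg;
    AuthRequest r;
    if (!copyBlob(sohData, numSohBytes, r.soh) ||
        !copyBlob(cookieData, numCookieBytes, r.cookie)) return kInvalidArg;
    r.username = username;
    r.clientIp = clientIp ? clientIp : L"";
    r.clientName = clientName ? clientName : L"";
    out = std::move(r);  // only a fully validated request reaches the worker
    return kOk;
}
```

In a real plug-in the snapshot would be queued to the worker thread before returning S_OK, and the worker would report its decision through pSink.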


For an example that uses the AuthorizeConnection method, see Remote Desktop Gateway Pluggable Authentication and Authorization Sample.


Minimum supported client

Windows 7

Minimum supported server

Windows Server 2008 R2




