3.1.4.2 AuthzrInitializeContextFromSid (Opnum 1)

The AuthzrInitializeContextFromSid method (opnum 1) creates a client context from a given security identifier (SID). For domain SIDs, token group and claim attributes will be retrieved from Active Directory through Kerberos.

 DWORD AuthzrInitializeContextFromSid(
     [in] handle_t Binding,
     [in] DWORD Flags,
     [in] RPC_SID* Sid,
     [in] [unique] LARGE_INTEGER* pExpirationTime,
     [in] LUID Identifier,
     [out] AUTHZR_HANDLE* ContextHandle);


Binding: A primitive RPC handle that identifies a particular client/server binding.

Flags: Indicates the type of logon behavior when initializing the client context. The following flags are defined.

Value: 0x00000000
Description: When no flags are set, AuthzInitializeContextFromSid attempts to retrieve the user's token group information by performing an S4U logon.

Value: AUTHZ_COMPUTE_PRIVILEGES (0x00000008)
Description: AuthzInitializeContextFromSid retrieves privileges for the new context. If this function performs an S4U logon, it retrieves privileges from the token. Otherwise, it retrieves privileges from all SIDs in the context.

All other bits MUST be set to zero.

Sid:  A pointer to the SID of the principal for whom a remote client context will be created. This MUST be a valid user or computer account.

pExpirationTime:  Reserved. This parameter MUST be set to NULL when sent and MUST be ignored when received.

Identifier:  Reserved. This parameter MUST be set to zero when sent and MUST be ignored when received.

ContextHandle: A pointer to an AUTHZR_HANDLE structure, as defined in section 2.2.1.1.

Return Values:

If the function succeeds, the function MUST return 0x00000000.

If the function fails, it MUST return a nonzero error code.

When a RAZA server receives this message, the server MUST perform the following:

  1. If any bits other than 0x00000008 are set in Flags, the server MUST return ERROR_INVALID_PARAMETER.

  2. Call LsarOpenPolicy ([MS-LSAT] section 3.1.4.2) with the following as input:

    • SystemName: NULL.

    • DesiredAccess: Contains the bit value 0x00000800 for POLICY_LOOKUP_NAMES.

  3. Call LsarLookupSids ([MS-LSAT] section 3.1.4.11) on the returned PolicyHandle.

    • PolicyHandle: The PolicyHandle returned from the aforementioned LsarOpenPolicy.

    • SidEnumBuffer: The SidInfo part of this structure contains the Sid parameter. The Entries part of this structure is set to 1. LookupLevel is set to LsapLookupWksta.

      The return values from LsarLookupSids are as follows:

    • ReferencedDomains list: The domain name is found as follows:

      1. Locate the entry in the TranslatedNames list that corresponds to the SID in question. This entry contains a Names structure with a DomainIndex.

      2. Find the ReferencedDomains list entry with an index that matches the DomainIndex from the structure in the preceding step. The domain name is found in the Name field of the Domains structure.

    • TranslatedNames: Contains the UserName in the Name field of the Names structure of the entry in the list corresponding to the SID in question (from the SidEnumBuffer input list).

  4. Perform a Kerberos S4U2Self service ticket request using the S4U2self KRB_TGS_REQ/KRB_TGS_REP protocol extension as specified in [MS-SFU] section 3.1.5.1.1.1.

    • The userName MUST be set to the user name obtained from LsarLookupSids in step 3.

    • The userRealm MUST be set to the domain name obtained from LsarLookupSids in step 3.

    • The chksum MUST be set as specified in [MS-SFU] section 2.2.2.

    • The auth-package MUST be set to "Kerberos".

  5. Initialize and populate an ImpersonationAccessToken as specified in [MS-KILE] section 3.4.5.3.

  6. Allocate and initialize a new AUTHZR_HANDLE structure, as defined in section 2.2.1.1, and assign ContextHandle to the new structure.

  7. Allocate memory for a new ClientContext object, set the RPCClient member to the AUTHZR_HANDLE initialized in step 6, and set AuthzContext to the ImpersonationAccessToken initialized in step 5.

  8. Append the ClientContext object created in step 7 to the ClientContextList.
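The following is an added illustration, not code from MS-RAZA or any Windows component: it models the Flags check of step 1 and the TranslatedNames/DomainIndex walk of step 3 that yields the userName and userRealm for the S4U2Self request in step 4. The concrete error values, the dataclass names and the sample SID/domain are assumptions; the chksum of step 4 is not modeled.

```python
from dataclasses import dataclass
from typing import Optional

AUTHZ_COMPUTE_PRIVILEGES = 0x00000008  # the only Flags bit this opnum allows
ERROR_SUCCESS = 0x00000000
# Win32 error values assumed here; the page only requires "a nonzero error code".
ERROR_INVALID_PARAMETER = 0x00000057
ERROR_NONE_MAPPED = 0x00000534


@dataclass
class TranslatedName:
    """One TranslatedNames entry, parallel to the SidEnumBuffer input list."""
    name: str
    domain_index: int  # index into ReferencedDomains; -1 if the SID was not mapped


@dataclass
class LookupResult:
    """Constructed stand-in for the LsarLookupSids output used in step 3."""
    sids: list        # SidEnumBuffer.SidInfo, in request order
    translated: list  # TranslatedNames
    domains: list     # ReferencedDomains: the Name field of each Domains entry


def check_flags(flags: int) -> int:
    """Step 1: any bit other than 0x00000008 set in Flags is an error."""
    return ERROR_SUCCESS if (flags & ~AUTHZ_COMPUTE_PRIVILEGES) == 0 else ERROR_INVALID_PARAMETER


def resolve_name(sid: str, lookup: LookupResult) -> Optional[tuple]:
    """Step 3 walk: SID -> TranslatedNames entry -> DomainIndex -> domain Name."""
    if sid not in lookup.sids:
        return None
    entry = lookup.translated[lookup.sids.index(sid)]
    if not (0 <= entry.domain_index < len(lookup.domains)):
        return None  # unmapped SID: no realm is available for S4U2Self
    return lookup.domains[entry.domain_index], entry.name


def build_s4u2self_params(flags: int, sid: str, lookup: LookupResult):
    """Returns (status, params); params holds the step 4 inputs or None on failure."""
    status = check_flags(flags)
    if status != ERROR_SUCCESS:
        return status, None
    resolved = resolve_name(sid, lookup)
    if resolved is None:
        return ERROR_NONE_MAPPED, None
    realm, user = resolved
    return ERROR_SUCCESS, {"userName": user, "userRealm": realm, "auth-package": "Kerberos",
                           "compute_privileges": bool(flags & AUTHZ_COMPUTE_PRIVILEGES)}


# Constructed sample: a single SID that LsarLookupSids maps to CONTOSO\alice.
SAMPLE = LookupResult(sids=["S-1-5-21-1-2-3-1105"],
                      translated=[TranslatedName(name="alice", domain_index=0)],
                      domains=["CONTOSO"])
```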
