CreateToken function

The CreateToken function is used by SSP/APs to create tokens while processing calls to SpAcceptLsaModeContext.


NTSTATUS CreateToken(
  _In_  PLUID                        LogonId,
  _In_  PTOKEN_SOURCE                TokenSource,
  _In_  SECURITY_LOGON_TYPE          LogonType,
  _In_  SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
  _In_  LSA_TOKEN_INFORMATION_TYPE   TokenInformationType,
  _In_  PVOID                        TokenInformation,
  _In_  PTOKEN_GROUPS                TokenGroups,
  _In_  PUNICODE_STRING              AccountName,
  _In_  PUNICODE_STRING              AuthorityName,
  _In_  PUNICODE_STRING              Workstation,
  _In_  PUNICODE_STRING              ProfilePath,
  _Out_ PHANDLE                      Token,
  _Out_ PNTSTATUS                    SubStatus
);


LogonId [in]

Pointer to a logon session identifier for the new token. This identifier is obtained from a previous call to CreateLogonSession.

TokenSource [in]

Pointer to a TOKEN_SOURCE structure that specifies the source for this token. Specify the package name.

LogonType [in]

A SECURITY_LOGON_TYPE value that indicates the type of logon.

ImpersonationLevel [in]

A SECURITY_IMPERSONATION_LEVEL value that indicates the extent to which a server process can impersonate a client process.

TokenInformationType [in]

Specifies the type of structure in the TokenInformation parameter.






TokenInformation [in]

Pointer to the token information. The type of structure pointed to by TokenInformation is indicated by the TokenInformationType parameter.

If the structure pointed to by this parameter is an LSA_TOKEN_INFORMATION_V1 structure, the caller must allocate the memory for the Groups member of that structure by calling the AllocatePrivateHeap function.

TokenGroups [in]

Pointer to a TOKEN_GROUPS structure that specifies groups not contained in TokenInformation.

AccountName [in]

Pointer to a UNICODE_STRING structure that contains the name of the security principal. This information is used for auditing and name searches.

AuthorityName [in]

Pointer to a UNICODE_STRING structure that contains the name of the authority that validated the logon credentials, normally the Windows domain name.

Workstation [in]

Pointer to a UNICODE_STRING structure that contains the name of the client's workstation, normally a NetBIOS name.

ProfilePath [in]

Pointer to a UNICODE_STRING structure that contains the path to the user's profile, if any.

Token [out]

Pointer that receives the address of a handle to the new token. When you have finished using the handle, close it by calling the CloseHandle function.

SubStatus [out]

Pointer to a variable that receives error information.

Return value

If the function succeeds, the return value is STATUS_SUCCESS.

If the function fails, the return value is an NTSTATUS code that indicates the reason it failed.


A pointer to the CreateToken function is available in the LSA_SECPKG_FUNCTION_TABLE structure received by the SpInitialize function.


Minimum supported client

Windows XP [desktop apps only]

Minimum supported server

Windows Server 2003 [desktop apps only]



See also