Extended Error Information

Some security packages support extended error messages, which let one side of a communication link tell the other side why an operation failed. For example, Kerberos could fail because of a time skew. If that information is returned to the client, the client can resynchronize its clock and generate a new connection message.

For security packages that support extended error messages, the security provider must set the SECPKG_FLAG_EXTENDED_ERROR flag in the fCapabilities member of the SecPkgInfo structure.

Applications that require extended error messages must specify the ISC_REQ_EXTENDED_ERROR flag when they call the InitializeSecurityContext function. When calling the AcceptSecurityContext function, the application must specify the ASC_REQ_EXTENDED_ERROR flag.
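The following added example, which is not code from the original page, gates the request flag on the package's advertised capability and then checks whether the call granted it. The helper names (ext_err_request, ext_err_granted, client_request_for) are hypothetical; ISC_RET_EXTENDED_ERROR and ASC_RET_EXTENDED_ERROR are the returned-attribute counterparts in sspi.h and are not named on this page. Outside Windows the block compiles against stand-in definitions, an assumption made so the flag logic can be exercised anywhere.

```c
/* Added example (not from the original page). Gate the extended-error request
   flag on the package's advertised capability, then confirm it was granted. */
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>               /* link with Secur32.lib */
#else
/* Assumption for non-Windows builds: minimal stand-ins, values as in sspi.h. */
typedef struct { unsigned long fCapabilities; } SecPkgInfoA;
#define SECPKG_FLAG_EXTENDED_ERROR 0x00000080UL
#define ISC_REQ_EXTENDED_ERROR     0x00004000UL
#define ISC_RET_EXTENDED_ERROR     0x00004000UL
#define ASC_REQ_EXTENDED_ERROR     0x00008000UL
#define ASC_RET_EXTENDED_ERROR     0x00008000UL
#endif

/* Hypothetical helper: add the extended-error request bit for the client
   (InitializeSecurityContext) or server (AcceptSecurityContext) side, but
   only when the package advertises SECPKG_FLAG_EXTENDED_ERROR. */
unsigned long ext_err_request(const SecPkgInfoA *pkg, unsigned long req, int server)
{
    if (pkg == 0 || !(pkg->fCapabilities & SECPKG_FLAG_EXTENDED_ERROR))
        return req;
    return req | (server ? ASC_REQ_EXTENDED_ERROR : ISC_REQ_EXTENDED_ERROR);
}

/* Hypothetical helper: after the call returns, inspect the context attributes
   it reported to see whether extended errors are actually in effect. */
int ext_err_granted(unsigned long ctx_attr, int server)
{
    return (ctx_attr & (server ? ASC_RET_EXTENDED_ERROR : ISC_RET_EXTENDED_ERROR)) != 0;
}

#ifdef _WIN32
/* Windows only: look up a package by name (for example "Kerberos") and build
   the client-side fContextReq value to pass to InitializeSecurityContext. */
unsigned long client_request_for(const char *package, unsigned long base_req)
{
    PSecPkgInfoA info = NULL;
    unsigned long req = base_req;
    if (QuerySecurityPackageInfoA((LPSTR)package, &info) == SEC_E_OK) {
        req = ext_err_request(info, base_req, 0);
        FreeContextBuffer(info);
    }
    return req;
}
#endif
```

An application that treats extended errors as mandatory can fail the handshake when ext_err_granted returns 0 instead of continuing without them.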