Platform SDK: Logon Authentication
Context requirements are expressed as a combination of bit flags passed to either the InitializeSecurityContext or AcceptSecurityContext function. These flags affect the context in a number of ways. Not all flags apply to all contexts. Some are valid only for the server, others only for the client.
The caller uses the fContextReq parameter of the InitializeSecurityContext or AcceptSecurityContext call to specify a set of flags that indicate the required capabilities. When the function returns, the pfContextAttr parameter indicates the attributes of the established context. The caller determines whether the final context attributes are acceptable.
For example, if the caller requests mutual authentication, but the security package indicates that it cannot be performed, the caller must decide whether to cancel the context or continue.
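The caller-side decision just described, as an added example that is not part of the SDK page: the policy check is kept separate from the InitializeSecurityContext call so it compiles and runs anywhere, the flag values are assumed from sspi.h (ISC_REQ_* and ISC_RET_* share them), and CTX_REQUIRED plus the two pfContextAttr values in main are hypothetical, constructed inputs.

```c
#include <stdio.h>

/* Requirement/attribute bits as defined in sspi.h (ISC_REQ_* and ISC_RET_*
 * share the same values). Redefined here, assumed from sspi.h, so the check
 * compiles anywhere; on Windows include <sspi.h> and use its names. */
#define CTX_MUTUAL_AUTH     0x00000002UL
#define CTX_REPLAY_DETECT   0x00000004UL
#define CTX_SEQUENCE_DETECT 0x00000008UL
#define CTX_CONFIDENTIALITY 0x00000010UL
#define CTX_INTEGRITY       0x00010000UL

/* Attributes this hypothetical client refuses to proceed without. */
#define CTX_REQUIRED (CTX_MUTUAL_AUTH | CTX_CONFIDENTIALITY | CTX_INTEGRITY)

/* Returns the subset of `required` absent from `granted`, where `granted` is
 * the value the package wrote to pfContextAttr once the handshake completed.
 * Zero means acceptable; checking only the status code would miss a silent
 * downgrade such as MUTUAL_AUTH requested but not performed. */
unsigned long missing_attrs(unsigned long required, unsigned long granted)
{
    unsigned long missing = required & ~granted;
    /* REPLAY_DETECT and SEQUENCE_DETECT each imply INTEGRITY, so granting
     * either one also satisfies an INTEGRITY requirement. */
    if (granted & (CTX_REPLAY_DETECT | CTX_SEQUENCE_DETECT))
        missing &= ~CTX_INTEGRITY;
    return missing;
}

/* Log which requirements were dropped so a rejection is diagnosable. */
void report_missing(unsigned long missing)
{
    static const struct { unsigned long bit; const char *name; } names[] = {
        { CTX_MUTUAL_AUTH, "MUTUAL_AUTH" }, { CTX_REPLAY_DETECT, "REPLAY_DETECT" },
        { CTX_SEQUENCE_DETECT, "SEQUENCE_DETECT" },
        { CTX_CONFIDENTIALITY, "CONFIDENTIALITY" }, { CTX_INTEGRITY, "INTEGRITY" },
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (missing & names[i].bit)
            printf("context rejected: %s requested but not granted\n", names[i].name);
}

int main(void)
{
    /* Constructed pfContextAttr values standing in for real package output. */
    unsigned long full = CTX_MUTUAL_AUTH | CTX_CONFIDENTIALITY | CTX_INTEGRITY;
    unsigned long downgraded = CTX_CONFIDENTIALITY | CTX_INTEGRITY; /* no mutual auth */
    printf("full handshake: %s\n", missing_attrs(CTX_REQUIRED, full) ? "reject" : "ok");
    report_missing(missing_attrs(CTX_REQUIRED, downgraded));
    return 0;
}
```

Run the check only after the final call returns SEC_E_OK, since attributes reported on intermediate legs are not yet authoritative.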
The following table describes the various context requirement flags.
Flag | Description |
---|---|
DELEGATE | The server in the transport application can build new security contexts impersonating the client that will be accepted by other servers as the client's contexts. |
MUTUAL_AUTH | The communicating parties must authenticate their identities to each other. Without MUTUAL_AUTH, the client authenticates its identity to the server. With MUTUAL_AUTH, the server also must authenticate its identity to the client. |
REPLAY_DETECT | The security package detects replayed packets and notifies the caller if a packet has been replayed. The use of this flag implies all of the conditions specified by the INTEGRITY flag. |
SEQUENCE_DETECT | The context must be allowed to detect out-of-order delivery of packets later through the message support functions. Use of this flag implies all of the conditions specified by the INTEGRITY flag. |
CONFIDENTIALITY | The context must protect data while in transit. CONFIDENTIALITY is supported for NTLM with Microsoft® Windows NT® version 4.0, SP4 and later and with the Kerberos protocol in Microsoft® Windows® 2000 and later. |
USE_SESSION_KEY | A new session key must be negotiated. |
PROMPT_FOR_CREDS | If the client is an interactive user, the security package must, if possible, prompt the user for the appropriate credentials. |
USE_SUPPLIED_CREDS | Package-specific credential information is available in the input buffer. The security package can use these credentials to authenticate the connection. |
ALLOCATE_MEMORY | The security package must allocate memory. The caller must eventually call the FreeContextBuffer function to free memory allocated by the security package. |
USE_DCE_STYLE | The caller expects a three-leg authentication transaction. |
DATAGRAM | Datagram semantics must be used. For more information, see Datagram Contexts. |
CONNECTION | Connection semantics must be used. For more information, see Connection-oriented Contexts. |
STREAM | Stream semantics must be used. For more information, see Stream Contexts. |
EXTENDED_ERROR | Error reply messages for the peer must be generated if the context fails. |
INTEGRITY | Buffer integrity can be verified, but no sequencing or replay detection is enabled. |