Platform SDK: Logon Authentication
The AcceptSecurityContext function enables the server component of a transport application to establish a security context between the server and a remote client. The remote client uses the InitializeSecurityContext function to start the process of establishing a security context. The server can require one or more reply tokens from the remote client to complete establishing the security context.
```c
SECURITY_STATUS AcceptSecurityContext(
  PCredHandle    phCredential,   // handle to the credentials
  PCtxtHandle    phContext,      // handle of partially formed context
  PSecBufferDesc pInput,         // pointer to the input buffers
  ULONG          fContextReq,    // required context attributes
  ULONG          TargetDataRep,  // data representation on the target
  PCtxtHandle    phNewContext,   // receives the new context handle
  PSecBufferDesc pOutput,        // pointer to the output buffers
  PULONG         pfContextAttr,  // receives the context attributes
  PTimeStamp     ptsTimeStamp    // receives the life span of the security context
);
```

Note: Until the last call of the authentication process, the expiration time for the context can be incorrect because more information will be provided during later stages of the negotiation dialog. Therefore, ptsTimeStamp must be NULL until the last call to the function.
If the function succeeds, the return value is one of the following.
Value | Meaning |
---|---|
SEC_E_OK | The security context received from the client was accepted. If an output token was generated by the function, it must be sent to the client process. |
SEC_I_CONTINUE_NEEDED | The server must send the output token to the client and wait for a returned token. The returned token should be passed in pInput for another call to AcceptSecurityContext. |
SEC_I_COMPLETE_NEEDED | The server must finish building the message from the client, then call the CompleteAuthToken function. |
SEC_I_COMPLETE_AND_CONTINUE | The server must call CompleteAuthToken, then pass the output token to the client. The server then waits for a return token from the client, and makes another call to AcceptSecurityContext. |
If the function fails, the return value is one of the following.
Value | Meaning |
---|---|
SEC_E_INVALID_TOKEN | The token passed to the function is invalid. |
SEC_E_INVALID_HANDLE | The handle passed to the function is invalid. |
SEC_E_LOGON_DENIED | The logon failed. |
SEC_E_INTERNAL_ERROR | An error occurred that did not map to an SSPI error code. |
SEC_E_NO_AUTHENTICATING_AUTHORITY | No authority could be contacted for authentication. This could be due to the domain name of the authenticating party being wrong, the domain being unreachable, or to a trust relationship failure. |
SEC_E_INSUFFICIENT_MEMORY | One or more of the SecBufferDesc structures passed as an OUT parameter has a buffer that is too small. |
The AcceptSecurityContext function is the server counterpart to the InitializeSecurityContext function.
When the server receives a request from a client, the server uses the fContextReq parameter to specify what it requires of the session. In this fashion, a server can specify that clients must be capable of using a confidential or integrity-checked session, and it can reject clients that cannot meet that demand. Alternatively, a server can require nothing, and whatever the client can provide or requires is returned in the pfContextAttr parameter.
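The server-side loop implied by the return-value tables above, as an added example (not code from the Platform SDK page): it dispatches on each status, fails closed on anything else, and rejects a finished context that lacks the attributes the server required. The `hs_ops` callbacks, `server_handshake`, the `max_legs` cap and the mock package are hypothetical names introduced for illustration; the status and `ASC_REQ_*` values are redefined locally so the block builds without Sspi.h.

```c
#include <stdint.h>
/* Values from the Windows SDK headers, redefined so this builds without Sspi.h. */
typedef int32_t SECURITY_STATUS;
#define SEC_E_OK                    ((SECURITY_STATUS)0x00000000)
#define SEC_I_CONTINUE_NEEDED       ((SECURITY_STATUS)0x00090312)
#define SEC_I_COMPLETE_NEEDED       ((SECURITY_STATUS)0x00090313)
#define SEC_I_COMPLETE_AND_CONTINUE ((SECURITY_STATUS)0x00090314)
#define SEC_E_LOGON_DENIED          ((SECURITY_STATUS)0x8009030C)
#define ASC_REQ_CONFIDENTIALITY     0x00000010UL
#define ASC_REQ_INTEGRITY           0x00020000UL
enum { HS_DONE = 0, HS_FAILED = -1, HS_WEAK = -2, HS_TOO_MANY_LEGS = -3 };

/* Hypothetical seam: accept() wraps AcceptSecurityContext, complete() wraps
   CompleteAuthToken, send()/recv() move tokens over the transport. */
typedef struct {
    SECURITY_STATUS (*accept)(void *c, unsigned long req, unsigned long *attr);
    SECURITY_STATUS (*complete)(void *c);
    int (*send)(void *c);   /* sends the output token, if one was produced */
    int (*recv)(void *c);   /* reads the client's next token for pInput */
} hs_ops;

int server_handshake(const hs_ops *ops, void *c, unsigned long required, int max_legs)
{
    for (int leg = 0; leg < max_legs; leg++) {
        unsigned long attr = 0;
        SECURITY_STATUS st = ops->accept(c, required, &attr);
        int cont = st == SEC_I_CONTINUE_NEEDED || st == SEC_I_COMPLETE_AND_CONTINUE;
        int comp = st == SEC_I_COMPLETE_NEEDED || st == SEC_I_COMPLETE_AND_CONTINUE;
        if (st != SEC_E_OK && !cont && !comp) return HS_FAILED;   /* fail closed */
        if (comp && ops->complete(c) != SEC_E_OK) return HS_FAILED;
        if (ops->send(c) != 0) return HS_FAILED;
        if (cont) { if (ops->recv(c) != 0) return HS_FAILED; continue; }
        /* Established. Assumes returned bits match requested bits (true for these two flags). */
        return (attr & required) == required ? HS_DONE : HS_WEAK;
    }
    return HS_TOO_MANY_LEGS;   /* a peer cannot keep the server negotiating forever */
}

/* Constructed mock package: replays a scripted list of return values. */
typedef struct { const SECURITY_STATUS *script; int n, i; unsigned long granted; } mock;
static SECURITY_STATUS m_accept(void *c, unsigned long req, unsigned long *attr)
{ mock *m = c; (void)req; *attr = m->granted; return m->i < m->n ? m->script[m->i++] : SEC_E_LOGON_DENIED; }
static SECURITY_STATUS m_complete(void *c) { (void)c; return SEC_E_OK; }
static int m_io(void *c) { (void)c; return 0; }
int demo(const SECURITY_STATUS *script, int n, unsigned long granted, unsigned long required)
{
    mock m = { script, n, 0, granted };
    hs_ops ops = { m_accept, m_complete, m_io, m_io };
    return server_handshake(&ops, &m, required, 8);
}
```

In a real server the callbacks would carry the credential and context handles and the SecBufferDesc structures; a result of `HS_WEAK` or `HS_FAILED` should end the session rather than fall back to an unprotected one.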
For a package that supports multi-leg authentication such as mutual authentication, the calling sequence is as follows:
The prototype for this function can be found in Sspi.h.
Windows NT/2000: Requires Windows NT 3.51 or later.
Windows 95/98: Requires Windows 95 or later.
Header: Declared in Sspi.h; include Security.h.
Library: Use Secur32.lib.