Platform SDK: Logon Authentication

Using QueryContextAttributes

An application retrieves information about a specified connection by calling QueryContextAttributes. All data returned by this function becomes the property of the calling application: the application must free memory buffers returned by this function by using FreeContextBuffer, and must release any certificate contexts returned by using CertFreeCertificateContext.

The attributes to be queried include:

Note  The SECPKG_ATTR_CONNECTION_INFO and SECPKG_ATTR_REMOTE_CERT_CONTEXT attributes can only be retrieved after a secure connection has been established.

SECPKG_ATTR_CONNECTION_INFO

Querying this attribute returns a SecPkgContext_ConnectionInfo structure which provides detailed information on the established connection.

SECPKG_ATTR_ISSUER_LIST_EX

Some protocols allow a server to specify to a client the list of certificate issuers that are acceptable. This allows the client to narrow the selection of credentials it presents to the user, possibly down to one. (The SSL3 and TLS1 protocols support this.)

Querying this attribute returns a SecPkgContext_IssuerListInfoEx structure. Its aIssuers member is an array of cIssuers CryptoAPI CERT_NAME_BLOB structures, each holding the encoded distinguished name of an issuer acceptable to the server; a client certificate is a match when the encoding of its own issuer name is identical to one of these. The aIssuers array must be freed by calling FreeContextBuffer.

When a protocol that does not support this functionality is used, this attribute returns an empty list.

Note  This attribute can be queried before the secure connection is completed if the call to InitializeSecurityContext or AcceptSecurityContext returns SEC_I_INCOMPLETE_CREDENTIAL.
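The following added example is not part of the Platform SDK; it shows one way a client can act on this attribute. After InitializeSecurityContext returns SEC_I_INCOMPLETE_CREDENTIAL, it queries the issuer list, collects the certificates in the user's MY store that have a private key, and picks the first one whose issuer name the server listed. The portable selection function, its constructed sample names (ca-a, ca-b, ca-c, stand-ins for DER-encoded names) and the treatment of an empty issuer list as "no constraint" are assumptions made for this example; the function under _WIN32 requires the Platform SDK headers and a context handle from a handshake in progress.

```c
/* Added example, not Platform SDK code: responding to SEC_I_INCOMPLETE_CREDENTIAL
 * by reading the server's acceptable-issuer list (SECPKG_ATTR_ISSUER_LIST_EX)
 * and choosing a client certificate whose issuer is on it. The selection logic
 * is portable so it can be unit-tested off Windows; the part under _WIN32
 * needs the Platform SDK headers and an in-progress CtxtHandle. */
#include <stddef.h>
#include <string.h>

/* Same layout as CERT_NAME_BLOB: byte count plus pointer to a DER-encoded X.500 Name. */
typedef struct { unsigned int cb; const unsigned char *pb; } name_blob;

/* Two DER Names denote the same name exactly when their encodings are identical,
 * which is also the comparison CryptoAPI's CERT_FIND_ISSUER_NAME performs. */
static int name_eq(const name_blob *a, const name_blob *b)
{
    return a->cb == b->cb && memcmp(a->pb, b->pb, a->cb) == 0;
}

/* Index of the first candidate whose issuer the server listed, or -1 if none.
 * An empty list (protocol without issuer hints, see above) constrains nothing,
 * so the first candidate is used (an assumption of this example). Offering a
 * certificate from an issuer the server did not ask for only earns a handshake
 * failure, hence -1 rather than a guess. */
int pick_client_cert(const name_blob *acceptable, size_t n_acceptable,
                     const name_blob *candidate_issuers, size_t n_candidates)
{
    if (n_candidates == 0) return -1;
    if (n_acceptable == 0) return 0;
    for (size_t c = 0; c < n_candidates; c++)
        for (size_t a = 0; a < n_acceptable; a++)
            if (name_eq(&candidate_issuers[c], &acceptable[a])) return (int)c;
    return -1;
}

/* Constructed sample: placeholder bytes stand in for DER Names, since only byte
 * equality matters to the selector. */
static const unsigned char CA_A[] = "ca-a", CA_B[] = "ca-b", CA_C[] = "ca-c";
#define NB(s) { (unsigned int)(sizeof(s) - 1), (s) }

int demo_pick_matching(void)       /* server accepts CA_B or CA_C; we hold CA_A and CA_C -> 1 */
{
    name_blob server[] = { NB(CA_B), NB(CA_C) }, mine[] = { NB(CA_A), NB(CA_C) };
    return pick_client_cert(server, 2, mine, 2);
}
int demo_pick_none(void)           /* server accepts only CA_B -> -1, send no certificate */
{
    name_blob server[] = { NB(CA_B) }, mine[] = { NB(CA_A), NB(CA_C) };
    return pick_client_cert(server, 1, mine, 2);
}
int demo_pick_unconstrained(void)  /* empty list -> first usable candidate, 0 */
{
    name_blob mine[] = { NB(CA_A), NB(CA_C) };
    return pick_client_cert(NULL, 0, mine, 2);
}

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <schannel.h>
#include <wincrypt.h>
#define MAX_CANDIDATES 32

/* Returns a certificate from the user's MY store the server should accept, to be
 * handed to AcquireCredentialsHandle through SCHANNEL_CRED.paCred before calling
 * InitializeSecurityContext again, or NULL to continue without a client
 * certificate. The caller frees the result with CertFreeCertificateContext. */
PCCERT_CONTEXT select_client_cert(CtxtHandle *ctx)
{
    SecPkgContext_IssuerListInfoEx info = { 0 };
    if (QueryContextAttributes(ctx, SECPKG_ATTR_ISSUER_LIST_EX, &info) != SEC_E_OK)
        return NULL;

    PCCERT_CONTEXT chosen = NULL;
    HCERTSTORE my = CertOpenSystemStoreW(0, L"MY");
    if (my) {
        PCCERT_CONTEXT cands[MAX_CANDIDATES], c = NULL;
        name_blob cand_issuers[MAX_CANDIDATES];
        size_t n = 0;
        while (n < MAX_CANDIDATES && (c = CertEnumCertificatesInStore(my, c)) != NULL) {
            DWORD cb = 0;   /* skip certificates with no private key; they cannot authenticate */
            if (!CertGetCertificateContextProperty(c, CERT_KEY_PROV_INFO_PROP_ID, NULL, &cb))
                continue;
            cands[n] = CertDuplicateCertificateContext(c);   /* the enumerator releases c itself */
            cand_issuers[n].cb = cands[n]->pCertInfo->Issuer.cbData;
            cand_issuers[n].pb = cands[n]->pCertInfo->Issuer.pbData;
            n++;
        }
        if (c) CertFreeCertificateContext(c);   /* only non-NULL if the cap stopped the loop */
        /* CERT_NAME_BLOB and name_blob share a layout, so the server's list passes straight through. */
        int idx = pick_client_cert((const name_blob *)info.aIssuers, info.cIssuers, cand_issuers, n);
        for (size_t i = 0; i < n; i++)
            if ((int)i == idx) chosen = cands[i]; else CertFreeCertificateContext(cands[i]);
        CertCloseStore(my, 0);   /* chosen keeps its own reference to the store */
    }
    FreeContextBuffer(info.aIssuers);   /* the list became the caller's property to free */
    return chosen;
}
#endif
```

The chosen certificate is placed in SCHANNEL_CRED.paCred for a fresh AcquireCredentialsHandle call, and the handshake continues with the new credential handle. The candidate count is capped at MAX_CANDIDATES so a large store cannot overrun the stack arrays, and the CERT_KEY_PROV_INFO_PROP_ID check drops certificates without a private key, which Schannel could not use to sign the CertificateVerify message.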

SECPKG_ATTR_REMOTE_CERT_CONTEXT

Querying this attribute returns a pointer to a CryptoAPI CERT_CONTEXT structure containing the certificate context for the leaf certificate belonging to the remote party. The hCertStore member of this certificate context references a certificate store holding the rest of the certificates in the chain sent by the remote party. The chain can be walked with CryptoAPI calls by looking up, in that store, the certificate whose subject name matches the issuer name of the current certificate, and repeating for each consecutive certificate. Obtaining the certificate context does not by itself establish trust: Schannel validates the remote party's certificate during the handshake unless manual credential validation was requested, and an application that requested manual validation must build and verify the chain itself.

The certificate context must be freed using the CertFreeCertificateContext function once the application is finished using it.
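The following added example is not part of the Platform SDK. Its portable part models the issuer-name walk described above over constructed name blobs (root, inter, leaf, stand-ins for DER-encoded names) so the logic can be checked off Windows, including the incomplete-chain and depth-bound cases; the function under _WIN32 does the real work by querying the attribute, building and verifying the chain with the CryptoAPI chain engine, and releasing the context as required. The function names, the depth bound and the use of CERT_CHAIN_POLICY_SSL with the connected host name are assumptions of the example.

```c
/* Added example, not Platform SDK code: what to do with the CERT_CONTEXT that
 * SECPKG_ATTR_REMOTE_CERT_CONTEXT returns. The walker is a portable model of
 * the issuer-name walk described above and is unit-testable off Windows; the
 * function under _WIN32 performs the real validation with CryptoAPI. */
#include <stddef.h>
#include <string.h>

typedef struct { unsigned int cb; const unsigned char *pb; } name_blob;   /* like CERT_NAME_BLOB */
typedef struct { name_blob subject, issuer; } cert_names;                 /* what the walk needs */
typedef struct { size_t depth; int complete; } chain_walk;

static int name_eq(const name_blob *a, const name_blob *b)
{
    return a->cb == b->cb && memcmp(a->pb, b->pb, a->cb) == 0;
}

/* From the leaf, look up each issuer by subject name in the store the peer
 * supplied until a self-signed certificate is reached. depth counts the
 * certificates visited; complete is 0 when an issuer is missing or max_depth is
 * hit (the bound matters: a hostile store can contain a name cycle). This only
 * establishes the path; trust, validity, revocation and the server-name check
 * are the chain engine's job below. */
chain_walk walk_chain(const cert_names *leaf, const cert_names *store,
                      size_t n_store, size_t max_depth)
{
    chain_walk r = { 1, 0 };
    const cert_names *cur = leaf;
    while (!name_eq(&cur->subject, &cur->issuer)) {
        const cert_names *next = NULL;
        for (size_t i = 0; i < n_store && !next; i++)
            if (name_eq(&store[i].subject, &cur->issuer)) next = &store[i];
        if (!next || r.depth >= max_depth) return r;
        cur = next;
        r.depth++;
    }
    r.complete = 1;
    return r;
}

/* Constructed sample: placeholder bytes stand in for DER Names. */
static const unsigned char N_ROOT[] = "root", N_INT[] = "inter", N_LEAF[] = "leaf";
#define NB(s) { (unsigned int)(sizeof(s) - 1), (s) }

chain_walk demo_full_chain(void)     /* peer sent leaf, intermediate and root: depth 3, complete */
{
    cert_names leaf = { NB(N_LEAF), NB(N_INT) };
    cert_names store[] = { { NB(N_INT), NB(N_ROOT) }, { NB(N_ROOT), NB(N_ROOT) } };
    return walk_chain(&leaf, store, 2, 8);
}
chain_walk demo_missing_root(void)   /* peer omitted the root (the usual case): depth 2, incomplete */
{
    cert_names leaf = { NB(N_LEAF), NB(N_INT) };
    cert_names store[] = { { NB(N_INT), NB(N_ROOT) } };
    return walk_chain(&leaf, store, 1, 8);
}

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <schannel.h>
#include <wincrypt.h>

/* After the handshake completes: fetch the peer's leaf, build and verify the
 * chain, release everything. Returns 0 on success, else the policy or Win32
 * error. Required when the credential was created with
 * SCH_CRED_MANUAL_CRED_VALIDATION; otherwise Schannel has already done this. */
DWORD validate_remote_cert(CtxtHandle *ctx, LPWSTR server_name)
{
    PCCERT_CONTEXT remote = NULL;
    SECURITY_STATUS ss = QueryContextAttributes(ctx, SECPKG_ATTR_REMOTE_CERT_CONTEXT, &remote);
    if (ss != SEC_E_OK) return (DWORD)ss;

    DWORD err = ERROR_SUCCESS;
    CERT_CHAIN_PARA chain_para = { sizeof(chain_para) };
    PCCERT_CHAIN_CONTEXT chain = NULL;
    /* remote->hCertStore is the store holding the intermediates the peer sent;
     * passing it as the additional store lets the engine walk the chain. */
    if (!CertGetCertificateChain(NULL, remote, NULL, remote->hCertStore, &chain_para,
                                 CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, NULL, &chain)) {
        err = GetLastError();
    } else {
        SSL_EXTRA_CERT_CHAIN_POLICY_PARA ssl = { sizeof(ssl) };
        ssl.dwAuthType = AUTHTYPE_SERVER;
        ssl.pwszServerName = server_name;          /* the host name must match the certificate */
        CERT_CHAIN_POLICY_PARA para = { sizeof(para) };
        para.pvExtraPolicyPara = &ssl;
        CERT_CHAIN_POLICY_STATUS status = { sizeof(status) };
        if (!CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL, chain, &para, &status))
            err = GetLastError();
        else
            err = status.dwError;                  /* 0: trusted, valid, name matches */
        CertFreeCertificateChain(chain);
    }
    CertFreeCertificateContext(remote);            /* required, as stated above */
    return err;
}
#endif
```

A nonzero return from validate_remote_cert means the connection must be torn down before any application data is sent. The revocation flag causes CRL or OCSP fetches, so the call can block on the network; an application that cannot tolerate that should drop the flag deliberately rather than ignore the resulting error.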