Platform SDK: Logon Authentication

Validating Credentials

Schannel supports authentication for both sides of the connection. In server authentication (required by all Schannel protocols), a server proves its identity to a client. In client authentication, a client proves its identity to a server. Client authentication is optional and can be requested by the server application at any time.

For each type of authentication, client or server, there are two sides. One side supplies credentials to the other side. The receiver of a credential verifies the credentials by confirming that the remote party possesses the private key matching the public key embedded within the remote party's certificate. Responsibility for validating the other information contained within the certificate belongs to the application. Validation is done using the CryptoAPI functions.

To validate the remote certificate chain, the application can use the QueryContextAttributes function to obtain the SECPKG_ATTR_REMOTE_CERT_CONTEXT property. This property consists of a certificate context (CERT_CONTEXT) containing the end certificate supplied by the remote party. The hCertStore member of this certificate context can be used to obtain the certificate of the issuer of the end certificate. The hCertStore member of the issuer's certificate context can be used to obtain the certificate of the issuer of that issuer's certificate, and so on back to the root certificate.

Typically, the application must verify that:

By default, the Windows 2000 Schannel SSP calls CertGetCertificateChain to verify the acceptability of the server certificate. If the certificate has expired, was issued by a non-trusted certification authority (CA), or is not satisfactory for some other reason, the InitializeSecurityContext function fails.