Context Requirements

Context requirements are expressed as a combination of bit flags passed to either the InitializeSecurityContext or the AcceptSecurityContext function. These flags affect the context in many ways: not all flags apply to all contexts, some flags are valid only for the server, and other flags are valid only for the client.

The caller uses the fContextReq parameter of the InitializeSecurityContext or the AcceptSecurityContext function to specify a set of flags that indicate the required capabilities. When the function returns, the pfContextAttr parameter indicates the attributes of the established context. The caller is responsible for determining if the final context attributes are acceptable. For example, if the caller requested mutual authentication, but the security package indicates that it did not perform such authentication, the caller must decide whether to cancel the context or continue without authentication.

The following table shows the various context requirements.

| Type | Description |
|------|-------------|
| DELEGATE | Indicates that the server in the transport application requires simple delegation rights, that is, impersonation of the client on the node at which the server is executing. |
| MUTUAL_AUTH | Indicates that both client and server must authenticate the peer identity. |
| REPLAY_DETECT | Indicates that the context should be established to enable detection of replayed packets later through the message support functions: MakeSignature and VerifySignature. This context implies INTEGRITY. |
| SEQUENCE_DETECT | Indicates that the context should be established to enable detection of out-of-order delivery of packets later through the message support functions. This context implies INTEGRITY. |
| CONFIDENTIALITY | Indicates that the context should be established to protect data while in transit. This context type is reserved for future use. |
| USE_SESSION_KEY | Indicates that a new session key should be negotiated. |
| PROMPT_FOR_CREDS | Indicates that the security package should prompt the user for the appropriate credentials to use, if possible and if the client is an interactive user. |
| USE_SUPPLIED_CREDS | Indicates that package-specific credential data is available in the input buffer. The security package should use these credentials to authenticate the connection. |
| ALLOCATE_MEMORY | Indicates that the security package should allocate memory. The caller must eventually call the FreeContextBuffer function to free memory allocated by the security package. |
| USE_DCE_STYLE | Indicates that the caller expects a three-transfer authentication transaction. |
| DATAGRAM | Indicates that datagram semantics should be used. |
| CONNECTION | Indicates that connection semantics should be used. |
| STREAM | Indicates that stream semantics should be used. |
| EXTENDED_ERROR | Indicates that if the context fails, the application will generate an error reply message for the peer. |
| INTEGRITY | Indicates that buffer integrity can be verified, but no sequencing or replay detection is enabled. |
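The check the text leaves to the caller, comparing pfContextAttr with the flags that were requested in fContextReq, as an added example that is not from the original page or from the SSPI documentation. In sspi.h the names above carry the ISC_REQ_/ASC_REQ_ prefix when requested and ISC_RET_/ASC_RET_ when returned; the values below mirror that header so the code also builds off Windows, and the requested/returned pairs in main are constructed.

```c
#include <stdio.h>
/* Values mirror sspi.h, where ISC_REQ_* (requested) and ISC_RET_*
 * (returned) share bit positions; defined here only so this compiles
 * outside Windows, where the real header already provides them. */
#ifndef ISC_REQ_MUTUAL_AUTH
#define ISC_REQ_MUTUAL_AUTH     0x00000002UL
#define ISC_REQ_REPLAY_DETECT   0x00000004UL
#define ISC_REQ_SEQUENCE_DETECT 0x00000008UL
#define ISC_REQ_CONFIDENTIALITY 0x00000010UL
#define ISC_REQ_ALLOCATE_MEMORY 0x00000100UL
#define ISC_REQ_INTEGRITY       0x00010000UL
#endif

/* Flags whose absence from pfContextAttr weakens the protection the
 * caller asked for. Flags such as ALLOCATE_MEMORY shape the call, not the
 * security of the result, so they are not checked here. */
#define PROTECTION_FLAGS (ISC_REQ_MUTUAL_AUTH | ISC_REQ_REPLAY_DETECT | \
                          ISC_REQ_SEQUENCE_DETECT | ISC_REQ_CONFIDENTIALITY | \
                          ISC_REQ_INTEGRITY)

/* Protection flags requested in fContextReq but absent from the returned
 * pfContextAttr. Zero means every requested guarantee was honoured. */
unsigned long missing_context_attrs(unsigned long fContextReq,
                                    unsigned long pfContextAttr)
{
    /* REPLAY_DETECT and SEQUENCE_DETECT imply INTEGRITY, so granting either
     * satisfies an INTEGRITY request even if that bit is not echoed back. */
    if (pfContextAttr & (ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT))
        pfContextAttr |= ISC_REQ_INTEGRITY;
    return (fContextReq & PROTECTION_FLAGS) & ~pfContextAttr;
}

/* 1 if the context may be used, 0 if the caller should delete it
 * (DeleteSecurityContext) instead of continuing without the guarantee. */
int context_acceptable(unsigned long fContextReq, unsigned long pfContextAttr)
{
    return missing_context_attrs(fContextReq, pfContextAttr) == 0;
}

int main(void)
{
    /* Constructed values: the client asked for mutual authentication and
     * confidentiality; the package reports confidentiality only. */
    unsigned long req = ISC_REQ_MUTUAL_AUTH | ISC_REQ_CONFIDENTIALITY;
    unsigned long ret = ISC_REQ_CONFIDENTIALITY;
    if (missing_context_attrs(req, ret) & ISC_REQ_MUTUAL_AUTH)
        printf("peer not authenticated: abandoning the context\n");
    return context_acceptable(req, ret) ? 0 : 1;
}
```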