AcquireCredentialsHandle

This function allows applications to acquire a handle to preexisting credentials associated with the user on whose behalf the call is made. These preexisting credentials are established through a system logon not described here. However, this is different from “login to the network” and does not imply gathering of credentials.

At a Glance

Header file: Sspi.h
Windows CE versions: 2.10 and later

Syntax

SECURITY_STATUS AcquireCredentialsHandle(
SEC_CHAR
* pszPrincipal, SEC_CHAR * pszPackage,
ULONG fCredentialUse, PLUID pvLogonID, PVOID pAuthData,
PVOID pGetKeyFn, VOID pvGetKeyArgument, PCredHandle phCredential,
PTimeStamp ptsExpiry );

Parameters

pszPrincipal

[in] Pointer to a null-terminated string that specifies the name of the principal whose credentials the handle will reference. Note that if the process requesting the handle does not have access to the credentials, the function returns an error. A null string indicates that the process requires a handle to the credentials of the user under whose security context it is executing.

pszPackage

[in] Pointer to a null-terminated string that specifies the name of the security package with which these credentials will be used. This is a security package name returned in the Name member of a SecPkgInfo structure returned by the EnumerateSecurityPackages function.

fCredentialUse

[in] Flag that indicates how these credentials will be used. This parameter can one of the following values:

The credentials created with the CRED_INBOUND option can be used only for validating incoming calls. They cannot be used for accessing objects.

pvLogonId

[in] Void pointer to a Windows NT–style logon identifier, an LUID. This parameter is provided for file-system processes such as network redirectors. This parameter can be NULL.

pAuthData

[in] Pointer to package-specific data. This parameter can be NULL, indicating that the default credentials for that package should be used. The NTLM SSP accepts a pointer to a  SEC_WINNT_AUTH_IDENTITY structure, containing the user name, domain name and password.

pGetKeyFn

[in] Pointer to a SEC_GET_KEY_FN function to retrieve the key for the function. The security package can call this function, as provided by the RPC run-time transport application. This parameter can be NULL if the transport application does not support callbacks to retrieve credentials.

pvGetKeyArgument

[in] Specifies the pointer argument that the security provider should pass to the GetKey function. This parameter can be NULL.

phCredential

[out] Pointer to CredHandle structure that receives the credential handle.

ptsExpiry

[out] Pointer to a TimeStamp variable that receives the time at which the returned credentials expire. The value returned in this member depends on the security package. The security provider should always return this value in local time.

Return Values

SEC_E_OK indicates success.

Upon failure, one of the error values described in the following table is returned.

Value Description
SEC_E_UNKNOWN_CREDENTIALS The credentials supplied to the package were not recognized.
SEC_E_NO_CREDENTIALS No credentials are available in the security package.
SEC_E_NOT_OWNER The caller of the function does not own the necessary credentials.
SEC_E_INSUFFICIENT_MEMORY Not enough memory is available to complete this request.
SEC_E_INTERNAL_ERROR The Local Security Authority cannot be contacted.
SEC_E_SECPKG_NOT_FOUND The requested security package does not exist.

Remarks

The AcquireCredentialsHandle function returns a handle to the credentials of a principal (user, client) as used by a specific security package. The handle returned can be used in subsequent calls to the AcceptSecurityContext and InitializeSecurityContext functions.

The AcquireCredentialsHandle function will not let a process obtain a handle to credentials that are not related to the process; in other words, a process cannot get the credentials of another user who is logged on to the same computer. There is no way to determine whether a process is a Trojan horse if it is executed by the user.

The AcquireCredentialsHandle function uses the following algorithm to determine whether to grant the request for a handle to the credentials.

When you no longer need the returned credentials, call the FreeCredentialsHandle function.

See Also

FreeCredentialsHandle