3.1.1.1.1 Security Context Handle

Security Context Handle: A security context handle is created and populated by the security provider but is used by the RPC runtime and higher-level protocols, as specified in sections 3.2.1.4.1 and 3.3.1.5.2. The security context handle is obtained by calling an implementation-specific equivalent of the abstract GSS_Accept_sec_context on the server or GSS_Init_sec_context on the client, as specified in [RFC2743]. The handle and associated resources are released by calling the implementation-specific GSS_Delete_sec_context equivalent.

The security context handle can be queried using the implementation-specific equivalent of GSS_Inquire_context as specified in [RFC2743]. The information obtained from the context MUST include the following:

  • Context Identifier: A value generated by a cryptographic hash (and therefore reliably unique), which can be used as a cross-process identifier of the security context negotiated between the client and server during packet-protected connectionless RPC. This value is communicated through the key_vers_num described previously in section 2.2.3.4 and in [C706].

  • Error Value: The error value returned by the security provider if an error results during the construction of the security context.

  • Security Provider Identifier

  • Client Credential Identity, as specified in section 3.2.1.4.1.

  • Authentication Level

  • Impersonation Level, as specified in section 2.2.1.1.9.

  • Token/Authorization Context, as specified in [MS-DTYP] section 2.5.2. This token is created by the authentication protocols when the RPC client and server authenticate, as specified in [C706] section 13.1 "The Generic RPC Security Model". When the Kerberos authentication protocol is used the token is constructed as in [MS-KILE] section 3.4.5.3 "Processing Authorization Data". When the NTLM authentication protocol is used the token is constructed as in [MS-APDS] section 3.1.5 "Processing Events and Sequencing Rules". This token can be used for impersonation or obtaining the user SID or a group SID related to the RPC caller, as specified in Abstract Interface GetRpcImpersonationAccessToken (section 3.3.3.4.3.1).
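The following C program is an added illustration of the handle's lifecycle described above (populated by the provider on accept, read by the runtime through an inquire step, released on delete) and of the fields the runtime relies on before trusting a packet. It is not code from the specification or from any RPC runtime; `ctx_accept`, `ctx_inquire`, `ctx_usable`, `ctx_delete`, the `sec_context` fields, the numeric authentication-level codes and the provider/error values are all constructed stand-ins, and FNV-1a is used only so the example is self-contained in place of the cryptographic hash the Context Identifier requires. The Token/Authorization Context field is omitted because its structure is defined in [MS-DTYP], not on this page.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative authentication-level codes, ordered by strength (constructed). */
enum auth_level {
    AUTH_LEVEL_NONE = 1,
    AUTH_LEVEL_CONNECT = 2,
    AUTH_LEVEL_PKT_INTEGRITY = 5,
    AUTH_LEVEL_PKT_PRIVACY = 6
};

/* Model of the fields the inquire step MUST return (token omitted). */
typedef struct {
    int      in_use;               /* slot occupied */
    uint32_t context_id;           /* hash-derived cross-process identifier */
    uint32_t error_value;          /* 0 means the provider built the context without error */
    uint32_t provider_id;          /* security provider identifier (constructed code) */
    char     client_identity[64];  /* client credential identity */
    enum auth_level auth_level;    /* negotiated authentication level */
    int      impersonation_level;  /* impersonation level */
} sec_context;

#define MAX_CONTEXTS 8
static sec_context g_contexts[MAX_CONTEXTS];

/* Stand-in for the cryptographic hash behind the Context Identifier.
 * FNV-1a is NOT cryptographic; it only keeps the example deterministic. */
static uint32_t derive_context_id(const char *client, uint32_t provider, uint64_t nonce) {
    uint32_t h = 2166136261u;
    const unsigned char *p;
    for (p = (const unsigned char *)client; *p; p++) { h ^= *p; h *= 16777619u; }
    for (int i = 0; i < 4; i++) { h ^= (provider >> (8 * i)) & 0xffu; h *= 16777619u; }
    for (int i = 0; i < 8; i++) { h ^= (uint32_t)((nonce >> (8 * i)) & 0xffu); h *= 16777619u; }
    return h;
}

static sec_context *find_slot(uint32_t context_id) {
    for (int i = 0; i < MAX_CONTEXTS; i++)
        if (g_contexts[i].in_use && g_contexts[i].context_id == context_id)
            return &g_contexts[i];
    return NULL;
}

/* Stand-in for the GSS_Accept_sec_context step: the provider populates the
 * handle. Returns the context identifier, or 0 when no slot is free. */
uint32_t ctx_accept(const char *client, uint32_t provider, enum auth_level level,
                    int impersonation, uint64_t nonce, uint32_t provider_error) {
    for (int i = 0; i < MAX_CONTEXTS; i++) {
        sec_context *c = &g_contexts[i];
        if (c->in_use) continue;
        memset(c, 0, sizeof *c);
        c->in_use = 1;
        c->context_id = derive_context_id(client, provider, nonce);
        c->error_value = provider_error;
        c->provider_id = provider;
        strncpy(c->client_identity, client, sizeof c->client_identity - 1);
        c->auth_level = level;
        c->impersonation_level = impersonation;
        return c->context_id;
    }
    return 0;
}

/* Stand-in for GSS_Inquire_context: the runtime reads, never writes, the fields. */
const sec_context *ctx_inquire(uint32_t context_id) {
    return find_slot(context_id);
}

/* What the runtime checks before trusting a packet carrying this context id:
 * the context exists, the provider reported no error, and the negotiated
 * level meets the minimum the caller demands. */
int ctx_usable(uint32_t context_id, enum auth_level minimum) {
    const sec_context *c = ctx_inquire(context_id);
    if (c == NULL) return 0;
    if (c->error_value != 0) return 0;
    return c->auth_level >= minimum;
}

/* Stand-in for GSS_Delete_sec_context: release the slot. Returns 1 on success. */
int ctx_delete(uint32_t context_id) {
    sec_context *c = find_slot(context_id);
    if (c == NULL) return 0;
    memset(c, 0, sizeof *c);
    return 1;
}
```

The point of `ctx_usable` is that the Error Value and Authentication Level are consulted together: a context the provider failed to build, or one negotiated below the level a higher-level protocol requires, is rejected even though a handle exists for it, and once `ctx_delete` runs the identifier no longer resolves.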