How to specify PeerTokenAccessMask in WSAQuerySocketSecurity?

beachbear 1

The PeerTokenAccessMask field is a ULONG in SOCKET_SECURITY_QUERY_TEMPLATE.
I need to set it to some value to get PeerApplicationAccessTokenHandle and/or PeerMachineAccessTokenHandle.
However I cannot find anywhere how that mask field can be set.
There is no constant definitions anywhere and specifying anything except zero gives me error 10022 (invalid argument) from WSAQuerySocketSecurity().
How can I set that PeerTokenAccessMask correctly to be able to get the token handles?

2 answers

Rita Han - MSFT 2,161 Reputation points

2020-09-15T01:56:54.353+00:00

Hello @beachbear ,

For access mask for token you can refer to "Access Rights for Access-Token Objects" for a complete list.

Thank you!

If the answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
beachbear 1 Reputation point

2020-09-15T03:48:11.017+00:00

Thank you fro your reply,

I tried all of them starting with TOKEN_ and some other standard flags and none of them make any difference.
The WSAQuerySockstSecurity is still failing with error 10022.

This is what Microsoft online documentation says:
If the SOCKET_SECURITY_QUERY_TEMPLATE structure is specified with the PeerTokenAccessMask member not specified (set to zero), then the WSAQuerySocketSecurity function will not return the PeerApplicationAccessTokenHandle and PeerMachineAccessTokenHandle members in the SOCKET_SECURITY_QUERY_INFO structure.

Could you clarify what exact value must be set to the PeerTokenAccessMask field except zero so the WSAQuerySocketSecurity does not fail and return those handles?

Rita Han - MSFT 2,161 Reputation points

2020-09-15T09:22:17.66+00:00

Please make sure that:

For a client application using connection-oriented sockets, the WSAQuerySocketSecurity function should be called after the connect, ConnectEx, or WSAConnect function returns. For a server application using connection-oriented sockets, the WSAQuerySocketSecurity function should be called after the accept, AcceptEx, or WSAAccept function returns.

And do your server and client run on two different machines separately?

beachbear 1 Reputation point

2020-09-15T18:57:52.517+00:00

I am calling WSAQuerySocketSecurity in a server application after WSAAccept on a socket from a connected client.
I run the test application elevated to an administrator on a single machine (Windows Server 2016).

The test application is a server using overlapped sockets on an I/O-completion port.
After creation of the listening socket (after the WSASocket call) I call WSASetSocketSecurity to secure the socket with SOCKET_SECURITY_PROTOCOL_DEFAULT and SOCKET_SETTINGS_GUARANTEE_ENCRYPTION. This part works just fine.

It is not specified anywhere in the Microsoft online documentation how to specify the PeerTokenAccessMask member.
I could not find any samples, any articles, any information at all on how to do that properly.

RLWA32 45,476 Reputation points

2020-09-15T21:05:57.177+00:00

When calling AccessCheck the function accepts MAXIMUM_ALLOWED as the access mask and will return the maximum rights allowed. Perhaps passing MAXIMUM_ALLOWED to WSAQuerySocketSecurity as the PeerTokenAccessMask parameter is worth a try.

Rita Han - MSFT 2,161 Reputation points

2020-09-16T02:28:44.927+00:00

@beachbear I can reproduce the same error. Maybe the document need some update to include guidelines for how to set PeerTokenAccessMask parameter. @RLWA32 MAXIMUM_ALLOWED doesn't work for me.

RLWA32 45,476 Reputation points

2020-09-16T09:44:35.603+00:00

Thanks for giving MAXIMUM_ALLOWED a try.

An update is definitely needed to explain the use of PeerTokenAccessMask parameter. Its interesting to note that the SDK securesocket sample mentions using WSAQuerySocketSecurity to obtain a token but doesn't demonstrate usage.

Fei Xue - MSFT 1,111 Reputation points

2020-09-30T03:10:57.273+00:00

@beachbear , I am looking into this issue, may I know the scenario you are using PeerApplicationAccessTokenHandle andPeerMachineAccessTokenHandle?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
beachbear 1 Reputation point

2020-09-30T04:27:01.023+00:00

I was trying to use Secure Socket Extensions to perform integrated Windows authentication on sockets, which was expected to be easier than using SSPI. A client winsock2 application running as some user on computer A connects to a server running on computer B (listening on an overlapped sockets using an I/O completion port). The server must get the user token securely and figure out if the user belongs to certain local user group to allow or disallow the request execution. No encryption is necessary, authentication/authorization is sufficient. Since I could not find how to implement that with Secure Socket Extensions, I had to implement it using SSPI, so technically I solved the problem. However it would be great if Microsoft provided a sample or a more detailed documentation how to achieve the same goal easier and with less code using Secure Socket Extensions. Thank you for your support!
Please sign in to rate this answer.
Fei Xue - MSFT 1,111 Reputation points

2020-09-30T07:42:43.037+00:00

@beachbear , Thanks for the detailed explanation, I will check with my college about the detailed usage about PeerTokenAccessMask.

Fei Xue - MSFT 1,111 Reputation points

2020-10-09T01:17:48.17+00:00

@beachbear , There is really only 1 value we see for PeerTokenAccessMask and that is TOKEN_IMPERSONATE which is used when calling WSAImpersonateSocketPeer(). Could help confirm if this is helpful? You can also set it 0xFFFFFFFF to get full access, but that would likely be a security hole which is not recommended.

Also, even though the implementation may be simpler in SSE, but it addresses a different layer of security than the orignal secnario. SSE handles things at the IP communication layer, whereas SSPI handles things abstracted at the software level. SSE will likely have some performance hits because it would essentially be encrypting and decrypting all communications.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to specify PeerTokenAccessMask in WSAQuerySocketSecurity?

2 answers

Your answer