SeCreateClientSecurity function (ntifs.h)

Article
09/28/2023

The SeCreateClientSecurity routine initializes a security client context structure with the information needed to call SeImpersonateClientEx.

Syntax

NTSTATUS SeCreateClientSecurity(
  [in]  PETHREAD                     ClientThread,
  [in]  PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos,
        BOOLEAN                      RemoteSession,
  [out] PSECURITY_CLIENT_CONTEXT     ClientContext
);

Parameters

[in] ClientThread

Pointer to the thread of the client to be impersonated.

[in] ClientSecurityQos

Pointer to a caller-allocated SECURITY_QUALITY_OF_SERVICE structure indicating what form of impersonation is to be performed.

RemoteSession

Set to TRUE if the server of the client's request is remote.

[out] ClientContext

Pointer to a caller-allocated SECURITY_CLIENT_CONTEXT structure to be initialized.

Return value

Return code	Description
STATUS_SUCCESS	The security client context was successfully initialized.
STATUS_BAD_IMPERSONATION_LEVEL	The client to be impersonated is currently impersonating a client of its own, and one of the following is true: (1) The client's effective token cannot be passed on for use by another server, because its impersonation level is SecurityAnonymous or SecurityIdentification. (2) ServerIsRemote is TRUE, and the client thread is impersonating its client at other than SecurityDelegation level.

Return code

Description

STATUS_SUCCESS

The security client context was successfully initialized.

STATUS_BAD_IMPERSONATION_LEVEL

The client to be impersonated is currently impersonating a client of its own, and one of the following is true: (1) The client's effective token cannot be passed on for use by another server, because its impersonation level is SecurityAnonymous or SecurityIdentification. (2) ServerIsRemote is TRUE, and the client thread is impersonating its client at other than SecurityDelegation level.

Remarks

SeCreateClientSecurity initializes a client security context block to represent a client's security context.

If the ContextTrackingMode member of ClientSecurityQos is set to SECURITY_DYNAMIC_TRACKING and ServerIsRemote is set to FALSE, SeCreateClientSecurity uses a reference to the client's effective token. Otherwise, SeCreateClientSecurity creates a copy of the client's token.

Each call to SeCreateClientSecurity must be matched by a subsequent call to SeDeleteClientSecurity.

For more information about security and access control, see Windows security model for driver developers and the documentation on these topics in the Windows SDK.

Requirements

Requirement	Value
Target Platform	Universal
Header	ntifs.h (include Ntifs.h)
Library	NtosKrnl.lib
DLL	NtosKrnl.exe
IRQL	PASSIVE_LEVEL

Share via

SeCreateClientSecurity function (ntifs.h)

Syntax

Parameters

Return value

Remarks

Requirements

See also

Feedback

Additional resources