SeCreateClientSecurityFromSubjectContext function (ntifs.h)
The SeCreateClientSecurityFromSubjectContext routine retrieves the access token for a security subject context and uses the result to initialize a security client context with the information needed to call SeImpersonateClientEx.
Syntax
NTSTATUS SeCreateClientSecurityFromSubjectContext(
  [in]  PSECURITY_SUBJECT_CONTEXT    SubjectContext,
  [in]  PSECURITY_QUALITY_OF_SERVICE ClientSecurityQos,
  [in]  BOOLEAN                      ServerIsRemote,
  [out] PSECURITY_CLIENT_CONTEXT     ClientContext
);
Parameters
[in] SubjectContext
Pointer to the security subject context of the client to be impersonated.
[in] ClientSecurityQos
Pointer to a caller-allocated SECURITY_QUALITY_OF_SERVICE structure indicating what form of impersonation is to be performed.
[in] ServerIsRemote
Set to TRUE if the server of the client's request is remote.
[out] ClientContext
Pointer to a caller-allocated SECURITY_CLIENT_CONTEXT structure to be initialized.
Return value
SeCreateClientSecurityFromSubjectContext returns STATUS_SUCCESS when it successfully initializes the security client context.
It returns STATUS_BAD_IMPERSONATION_LEVEL when the client to be impersonated is currently impersonating a client of its own, and one of the following is true:
- The client's effective token cannot be passed on for use by another server, because its impersonation level is SecurityAnonymous or SecurityIdentification.
- ServerIsRemote is TRUE, and the client thread is impersonating its client at a level other than SecurityDelegation.
Remarks
SeCreateClientSecurityFromSubjectContext initializes a client security context block to represent a client's security context.
If the ContextTrackingMode member of ClientSecurityQos is set to SECURITY_DYNAMIC_TRACKING and ServerIsRemote is set to FALSE, SeCreateClientSecurityFromSubjectContext uses a reference to the client's effective token. Otherwise, SeCreateClientSecurityFromSubjectContext creates a copy of the client's token.
Each call to SeCreateClientSecurityFromSubjectContext must be matched by a subsequent call to SeDeleteClientSecurity.
For more information about security and access control, see Windows security model for driver developers and the documentation on these topics in the Windows SDK.
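The rules in the Return value and Remarks sections can be checked against a small user-mode model. This is an added example, not Microsoft's code and not kernel code; `model_create`, `client_t`, `outcome_t` and the `Lvl*`, `TOKEN_*` and `M_STATUS_*` names are hypothetical, chosen for the model only.

```c
/* User-mode model of the documented rules; not kernel code, builds with any C99 compiler. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same order as SECURITY_IMPERSONATION_LEVEL; names are the model's own (hypothetical). */
typedef enum { LvlAnonymous, LvlIdentification, LvlImpersonation, LvlDelegation } level_t;
typedef enum { TOKEN_NOT_MODELLED, TOKEN_REFERENCED, TOKEN_COPIED } token_use_t;

#define M_STATUS_SUCCESS                 0x00000000u
#define M_STATUS_BAD_IMPERSONATION_LEVEL 0xC00000A5u

typedef struct {
    bool    impersonating;  /* client thread is itself impersonating a client of its own */
    level_t level;          /* level of that impersonation; ignored when not impersonating */
} client_t;

typedef struct { uint32_t status; token_use_t token; } outcome_t;

/* dynamic_tracking stands for ContextTrackingMode == SECURITY_DYNAMIC_TRACKING. */
outcome_t model_create(client_t c, bool dynamic_tracking, bool server_is_remote)
{
    /* The page describes token handling only for the success path. */
    outcome_t r = { M_STATUS_BAD_IMPERSONATION_LEVEL, TOKEN_NOT_MODELLED };
    if (c.impersonating) {
        /* Rule 1: Anonymous/Identification tokens cannot be passed to another server. */
        if (c.level == LvlAnonymous || c.level == LvlIdentification) return r;
        /* Rule 2: a remote server needs the client to impersonate at Delegation level. */
        if (server_is_remote && c.level != LvlDelegation) return r;
    }
    r.status = M_STATUS_SUCCESS;
    /* Remarks: reference only for dynamic tracking with a local server, else a copy. */
    r.token = (dynamic_tracking && !server_is_remote) ? TOKEN_REFERENCED : TOKEN_COPIED;
    return r;
}

int main(void)
{
    const char *use[] = { "-", "reference", "copy" };
    client_t cases[] = { { false, LvlAnonymous }, { true, LvlIdentification },   /* constructed */
                         { true, LvlImpersonation }, { true, LvlDelegation } };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        for (int remote = 0; remote <= 1; remote++) {
            outcome_t o = model_create(cases[i], true, remote != 0);
            printf("impersonating=%d level=%d remote=%d -> 0x%08X %s\n",
                   cases[i].impersonating, (int)cases[i].level, remote,
                   (unsigned)o.status, use[o.token]);
        }
    return 0;
}
```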
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows 2000 |
| Target Platform | Universal |
| Header | ntifs.h (include Ntifs.h) |
| Library | NtosKrnl.lib |
| DLL | NtosKrnl.exe |
| IRQL | PASSIVE_LEVEL |
See also
[SECURITY_SUBJECT_CONTEXT](/windows-hardware/drivers/kernel/eprocess#security_subject_context)
[SeDeleteClientSecurity](nf-ntifs-sedeleteclientsecurity.md)
[SeImpersonateClientEx](nf-ntifs-seimpersonateclientex.md)