SpAcceptLsaModeContextFn callback function (ntsecpkg.h)

Server dispatch function used to create a security context shared by a server and client.

The SpAcceptLsaModeContext function is called when the server calls the AcceptSecurityContext (General) function of the Security Support Provider Interface.

Syntax

SpAcceptLsaModeContextFn Spacceptlsamodecontextfn;

NTSTATUS Spacceptlsamodecontextfn(
  [in]  LSA_SEC_HANDLE CredentialHandle,
  [in]  LSA_SEC_HANDLE ContextHandle,
  [in]  PSecBufferDesc InputBuffer,
  [in]  ULONG ContextRequirements,
  [in]  ULONG TargetDataRep,
  [out] PLSA_SEC_HANDLE NewContextHandle,
  [out] PSecBufferDesc OutputBuffer,
  [out] PULONG ContextAttributes,
  [out] PTimeStamp ExpirationTime,
  [out] PBOOLEAN MappedContext,
  [out] PSecBuffer ContextData
)
{...}

Parameters

[in] CredentialHandle

Optional. Handle to the credentials to use for the context.

[in] ContextHandle

Optional. Handle to the current context.

[in] InputBuffer

Pointer to a SecBufferDesc structure containing information from the client.

[in] ContextRequirements

Flags indicating the context requirements. The following table lists the valid values.

Value Meaning
ASC_REQ_DELEGATE
The server is allowed to impersonate the client.
ASC_REQ_MUTUAL_AUTH
Both the client and the server are required to prove their identity.
ASC_REQ_REPLAY_DETECT
The security context will support the detection of replayed packets.
ASC_REQ_SEQUENCE_DETECT
The security context will support the detection of out-of-order messages.
ASC_REQ_USE_SESSION_KEY
A new session key must be negotiated.
ASC_REQ_PROMPT_FOR_CREDS
If the client is an interactive user, the package must, if possible, prompt the user for the appropriate credentials.
ASC_REQ_USE_SUPPLIED_CREDS
The input buffer contains package-specific credential information which should be used to authenticate the connection.
ASC_REQ_ALLOCATE_MEMORY
The package must allocate memory. The caller must eventually call the FreeContextBuffer function to free memory allocated by the security package.
ASC_REQ_USE_DCE_STYLE
The caller expects a three-leg mutual authentication transaction.
ASC_REQ_DATAGRAM
A datagram-type communications channel should be used. For more information, see Datagram Contexts.
ASC_REQ_CONNECTION
A connection-type communications channel should be used. For more information see Connection-Oriented Contexts.
ASC_REQ_EXTENDED_ERROR
If the context fails, generate an error reply message to send back to the client.
ASC_REQ_STREAM
A stream-type communications channel should be used. For more information, see Stream Contexts.
ASC_REQ_INTEGRITY
Buffer integrity can be verified; however, replayed and out-of-sequence messages will not be detected.

[in] TargetDataRep

Flag indicating the data representation, such as byte ordering, to use. Contains SECURITY_NATIVE_DREP or SECURITY_NETWORK_DREP.

[out] NewContextHandle

Pointer to an LSA_SEC_HANDLE. On the first call to AcceptSecurityContext, this pointer receives the new context handle. On subsequent calls, NewContextHandle can be the same as the handle specified in the ContextHandle parameter.

[out] OutputBuffer

Pointer to a SecBufferDesc structure that receives information to be sent to the client.

[out] ContextAttributes

Pointer to flags specifying the context attributes that the server supports. For a list of valid values, see the ContextRequirements parameter.

[out] ExpirationTime

Pointer to a TimeStamp that receives the expiration time for the context.

[out] MappedContext

Pointer to a Boolean value. Set MappedContext to TRUE if the security package implements the user-mode SSP/AP functions.

[out] ContextData

Optional. Pointer to a SecBuffer structure that receives context-specific data to copy when creating the user-mode security context. Memory for ContextData must be allocated using the AllocateLsaHeap function. The Local Security Authority (LSA) will free the memory.

Return value

If the SpAcceptLsaModeContext function succeeds and no more processing is required to establish the security context, return STATUS_SUCCESS. If additional processing is required, the function should return SEC_I_CONTINUE_NEEDED.

If the function fails to create the security context for any other reason, return an NTSTATUS code indicating the reason.

Remarks

SpInitLsaModeContext is the client-side function for creating a security context.

SSP/APs must implement the SpAcceptLsaModeContext function. The actual name given to the implementation is up to the developer.

A pointer to the SpAcceptLsaModeContext function is available in the SECPKG_FUNCTION_TABLE structure received from the SpLsaModeInitialize function.

Requirements

Requirement Value
Minimum supported client Windows XP [desktop apps only]
Minimum supported server Windows Server 2003 [desktop apps only]
Target Platform Windows
Header ntsecpkg.h

See also

AllocateLsaHeap

SpInitLsaModeContext

SpLsaModeInitialize