LSA_TOKEN_INFORMATION_V3 structure (ntsecpkg.h)

The LSA_TOKEN_INFORMATION_V3 structure adds claim support to the LSA token and contains information an authentication package can place in a Version 3 Windows token object and has superceded LSA_TOKEN_INFORMATION_V1.

A Version 3 Windows token object stores all the information needed to build a token from the authentication package to the Local Security Authority (LSA). The LSA passes this information into the kernel to create a token object and to return a handle to that token object to the caller of LsaLogonUser. LSA assumes that the first member of this structure are identical to those in the LSA_TOKEN_INFORMATION_V1 structure.

Syntax

typedef struct _LSA_TOKEN_INFORMATION_V3 {
  LARGE_INTEGER       ExpirationTime;
  TOKEN_USER          User;
  PTOKEN_GROUPS       Groups;
  TOKEN_PRIMARY_GROUP PrimaryGroup;
  PTOKEN_PRIVILEGES   Privileges;
  TOKEN_OWNER         Owner;
  TOKEN_DEFAULT_DACL  DefaultDacl;
  TOKEN_USER_CLAIMS   UserClaims;
  TOKEN_DEVICE_CLAIMS DeviceClaims;
  PTOKEN_GROUPS       DeviceGroups;
} LSA_TOKEN_INFORMATION_V3, *PLSA_TOKEN_INFORMATION_V3;

Members

ExpirationTime

Time at which the security context becomes not valid. Use a value in the distant future if the context never expires. The current version of the operating system kernel does not enforce this expiration time.

User

TOKEN_USER structure that contains the SID of the user logging on. The security identifier SID value is in a separately allocated block of memory.

Groups

TOKEN_GROUPS structure that contains the SIDs of groups the user is a member of. This should not include WORLD or other system-defined and system-assigned SIDs. These will be added automatically by the LSA.

Each SID is expected to be in a separately allocated block of memory. The TOKEN_GROUPS structure is also expected to be in a separately allocated block of memory. All of these memory blocks should be allocated by calling the AllocatePrivateHeap function.

PrimaryGroup

TOKEN_PRIMARY_GROUP structure that is used to establish the primary group of the user. This value does not have to correspond to one of the SIDs assigned to the user.

The SID pointed to by this structure is expected to be in a separately allocated block of memory.

This member is mandatory and must be filled in.

Privileges

TOKEN_PRIVILEGES structure that contains the privileges assigned to the user. This list of privileges will be augmented or overridden by any local security policy assigned privileges.

Each privilege is expected to be in a separately allocated block of memory. The TOKEN_PRIVILEGES structure is also expected to be in a separately allocated block of memory.

If there are no privileges to assign to the user, this member may be set to NULL.

Owner

TOKEN_OWNER structure. This member may be used to establish an explicit default owner. Normally, the user ID is used as the default owner. If another value is desired, it must be specified here.

The Owner.Sid member may be set to NULL to indicate there is no alternate default owner value.

DefaultDacl

TOKEN_DEFAULT_DACL structure. This member may be used to establish a default protection for the user. If no value is provided, a default protection that grants everyone all access will be established.

The DefaultDacl.DefaultDacl member may be set to NULL to indicate there is no default protection.

UserClaims

TOKEN_USER_CLAIMS structure. This member stores the opaque user claims BLOB for the token. The UserClaims member may be set to NULL to indicate there are no additional user claims in the token. Claims are allow-only entities so omitting claims may restrict access.

DeviceClaims

TOKEN_DEVICE_CLAIMS structure. This member stores the opaque device claims BLOB for the token. The DeviceClaims member may be set to NULL to indicate there are no additional device claims in the token. Claims are allow-only entities so omitting claims may restrict access.

DeviceGroups

TOKEN_GROUPS structure that contains the SIDs of the groups for the authenticating device member. As with user groups, this should not include WORLD or other system defined or assigned SIDs. The DeviceGroups member may be set to NULL to indicate that no compounding should occur. If DeviceGroups are present, LSA will add WORLD and other assigned SIDs.

Unlike user groups, there is no notion of a primary device group.

Each SID is expected to be in a separately allocated block of memory. The TOKEN_GROUPS structure is also expected to be in a separately allocated block of memory.

Requirements

Requirement Value
Minimum supported client Windows 8 [desktop apps only]
Minimum supported server Windows Server 2012 [desktop apps only]
Header ntsecpkg.h