This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 72%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
The PeerTokenAccessMask field is a ULONG in SOCKET_SECURITY_QUERY_TEMPLATE.
I need to set it to some value to get PeerApplicationAccessTokenHandle and/or PeerMachineAccessTokenHandle.
However I cannot find anywhere how that mask field can be set.
There is no constant definitions anywhere and specifying anything except zero gives me error 10022 (invalid argument) from WSAQuerySocketSecurity().
How can I set that PeerTokenAccessMask correctly to be able to get the token handles?
Hello @beachbear ,
For access mask for token you can refer to "Access Rights for Access-Token Objects" for a complete list.
Thank you!
If the answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you fro your reply,
I tried all of them starting with TOKEN_ and some other standard flags and none of them make any difference.
The WSAQuerySockstSecurity is still failing with error 10022.
This is what Microsoft online documentation says:
If the SOCKET_SECURITY_QUERY_TEMPLATE structure is specified with the PeerTokenAccessMask member not specified (set to zero), then the WSAQuerySocketSecurity function will not return the PeerApplicationAccessTokenHandle and PeerMachineAccessTokenHandle members in the SOCKET_SECURITY_QUERY_INFO structure.
Could you clarify what exact value must be set to the PeerTokenAccessMask field except zero so the WSAQuerySocketSecurity does not fail and return those handles?
Please make sure that:
For a client application using connection-oriented sockets, the
WSAQuerySocketSecurityfunction should be called after theconnect,ConnectEx, orWSAConnectfunction returns. For a server application using connection-oriented sockets, theWSAQuerySocketSecurityfunction should be called after theaccept,AcceptEx, orWSAAcceptfunction returns.
And do your server and client run on two different machines separately?
I am calling WSAQuerySocketSecurity in a server application after WSAAccept on a socket from a connected client.
I run the test application elevated to an administrator on a single machine (Windows Server 2016).
The test application is a server using overlapped sockets on an I/O-completion port.
After creation of the listening socket (after the WSASocket call) I call WSASetSocketSecurity to secure the socket with SOCKET_SECURITY_PROTOCOL_DEFAULT and SOCKET_SETTINGS_GUARANTEE_ENCRYPTION. This part works just fine.
It is not specified anywhere in the Microsoft online documentation how to specify the PeerTokenAccessMask member.
I could not find any samples, any articles, any information at all on how to do that properly.
When calling AccessCheck the function accepts MAXIMUM_ALLOWED as the access mask and will return the maximum rights allowed. Perhaps passing MAXIMUM_ALLOWED to WSAQuerySocketSecurity as the PeerTokenAccessMask parameter is worth a try.
@beachbear I can reproduce the same error. Maybe the document need some update to include guidelines for how to set PeerTokenAccessMask parameter. @RLWA32 MAXIMUM_ALLOWED doesn't work for me.
Thanks for giving MAXIMUM_ALLOWED a try.
An update is definitely needed to explain the use of PeerTokenAccessMask parameter. Its interesting to note that the SDK securesocket sample mentions using WSAQuerySocketSecurity to obtain a token but doesn't demonstrate usage.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 78%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFX%3C/text%3E%3C/svg%3E)
@beachbear , I am looking into this issue, may I know the scenario you are using PeerApplicationAccessTokenHandle andPeerMachineAccessTokenHandle?
I was trying to use Secure Socket Extensions to perform integrated Windows authentication on sockets, which was expected to be easier than using SSPI. A client winsock2 application running as some user on computer A connects to a server running on computer B (listening on an overlapped sockets using an I/O completion port). The server must get the user token securely and figure out if the user belongs to certain local user group to allow or disallow the request execution. No encryption is necessary, authentication/authorization is sufficient. Since I could not find how to implement that with Secure Socket Extensions, I had to implement it using SSPI, so technically I solved the problem. However it would be great if Microsoft provided a sample or a more detailed documentation how to achieve the same goal easier and with less code using Secure Socket Extensions. Thank you for your support!
@beachbear , Thanks for the detailed explanation, I will check with my college about the detailed usage about PeerTokenAccessMask.
@beachbear , There is really only 1 value we see for PeerTokenAccessMask and that is TOKEN_IMPERSONATE which is used when calling WSAImpersonateSocketPeer(). Could help confirm if this is helpful? You can also set it 0xFFFFFFFF to get full access, but that would likely be a security hole which is not recommended.
Also, even though the implementation may be simpler in SSE, but it addresses a different layer of security than the orignal secnario. SSE handles things at the IP communication layer, whereas SSPI handles things abstracted at the software level. SSE will likely have some performance hits because it would essentially be encrypting and decrypting all communications.