This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
We have implemented Kerberos using Windows SSPI. The authentication was successful.
We want to store the Kerberos token for the future use.
How could we extract the token from the SecBufferDesc returned by the InitializeSecurityContext?
Also, how to check the token is correct or not?
bool bHaveCtxtHandle = false;
CtxtHandle contextHandle = { 0 };
SecBufferDesc outSecBufDesc;
SecBuffer outSecBuf;
SecBufferDesc inSecBufDesc;
ULONG ContextAttributes = 0U;
PBYTE pOutBuf = new BYTE[pkgInfo->cbMaxToken];
outSecBufDesc.ulVersion = 0;
outSecBufDesc.cBuffers = 1;
outSecBufDesc.pBuffers = &outSecBuf;
outSecBuf.cbBuffer = pkgInfo->cbMaxToken;
outSecBuf.BufferType = SECBUFFER_TOKEN;
outSecBuf.pvBuffer = pOutBuf;
lSecStatus = InitializeSecurityContext(&stCredHandle,
bHaveCtxtHandle ? &contextHandle : NULL,
pcPrincipalName,
ISC_REQ_USE_SUPPLIED_CREDS,
0,
SECURITY_NATIVE_DREP,
bHaveCtxtHandle ? &inSecBufDesc : NULL,
0,
&contextHandle,
&outSecBufDesc,
&ContextAttributes,
&SecurityContextLifetime);
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 23%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJJ%3C/text%3E%3C/svg%3E)
hi, @Vishnu Gopalakrishnan could i know how you implement the Kerberos authentication using SSPI, could you share your sample code? i want to use SSPI to set up secure communication, but when do authentication, it always downgraded to NTLM, am not sure why. i have used setspn to register the SPN name and set it as target name, but still failed. could you help me? thank you so much!
We have taken 
as a reference.
yes, thanks for your reply, i have seen this article. And what's the parameter do you use for target name in InitializeSecurityContext? just use domain user name? do you do some additional configuration for domain? because when i use domain user in this authentication function, it still uses NTLM protocol.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 34%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXY%3C/text%3E%3C/svg%3E)
Sorry, how I use SECBUFFER_TOKEN ? i.e in which way we store it? Decrypt? or binary or char? Any samples please.
Can i use QueryContextAttributes(&contextHandle, SECPKG_ATTR_ACCESS_TOKEN, pBuffer); On my checking it failed with 0x8009030b
0x8009030B is SEC_E_NO_IMPERSONATION. And you may try the char token.
Here is the error source.
If the security context is for a server or is incomplete, the returned handle may be NULL. Depending on the security package, QueryContextAttributes (General) may return SEC_E_NO_IMPERSONATION for these cases.
Thanks for the reply. This I could see. Is there any cpp samples available to fetch the Kerberos token?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 78%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFX%3C/text%3E%3C/svg%3E)
@Vishnu Gopalakrishnan , It is recommend that to open a ticket for this issue so that our engineer could work closely with you to resolve this issue as soon as possible since it is complex. Please visit the below link below and get the technical support for Windows SDK by submit the incident:
https://developer.microsoft.com/en-us/windows/support/