2.5.2 Token/Authorization Context


For a server implementation of an authenticated protocol, the result of the authentication produces a variety of data. Some of the data is related to the authentication protocol, such as keys for encrypted communication, and is covered in the relevant authentication protocol specification. Additionally, after the identity of the client is determined, additional data corresponding to authorization of the client to the server is derived. This additional information can be from the domain controller, server-local information, or a combination of the two, depending on implementation choices. This additional information is termed an authorization context.

The authorization context, also referred to as a Token, is a collection of the groups associated with the client principal, as well as additional optional policy information. The authorization context is central to determining access through the evaluation of a security descriptor, as shown in section 2.5.3. Note that the Token is never passed directly across the network; tokens are local information and the actual representation is up to the implementation. This Token is represented as an abstract data structure as follows:

  • Sids[]: An array of SIDs that indicate the SID of the user account, the SIDs of all groups to which the user belongs, and SIDs that indicate contextual information such as logon type. The Sids[] array always contains at least the SID of the account; it is an error to have an empty set. The order of the SIDs is not specified, nor is it required that the array be treated logically as a set of SIDs. For the purposes of this document, the SIDs can be considered instances of the RPC_SID structure.

  • UserClaims[]: An optional array of CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 (defined in section 2.4.10.1) which have been issued to the user. The UserClaims[] array can be empty. The order of the Claims is not specified or required.

  • LocalClaims[]: An optional array of CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 (defined in section 2.4.10.1) which have been issued to the authenticated principal. The LocalClaims[] array can be empty. The order of the Claims is not specified or required.

  • Privileges[]: An array of LUIDs representing the set of administrative or security-relevant privileges associated with this authorization context. These are logical privileges associated with the user; it might be convenient for an implementation to represent each privilege as a LUID.

  • DeviceSids[]: An optional array of SIDs that indicate the SID of the account of the computer which the user is connecting from, the SIDs of all groups to which that computer account belongs, and SIDs that indicate contextual information such as logon type. If the DeviceSids[] array is present, it always contains at least the SID of the computer account. The order of the SIDs is neither specified nor required. For the purposes of this document, the SIDs can be considered instances of the RPC_SID structure.

  • DeviceClaims[]: An optional array of CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 (defined in section 2.4.10.1) which have been issued to the account of the computer which the user is connecting from. The DeviceClaims[] array can be empty. The order of the DeviceClaims is not specified or required.

  • UserIndex: An unsigned __int32 that is an index into the Sids[] array that indicates which SID is the SID that represents the user account.

  • OwnerIndex: An unsigned __int32 that is an index into the Sids[] array that indicates which SID to assign as the owner for new objects. This value is determined by local policy in an implementation-specific manner. Ownership is often used, by way of example, for accounting for file storage space on a file server. This value can be the same as the UserIndex attribute, but is not required to be; this allows, for example, quota or ownership of objects to be assigned to groups rather than individuals.<93>

  • PrimaryGroup: An unsigned __int32 that is an index into the Sids[] array that indicates which SID to use as the primary group of the user.

  • DefaultDACL: A DACL, as defined in section 2.4.5, that can be applied to new objects when there is no parent security descriptor for inheritance and no explicit new security descriptor was supplied by the client.

An authorization context can optionally include mandatory integrity information and policy. This is not required for all instances, and can depend on the ability of the authentication protocol used to carry the necessary information. If an implementation also chooses to implement mandatory integrity in the same way as Windows does, the following additional fields are necessary.

  • IntegrityLevelSID: A separate SID, not used for general access decisions like the Sids[] array above, that indicates the mandatory integrity level of this principal.

  • MandatoryPolicy: An unsigned __int32 that specifies the access policy for principals with a mandatory integrity level lower than that of the object associated with the SACL that contains this ACE. The possible values of this field are the same as those specified for the Policy field of TOKEN_MANDATORY_POLICY (section 2.4.8).

Note: For more information about tokens in Windows, see [MSDN-ACCTOKENS].
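The following is an added example, not part of the specification, that models the abstract Token above in Python and checks the invariants this section states (Sids[] is never empty, the three indices point into Sids[], a present DeviceSids[] holds at least the computer SID, and IntegrityLevelSID is kept out of ordinary SID membership). The class, function and field names are hypothetical; SIDs are strings rather than RPC_SID structures, and the domain SIDs in the sample are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical model of the abstract Token described above (not the spec's own
# code). SIDs are kept as "S-1-5-..." strings rather than RPC_SID structures,
# LUIDs as ints, and claims as (name, value) pairs.
@dataclass
class Token:
    sids: list[str]                     # Sids[]: account, groups, logon-type SIDs
    user_index: int                     # UserIndex into sids
    owner_index: int                    # OwnerIndex into sids (chosen by local policy)
    primary_group: int                  # PrimaryGroup index into sids
    privileges: list[int] = field(default_factory=list)
    user_claims: list[tuple[str, object]] = field(default_factory=list)
    device_sids: list[str] | None = None          # None means not present
    integrity_level_sid: str | None = None        # not consulted by holds_sid
    mandatory_policy: int = 0

def validate_token(tok: Token) -> list[str]:
    """Check the invariants the section states; an empty list means well formed."""
    problems = []
    if not tok.sids:
        problems.append("Sids[] is empty; it must hold at least the account SID")
    for name, idx in (("UserIndex", tok.user_index),
                      ("OwnerIndex", tok.owner_index),
                      ("PrimaryGroup", tok.primary_group)):
        if not 0 <= idx < len(tok.sids):
            problems.append(f"{name}={idx} is not an index into Sids[]")
    if tok.device_sids is not None and not tok.device_sids:
        problems.append("DeviceSids[] is present but empty; it must hold the computer SID")
    return problems

def holds_sid(tok: Token, sid: str) -> bool:
    """Membership over Sids[] treated as a set; IntegrityLevelSID is deliberately excluded."""
    return sid in set(tok.sids)

def new_object_owner_and_group(tok: Token) -> tuple[str, str]:
    """Owner and primary group a server would stamp on a newly created object."""
    return tok.sids[tok.owner_index], tok.sids[tok.primary_group]

# Constructed sample: domain SIDs are placeholders; S-1-5-32-545 (BUILTIN\Users),
# S-1-5-4 (INTERACTIVE logon) and S-1-16-8192 (Medium integrity) are well known.
SAMPLE = Token(
    sids=["S-1-5-21-1111-2222-3333-1001",   # user account
          "S-1-5-21-1111-2222-3333-513",    # Domain Users group
          "S-1-5-32-545", "S-1-5-4"],
    user_index=0, owner_index=1, primary_group=1,   # group, not user, owns new objects
    privileges=[20],                                # constructed LUID value
    integrity_level_sid="S-1-16-8192", mandatory_policy=1)
```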