LSA_TOKEN_INFORMATION_V3 structure (ntsecpkg.h)
The LSA_TOKEN_INFORMATION_V3 structure adds claim support to the LSA token and contains information an authentication package can place in a Version 3 Windows token object and has superceded LSA_TOKEN_INFORMATION_V1.
A Version 3 Windows token object stores all the information needed to build a token from the authentication package to the Local Security Authority (LSA). The LSA passes this information into the kernel to create a token object and to return a handle to that token object to the caller of LsaLogonUser. LSA assumes that the first member of this structure are identical to those in the LSA_TOKEN_INFORMATION_V1 structure.
Syntax
typedef struct _LSA_TOKEN_INFORMATION_V3 {
LARGE_INTEGER ExpirationTime;
TOKEN_USER User;
PTOKEN_GROUPS Groups;
TOKEN_PRIMARY_GROUP PrimaryGroup;
PTOKEN_PRIVILEGES Privileges;
TOKEN_OWNER Owner;
TOKEN_DEFAULT_DACL DefaultDacl;
TOKEN_USER_CLAIMS UserClaims;
TOKEN_DEVICE_CLAIMS DeviceClaims;
PTOKEN_GROUPS DeviceGroups;
} LSA_TOKEN_INFORMATION_V3, *PLSA_TOKEN_INFORMATION_V3;
Members
ExpirationTime
Time at which the security context becomes not valid. Use a value in the distant future if the context never expires. The current version of the operating system kernel does not enforce this expiration time.
User
TOKEN_USER structure that contains the SID of the user logging on. The security identifier SID value is in a separately allocated block of memory.
Groups
TOKEN_GROUPS structure that contains the SIDs of groups the user is a member of. This should not include WORLD or other system-defined and system-assigned SIDs. These will be added automatically by the LSA.
Each SID is expected to be in a separately allocated block of memory. The TOKEN_GROUPS structure is also expected to be in a separately allocated block of memory. All of these memory blocks should be allocated by calling the AllocatePrivateHeap function.
PrimaryGroup
TOKEN_PRIMARY_GROUP structure that is used to establish the primary group of the user. This value does not have to correspond to one of the SIDs assigned to the user.
The SID pointed to by this structure is expected to be in a separately allocated block of memory.
This member is mandatory and must be filled in.
Privileges
TOKEN_PRIVILEGES structure that contains the privileges assigned to the user. This list of privileges will be augmented or overridden by any local security policy assigned privileges.
Each privilege is expected to be in a separately allocated block of memory. The TOKEN_PRIVILEGES structure is also expected to be in a separately allocated block of memory.
If there are no privileges to assign to the user, this member may be set to NULL.
Owner
TOKEN_OWNER structure. This member may be used to establish an explicit default owner. Normally, the user ID is used as the default owner. If another value is desired, it must be specified here.
The Owner.Sid member may be set to NULL to indicate there is no alternate default owner value.
DefaultDacl
TOKEN_DEFAULT_DACL structure. This member may be used to establish a default protection for the user. If no value is provided, a default protection that grants everyone all access will be established.
The DefaultDacl.DefaultDacl member may be set to NULL to indicate there is no default protection.
UserClaims
TOKEN_USER_CLAIMS structure. This member stores the opaque user claims BLOB for the token. The UserClaims member may be set to NULL to indicate there are no additional user claims in the token. Claims are allow-only entities so omitting claims may restrict access.
DeviceClaims
TOKEN_DEVICE_CLAIMS structure. This member stores the opaque device claims BLOB for the token. The DeviceClaims member may be set to NULL to indicate there are no additional device claims in the token. Claims are allow-only entities so omitting claims may restrict access.
DeviceGroups
TOKEN_GROUPS structure that contains the SIDs of the groups for the authenticating device member. As with user groups, this should not include WORLD or other system defined or assigned SIDs. The DeviceGroups member may be set to NULL to indicate that no compounding should occur. If DeviceGroups are present, LSA will add WORLD and other assigned SIDs.
Unlike user groups, there is no notion of a primary device group.
Each SID is expected to be in a separately allocated block of memory. The TOKEN_GROUPS structure is also expected to be in a separately allocated block of memory.
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows 8 [desktop apps only] |
| Minimum supported server | Windows Server 2012 [desktop apps only] |
| Header | ntsecpkg.h |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for