SEC_WINNT_AUTH_IDENTITY_EX2 structure (sspi.h)
Contains information about an authentication identity. The SEC_WINNT_AUTH_IDENTITY_EX2 structure contains authentication data that is provided to the AcquireCredentialsHandle function.
typedef struct _SEC_WINNT_AUTH_IDENTITY_EX2 {
unsigned long Version;
unsigned short cbHeaderLength;
unsigned long cbStructureLength;
unsigned long UserOffset;
unsigned short UserLength;
unsigned long DomainOffset;
unsigned short DomainLength;
unsigned long PackedCredentialsOffset;
unsigned short PackedCredentialsLength;
unsigned long Flags;
unsigned long PackageListOffset;
unsigned short PackageListLength;
} SEC_WINNT_AUTH_IDENTITY_EX2, *PSEC_WINNT_AUTH_IDENTITY_EX2;
Version
The version number of the structure. This must be SEC_WINNT_AUTH_IDENTITY_VERSION_2.
cbHeaderLength
The size, in bytes, of the structure header.
cbStructureLength
The size, in bytes, of the structure.
UserOffset
The offset from the beginning of the structure to the beginning of the user name string.
UserLength
The size, in bytes, of the user name string.
DomainOffset
The offset from the beginning of the structure to the beginning of the domain name string.
An identity credential should contain the identity provider name instead of the domain name.
DomainLength
The size, in bytes, of the domain name string.
PackedCredentialsOffset
The offset from the beginning of the structure to the beginning of the packed credentials.
The packed credential is a SEC_WINNT_AUTH_PACKED_CREDENTIALS structure that contains a credential type that uniquely specifies the credential type.
PackedCredentialsLength
The size, in bytes, of the packed credentials string.
Flags
An unsigned long flag that indicates the type used by negotiable security packages.
Value | Meaning |
---|---|
|
All data is in one buffer. |
|
Used with the Kerberos security support provider (SSP). Credentials are for identity only. The Kerberos package is directed to not include authorization data in the ticket. |
|
Credentials are in ANSI form. |
|
Credentials are in Unicode form. |
|
When the credential type is password, the presence of this flag specifies that the structure is an online ID credential. The DomainOffset and DomainLength members correspond to the online ID provider name.
Windows Server 2008 R2 and Windows 7: This flag is not supported. |
|
The structure is encrypted by the SspiEncryptAuthIdentity function or by the SspiEncryptAuthIdentityEx function with the SEC_WINNT_AUTH_IDENTITY_ENCRYPT_SAME_PROCESS option. It can only be decrypted by the same process.
Windows Server 2008 R2 and Windows 7: This flag is not supported. |
|
The structure is encrypted by the SspiEncryptAuthIdentityEx function with the SEC_WINNT_AUTH_IDENTITY_ENCRYPT_SAME_LOGON option under the SYSTEM security context. It can only be decrypted by a thread running as SYSTEM.
Windows Server 2008 R2 and Windows 7: This flag is not supported. |
|
The structure is encrypted by the SspiEncryptAuthIdentityEx function with the SEC_WINNT_AUTH_IDENTITY_ENCRYPT_SAME_LOGON option under a non-SYSTEM security context. It can only be decrypted by a thread running in the same logon session in which it was encrypted.
Windows Server 2008 R2 and Windows 7: This flag is not supported. |
|
The authentication identity buffer is cbStructureLength + 8 padding bytes that are necessary for in-place encryption or decryption of the identity. |
PackageListOffset
The offset from the beginning of the structure to the beginning of the list of supported packages.
PackageListLength
The size, in bytes, of the supported package list.
This authentication identity buffer can be returned from several credential APIs, for example, the GetSerialization method and the CredUIPromptForWindowsCredential and SspiPromptForCredentials functions.
The structure describes a header of the authentication identity buffer and the data is appended at the end of the structure. Although the buffer size is specified by the cbStructureLength member, the actual buffer size can be larger or smaller than cbStructureLength. Some functions, such as SspiValidateAuthIdentity, take a pointer, but not the buffer size, to the identity structure as input. As a result, those functions can validate the internal buffer data but cannot verify the buffer size. This can result in reading or writing data outside of the buffer range. To avoid buffer overruns when handling an untrusted identity buffer, applications should call SspiUnmarshalAuthIdentity to obtain a pointer to an identity structure with a validated size and then pass that pointer to the functions.
The SEC_WINNT_AUTH_IDENTITY_EX2 structure can be returned by QueryContextAttributes(CredSSP) and consumed by AcquireCredentialsHandle(CredSSP), LsaLogonUser, and other identity provider interfaces.
SEC_WINNT_AUTH_PACKED_CREDENTIALS can contain a password credential type, defined as SEC_WINNT_AUTH_DATA_TYPE_PASSWORD. This credential type describes password credentials of a domain user as well as other online identities. Applications must define _SEC_WINNT_AUTH_TYPES to compile code that references this credential type as well as other definitions of the SEC_WINNT_AUTH_PACKED_CREDENTIALS structure.
Applications should not query or set the Flags member directly. Use the SspiIsAuthIdentityEncrypted, SspiEncryptAuthIdentityEx, and SspiDecryptAuthIdentityEx functions to manage the encryption and decryption of the SEC_WINNT_AUTH_IDENTITY_EX2 structure.
Identity providers must explicitly check or set SEC_WINNT_AUTH_IDENTITY_FLAGS_ID_PROVIDER and the domain name fields to differentiate their password credential from a domain password and another identity provider's password.
The CredPackAuthenticationBuffer function can be called with the CRED_PACK_ID_PROVIDER_CREDENTIALS option to create a SEC_WINNT_AUTH_IDENTITY_EX2 structure with the authentication data of SEC_WINNT_AUTH_DATA_TYPE_PASSWORD credential type, a Flags member that contains the SEC_WINNT_AUTH_IDENTITY_FLAGS_ID_PROVIDER value, and a DomainOffset member set to the provider name.
Requirement | Value |
---|---|
Minimum supported client | Windows 7 [desktop apps only] |
Minimum supported server | Windows Server 2008 R2 [desktop apps only] |
Header | sspi.h |