Client Context Initialization
To establish a secure connection, the client acquires an outbound credentials handle before sending an authentication request to the server. The server creates a security context for the client from the authentication request. There are two client-side SSPI functions involved in authentication setup:
- AcquireCredentialsHandle obtains a reference to previously obtained logon credentials.
- InitializeSecurityContext (General) creates the initial authentication request security tokens.
Code for this process can be seen in the GenClientContext function in Using SSPI with a Windows Sockets Client.
If a client program needs to use credentials in addition to its own logon credentials, such as a different user name, domain name, and password, it provides them in the AcquireCredentialsHandle call with a SEC_WINNT_AUTH_IDENTITY structure specifying the additional credentials. For more information on credentials functions, see Credential Management.
Note
The Flags member of the SEC_WINNT_AUTH_IDENTITY structure can be set to SEC_WINNT_AUTH_IDENTITY_ANSI when strings in the structure are ASCII or OEM. ANSI strings can be used with the Flags member of the SEC_WINNT_AUTH_IDENTITY structure set to SEC_WINNT_AUTH_IDENTITY_UNICODE if they are first converted to Unicode by using the MultiByteToWideChar function.
To initiate the first leg of the authentication, the client calls InitializeSecurityContext (General) to obtain an initial security token to be sent in a connection request message to the server.
The client uses the security token information received in the output buffer descriptor to generate a message to send to the server. The construction of the message, in terms of placement of various buffers and so forth, is part of the application protocol and must be understood by both parties.
The client checks the return status from InitializeSecurityContext (General) to see if authentication will complete in a single call. A return status of SEC_I_CONTINUE_NEEDED indicates that the security protocol requires multiple authentication messages. For more information on context functions, see Context Management.
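The client-side sequence described above (acquire an outbound credentials handle, optionally with a SEC_WINNT_AUTH_IDENTITY structure, then loop on InitializeSecurityContext while it returns SEC_I_CONTINUE_NEEDED) as an added example; this is not the GenClientContext code from the Windows Sockets sample. The SSPI calls are only compiled on Windows (`_WIN32`). The message framing is an assumption standing in for the application protocol the text leaves to the two parties: each token is sent as a 4-byte big-endian length followed by the token bytes, and the server must use the same layout. The function names `frame_token`, `unframe_token`, `token_length`, `recv_exact` and `client_authenticate` are this example's own.

```c
/* Added example, not from the original page. Portable token framing plus a
 * Windows-only SSPI client handshake loop. Framing assumption: [len:4 BE][token]. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode the assumed 4-byte big-endian length prefix. */
uint32_t token_length(const unsigned char hdr[4])
{
    return ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) | ((uint32_t)hdr[2] << 8) | hdr[3];
}

/* Frame one security token; returns bytes written, or 0 if out is too small. */
size_t frame_token(const unsigned char *tok, uint32_t len, unsigned char *out, size_t cap)
{
    if (cap < 4 + (size_t)len) return 0;
    out[0] = (unsigned char)(len >> 24); out[1] = (unsigned char)(len >> 16);
    out[2] = (unsigned char)(len >> 8);  out[3] = (unsigned char)len;
    memcpy(out + 4, tok, len);
    return 4 + (size_t)len;
}

/* Parse a framed token; returns 1 and points *tok at the payload, 0 if truncated. */
int unframe_token(const unsigned char *msg, size_t msglen, const unsigned char **tok, uint32_t *len)
{
    if (msglen < 4) return 0;
    uint32_t n = token_length(msg);
    if ((size_t)n > msglen - 4) return 0;   /* declared length exceeds what arrived */
    *tok = msg + 4; *len = n;
    return 1;
}

#ifdef _WIN32
#define SECURITY_WIN32
#include <winsock2.h>
#include <windows.h>
#include <sspi.h>
#include <wchar.h>
#pragma comment(lib, "secur32.lib")

static int recv_exact(SOCKET s, unsigned char *buf, size_t n)
{
    while (n > 0) {
        int r = recv(s, (char *)buf, (int)n, 0);
        if (r <= 0) return 0;
        buf += r; n -= (size_t)r;
    }
    return 1;
}

/* Client side of the handshake over a connected socket. package: e.g. L"Negotiate";
 * target: the server's SPN; user/domain/password NULL = use the logon session's credentials.
 * On success returns 1 with *cred and *ctx live (caller frees both); 0 on failure. */
int client_authenticate(SOCKET s, const wchar_t *package, const wchar_t *target,
                        const wchar_t *user, const wchar_t *domain, const wchar_t *password,
                        CredHandle *cred, CtxtHandle *ctx)
{
    SEC_WINNT_AUTH_IDENTITY_W id = {0};
    void *auth = NULL;
    if (user) {                          /* explicit credentials instead of the logon session's */
        id.User = (unsigned short *)user;         id.UserLength = (unsigned long)wcslen(user);
        id.Domain = (unsigned short *)domain;     id.DomainLength = domain ? (unsigned long)wcslen(domain) : 0;
        id.Password = (unsigned short *)password; id.PasswordLength = password ? (unsigned long)wcslen(password) : 0;
        id.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;   /* strings here are wide, not ANSI/OEM */
        auth = &id;
    }
    TimeStamp expiry;
    if (AcquireCredentialsHandleW(NULL, (LPWSTR)package, SECPKG_CRED_OUTBOUND,
                                  NULL, auth, NULL, NULL, cred, &expiry) != SEC_E_OK) return 0;

    unsigned char inbuf[8192], outbuf[8192], wire[4 + 8192], hdr[4];
    SecBuffer inTok = { 0, SECBUFFER_TOKEN, inbuf };
    SecBufferDesc inDesc = { SECBUFFER_VERSION, 1, &inTok };
    SecBuffer outTok = { 0, SECBUFFER_TOKEN, outbuf };
    SecBufferDesc outDesc = { SECBUFFER_VERSION, 1, &outTok };
    ULONG attrs = 0; int have_ctx = 0, ok = 0;

    for (;;) {
        outTok.cbBuffer = sizeof outbuf;  /* package writes this leg's token here */
        SECURITY_STATUS st = InitializeSecurityContextW(cred, have_ctx ? ctx : NULL, (LPWSTR)target,
            ISC_REQ_CONFIDENTIALITY | ISC_REQ_INTEGRITY | ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT,
            0, SECURITY_NATIVE_DREP, have_ctx ? &inDesc : NULL, 0, ctx, &outDesc, &attrs, &expiry);
        have_ctx = 1;
        if (st == SEC_I_COMPLETE_NEEDED || st == SEC_I_COMPLETE_AND_CONTINUE) {
            if (CompleteAuthToken(ctx, &outDesc) != SEC_E_OK) break;
            st = (st == SEC_I_COMPLETE_NEEDED) ? SEC_E_OK : SEC_I_CONTINUE_NEEDED;
        }
        if (st != SEC_E_OK && st != SEC_I_CONTINUE_NEEDED) break;   /* SEC_E_* failure */
        if (outTok.cbBuffer > 0) {                                  /* send this leg's token */
            size_t n = frame_token(outbuf, outTok.cbBuffer, wire, sizeof wire);
            if (n == 0 || send(s, (const char *)wire, (int)n, 0) != (int)n) break;
        }
        if (st == SEC_E_OK) { ok = 1; break; }   /* authentication finished in this leg */
        /* SEC_I_CONTINUE_NEEDED: wait for the server's reply token before the next leg */
        if (!recv_exact(s, hdr, 4)) break;
        uint32_t len = token_length(hdr);
        if (len > sizeof inbuf || !recv_exact(s, inbuf, len)) break;   /* bound before reading */
        inTok.cbBuffer = len;
    }
    if (!ok) { if (have_ctx) DeleteSecurityContext(ctx); FreeCredentialsHandle(cred); }
    return ok;
}
#endif
```

The length check on the server's reply matters: the received length is untrusted input, so it is bounded against the input buffer before any bytes are read into it. The SEC_I_COMPLETE_* statuses are handled by calling CompleteAuthToken before the token is sent, which some packages require on the client side.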