Creating an Schannel Security Context

To establish a security context that will protect communications between a client and server, both must participate in the following information exchange process:


  1. The client calls the InitializeSecurityContext (General) function.
  2. Schannel begins creating a security context according to the rules of the selected security protocol. The function's return code indicates whether the client must call the function again. InitializeSecurityContext (General) may return a token that represents the context.
  3. If a token was returned, the client sends it to the server.
  4. When InitializeSecurityContext (General) returns SEC_E_OK, the client is done. If the function returns SEC_I_CONTINUE_NEEDED, the client must wait for the server to send it a token. When the client has the token from the server, it must call the InitializeSecurityContext (General) function again. (Return to step 2.)


  1. The server waits for a client to send a message that contains a security token. The server passes the token received from the client into the AcceptSecurityContext (General) function.
  2. Schannel builds on the partial security context represented by the token. Schannel returns a token to the server, and a return code indicating whether the server must call the function again.
  3. If a token was returned, the server sends it to the client.
  4. When AcceptSecurityContext (General) returns SEC_E_OK, the server is done. If the function returns SEC_I_CONTINUE_NEEDED, then the server must wait for the client to send it a token. When the server has the token from the client, it must call the AcceptSecurityContext (General) function again. (Return to step 2.)

If either function returns a value other than SEC_E_OK, SEC_I_CONTINUE_NEEDED, or SEC_E_INCOMPLETE_MESSAGE (see the following paragraph) an error has occurred. The client and server should call the DeleteSecurityContext function to delete the partially established security context.

A special case that can alter client and server processing is when too little or too much information is sent to the client or server from the other party. In the case of too little information, both functions return SEC_E_INCOMPLETE_MESSAGE. For information about recognizing and handling insufficient or excess information, see Extra buffers Returned by Schannel.

Performing Authentication Using Schannel

Mapping Certificates

Manually Validating Schannel Credentials