Client-server authentication using security contexts


cabasm
November 30th, 2006, 04:24 AM
Hi,

I wrote a server and a client application. The client tries to connect to the server by using some credentials. I'm using the security context SSPI API to achieve this, i.e. I call AcceptSecurityContext on the server side and InitializeSecurityContext on the client side. I'm using sockets to exchange data packages between client and server.
The problem is I want to be notified on the client side if the server cannot authenticate it, but I have problems achieving this. On the server side AcceptSecurityContext fails as expected, but on the client side InitializeSecurityContext returns no error.
How can I get an error on the client from InitializeSecurityContext if AcceptSecurityContext fails on the server side? (For now I'm disconnecting the client socket on the server side.)

Server:
=====
CtxtHandle ctxt;
SecBufferDesc inBuf, outBuf;   // inBuf holds the token received from the client, outBuf the token to send back
TimeStamp time;
ULONG attribs = 0;
SECURITY_STATUS status;
// first leg: no server context exists yet, so the context argument is NULL and ctxt receives the new one
status = AcceptSecurityContext(&cred, NULL, &inBuf, attribs, SECURITY_NATIVE_DREP, &ctxt, &outBuf, &attribs, &time);
.....
// data package exchange via sockets
....
// second leg: this call returns a negative error code when client uses bad credentials
status = AcceptSecurityContext(&cred, &ctxt, &inBuf, attribs, SECURITY_NATIVE_DREP, &ctxt, &outBuf, &attribs, &time);

Client:
=====
CtxtHandle ctxt;
SecBufferDesc inBuf, outBuf;   // inBuf holds the token received from the server, outBuf the token to send
TimeStamp time;
ULONG attribs;
SECURITY_STATUS status;
// first leg: no context and no input token yet; returns SEC_I_CONTINUE_NEEDED while more legs are needed
status = InitializeSecurityContext(&cred, NULL, target, ISC_REQ_CONFIDENTIALITY, 0, SECURITY_NATIVE_DREP, NULL, 0, &ctxt, &outBuf, &attribs, &time);
....
// data package exchange via sockets
....
// later leg: pass the existing context and the token received from the server
status = InitializeSecurityContext(&cred, &ctxt, target, ISC_REQ_CONFIDENTIALITY, 0, SECURITY_NATIVE_DREP, &inBuf, 0, &ctxt, &outBuf, &attribs, &time);

Thanx!

NoHero
December 1st, 2006, 02:37 AM
I don't know the structure of your server/client, but why not send an application-defined notification to your client and then close the connection on the server side?

cabasm
December 1st, 2006, 03:01 AM
I don't know the structure of your server/client, but why not send an application-defined notification to your client and then close the connection on the server side?
This is what I do now: I close the socket, but I don't like this solution. I thought there was another way to do this.

NoHero
December 1st, 2006, 03:17 AM
I can't see any reason why this solution is not clean or is unsafe; but you can give the client more tries. E.g. that he is capable of trying up to five times to complete an authentication before this connection gets closed (and maybe banned for some minutes). Closing a connection which fails to log in after five tries is a point of security: you prevent yourself from being brute-forced.

cabasm
December 3rd, 2006, 04:50 PM
The reason is I wrote an interface for the transport protocol, and this interface can be implemented in terms of a socket, DCOM, RPC, pipes or another transport protocol (everyone can decide on the desired transport protocol). So, I cannot use a closesocket call because this is socket-specific.
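The application-defined notification NoHero suggests can be made transport-independent, as cabasm's interface requires, by carrying the server's SSPI verdict inside the application's own message envelope rather than signalling failure through the transport. The following is an added example, not code from the thread: a small framing layer in which the server wraps the AcceptSecurityContext status (token, success, or explicit failure with its code) and the client decodes it before deciding whether to call InitializeSecurityContext again. The message type names, the wire layout and the `exchange` helper are this example's own assumptions; the SEC_* values are the Windows SDK constants, redefined here only so the code builds without sspi.h.

```c
#include <stdint.h>
#include <string.h>
/* SSPI status values from the Windows SDK (winerror.h), redefined so this builds without sspi.h. */
#define SEC_I_CONTINUE_NEEDED ((int32_t)0x00090312)
#define SEC_E_LOGON_DENIED    ((int32_t)0x8009030C)
#define MAX_TOKEN 4096
enum msg_type    { MSG_TOKEN = 1, MSG_AUTH_OK = 2, MSG_AUTH_FAILED = 3 };
enum client_step { STEP_CONTINUE, STEP_DONE, STEP_FAILED, STEP_MALFORMED };
/* Envelope carried by any transport (socket, pipe, RPC): failure is signalled in-band, not by closesocket(). */
typedef struct { uint8_t type; int32_t status; uint16_t len; uint8_t token[MAX_TOKEN]; } auth_msg;
/* Server: wrap the outcome of AcceptSecurityContext; a negative status becomes an explicit MSG_AUTH_FAILED. */
void server_build_reply(int32_t accept_status, const uint8_t *tok, size_t tok_len, auth_msg *m) {
    memset(m, 0, sizeof *m); m->status = accept_status;
    if (accept_status < 0) { m->type = MSG_AUTH_FAILED; return; }   /* no token is sent on failure */
    m->type = (accept_status == SEC_I_CONTINUE_NEEDED) ? MSG_TOKEN : MSG_AUTH_OK;
    m->len = (uint16_t)(tok_len > MAX_TOKEN ? MAX_TOKEN : tok_len);
    memcpy(m->token, tok, m->len);
}
/* Wire layout: type(1) | status(4, little-endian) | len(2, little-endian) | token(len). */
size_t auth_msg_encode(const auth_msg *m, uint8_t *out, size_t cap) {
    if (cap < 7u + m->len) return 0;
    out[0] = m->type;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)((uint32_t)m->status >> (8 * i));
    out[5] = (uint8_t)m->len; out[6] = (uint8_t)(m->len >> 8);
    memcpy(out + 7, m->token, m->len);
    return 7u + m->len;
}
int auth_msg_decode(const uint8_t *in, size_t n, auth_msg *m) {
    if (n < 7) return -1;
    uint16_t len = (uint16_t)(in[5] | ((uint16_t)in[6] << 8));
    if (len > MAX_TOKEN || n != 7u + len) return -1;   /* frame length must match exactly */
    memset(m, 0, sizeof *m); m->type = in[0]; m->len = len;
    m->status = (int32_t)((uint32_t)in[1] | (uint32_t)in[2] << 8 | (uint32_t)in[3] << 16 | (uint32_t)in[4] << 24);
    memcpy(m->token, in + 7, len); return 0;
}
/* Client: only MSG_TOKEN goes back into InitializeSecurityContext; a server failure surfaces here with its code. */
enum client_step client_handle_reply(const uint8_t *wire, size_t n, int32_t *server_status) {
    auth_msg m;
    if (auth_msg_decode(wire, n, &m) != 0) return STEP_MALFORMED;
    *server_status = m.status;
    if (m.type == MSG_TOKEN) return STEP_CONTINUE;
    if (m.type == MSG_AUTH_OK) return STEP_DONE;
    return m.type == MSG_AUTH_FAILED ? STEP_FAILED : STEP_MALFORMED;
}
/* One round of the exchange: server verdict -> envelope -> wire bytes -> client decision. */
enum client_step exchange(int32_t accept_status, const uint8_t *tok, size_t tok_len, int32_t *status) {
    auth_msg m; uint8_t wire[7 + MAX_TOKEN];
    server_build_reply(accept_status, tok, tok_len, &m);
    return client_handle_reply(wire, auth_msg_encode(&m, wire, sizeof wire), status);
}
```

Because the verdict travels inside the envelope, the server can still close or rate-limit the connection afterwards through whatever transport is in use, while the client learns the reason first.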