question

beachbear-6886 asked FeiXue-MSFT commented

How to specify PeerTokenAccessMask in WSAQuerySocketSecurity?

The PeerTokenAccessMask field is a ULONG in SOCKET_SECURITY_QUERY_TEMPLATE.
I need to set it to some value to get PeerApplicationAccessTokenHandle and/or PeerMachineAccessTokenHandle.
However I cannot find anywhere how that mask field can be set.
There are no constant definitions anywhere, and specifying anything except zero gives me error 10022 (invalid argument) from WSAQuerySocketSecurity().
How can I set that PeerTokenAccessMask correctly to be able to get the token handles?

windows-api

RitaHan-MSFT answered FeiXue-MSFT commented

Hello @beachbear-6886,

For the access mask for a token, you can refer to "Access Rights for Access-Token Objects" for a complete list.

Thank you!

Thank you for your reply,

I tried all of them starting with TOKEN_ and some other standard flags and none of them make any difference.
The WSAQuerySocketSecurity is still failing with error 10022.

This is what Microsoft online documentation says:
If the SOCKET_SECURITY_QUERY_TEMPLATE structure is specified with the PeerTokenAccessMask member not specified (set to zero), then the WSAQuerySocketSecurity function will not return the PeerApplicationAccessTokenHandle and PeerMachineAccessTokenHandle members in the SOCKET_SECURITY_QUERY_INFO structure.

Could you clarify what exact value must be set in the PeerTokenAccessMask field, other than zero, so that WSAQuerySocketSecurity does not fail and returns those handles?

0 Votes

Please make sure that:

For a client application using connection-oriented sockets, the WSAQuerySocketSecurity function should be called after the connect, ConnectEx, or WSAConnect function returns. For a server application using connection-oriented sockets, the WSAQuerySocketSecurity function should be called after the accept, AcceptEx, or WSAAccept function returns.

And do your server and client run on two different machines separately?

0 Votes

I am calling WSAQuerySocketSecurity in a server application after WSAAccept on a socket from a connected client.
I run the test application elevated to an administrator on a single machine (Windows Server 2016).

The test application is a server using overlapped sockets on an I/O-completion port.
After creation of the listening socket (after the WSASocket call) I call WSASetSocketSecurity to secure the socket with SOCKET_SECURITY_PROTOCOL_DEFAULT and SOCKET_SETTINGS_GUARANTEE_ENCRYPTION. This part works just fine.

It is not specified anywhere in the Microsoft online documentation how to specify the PeerTokenAccessMask member.
I could not find any samples, any articles, any information at all on how to do that properly.

0 Votes

@beachbear-6886, I am looking into this issue. May I know the scenario in which you are using PeerApplicationAccessTokenHandle and PeerMachineAccessTokenHandle?

0 Votes
beachbear-6886 answered FeiXue-MSFT commented

I was trying to use Secure Socket Extensions to perform integrated Windows authentication on sockets, which was expected to be easier than using SSPI. A client winsock2 application running as some user on computer A connects to a server running on computer B (listening on overlapped sockets using an I/O completion port). The server must get the user token securely and figure out if the user belongs to a certain local user group to allow or disallow the request execution. No encryption is necessary; authentication/authorization is sufficient. Since I could not find how to implement that with Secure Socket Extensions, I had to implement it using SSPI, so technically I solved the problem. However, it would be great if Microsoft provided a sample or more detailed documentation on how to achieve the same goal more easily and with less code using Secure Socket Extensions. Thank you for your support!


@beachbear-6886, thanks for the detailed explanation. I will check with my colleague about the detailed usage of PeerTokenAccessMask.

0 Votes

@beachbear-6886, there is really only one value we see for PeerTokenAccessMask, and that is TOKEN_IMPERSONATE, which is used when calling WSAImpersonateSocketPeer(). Could you help confirm whether this is helpful? You can also set it to 0xFFFFFFFF to get full access, but that would likely be a security hole, which is not recommended.

Also, even though the implementation may be simpler in SSE, it addresses a different layer of security than the original scenario. SSE handles things at the IP communication layer, whereas SSPI handles things abstracted at the software level. SSE will likely have some performance hits because it would essentially be encrypting and decrypting all communications.

0 Votes
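Added example, not code from this thread, from beachbear-6886 or from Microsoft: it puts together the mask value FeiXue-MSFT names (PeerTokenAccessMask = TOKEN_IMPERSONATE) with the original goal from the answer above (server checks the connecting user's local group membership). The function names authorize_peer and decide_peer are my own, and the flow after the query (WSAImpersonateSocketPeer, then OpenThreadToken and CheckTokenMembership on the impersonation token, then WSARevertImpersonation) is my design rather than something the thread confirms. The policy step decide_peer is plain C so it compiles and can be tested anywhere; the Windows-only part is guarded by _WIN32 and assumes the server has already called WSAAccept on a socket that was secured with WSASetSocketSecurity as described in the question.

```c
/* Added example (not from this thread or from Microsoft). Assumes: server side,
 * socket returned by WSAAccept, socket secured earlier with WSASetSocketSecurity. */
#include <stddef.h>
#include <string.h>

#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#include <mstcpip.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "fwpuclnt.lib")   /* WSAQuerySocketSecurity et al. are exported from here */
#else
/* Flag values copied from mstcpip.h so decide_peer() compiles and can be tested off Windows. */
#define SOCKET_INFO_CONNECTION_SECURED      0x00000001UL
#define SOCKET_INFO_CONNECTION_ENCRYPTED    0x00000002UL
#define SOCKET_INFO_CONNECTION_IMPERSONATED 0x00000004UL
#endif

typedef enum {
    PEER_DENY_NOT_SECURED = 0,   /* SSE did not authenticate the connection at all */
    PEER_DENY_NOT_ENCRYPTED,     /* caller demanded encryption but only got authentication */
    PEER_DENY_NOT_MEMBER,        /* authenticated, but not in the required local group */
    PEER_ALLOW
} peer_decision;

/* Policy step (hypothetical helper): trust the peer identity only if the query reports the
 * connection as secured, optionally require encryption, then apply the membership result. */
peer_decision decide_peer(unsigned long query_flags, int require_encryption, int is_member)
{
    if (!(query_flags & SOCKET_INFO_CONNECTION_SECURED))
        return PEER_DENY_NOT_SECURED;
    if (require_encryption && !(query_flags & SOCKET_INFO_CONNECTION_ENCRYPTED))
        return PEER_DENY_NOT_ENCRYPTED;
    if (!is_member)
        return PEER_DENY_NOT_MEMBER;
    return PEER_ALLOW;
}

#ifdef _WIN32
/* Hypothetical server-side helper. `peer`/`peer_len` is the address WSAAccept filled in;
 * `group` is the SID of the local group that is allowed. Returns a peer_decision value,
 * or -1 on API failure (inspect WSAGetLastError()/GetLastError()). */
int authorize_peer(SOCKET s, const struct sockaddr *peer, int peer_len,
                   PSID group, int require_encryption)
{
    SOCKET_SECURITY_QUERY_TEMPLATE tmpl;
    SOCKET_SECURITY_QUERY_INFO info;
    ULONG info_len = sizeof(info);
    HANDLE thread_token = NULL;
    BOOL is_member = FALSE;
    int result = -1;

    if (peer_len <= 0 || (size_t)peer_len > sizeof(tmpl.PeerAddress))
        return -1;

    ZeroMemory(&tmpl, sizeof(tmpl));
    ZeroMemory(&info, sizeof(info));
    tmpl.SecurityProtocol = SOCKET_SECURITY_PROTOCOL_DEFAULT;
    memcpy(&tmpl.PeerAddress, peer, (size_t)peer_len);
    /* Least privilege: request only what WSAImpersonateSocketPeer needs, never 0xFFFFFFFF. */
    tmpl.PeerTokenAccessMask = TOKEN_IMPERSONATE;

    if (WSAQuerySocketSecurity(s, &tmpl, sizeof(tmpl), &info, &info_len, NULL, NULL) == SOCKET_ERROR)
        return -1;

    if (info.Flags & SOCKET_INFO_CONNECTION_SECURED) {
        /* Impersonate the peer, then examine the impersonation token now on this thread.
         * CheckTokenMembership requires an impersonation token, which is what
         * OpenThreadToken(..., OpenAsSelf = TRUE) returns while impersonating. */
        if (WSAImpersonateSocketPeer(s, peer, (ULONG)peer_len) != SOCKET_ERROR) {
            if (OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &thread_token)) {
                if (CheckTokenMembership(thread_token, group, &is_member))
                    result = (int)decide_peer(info.Flags, require_encryption, is_member ? 1 : 0);
                CloseHandle(thread_token);
            }
            WSARevertImpersonation();   /* always drop the peer's identity again */
        }
    } else {
        result = (int)PEER_DENY_NOT_SECURED;
    }

    /* The query handed us token handles (because the mask was non-zero); release them. */
    if (info.PeerApplicationAccessTokenHandle)
        CloseHandle((HANDLE)(ULONG_PTR)info.PeerApplicationAccessTokenHandle);
    if (info.PeerMachineAccessTokenHandle)
        CloseHandle((HANDLE)(ULONG_PTR)info.PeerMachineAccessTokenHandle);
    return result;
}
#endif
```

The membership check is done against the thread's impersonation token rather than against PeerApplicationAccessTokenHandle directly, because the mask requested only TOKEN_IMPERSONATE and CheckTokenMembership needs TOKEN_QUERY on an impersonation token; this keeps the requested mask at the one value the thread reports working. Whatever the membership result, the query's SOCKET_INFO_CONNECTION_SECURED flag is checked first, so an unauthenticated connection is never authorized on the strength of a group lookup alone.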