3.1.5.1 GSS_Init_sec_context Returns While in the CreatingSecurityToken State

If GSS_Init_sec_context returns a major_status of GSS_S_COMPLETE, the Negotiated Protection Level and Negotiated Impersonation Level MUST be set based on the returned state flags. The Security Provider Context MUST be set to the output_context_handle. If the Negotiated Impersonation Level is not equal to the Allowed Impersonation Level or the Negotiated Protection Level is lower than the Required Protection Level, the value 0x000006FE MUST be wrapped in the AuthPayload field of a Handshake message with the HandshakeId set to HandshakeError (as specified in section 2.2) and transmitted to the server. The Security Provider Context MUST be deleted and the Stream State MUST be set to Uninitialized. Otherwise, the output_token MUST be wrapped in the AuthPayload field of a Handshake message with the HandshakeId set to HandshakeDone (as specified in section 2.2) and transmitted to the server. In this case, the Stream State MUST be set to WaitingForHandshakeDone.

If GSS_Init_sec_context returns a major_status of GSS_S_CONTINUE_NEEDED, the Security Provider Context MUST be set to the output_context_handle and the output_token MUST be wrapped in the AuthPayload field of a Handshake message with the HandshakeId set to HandshakeInProgress (as specified in section 2.2) and sent to the server. The Stream State MUST be set to WaitingForHandshakeMessage.

If any other major_status is returned, an HRESULT error code describing the error MUST be wrapped in the AuthPayload of a Handshake message with the HandshakeId set to HandshakeError (as specified in section 2.2) and sent to the server. The Stream State MUST be set to Uninitialized.
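The three outcomes above, modeled as a client-side transition function so the level check that guards against a weaker-than-required negotiation can be tested; this is an added example, not code from the specification. It assumes the negotiated levels have already been derived from the returned state flags, that protection levels order as None < Sign < EncryptAndSign, and it uses symbolic names instead of wire encodings (the `Client`, `Major` and `Protection` names are hypothetical).

```python
from dataclasses import dataclass
from enum import Enum, IntEnum

class Major(Enum):            # symbolic GSS-API major_status outcomes
    COMPLETE = "GSS_S_COMPLETE"
    CONTINUE_NEEDED = "GSS_S_CONTINUE_NEEDED"
    OTHER = "any other major_status"

class Protection(IntEnum):    # assumed ordering, weakest to strongest
    NONE = 0
    SIGN = 1
    ENCRYPT_AND_SIGN = 2

LEVEL_MISMATCH = 0x000006FE   # error value named in this section

@dataclass
class Client:
    allowed_impersonation: str
    required_protection: Protection
    stream_state: str = "CreatingSecurityToken"
    context: object = None
    negotiated_impersonation: str = None
    negotiated_protection: Protection = None

def on_init_sec_context(c, major, ctx, token,
                        impersonation=None, protection=None, hresult=None):
    """Apply the section's rules; return (HandshakeId, AuthPayload) to send."""
    if major is Major.COMPLETE:
        c.negotiated_impersonation = impersonation
        c.negotiated_protection = protection
        c.context = ctx
        # Reject a different impersonation level or a weaker protection level.
        if (impersonation != c.allowed_impersonation
                or protection < c.required_protection):
            c.context = None                  # delete Security Provider Context
            c.stream_state = "Uninitialized"
            return ("HandshakeError", LEVEL_MISMATCH)
        c.stream_state = "WaitingForHandshakeDone"
        return ("HandshakeDone", token)
    if major is Major.CONTINUE_NEEDED:
        c.context = ctx
        c.stream_state = "WaitingForHandshakeMessage"
        return ("HandshakeInProgress", token)
    # Any other major_status: send the HRESULT and reset the Stream State.
    c.stream_state = "Uninitialized"
    return ("HandshakeError", hresult)
```
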