3.1.4.3 Request Context
When the HTTP server invokes the RMS server to process a request, it MUST provide a RequestContext containing additional context about the HTTP request. The isAuthenticated field MUST indicate whether the request was authenticated. If MWBF authentication was used, authenticationType MUST be MWBF and authenticatedAccount MUST be a FederatedAccount containing the values of the EmailAddress and ProxyAddresses claims.
Otherwise, authenticationType SHOULD contain the authentication type used by the HTTP server and authenticatedAccount MUST be a DomainAccount. If the HTTP server supports the Negotiate protocol, the server SHOULD authenticate the client using SPNEGO-based Kerberos and NTLM HTTP Authentication [RFC4559]. The server establishes a security context as specified in [RFC4178] section 3.2 by calling the implementation-specific equivalent of GSS_Accept_sec_context as specified in [RFC2743] section 2.2.2. If the HTTP server does not support the Negotiate authentication protocol, the server authenticates the client using NTLM Over HTTP [MS-NTHT]. The server establishes a security context as specified in [MS-NLMP] section 3.2.4 by calling the implementation-specific equivalent of GSS_Accept_sec_context as specified in [RFC2743] section 2.2.2.
The security context can be queried using the implementation-specific equivalent of GSS_Inquire_context as specified in [RFC2743] section 2.2.6. The information obtained from the context includes a Token/Authorization Context ([MS-DTYP] section 2.5.2). The server obtains the SID of the user from the value of the element Token.Sids[Token.UserIndex]. The SID SHOULD be stored in the SID field of the DomainAccount.
If the authentication protocol negotiated by SPNEGO-based Kerberos and NTLM HTTP Authentication [RFC4559] was Kerberos, the server obtains the EffectiveName and LogonDomainName from the KERB_VALIDATION_INFO structure ([MS-PAC] section 2.5) returned by the KDC as specified in [MS-KILE] section 3.3.5.6.4.1. The name field of the DomainAccount SHOULD be set to the string value made by constructing "LogonDomainName\EffectiveName".
If the authentication protocol negotiated by SPNEGO-based Kerberos and NTLM HTTP Authentication [RFC4559] was NTLM, or the server authenticated the client using NTLM Over HTTP [MS-NTHT], the server obtains the UserName and DomainName from the AUTHENTICATE_MESSAGE sent by the client as specified in [MS-NLMP] section 3.2.5.1.2. The name field of the DomainAccount SHOULD be set to the string value made by constructing "DomainName\UserName".
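The following is an added illustration (not code from the specification or any RMS implementation) of how an HTTP server front end could assemble the RequestContext described in this section from the three authentication outcomes: MWBF, Negotiate/Kerberos and NTLM. The `auth` dictionary and its keys, and the dataclass field names, are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

# Minimal models of the structures named in the section (constructed here).
@dataclass
class FederatedAccount:
    email_address: str          # EmailAddress claim
    proxy_addresses: List[str]  # ProxyAddresses claim

@dataclass
class DomainAccount:
    name: Optional[str] = None  # "Domain\\User"
    sid: Optional[str] = None   # Token.Sids[Token.UserIndex]

@dataclass
class Token:                    # Token/Authorization Context subset
    sids: List[str]
    user_index: int

@dataclass
class RequestContext:
    is_authenticated: bool
    authentication_type: Optional[str] = None
    authenticated_account: Union[FederatedAccount, DomainAccount, None] = None


def build_request_context(auth: dict) -> RequestContext:
    """Build the RequestContext handed to the RMS server.

    `auth` summarises the HTTP authentication outcome; its keys ("type",
    "claims", "token", "pac", "ntlm") are assumptions of this example.
    """
    if not auth.get("type"):
        # No authentication: no account is attached at all.
        return RequestContext(is_authenticated=False)
    if auth["type"] == "MWBF":
        claims = auth["claims"]
        acct = FederatedAccount(claims["EmailAddress"], list(claims["ProxyAddresses"]))
        return RequestContext(True, "MWBF", acct)
    # Any other scheme yields a DomainAccount. The SID is read at the index
    # the token designates as the user, not simply the first entry.
    token: Token = auth["token"]
    acct = DomainAccount(sid=token.sids[token.user_index])
    if auth["type"] == "Kerberos":      # names from KERB_VALIDATION_INFO (PAC)
        pac = auth["pac"]
        acct.name = f'{pac["LogonDomainName"]}\\{pac["EffectiveName"]}'
    elif auth["type"] == "NTLM":        # names from AUTHENTICATE_MESSAGE
        msg = auth["ntlm"]
        acct.name = f'{msg["DomainName"]}\\{msg["UserName"]}'
    else:
        raise ValueError(f"unsupported authentication type {auth['type']!r}")
    return RequestContext(True, auth["type"], acct)
```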