antiduh / nsspi

A C# / .Net interface to the Win32 SSPI authentication API

Authorization

zoltanharmath opened this issue · comments

Hi,

I understand the authentication part of this solution. How does the authorization piece work? If the user is authenticated, how can I get the group membership back?

Thank you,
-Zoltan

Can I get the authZ information back directly from the token, or should I impersonate the authenticated client?
I think if the authenticated client is impersonated I can extract the group membership from the access token. But this looks like a bit of a complicated direction.
Theoretically, how does the authZ work? Is it part of the SSPI? I don't think so.

OK, I solved this. :) It is easy.

  1. Impersonation is required
  2. Once it is impersonated in that thread we have to open the thread (OpenThread function)
  3. Once the Thread is opened we have to open the thread token (OpenThreadToken)
  4. Once we have the thread token we have to duplicate it (DuplicateTokenEx or DuplicateToken)
  5. With this duplicated token we can call the AccessCheck API to get the authorization result back

I have a working prototype and it is working fine. This is not an SSPI function, so I will go and close this.

This is not part of the SSPI, so I will go and close it. For authorization we should use the AccessCheck (https://msdn.microsoft.com/en-us/library/windows/desktop/aa374815(v=vs.85).aspx) function or AuthZ.dll.
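The five steps above, as an added C# example that is not part of nsspi or of the reporter's prototype. It assumes the caller has already impersonated the client on the current thread (for example via SSPI); `WindowsIdentity.GetCurrent()` opens the thread token when the thread is impersonating (steps 2 and 3), `DuplicateTokenEx` gives the impersonation token `AccessCheck` requires (steps 4 and 5), and the SDDL string and the 1/2/4/7 generic mapping are constructed values for the demo. Run without impersonation it simply checks the process token.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class AuthzDemo
{
    [StructLayout(LayoutKind.Sequential)]
    struct GENERIC_MAPPING { public uint GenericRead, GenericWrite, GenericExecute, GenericAll; }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateTokenEx(IntPtr hToken, uint access, IntPtr attrs, int impLevel, int tokenType, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AccessCheck(byte[] sd, IntPtr clientToken, uint desired, ref GENERIC_MAPPING map,
        byte[] privSet, ref uint privSetLen, out uint granted, out bool status);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);

    const uint TOKEN_QUERY = 0x0008, MAXIMUM_ALLOWED = 0x02000000;
    const int SecurityImpersonation = 2, TokenImpersonation = 2;

    // Step 5: access mask the client token is granted by the descriptor (0 if denied).
    public static uint CheckAccess(WindowsIdentity client, string sddl)
    {
        IntPtr dup;  // Step 4: AccessCheck only accepts an impersonation token, so duplicate.
        if (!DuplicateTokenEx(client.Token, TOKEN_QUERY, IntPtr.Zero, SecurityImpersonation, TokenImpersonation, out dup))
            throw new Win32Exception();
        try
        {
            var sd = new RawSecurityDescriptor(sddl);       // must carry owner, group and DACL
            var bytes = new byte[sd.BinaryLength];
            sd.GetBinaryForm(bytes, 0);
            var map = new GENERIC_MAPPING { GenericRead = 1, GenericWrite = 2, GenericExecute = 4, GenericAll = 7 };
            var privs = new byte[64]; uint privLen = (uint)privs.Length;  // required out-buffer
            uint granted; bool ok;
            if (!AccessCheck(bytes, dup, MAXIMUM_ALLOWED, ref map, privs, ref privLen, out granted, out ok))
                throw new Win32Exception();
            return ok ? granted : 0;
        }
        finally { CloseHandle(dup); }
    }

    static void Main()
    {
        using (var client = WindowsIdentity.GetCurrent())  // Steps 1-3: thread token when impersonating
        {
            foreach (var g in client.Groups)               // group membership straight from the token
                Console.WriteLine("group: " + g.Value);
            // Constructed descriptor: Administrators get all rights, Everyone only read.
            Console.WriteLine("granted mask: " + CheckAccess(client, "O:SYG:SYD:(A;;GA;;;BA)(A;;GR;;;WD)"));
        }
    }
}
```

Translate the group SIDs with `g.Translate(typeof(NTAccount))` when names are needed, and keep the generic mapping consistent with whatever rights the DACL actually encodes.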