
Authenticating users in a client-server application using Active Directory

Updated: 2023-08-21 12:43:34


You do an NTLM/Kerberos/Negotiate SSPI exchange loop. There is a full sample on MSDN for both the client and the server. To be clear: you do not use any sort of LDAP access explicitly. It is the LSA (Local Security Authority) that talks with LDAP and establishes the identity of the client. If you are successful in doing the entire SSPI loop, the authentication has succeeded already and the client identity is already authenticated against the LDAP. If your server needs to know the client identity (e.g. to know the user name), it retrieves it from the security context that resulted from the SSPI loop, using QueryContextAttributes(..., SECPKG_ATTR_NAMES, ...), and reads the user name from the SecPkgContext_Names structure.