Using an access token to acquire users' group information (Windows)

An access token is an object that describes the security context of a process or thread. The information in an access token includes the identity and privileges of the user account associated with the process or thread.

When you log on, the system verifies your password by comparing it with information stored in a security database. If the password is authenticated, the system produces an access token. Every process run on your behalf uses a copy of this access token.

An access token can also be acquired based on cached credentials. After you have been authenticated to the system, your credentials are cached by the operating system. The access token of the last logon can be referenced in the cache when it is not possible to contact the domain controller.

The access token includes information about all of the groups you belong to: local groups and various domain groups (global groups, domain local groups, and universal groups).

Note: Group lookup with CLIENT authentication is not supported over a remote connection, even when access token support is enabled.

To enable access token support, you must use the db2set command to update the DB2_GRP_LOOKUP registry variable. DB2_GRP_LOOKUP can have up to two parameters, separated by a comma:
  • The first parameter is for conventional group lookup and can take the values: "", "LOCAL", or "DOMAIN".
  • The second parameter is for token style group lookup and can take the values: "TOKEN", "TOKENDOMAIN", or "TOKENLOCAL".
If the second parameter (TOKEN, TOKENDOMAIN, or TOKENLOCAL) is specified, it takes precedence over conventional group enumeration. If token group enumeration fails, conventional group lookup occurs, provided the first parameter of DB2_GRP_LOOKUP was specified.
The meanings of the values TOKEN, TOKENDOMAIN, and TOKENLOCAL are as follows:
  • TOKENLOCAL

    The token is used to enumerate groups at the local machine (this is equivalent to conventional "LOCAL" group lookup).

  • TOKENDOMAIN

    The token is used to enumerate groups at the location where the user is defined (at the local machine for a local user and at the domain for a domain user). This is equivalent to conventional "" or "DOMAIN" group lookup.

  • TOKEN

    The token is used to enumerate groups at both the domain and on the local machine. For a local user, the groups returned will contain local groups. For a domain user, the groups returned will contain both domain and local groups. There is no equivalent in conventional group lookup.

For example, the following setting of DB2_GRP_LOOKUP enables access token support for enumerating local groups:
   db2set DB2_GRP_LOOKUP=LOCAL,TOKENLOCAL
The next example enables access token support for enumerating groups at both the local machine and the location where the user ID is defined (if the account is defined at the domain):
   db2set DB2_GRP_LOOKUP=,TOKEN
This final example enables access token support for enumerating domain groups at the location where the user ID is defined:
   db2set DB2_GRP_LOOKUP=DOMAIN,TOKENDOMAIN
Note: Access token support can be enabled with all authentication types except CLIENT authentication.
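As an added example (not part of the DB2 documentation or product code), the following Python model captures the DB2_GRP_LOOKUP value format and the precedence rule described above: it validates a value before it is handed to db2set, rejecting a swapped or extra parameter, and lists which lookups run, in order, for a local or a domain user. The function names, and the reading of an empty first parameter as "not specified" for fallback purposes, are assumptions of this model.

```python
from typing import Dict, List, Optional

# Allowed values for the two comma-separated DB2_GRP_LOOKUP parameters.
CONVENTIONAL_VALUES = ("", "LOCAL", "DOMAIN")
TOKEN_VALUES = ("TOKEN", "TOKENDOMAIN", "TOKENLOCAL")


def parse_grp_lookup(value: str) -> Dict[str, Optional[str]]:
    """Split a DB2_GRP_LOOKUP value into its conventional and token-style parts.
    A third parameter, an unknown value or swapped order raises ValueError."""
    parts = [p.strip().upper() for p in value.split(",")]
    if len(parts) > 2:
        raise ValueError("DB2_GRP_LOOKUP takes at most two parameters")
    conventional = parts[0]
    token = parts[1] if len(parts) == 2 else ""
    if conventional not in CONVENTIONAL_VALUES:
        raise ValueError(f"unknown conventional lookup value: {conventional!r}")
    if token and token not in TOKEN_VALUES:
        raise ValueError(f"unknown token-style lookup value: {token!r}")
    return {"conventional": conventional, "token": token or None}


def is_valid(value: str) -> bool:
    """Check a value before passing it to db2set (constructed helper)."""
    try:
        parse_grp_lookup(value)
        return True
    except ValueError:
        return False


def lookup_order(value: str, domain_user: bool) -> List[str]:
    """Lookups performed for this user, in the order they are tried: token style
    first, conventional only as fallback and only if the first parameter was
    given (treating "" as "not given" is an assumption of this model)."""
    setting = parse_grp_lookup(value)
    where_defined = "domain" if domain_user else "local"
    token_scopes = {
        "TOKENLOCAL": ["local"],
        "TOKENDOMAIN": [where_defined],
        # TOKEN covers domain and local machine; a local user has no domain groups.
        "TOKEN": ["domain", "local"] if domain_user else ["local"],
    }
    conv_scopes = {"": [where_defined], "LOCAL": ["local"], "DOMAIN": ["domain"]}
    conv = "conventional:" + "+".join(conv_scopes[setting["conventional"]])
    if not setting["token"]:
        return [conv]  # no token style configured: conventional lookup only
    order = ["token:" + "+".join(token_scopes[setting["token"]])]
    if setting["conventional"]:
        order.append(conv)  # fallback used if token enumeration fails
    return order
```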