3.2.5.3 Generating a KERB_VERIFY_PAC_REQUEST Message

The server operating system MUST first assemble the KERB_VERIFY_PAC_REQUEST (section 2.2.4.1) message structure by copying the signature values out of the privilege attribute certificate (PAC) ([MS-PAC] section 2.8) that the server operating system is verifying. The message type field MUST be set to 0x00000003 to make the server operating system ready to contact the DC.

This exchange MUST be layered on top of the Netlogon generic pass-through ([MS-NRPC] section 3.2.4.1). The server operating system MUST supply a KERB_VERIFY_PAC_REQUEST structure, packed as a single buffer, as the LogonData field. The PackageName field MUST be set to a UNICODE_STRING with a buffer of "Kerberos".

If the DC cannot be reached, Netlogon ([MS-NRPC] section 3) MUST return the error STATUS_NO_LOGON_SERVERS (section 2.2). The server operating system SHOULD fail the authentication attempt.
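
The packed buffer described above, as an added example that is not part of the specification text. The field order (MessageType, ChecksumLength, SignatureType, SignatureLength, then the server and KDC signature values, little-endian) is assumed from section 2.2.4.1, which is not reproduced here, and SignatureType is assumed to be the KDC signature's type; the function names are hypothetical.

```python
import struct

KERB_VERIFY_PAC_MESSAGE = 0x00000003           # message type required by this section
PACKAGE_NAME = "Kerberos".encode("utf-16-le")  # UNICODE_STRING buffer, 16 bytes
# Assumed header layout (section 2.2.4.1): MessageType, ChecksumLength,
# SignatureType (signed), SignatureLength, all 32-bit little-endian.
HEADER = struct.Struct("<IIiI")
# Signature sizes by checksum type ([MS-PAC] section 2.8): HMAC-MD5 is 16 bytes,
# the two HMAC-SHA1-96-AES types are 12 bytes.
SIG_SIZES = {-138: 16, 15: 12, 16: 12}


def pack_verify_pac_request(server_sig: bytes, kdc_sig_type: int, kdc_sig: bytes) -> bytes:
    """Build the single packed buffer carried in the LogonData field."""
    if SIG_SIZES.get(kdc_sig_type) != len(kdc_sig):
        raise ValueError("KDC signature length does not match its type")
    if len(server_sig) not in SIG_SIZES.values():
        raise ValueError("unexpected server signature length")
    header = HEADER.pack(KERB_VERIFY_PAC_MESSAGE, len(server_sig), kdc_sig_type, len(kdc_sig))
    return header + server_sig + kdc_sig


def parse_verify_pac_request(buf: bytes) -> dict:
    """Receiver-side decode that rejects buffers whose lengths do not add up."""
    if len(buf) < HEADER.size:
        raise ValueError("buffer shorter than fixed header")
    msg_type, cksum_len, sig_type, sig_len = HEADER.unpack_from(buf)
    if msg_type != KERB_VERIFY_PAC_MESSAGE:
        raise ValueError("not a KERB_VERIFY_PAC_REQUEST")
    if HEADER.size + cksum_len + sig_len != len(buf):
        raise ValueError("declared lengths do not match buffer size")
    body = buf[HEADER.size:]
    return {"server_sig": body[:cksum_len], "kdc_sig_type": sig_type, "kdc_sig": body[cksum_len:]}


if __name__ == "__main__":
    # Constructed sample signature bytes, not taken from a real PAC.
    req = pack_verify_pac_request(bytes(range(12)), 16, bytes(range(100, 112)))
    print(req.hex(), parse_verify_pac_request(req))
```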