3.3.5.2 Request Processing and Generating DIGEST_VALIDATION_RESP Message

If the AlgType field of the DIGEST_VALIDATION_REQ (section 2.2.5.1) is not set to 0x03, the DC SHOULD<26> return SEC_E_QOP_NOT_SUPPORTED.

Using the Username field in the Payload field of the DIGEST_VALIDATION_REQ (section 2.2.5.1) message, the DC MUST look up the user's password. If the account is not found and Bit A of the Flags field of the DIGEST_VALIDATION_REQ message is set to:

0: The DC SHOULD return STATUS_NO_SUCH_USER.

1: If the domain name in the Realm field matches the DC's own domain name, the DC fails the request with STATUS_LOGON_FAILURE. Otherwise, the DC SHOULD use the Realm field in the Payload field of the DIGEST_VALIDATION_REQ message to determine the target domain and forward the DIGEST_VALIDATION_REQ message to a DC in that domain.

The DC MUST verify the keyed hash contained in the Payload buffer's Response field of the DIGEST_VALIDATION_REQ (section 2.2.5.1) message. The algorithm to perform this validation MUST be as specified in [RFC2617] section 3.2.2.1 and [RFC2831] section 2.1.2.1.
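As an added example (not code from MS-APDS or from any Microsoft implementation), the following Python recomputes the Digest response the way the two cited RFC sections define it and checks it against the client's Response value, which is the validation step the DC performs here. It assumes the Digest server forwarded the username, realm, nonce, cnonce, nc, qop, digest-uri and method values unchanged; the dictionary keys are this example's own names for those values, not the Payload layout of DIGEST_VALIDATION_REQ, and the "http"/"sasl" profile switch is the example's own way of selecting between the two RFC formulas. The caveat worth knowing when implementing both: RFC 2831 section 2.1.2.1 builds A1 from the raw 16-byte H(username:realm:passwd), whereas HTTP Digest MD5-sess is implemented in practice (and specified in RFC 7616) with the 32-character hex encoding of that inner hash, so the same fields give different responses under the two profiles. The SASL test vector is the one from RFC 2831 section 4; charset normalization of the username and password is not handled.

```python
"""Digest response check as a DC would perform it for DIGEST_VALIDATION_REQ.

Added example; not code from MS-APDS or any Microsoft implementation.
Implements the response computation of RFC 2831 section 2.1.2.1 (SASL
DIGEST-MD5) and RFC 2617 section 3.2.2.1 (HTTP Digest, MD5-sess).
"""
import hashlib
import hmac
from typing import Optional


def _md5(data: bytes) -> bytes:
    # H(data) = MD5(data), raw 16 bytes (RFC 2617 3.2.1 / RFC 2831 2.1.2.1)
    return hashlib.md5(data).digest()


def hex_h_a1(username: str, realm: str, password: str, nonce: str,
             cnonce: str, profile: str, authzid: Optional[str] = None) -> str:
    """HEX(H(A1)) for the MD5-sess family.

    profile="sasl": RFC 2831 2.1.2.1 concatenates the raw 16-byte
    H(username:realm:passwd) with ":" nonce ":" cnonce [":" authzid].
    profile="http": RFC 2617 MD5-sess as implemented in practice (RFC 7616)
    uses the 32-char hex form of that inner hash instead.
    The inner hash is the only password-derived material the DC needs.
    """
    inner = _md5(f"{username}:{realm}:{password}".encode("utf-8"))
    if profile == "http":
        inner = inner.hex().encode("ascii")
    elif profile != "sasl":
        raise ValueError(f"unknown profile {profile!r}")
    a1 = inner + f":{nonce}:{cnonce}".encode("utf-8")
    if profile == "sasl" and authzid:
        a1 += f":{authzid}".encode("utf-8")
    return _md5(a1).hex()


def hex_h_a2(method: str, digest_uri: str, qop: Optional[str],
             entity_hash_hex: Optional[str] = None) -> str:
    """HEX(H(A2)). method is "AUTHENTICATE" for a SASL client response,
    "" for the SASL rspauth value, or the HTTP method (GET, POST, ...)."""
    a2 = f"{method}:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        # SASL fixes the trailer to 32 zeros; HTTP auth-int uses H(entity-body)
        a2 += ":" + (entity_hash_hex or "0" * 32)
    return _md5(a2.encode("utf-8")).hex()


def expected_response(f: dict, password: str, profile: str,
                      method: Optional[str] = None) -> str:
    """request-digest / response-value the DC recomputes from the request
    fields (f) and the password it looked up for f["username"]."""
    ha1 = hex_h_a1(f["username"], f["realm"], password, f["nonce"],
                   f["cnonce"], profile, f.get("authzid"))
    ha2 = hex_h_a2(f["method"] if method is None else method,
                   f["digest_uri"], f.get("qop"))
    if f.get("qop"):
        data = f"{f['nonce']}:{f['nc']}:{f['cnonce']}:{f['qop']}:{ha2}"
    else:
        # RFC 2617 backward-compatibility form when the client sent no qop
        data = f"{f['nonce']}:{ha2}"
    return _md5(f"{ha1}:{data}".encode("utf-8")).hex()  # KD(HEX(H(A1)), data)


def validate_response(f: dict, password: str, profile: str) -> bool:
    """The check behind STATUS_SUCCESS versus a failure status: constant-time
    compare of the client's Response value with the recomputed one."""
    return hmac.compare_digest(expected_response(f, password, profile),
                               f["response"].lower())


def server_rspauth(f: dict, password: str) -> str:
    """RFC 2831 response-auth: same KD, but A2 carries an empty method."""
    return expected_response(f, password, "sasl", method="")


# Test vector from RFC 2831 section 4 (password "secret"). The key names are
# this example's own, not the MS-APDS Payload layout.
RFC2831_EXAMPLE = {
    "username": "chris",
    "realm": "elwood.innosoft.com",
    "nonce": "OA6MG9tEQGm2hh",
    "cnonce": "OA6MHXh6VqTrRk",
    "nc": "00000001",
    "qop": "auth",
    "digest_uri": "imap/elwood.innosoft.com",
    "method": "AUTHENTICATE",
    "response": "d388dad90d4bbd760a152321f2143af7",
}

if __name__ == "__main__":
    print("SASL response valid:",
          validate_response(RFC2831_EXAMPLE, "secret", "sasl"))
    print("rspauth:", server_rspauth(RFC2831_EXAMPLE, "secret"))
    print("wrong password accepted:",
          validate_response(RFC2831_EXAMPLE, "wrong", "sasl"))
```

Running the block validates the RFC 2831 exchange with the correct password, rejects a wrong one, and prints the rspauth value the server would return (ea40f60335c427b5527b84dbabcdfffd in RFC 2831's example). Feeding the same fields through the "http" profile yields a different value, which is why a DC that serves both HTTP and SASL Digest servers must know which formula the Digest server's client used before comparing.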

If validation is successful, the DC MUST send back to the Digest server a DIGEST_VALIDATION_RESP (section 2.2.5.2) message whose Status field ([MS-ERREF]) indicates successful authentication (that is, STATUS_SUCCESS), together with the authorization information for the user's account (the PAC). If validation is unsuccessful, the DC MUST return an error code as the status of the NRPC call and MUST NOT send back a DIGEST_VALIDATION_RESP message.

The Digest validation response message DIGEST_VALIDATION_RESP MUST be packed as a contiguous buffer, encoded as specified in section 2.2.5.2, and the encoded data SHOULD be sent by using the generic pass-through mechanism ([MS-NRPC] section 3.2.4.1).