2.1.4.1.4 SSL/TLS Protocol

The identity of the application client has been authenticated using the SSL/TLS (see [MS-TLSP]) and RCMP (see [MS-RCMP]) protocols, as described in [MS-AUTHSOD] section 2.1.2.4.

On a successful authentication, the domain controller generates the SSL_CERT_LOGON_RESP message, which includes the user's PAC, as specified in [MS-PAC], and sends the message back via the Netlogon Remote Protocol ([MS-NRPC]). On receipt of this message, the server generates an access token.

The application server impersonates the user with this access token and invokes the access check function in the authorization system (through the resource manager), passing the access token, the requested access mask, and the security descriptor of the requested object. The authorization system executes the access check algorithm described in [MS-DTYP] section 2.5.3.2 to determine whether the authenticated identity holds sufficient permissions to access the object.
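As an added illustration of the access check step (example code, not taken from the specification or from any Windows implementation), the following is a deliberately simplified model of the core DACL walk in [MS-DTYP] section 2.5.3.2: the token is reduced to the SIDs it carries, ACEs are plain tuples, and conditional ACEs, MAXIMUM_ALLOWED, privilege checks and object-specific ACEs are omitted. The SIDs and rights masks in the sample are constructed for the example.

```python
# Added example: simplified model of the [MS-DTYP] 2.5.3.2 access check.
# Not the specification's own pseudocode; conditional/callback ACEs,
# MAXIMUM_ALLOWED, privileges and object-specific ACEs are left out.
from typing import NamedTuple, Optional

READ_CONTROL = 0x00020000  # standard rights, values as defined in [MS-DTYP]
WRITE_DAC = 0x00040000
ALLOW, DENY = "ACCESS_ALLOWED", "ACCESS_DENIED"

class Ace(NamedTuple):
    ace_type: str
    sid: str
    mask: int

class SecurityDescriptor(NamedTuple):
    owner: str
    dacl: Optional[list]  # None models a NULL DACL (no protection at all)

class Token(NamedTuple):
    user: str
    groups: frozenset

    def holds(self, sid: str) -> bool:
        return sid == self.user or sid in self.groups

def access_check(token: Token, sd: SecurityDescriptor, desired: int) -> bool:
    """True if every bit of `desired` is granted to `token` by `sd`."""
    remaining = desired
    if token.holds(sd.owner):  # owner is always granted READ_CONTROL|WRITE_DAC
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    if sd.dacl is None:        # NULL DACL: everything is granted
        return True
    # Walk the DACL in order. A deny ACE only matters for bits that are still
    # unresolved, which is why canonical order puts deny ACEs before allows.
    for ace in sd.dacl:
        if not token.holds(ace.sid):
            continue
        if ace.ace_type == ALLOW:
            remaining &= ~ace.mask
        elif ace.ace_type == DENY and remaining & ace.mask:
            return False
    return remaining == 0

# Constructed sample (not real SIDs): the user owns the object and is in Users.
USER_SID, USERS_SID, EVERYONE_SID = "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-513", "S-1-1-0"
SAMPLE_TOKEN = Token(USER_SID, frozenset({USERS_SID, EVERYONE_SID}))
SAMPLE_SD = SecurityDescriptor(owner=USER_SID, dacl=[
    Ace(DENY, USERS_SID, 0x2),            # deny "write" (0x2) to Users
    Ace(ALLOW, EVERYONE_SID, 0x1 | 0x2),  # allow "read" and "write" to Everyone
])
```

Read (0x1) is granted via Everyone, write (0x2) is refused by the earlier deny ACE, and WRITE_DAC is granted to the owner without any ACE saying so.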