1.5 Prerequisites/Preconditions
The BackupKey Remote Protocol is an RPC interface and, as a result, has the prerequisites specified in [MS-RPCE] as common to RPC interfaces.
The BackupKey Remote Protocol is used between clients and servers. The BackupKey Remote Protocol server must run on a Domain Controller in an Active Directory domain. The client of the BackupKey RPC interface must possess credentials that are valid for authentication in the server's domain.
To use the BackupKey Remote Protocol, the client must first establish an SMB session ([MS-SMB] or [MS-SMB2]) to the well-known endpoint on the server. The client and server must possess appropriate credentials to set up such a session and to establish a mutually authenticated RPC connection over it.
The BackupKey Remote Protocol requires the use of secure RPC. Both client and server must support mutual authentication through the SPNEGO Protocol and must support security packages that provide impersonation as well as packet privacy and packet integrity.
The server must maintain a database of all the cryptographic keys used for secret wrapping, so that it can perform the corresponding unwrapping operation when required. The contents of this database must be protected from disclosure, except to authorized administrators of the server. The server must either be configured with the required keys manually at startup or have a method for generating them when required. The server must also have a method of generating cryptographically strong random numbers for use as nonces in this protocol.