3.2.5.2 Active Directory Based Attestation

The client's SecurityIdentifier is validated against SecureClientList, the list of clients known to be secure.

If the SecurityIdentifier is not valid, the server does not issue an AttestationHealthCertificate to the client.

The client MUST initiate Active Directory–based attestation by sending ADRequest to the server upon successful validation of the SecurityIdentifier.

If the response received is ErrorReply, the client MUST process as specified in section 3.2.5.4.

If the response received is HealthCertificateReply, the client is successfully authenticated and is allowed to use the server's resources.
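The exchange above (validate the SecurityIdentifier, send ADRequest, then branch on ErrorReply versus HealthCertificateReply), modelled with both sides in one script as an added example; this is not the protocol's own code or wire format. The SIDs in the SecureClientList, the message field names, the error codes, and the use of an HMAC over a JSON body as a stand-in for the server's signature on the certificate are all assumptions made for the example. The model also places the SecureClientList check on the server, since that is where the list lives, and has the client refuse a reply whose signature does not verify or whose nonce does not match the request it sent, which is the check a practitioner would want even though this section does not spell it out.

```python
"""Toy model of the Active Directory-based attestation exchange.

Constructed example: message shapes, field names, error codes and the HMAC
stand-in for the server's certificate signature are assumptions, not the
protocol's wire format.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Callable, Tuple, Union

# Constructed SecureClientList: SIDs the server treats as known-secure clients.
SECURE_CLIENT_LIST = frozenset({
    "S-1-5-21-1111111111-2222222222-3333333333-1001",
    "S-1-5-21-1111111111-2222222222-3333333333-1002",
})

# Assumption: a symmetric key stands in for the server's certificate-signing
# key. A real server would sign with a private key and the client would verify
# with the matching public key.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


@dataclass(frozen=True)
class ADRequest:
    security_identifier: str
    nonce: str              # freshness value so an old reply cannot be replayed


@dataclass(frozen=True)
class HealthCertificateReply:
    certificate: dict
    signature: str          # hex HMAC-SHA256 over the canonical certificate body


@dataclass(frozen=True)
class ErrorReply:
    code: str
    message: str


Reply = Union[HealthCertificateReply, ErrorReply]


def _sign(certificate: dict, key: bytes) -> str:
    """Canonicalise the certificate and MAC it (stand-in for a real signature)."""
    body = json.dumps(certificate, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def server_handle_ad_request(request: ADRequest,
                             secure_client_list=SECURE_CLIENT_LIST,
                             key: bytes = SERVER_KEY) -> Reply:
    """Server side: validate the SID against SecureClientList, then issue or refuse."""
    if request.security_identifier not in secure_client_list:
        # Unknown SID: no AttestationHealthCertificate is issued.
        return ErrorReply("SidNotSecure",
                          "SecurityIdentifier is not in SecureClientList")
    certificate = {
        "issuer": "AttestationServer",
        "subject": request.security_identifier,
        "nonce": request.nonce,       # binds the certificate to this request
    }
    return HealthCertificateReply(certificate, _sign(certificate, key))


def client_process_reply(reply: Reply, expected_nonce: str,
                         key: bytes = SERVER_KEY) -> Tuple[str, object]:
    """Client side: ErrorReply goes to the error path (section 3.2.5.4 in the
    spec); a HealthCertificateReply is accepted only if it is authentic and
    fresh. Returns ("ok", certificate) or ("error", code)."""
    if isinstance(reply, ErrorReply):
        return ("error", reply.code)
    if isinstance(reply, HealthCertificateReply):
        if not hmac.compare_digest(_sign(reply.certificate, key), reply.signature):
            return ("error", "BadSignature")   # tampered or forged certificate
        if reply.certificate.get("nonce") != expected_nonce:
            return ("error", "StaleReply")     # replay of a certificate from an earlier run
        return ("ok", reply.certificate)
    return ("error", "UnexpectedReply")


def client_attest(security_identifier: str,
                  send: Callable[[ADRequest], Reply] = server_handle_ad_request,
                  key: bytes = SERVER_KEY) -> Tuple[str, object]:
    """Client side: build and send ADRequest, then process whatever comes back."""
    nonce = secrets.token_hex(16)
    reply = send(ADRequest(security_identifier, nonce))
    return client_process_reply(reply, nonce, key)


if __name__ == "__main__":
    print(client_attest("S-1-5-21-1111111111-2222222222-3333333333-1001"))
    print(client_attest("S-1-5-21-1111111111-2222222222-3333333333-9999"))
```

The `send` parameter lets the same client code be driven against the in-process server here or against a real transport later; the nonce check is what stops a captured HealthCertificateReply from being replayed to a client in a later session.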