3.4.5.2.11 Calling NetrLogonGetCapabilities

The client SHOULD<105> do the following:

  • Have a secure channel established with a domain controller in the domain identified by domain-name and pass its name as the ServerName parameter.

  • Pass a valid client Netlogon authenticator as the Authenticator parameter.

After the method returns, the client MUST verify the ReturnAuthenticator, as defined in section 3.1.4.5, and compare the received Capabilities with the negotiated flags of the current secure channel. If the negotiated flags and the requested flags do not match, then the client SHOULD<106> re-establish the secure channel with the DC.

On successful comparison of the received Capabilities with the negotiated flags, the client also compares the capabilities sent in the negotiate request with the flags received by the server. If the negotiated flags and requested flags do not match, then the client SHOULD<107> re-establish the secure channel with the DC.

Upon receiving STATUS_NOT_IMPLEMENTED, the client MUST treat this as successful confirmation that the DC does not support AES [FIPS197].<108>

On receiving STATUS_ACCESS_DENIED, the client SHOULD<109> re-establish the secure channel with the DC.
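
The client-side decision described in this section, as an added example that is not part of the specification or of any Microsoft implementation. The type, field and function names are hypothetical and the flag values are constructed. Checking the status before the ReturnAuthenticator, and the handling of a failed authenticator or of any other status, are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* NTSTATUS values for the codes named in this section. */
#define STATUS_SUCCESS         0x00000000u
#define STATUS_NOT_IMPLEMENTED 0xC0000002u
#define STATUS_ACCESS_DENIED   0xC0000022u

typedef enum {
    CHANNEL_OK,             /* both comparisons matched */
    CHANNEL_REESTABLISH,    /* flag mismatch or STATUS_ACCESS_DENIED */
    CHANNEL_DC_WITHOUT_AES, /* STATUS_NOT_IMPLEMENTED: DC does not support AES */
    CHANNEL_REJECT_REPLY,   /* ReturnAuthenticator not verified (assumed handling) */
    CHANNEL_OTHER_ERROR     /* status not covered by this section (assumed handling) */
} channel_action;

/* Hypothetical holder for the values the client compares after the call. */
typedef struct {
    uint32_t status;                /* NTSTATUS returned by the method */
    bool     return_auth_ok;        /* result of the section 3.1.4.5 check */
    uint32_t negotiated_flags;      /* flags of the current secure channel */
    uint32_t received_capabilities; /* Capabilities returned by the DC */
    uint32_t requested_flags;       /* flags the client sent when negotiating */
    uint32_t server_received_flags; /* flags the server reports it received */
} capabilities_result;

channel_action evaluate_capabilities(const capabilities_result *r)
{
    if (r->status == STATUS_NOT_IMPLEMENTED) return CHANNEL_DC_WITHOUT_AES;
    if (r->status == STATUS_ACCESS_DENIED)   return CHANNEL_REESTABLISH;
    if (r->status != STATUS_SUCCESS)         return CHANNEL_OTHER_ERROR;
    if (!r->return_auth_ok)                  return CHANNEL_REJECT_REPLY;
    /* First comparison: received Capabilities against negotiated flags. */
    if (r->received_capabilities != r->negotiated_flags) return CHANNEL_REESTABLISH;
    /* Second comparison: what the client sent against what the server received. */
    if (r->server_received_flags != r->requested_flags)  return CHANNEL_REESTABLISH;
    return CHANNEL_OK;
}

int main(void)
{
    /* Constructed sample: the server reports different flags than the client sent. */
    capabilities_result r = { STATUS_SUCCESS, true, 0x602FFFFFu, 0x602FFFFFu,
                              0x612FFFFFu, 0x602FFFFFu };
    printf("action=%d\n", (int)evaluate_capabilities(&r));
    return 0;
}
```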