3.3.4.1.4 Receiving a Return NL_AUTH_MESSAGE Token
When the client receives the return token, it verifies that:
The NL_AUTH_MESSAGE token is at least 12 bytes in length.
The MessageType is set to 1.
If either of these conditions are not true, the client MUST return SEC_E_INVALID_TOKEN (0x80090308) indicating that an invalid token has been received.
Otherwise, the client initializes ClientSequenceNumber to 0, which is used to detect out-of-order messages.