3.1.4.6 Calling Methods Requiring Session-Key Establishment

To call the methods in the following set, the client and the server MUST have performed session-key negotiation. If negotiation has not been completed prior to the time of a call, negotiation MUST be initiated and completed before making the call. Each of these methods, all of which require a secure channel, is described in section 3.5, together with the errors it returns.

  • NetrGetForestTrustInformation

  • NetrLogonGetCapabilities

  • NetrLogonSamLogon

  • NetrLogonSamLogonEx

  • NetrLogonSamLogonWithFlags

  • NetrLogonSamLogoff

  • NetrLogonSendToSam

  • NetrServerPasswordGet

  • NetrServerPasswordSet

  • NetrServerPasswordSet2

  • NetrServerGetTrustInfo

  • NetrServerTrustPasswordsGet

  • NetrLogonGetDomainInfo

  • NetrDatabaseDeltas

  • NetrDatabaseSync2

  • NetrDatabaseSync

  • NetrDatabaseRedo

  • NetrAccountDeltas

  • NetrAccountSync

  • NetrLogonDummyRoutine1

The client and server follow this sequence of steps.<77>

  1. The client SHOULD<78> bind to the RPC server using TCP/IP.

    The client and server MUST use a secure bind. With a secure bind, the client instructs the RPC runtime to use the Netlogon SSP ([MS-RPCE] section 2.2.1.1.7) for privacy/integrity of the RPC messages. Clients MUST request the Privacy authentication level.

  2. If the call to be made uses Netlogon authenticators, the client MUST compute the Netlogon authenticator to be passed as a parameter to the RPC method, as specified in section 3.1.4.5.

  3. The client calls the method on the server. If the RPC server denies access, the client attempts to re-establish the session key with the target server, but only if the difference between the current time and the value of ServerSessionInfo.LastAuthenticationTry (indexed by the name of the target server) is greater than 45 seconds.

  4. If a secure bind is not used, or the client is using RPC Integrity instead of RPC Privacy, the server MUST deny the request unless the client is listed in the VulnerableChannelAllowList setting.<79>

  5. The server MUST verify the authenticator, if used, and compute the return authenticator, as specified in section 3.1.4.5.

  6. If none of the first 5 bytes of the ClientStoredCredential computation result (step 1, section 3.1.4.5) is unique (that is, all five bytes hold the same value, for example all zero), the server MUST fail session-key negotiation without further processing of the following steps.<80>

  7. The client MUST validate the returned authenticator, if used.

  8. The client MAY unbind from the server, but it SHOULD<81> reuse the binding for multiple RPC calls.
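The eight steps above as an added Python model of both sides, written for this page; it is not code from [MS-NRPC] or from any Windows implementation. The authenticator arithmetic (add the timestamp to the first 4 bytes of the stored credential as a little-endian integer with carry ignored, then increment by one for the return authenticator) follows section 3.1.4.5, and the AES form of ComputeNetlogonCredential (AES-128 in CFB8 mode with a zero IV, via the cryptography package) follows section 3.1.4.4; neither section is reproduced here, so treat both as assumptions of the example, as are the constructed session key, client name and timestamps, the NTSTATUS return codes, the reason strings, and the reading of step 6 as "all five bytes hold the same value". The credential function is passed in as a parameter so the rest of the model can be exercised with any stand-in.

```python
import struct
from dataclasses import dataclass

RPC_C_AUTHN_LEVEL_PKT_INTEGRITY = 5     # [MS-RPCE] authentication levels
RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6       # the only level step 4 accepts
STATUS_SUCCESS = 0x00000000             # NTSTATUS values from [MS-ERREF]
STATUS_ACCESS_DENIED = 0xC0000022
RENEGOTIATE_AFTER_SECONDS = 45          # step 3 back-off

def netlogon_credential_aes(data8: bytes, session_key: bytes) -> bytes:
    """ComputeNetlogonCredential, AES form (section 3.1.4.4, assumed here):
    AES-128 CFB8 with an all-zero IV over the 8-byte input. Needs the
    'cryptography' package; the rest of the model takes any function of this shape."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    enc = Cipher(algorithms.AES(session_key), modes.CFB8(bytes(16))).encryptor()
    return enc.update(data8) + enc.finalize()

def add_to_credential(cred: bytes, value: int) -> bytes:
    """Add a 32-bit value to the first 4 bytes of a stored credential, read as a
    little-endian integer, carry ignored (section 3.1.4.5, assumed here)."""
    low = (struct.unpack("<I", cred[:4])[0] + value) & 0xFFFFFFFF
    return struct.pack("<I", low) + cred[4:]

def first_five_bytes_not_unique(cred: bytes) -> bool:
    """Step 6, read as: all of the first 5 bytes hold the same value (e.g. all zero)."""
    return len(set(cred[:5])) == 1

@dataclass
class Authenticator:
    credential: bytes   # NETLOGON_CREDENTIAL, 8 bytes
    timestamp: int

@dataclass
class ClientState:
    session_key: bytes
    stored_credential: bytes            # ClientStoredCredential
    last_authentication_try: float = 0  # ServerSessionInfo.LastAuthenticationTry

    def make_authenticator(self, now, cred_fn):
        """Step 2: fold the timestamp into the stored credential, then encrypt it."""
        self.stored_credential = add_to_credential(self.stored_credential, now)
        return Authenticator(cred_fn(self.stored_credential, self.session_key), now)

    def validate_return(self, ret, cred_fn):
        """Step 7: the server advanced its copy by one; do the same and compare."""
        self.stored_credential = add_to_credential(self.stored_credential, 1)
        return cred_fn(self.stored_credential, self.session_key) == ret.credential

    def should_renegotiate(self, now):
        """Step 3: after an access-denied, retry negotiation only if the last try
        against this server is more than 45 seconds old."""
        if now - self.last_authentication_try > RENEGOTIATE_AFTER_SECONDS:
            self.last_authentication_try = now
            return True
        return False

@dataclass
class ServerState:
    session_key: bytes
    negotiated_credential: bytes        # ClientStoredCredential as first computed
    client_stored_credential: bytes     # the server's running copy of it
    vulnerable_channel_allow_list: frozenset = frozenset()

    def handle_call(self, client, secure_bind, authn_level, auth, cred_fn):
        # Step 4: no secure bind, or Integrity instead of Privacy, is refused
        # unless the caller is on the VulnerableChannelAllowList.
        weak = not secure_bind or authn_level != RPC_C_AUTHN_LEVEL_PKT_PRIVACY
        if weak and client not in self.vulnerable_channel_allow_list:
            return STATUS_ACCESS_DENIED, "weak-bind", None
        # Step 5: recompute what the client must have sent and compare.
        expected = add_to_credential(self.client_stored_credential, auth.timestamp)
        if cred_fn(expected, self.session_key) != auth.credential:
            return STATUS_ACCESS_DENIED, "bad-authenticator", None
        # Step 6: a credential whose first 5 bytes are all identical is refused.
        if first_five_bytes_not_unique(self.negotiated_credential):
            return STATUS_ACCESS_DENIED, "degenerate-credential", None
        # Accepted: advance by one and build the return authenticator (timestamp 0).
        self.client_stored_credential = add_to_credential(expected, 1)
        ret = Authenticator(cred_fn(self.client_stored_credential, self.session_key), 0)
        return STATUS_SUCCESS, "ok", ret

def run_example(cred_fn=netlogon_credential_aes):
    """Constructed walk-through: a good call, a call over Integrity only, and a
    session whose negotiated credential is all zero."""
    key = bytes(range(16))                                        # constructed
    negotiated = cred_fn(bytes.fromhex("0123456789abcdef"), key)  # 3.1.4.5 step 1
    client, server = ClientState(key, negotiated), ServerState(key, negotiated, negotiated)
    out = {}
    auth = client.make_authenticator(1_700_000_000, cred_fn)
    status, why, ret = server.handle_call("WKSTN01$", True, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, auth, cred_fn)
    out["good"] = (status, why, client.validate_return(ret, cred_fn))
    auth = client.make_authenticator(1_700_000_010, cred_fn)
    status, why, _ = server.handle_call("WKSTN01$", True, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, auth, cred_fn)
    out["integrity"] = (status, why, client.should_renegotiate(1_700_000_010),
                        client.should_renegotiate(1_700_000_020))
    bad = ServerState(key, bytes(8), bytes(8))
    status, why, _ = bad.handle_call("WKSTN01$", True, RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
                                     Authenticator(cred_fn(bytes(8), key), 0), cred_fn)
    out["degenerate"] = (status, why)
    return out

if __name__ == "__main__":
    print(run_example())
```

Running the module prints the three outcomes: the Privacy-level call succeeds and the client accepts the return authenticator; the Integrity-level call is denied at step 4 and the client renegotiates once, then holds off for 45 seconds; the all-zero credential passes the authenticator comparison but is refused by the step 6 check. Note that in the Integrity case the client has already folded a timestamp into its stored credential, so the two sides are out of step afterwards, which is exactly why step 3 re-establishes the session key rather than retrying the call.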