3.5.1 Client Generation of SSL_CERT_LOGON_REQ Message

The client constructs the SSL_CERT_LOGON_REQ message by setting the user's X.509 certificate, the mapping method by which the server looks up the user's account (expressed via Flags as specified in section 2.2.1), and the X.509 certificate issuing authorities (expressed via PayLoad as specified in section 2.2.1). The issuing authorities are set in anchor-last order: the certification authority that directly issued the client's X.509 certificate is first, followed by the certification authority that issued that CA's certificate, and so on up the chain, so that the root certification authority (the anchor) is last. The name of the root certification authority SHOULD be included in the SSL_CERT_LOGON_REQ message when the user's certificate has been directly issued by the root certification authority; in that case the root is the only issuing authority in the list.
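The following is an added illustration, not code from MS-RCMP or any Microsoft implementation. It derives the issuing-authority list in anchor-last order from a certificate chain, covers the direct-from-root case, rejects a chain with a missing issuer, and computes the logical fields of the PackageName RPC_UNICODE_STRING. The chain is constructed inline as dictionaries whose "subject" and "issuer" strings stand in for X.509 names (no DER is parsed), and the MaximumLength choice of Length plus two bytes is an assumption, not something the specification fixes.

```python
# Added example (not from MS-RCMP): anchor-last ordering of issuing
# authorities for SSL_CERT_LOGON_REQ, plus the PackageName string fields.
# Chain entries are constructed dicts; "subject"/"issuer" strings stand in
# for the X.509 names and no real certificates are parsed.

PACKAGE_NAME = "Microsoft Unified Security Protocol Provider"

# Constructed sample chain: user certificate first, CA certificates after
# it in arbitrary order (the function does not rely on their position).
CONSTRUCTED_CHAIN = [
    {"subject": "CN=alice", "issuer": "CN=Contoso Issuing CA"},
    {"subject": "CN=Contoso Root CA", "issuer": "CN=Contoso Root CA"},
    {"subject": "CN=Contoso Issuing CA", "issuer": "CN=Contoso Root CA"},
]


def anchor_last_issuers(chain):
    """Return the issuing-authority names in anchor-last order.

    chain[0] is the user's certificate; the remaining entries are CA
    certificates. The first returned name is the CA that directly issued
    the user's certificate and the last is the self-issued root (anchor).
    If the user's certificate was issued directly by the root, the list
    holds only the root name. Raises ValueError on a broken or looping chain.
    """
    by_subject = {c["subject"]: c for c in chain[1:]}
    names = []
    seen = set()
    issuer = chain[0]["issuer"]
    while True:
        if issuer in seen:
            raise ValueError("certificate chain loops at %r" % issuer)
        seen.add(issuer)
        ca = by_subject.get(issuer)
        if ca is None:
            raise ValueError("issuer %r is not present in the chain" % issuer)
        names.append(ca["subject"])
        if ca["issuer"] == ca["subject"]:
            return names  # reached the self-issued anchor; it goes last
        issuer = ca["issuer"]


def is_anchor_last(names, chain):
    """True if names is exactly the anchor-last issuer sequence for chain."""
    try:
        return list(names) == anchor_last_issuers(chain)
    except ValueError:
        return False


def package_name_fields():
    """Logical fields of the PackageName RPC_UNICODE_STRING.

    Returns (Length, MaximumLength, Buffer). Length is the byte count of the
    UTF-16LE string without a terminator; MaximumLength is the allocated
    size, here Length plus room for a terminating NUL (an assumption of this
    example); Buffer is the UTF-16LE bytes. NDR pointer marshalling is not
    shown.
    """
    buf = PACKAGE_NAME.encode("utf-16-le")
    return len(buf), len(buf) + 2, buf


if __name__ == "__main__":
    print(anchor_last_issuers(CONSTRUCTED_CHAIN))
    direct = [{"subject": "CN=bob", "issuer": "CN=Contoso Root CA"}] + CONSTRUCTED_CHAIN[1:]
    print(anchor_last_issuers(direct))
    print(package_name_fields()[:2])
```

Building the list by walking issuer links rather than trusting the order in which CA certificates arrive is the point: a sender that emits the chain in the order it happened to receive it (often root first) produces an anchor-first list, which is the reverse of what this section requires.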

The Remote Certificate Mapping Protocol client request message is packed as a contiguous buffer, and the encoded data is sent in the LogonData field of the NETLOGON_GENERIC_INFO structure, as specified in [MS-NRPC] section 2.2.1.4.2, via the generic pass-through capability of Netlogon, as specified in [MS-NRPC] section 3.2.4.1. The PackageName field of the NETLOGON_GENERIC_INFO structure, as specified in [MS-NRPC], MUST be an RPC_UNICODE_STRING structure whose string value is "Microsoft Unified Security Protocol Provider".