3.1.5.17 RemoteCallKerbKeyAgreementGenerateNonce
The RemoteCallKerbKeyAgreementGenerateNonce call uses the Kerberos KeyAgreementGenerateNonce message (section 2.2.2.1.17) to generate a nonce value for inclusion in the DHNonce in a Kerberos PKINIT message exchange ([RFC4556] Section 3.2.1).
To perform this message exchange, the CredSSP server MUST send a KerbCredIsoRemoteInput object to the CredSSP client. The CallId field MUST be set to RemoteCallKerbKeyAgreementGenerateNonce, and the KeyAgreementGenerateNonce member of the union MUST be populated.
To reply to the preceding input message, the CredSSP client MUST respond with a KerbCredIsoRemoteOutput object. The CallId field MUST be set to RemoteCallKerbKeyAgreementGenerateNonce, and the KeyAgreementGenerateNonce member of the union MUST be populated.