typedef struct _KerbCredIsoRemoteInput
     // CallId determines the call being sent over the wire.
     RemoteGuardCallId CallId;
     // Input paramters are held in a union so that each call can be sent over the
     // wire in the same type of KerbCredIsoRemoteInput structure.
     [switch_type(RemoteGuardCallId), switch_is(CallId)] union
             // Used to negotiate the protocol version that will be used.
         // Server sends the maximum version it supports; client replies
         // with the version that will actually be used.
         [case(RemoteCallKerbNegotiateVersion)] struct
             ULONG MaxSupportedVersion;
         } NegotiateVersion;
         // Create an AS_REQ message authenticator.
         [case(RemoteCallKerbBuildAsReqAuthenticator)] struct
             KERB_RPC_ENCRYPTION_KEY* EncryptionKey;
             KERB_RPC_ENCRYPTION_KEY* ArmorKey; // optional
             PLARGE_INTEGER TimeSkew;
         } BuildAsReqAuthenticator;
         // Verify that the given service ticket is valid within the given skew.
         // The encrypted part of the reply data is decrypted for the caller.
         [case(RemoteCallKerbVerifyServiceTicket)] struct
             KERB_ASN1_DATA* PackedTicket;
             KERB_RPC_ENCRYPTION_KEY* ServiceKey;
             PLARGE_INTEGER TimeSkew; // optional
         } VerifyServiceTicket;
         // Create an authenticator for an KRB_AP_REQ message.
         [case(RemoteCallKerbCreateApReqAuthenticator)] struct
             KERB_RPC_ENCRYPTION_KEY* EncryptionKey;
             ULONG SequenceNumber;
             KERB_RPC_INTERNAL_NAME* ClientName;
             PRPC_UNICODE_STRING ClientRealm;
             PLARGE_INTEGER SkewTime;
             KERB_RPC_ENCRYPTION_KEY* SubKey; // optional
             KERB_ASN1_DATA* AuthData; // optional
             KERB_ASN1_DATA* GssChecksum; // optional
             ULONG KeyUsage;
         } CreateApReqAuthenticator;
         // Decrypt the encrypted part of an AP_REP.
         [case(RemoteCallKerbDecryptApReply)] struct
             KERB_ASN1_DATA* EncryptedReply;
             KERB_RPC_ENCRYPTION_KEY* Key;
         } DecryptApReply;
         // Decrypt the encrypted part of a KRB_KDC_REP from the KDC. The type of reply
         // is indicated by the PDU - either KERB_ENCRYPTED_AS_REPLY_PDU or 
         // KERB_ENCRYPTED_TGS_REPLY_PDU. Key usage allows the caller to specify either
         // the TGS or AS REP key derivation types. This is done to allow back-compatibility
         // with a previous release of the Windows Server operating system
         // which returned the wrong PDU for an AS_REP.
         [case(RemoteCallKerbUnpackKdcReplyBody)] struct
             KERB_ASN1_DATA* EncryptedData;
             KERB_RPC_ENCRYPTION_KEY* Key;
             KERB_RPC_ENCRYPTION_KEY* StrengthenKey;
             ULONG Pdu;
             ULONG KeyUsage;
         } UnpackKdcReplyBody;
         // Calculate the MAC for a KRB_TGS_REQ. It is referred to as a "Checksum" in RFC 4120
         // and thus the terminology is maintained.
         [case(RemoteCallKerbComputeTgsChecksum)] struct
             KERB_ASN1_DATA* RequestBody;
             KERB_RPC_ENCRYPTION_KEY* Key;
             ULONG ChecksumType;
         } ComputeTgsChecksum;
         // Encrypt the given authorization data which is to be included within the 
         // request body of a message to be sent to the KDC.
         [case(RemoteCallKerbBuildEncryptedAuthData)] struct
             ULONG KeyUsage;
             KERB_RPC_ENCRYPTION_KEY* Key;
             KERB_ASN1_DATA* PlainAuthData;
         } BuildEncryptedAuthData;
         // Pack up and encrypt a KRB_AP_REP message using the given session key.
         [case(RemoteCallKerbPackApReply)] struct
             KERB_ASN1_DATA* Reply;
             KERB_ASN1_DATA* ReplyBody;
             KERB_RPC_ENCRYPTION_KEY* SessionKey;
         } PackApReply;
         // Create a MAC for S4U pre-authentication data to be include in a KRB_TGS_REQ
         // when requestiong an S4U service ticket for another principal.
         [case(RemoteCallKerbHashS4UPreauth)] struct
             KERB_ASN1_DATA* S4UPreauth;
             KERB_RPC_ENCRYPTION_KEY* Key;
             LONG ChecksumType;
         } HashS4UPreauth;
         // Create a MAC for S4U pre-authentication data that is for certificate-based
         // users. This pa-data is added to KRB_TGS_REQ when requesting an S4U service
         // ticket.
         [case(RemoteCallKerbSignS4UPreauthData)] struct
             KERB_RPC_ENCRYPTION_KEY* Key;
             BOOL IsRequest;
             KERB_ASN1_DATA* UserId;
             PLONG ChecksumType;
         } SignS4UPreauthData;
         // Calculate a MAC from the given data and compare it to the given expected
         // value. Used to detect mismatches which may indicate tampering with the PAC
         // which is sent by the KDC to the client inside a KRB_KDC_REP.
         [case(RemoteCallKerbVerifyChecksum)] struct
             KERB_RPC_ENCRYPTION_KEY* Key;
             ULONG ChecksumType;
             ULONG ExpectedChecksumSize;
             [size_is(ExpectedChecksumSize)] const UCHAR* ExpectedChecksum;
             ULONG DataToCheckSize;
             [size_is(DataToCheckSize)] const UCHAR* DataToCheck;
         } VerifyChecksum;
         // Decrypt the supplemental credentials which are contained with the PAC sent
         // back by the KDC in a KRB_KDC_REP.
         [case(RemoteCallKerbDecryptPacCredentials)] struct
             KERB_RPC_ENCRYPTION_KEY* Key;
             ULONG Version;
             ULONG EncryptionType;
             ULONG DataSize;
             [size_is(DataSize)] UCHAR* Data;
         } DecryptPacCredentials;
         // Create a new ECDH key agreement handle with the given ECC key bit length
         [case(RemoteCallKerbCreateECDHKeyAgreement)] struct
             ULONG KeyBitLen;
         } CreateECDHKeyAgreement;
         [case(RemoteCallKerbCreateDHKeyAgreement)] struct
             // This [case(RemoteCallKerb)] struct has no input parameters, but for 
             // simplicity and consistency with the other parameters, let's define
             // this as a [case(RemoteCallKerb)] struct with a single ignored value.
             UCHAR Ignored;
         } CreateDHKeyAgreement;
         // Destry a key agreement handle which was previously constructed with either
         // CreateECDHKeyAgreement or CreateDHKeyAgreement.
         [case(RemoteCallKerbDestroyKeyAgreement)] struct
             KEY_AGREEMENT_HANDLE KeyAgreementHandle;
         } DestroyKeyAgreement;
         // Generate a nonce for use with the given key agreement. This nonce is part of
         // the Diffie-Hellman agreement that is part of Kerberos PKINIT (RFC 4556)
         [case(RemoteCallKerbKeyAgreementGenerateNonce)] struct
             KEY_AGREEMENT_HANDLE KeyAgreementHandle;
         } KeyAgreementGenerateNonce;
         // Finish a Kerberos PKINIT (RFC 4556) key agreement.
         [case(RemoteCallKerbFinalizeKeyAgreement)] struct
             KEY_AGREEMENT_HANDLE* KeyAgreementHandle;
             ULONG KerbEType;
             ULONG RemoteNonceLen;
             [size_is(RemoteNonceLen)] PBYTE RemoteNonce;
             ULONG X509PublicKeyLen;
             [size_is(X509PublicKeyLen)] PBYTE X509PublicKey;
         } FinalizeKeyAgreement;
 } KerbCredIsoRemoteInput, *PKerbCredIsoRemoteInput;