3.1.5.16 RemoteCallKerbDestroyKeyAgreement

The RemoteCallKerbDestroyKeyAgreement call uses the Kerberos DestroyKeyAgreement message (section 2.2.2.1.16) to clean up system resources associated with a previously created DH key agreement. CredSSP servers that use either RemoteCallKerbCreateDHKeyAgreement or RemoteCallKerbCreateECDHKeyAgreement SHOULD perform a RemoteCallKerbDestroyKeyAgreement message exchange to ensure no resources are leaked. Otherwise, the key agreement resources will be leaked on the CredSSP client until the connection is broken.

To perform this message exchange, the CredSSP server MUST send a KerbCredIsoRemoteInput object to the CredSSP client. The CallId field MUST be set to RemoteCallKerbDestroyKeyAgreement, and the DestroyKeyAgreement member of the union MUST be populated.

To reply to the preceding input message, the CredSSP client MUST respond with a KerbCredIsoRemoteOutput object. The CallId field MUST be set to RemoteCallKerbDestroyKeyAgreement, and the DestroyKeyAgreement member of the union MUST be populated.
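
The following added example, which is not part of the specification, models the exchange above with plain dictionaries: a server-side ledger pairs every create call with a destroy call and applies the two CallId and union-member checks to the output object. The names ModelClient and KeyAgreementLedger and the KeyAgreementHandle field are assumptions made for illustration, and the wire encoding is not modeled.

```python
CREATE_CALLS = {"RemoteCallKerbCreateDHKeyAgreement",
                "RemoteCallKerbCreateECDHKeyAgreement"}
DESTROY = "RemoteCallKerbDestroyKeyAgreement"

class ProtocolError(Exception):
    pass

class ModelClient:
    """Constructed stand-in for the CredSSP client; it holds the resources."""
    def __init__(self):
        self.resources, self._next = {}, 1
    def handle(self, msg):
        call = msg["CallId"]
        if call in CREATE_CALLS:
            h, self._next = self._next, self._next + 1
            self.resources[h] = call
            return {"CallId": call, "KeyAgreementHandle": h}  # assumed field
        if call == DESTROY:
            self.resources.pop(msg["DestroyKeyAgreement"]["KeyAgreementHandle"], None)
            return {"CallId": DESTROY, "DestroyKeyAgreement": {}}
        raise ProtocolError("unexpected CallId")

class KeyAgreementLedger:
    """Server-side record of key agreements the client still holds."""
    def __init__(self, send):
        self.send, self.open = send, set()   # send: input dict -> output dict
    def _call(self, msg, member=None):
        out = self.send(msg)
        if out.get("CallId") != msg["CallId"]:
            raise ProtocolError("output CallId does not match input")
        if member and member not in out:
            raise ProtocolError(member + " union member not populated")
        return out
    def create(self, call_id):
        if call_id not in CREATE_CALLS:
            raise ValueError(call_id)
        handle = self._call({"CallId": call_id})["KeyAgreementHandle"]
        self.open.add(handle)
        return handle
    def destroy(self, handle):
        body = {"KeyAgreementHandle": handle}  # assumed field
        self._call({"CallId": DESTROY, "DestroyKeyAgreement": body},
                   "DestroyKeyAgreement")
        self.open.discard(handle)
    def close(self):
        """Destroy whatever is still open before the connection ends."""
        for handle in sorted(self.open):
            self.destroy(handle)
        return len(self.open)
```

Calling close() before the connection ends releases any key agreement that was created but never destroyed, so nothing is left on the client until the connection is broken.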