3.1.5.18 RemoteCallKerbFinalizeKeyAgreement

The RemoteCallKerbFinalizeKeyAgreement call uses the Kerberos FinalizeKeyAgreement message (section 2.2.2.1.18) to perform the final step in a key agreement operation, resulting in a shared secret between the Kerberos client and the KDC. Upon completion, the KeyAgreementHandle used in this message exchange is no longer valid in any further message exchanges.

The resulting SharedKey from this exchange is valid only for use with the same CredSSP session [MS-CSSP] connection over which the key was created.

To perform this message exchange, the CredSSP server must send a KerbCredIsoRemoteInput object to the CredSSP client. The CallId field MUST be set to RemoteCallKerbFinalizeKeyAgreement, and the FinalizeKeyAgreement member of the union MUST be populated.

To reply to the preceding input message, the CredSSP client MUST respond with a KerbCredIsoRemoteOutput object. The CallId field MUST be set to RemoteCallKerbFinalizeKeyAgreement, and the FinalizeKeyAgreement member of the union MUST be populated.
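
The following is an added example, not part of the specification: a simplified Python model of the CredSSP client side of this exchange. It enforces the three rules stated above: the CallId and union-member checks, one-time use of the KeyAgreementHandle, and binding of the SharedKey to the session that created it. The class names, the dictionary layout of the union member and the opaque key identifier are assumptions; the real structures are defined in section 2.2.2.1.18.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

CALL_ID = "RemoteCallKerbFinalizeKeyAgreement"  # CallId name taken from this section

class ProtocolError(Exception):
    """Raised when a message breaks one of the rules in this section."""

@dataclass
class RemoteMessage:
    """Simplified stand-in for KerbCredIsoRemoteInput / KerbCredIsoRemoteOutput."""
    call_id: str
    finalize_key_agreement: Optional[dict]  # union member; key names are hypothetical

@dataclass
class CredSspSession:
    """Per-connection state on the CredSSP client (hypothetical layout)."""
    live_handles: set = field(default_factory=set)  # KeyAgreementHandles still usable
    shared_keys: set = field(default_factory=set)   # SharedKeys created on this session

def check_envelope(msg: RemoteMessage) -> dict:
    """CallId must name this call and the union member must be populated."""
    if msg.call_id != CALL_ID:
        raise ProtocolError("unexpected CallId")
    if msg.finalize_key_agreement is None:
        raise ProtocolError("FinalizeKeyAgreement member not populated")
    return msg.finalize_key_agreement

def client_finalize(session: CredSspSession, request: RemoteMessage) -> RemoteMessage:
    """Process the input message and build the output message."""
    body = check_envelope(request)
    handle = body.get("KeyAgreementHandle")
    if handle not in session.live_handles:
        raise ProtocolError("KeyAgreementHandle unknown or already finalized")
    session.live_handles.remove(handle)  # the handle is invalid from here on
    key_id = secrets.token_hex(8)        # opaque placeholder, not real key material
    session.shared_keys.add(key_id)      # key is recorded on this session only
    return RemoteMessage(CALL_ID, {"SharedKey": key_id})

def use_shared_key(session: CredSspSession, key_id: str) -> bool:
    """A SharedKey is usable only on the session that created it."""
    return key_id in session.shared_keys
```

A second request that reuses the same handle, or an attempt to use the key on a different session object, is rejected by this model.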