3.2.2.1.6 Determining DC Support for Signing

The processing rules in this section are used to determine whether the domain controller (DC) supports LDAP signing, that is, integrity protection of LDAP traffic between the caller and the DC.

Input Parameters:

InputADConnectionHandle: An ADConnection handle (see [MS-ADTS] section 7.2 for more information about ADConnection).

Output Parameters:

TRUE or FALSE, depending on whether the DC supports signing.

Processing Rules:

  1. Invoke the "Establishing an ADConnection" task ([MS-ADTS] section 7.6.1.3) with the following parameter:

    TaskInputADConnection: InputADConnectionHandle

  2. If the TaskReturnStatus returned is FALSE, return FALSE.

  3. Invoke the "Perform an LDAP Operation on an ADConnection" task ([MS-ADTS] section 7.6.1.6) with the following parameters:

    • TaskInputADConnection: InputADConnectionHandle

    • TaskInputRequestMessage: LDAP SearchRequest message ([RFC2251] section 4.5.1) as follows:

      • baseObject: NULL (the empty DN, which selects the rootDSE)

      • scope: baseObject

      • filter: (objectClass=*)

      • attributes: The CA SHOULD use the following attributes:

        • supportedCapabilities

      • sizeLimit: 10000

      • timeLimit: 120

      • derefAliases: neverDerefAliases

      • typesOnly: FALSE

    • TaskOutputResultMessage: Upon successful return from the task, this parameter will contain the results of the LDAP search.

  4. If the TaskReturnStatus returned is not 0, return FALSE.

  5. If the supportedCapabilities attribute in TaskOutputResultMessage contains the OID 1.2.840.113556.1.4.1791 (LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID_W), return TRUE; otherwise, return FALSE.
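The five steps above as a worked example in Python. This is an added illustration, not code from the specification or from any Microsoft implementation: the decision logic of steps 4 and 5 is applied to constructed rootDSE responses so the block runs offline, while probe_dc() performs the live rootDSE search with the third-party ldap3 library, which is assumed to be installed and is imported only when that function is called. The function and constant names, and the dict shape used for the SearchRequest and the result entries, are my own choices.

```python
"""Worked example of "Determining DC Support for Signing": build the rootDSE
SearchRequest from step 3, apply the step 4/5 decision to the result, and
optionally run the query against a live DC with ldap3.
Added illustration; not code from the specification."""
from typing import Any, Dict, List, Union

# OID a DC advertises in rootDSE supportedCapabilities when it supports
# LDAP signing/sealing (the value checked in step 5).
LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID = "1.2.840.113556.1.4.1791"


def build_signing_probe_request() -> Dict[str, Any]:
    """SearchRequest parameters from step 3 (dict shape chosen for illustration)."""
    return {
        "baseObject": "",                # NULL DN selects the rootDSE
        "scope": "baseObject",
        "filter": "(objectClass=*)",
        "attributes": ["supportedCapabilities"],
        "sizeLimit": 10000,
        "timeLimit": 120,
        "derefAliases": "neverDerefAliases",
        "typesOnly": False,
    }


def _as_text(value: Union[str, bytes]) -> str:
    # Some LDAP clients return raw attribute bytes; normalise before comparing OIDs.
    return value.decode("ascii", "replace") if isinstance(value, bytes) else str(value)


def dc_supports_signing(result_code: int, entries: List[Dict[str, Any]]) -> bool:
    """Steps 4 and 5.

    result_code: LDAP resultCode of the SearchRequest (0 = success).
    entries:     search result entries as dicts with an "attributes" mapping
                 (the shape ldap3 uses for Connection.response).
    """
    if result_code != 0:                          # step 4: any LDAP error -> FALSE
        return False
    for entry in entries:
        caps = entry.get("attributes", {}).get("supportedCapabilities", [])
        if isinstance(caps, (str, bytes)):        # tolerate a single-valued form
            caps = [caps]
        if any(_as_text(c).strip() == LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID for c in caps):
            return True                           # step 5: OID present -> TRUE
    return False                                  # step 5: OID absent -> FALSE


def probe_dc(host: str, port: int = 389, timeout: int = 120) -> bool:
    """Live version of steps 1-5 using ldap3 (assumed installed).
    The rootDSE is readable anonymously on AD, so no credentials are needed;
    a failed connection maps to FALSE exactly as step 2 requires."""
    from ldap3 import BASE, DEREF_NEVER, NONE, Connection, Server
    from ldap3.core.exceptions import LDAPException

    req = build_signing_probe_request()
    try:
        server = Server(host, port=port, get_info=NONE, connect_timeout=timeout)
        conn = Connection(server, auto_bind=True)          # step 1 (anonymous bind)
        conn.search(                                       # step 3
            search_base=req["baseObject"],
            search_filter=req["filter"],
            search_scope=BASE,
            dereference_aliases=DEREF_NEVER,
            attributes=req["attributes"],
            size_limit=req["sizeLimit"],
            time_limit=req["timeLimit"],
            types_only=req["typesOnly"],
        )
    except LDAPException:
        return False                                       # step 2
    entries = [r for r in conn.response if r.get("type") == "searchResEntry"]
    return dc_supports_signing(conn.result["result"], entries)   # steps 4-5


# Constructed sample rootDSE responses (not captured from a real DC).
SAMPLE_SIGNING_DC = [{"dn": "", "type": "searchResEntry", "attributes": {
    "supportedCapabilities": [
        "1.2.840.113556.1.4.800",    # LDAP_CAP_ACTIVE_DIRECTORY_OID
        "1.2.840.113556.1.4.1670",   # LDAP_CAP_ACTIVE_DIRECTORY_V51_OID
        "1.2.840.113556.1.4.1791",   # LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID
    ]}}]
SAMPLE_LEGACY_DC = [{"dn": "", "type": "searchResEntry", "attributes": {
    "supportedCapabilities": ["1.2.840.113556.1.4.800"]}}]

if __name__ == "__main__":
    print(dc_supports_signing(0, SAMPLE_SIGNING_DC))   # True
    print(dc_supports_signing(0, SAMPLE_LEGACY_DC))    # False
```

Two points worth keeping in mind when using this check in practice. The rootDSE read happens over the connection before any signing has been negotiated, so the result is an unauthenticated capability advertisement, and the procedure returns FALSE for any error, not only for a DC that genuinely lacks the capability. Presence of the OID also states only that the DC supports signing; whether it requires signing is governed by the DC's LDAP server signing policy, which this query does not reveal.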