1.5 Prerequisites/Preconditions

To use EFSRPC with a remote server, the client is required to possess valid credentials recognized by the server and be able to pass authentication and authorization checks for access to the encrypted data on the server. If secure operation is desired, the server is required to register an appropriate server principal name/authentication service pair that supports a protection level that provides packet integrity. Additionally, the client needs to be configured to associate the appropriate server principal name, authentication, authorization, and protection level with its binding when connecting to the server.<1>

The User-Certificate Binding interface described in section 3.1.1.1 stores user keys protected to the user credentials and requires that the EFSRPC server be joined to the domain and configured for Kerberos delegation.<2> Alternatively, the server can be configured for Kerberos constrained delegation (as specified in [MS-SFU]) for only the services used for user key storage.