3.5.4.4.3 NetrServerAuthenticateKerberos (Opnum 59)

The NetrServerAuthenticateKerberos method SHOULD<176> mutually authenticate the client and the server using Kerberos as the security support provider instead of netlogon as specified in [MS-RPCE] section 4.1.

 NTSTATUS NetrServerAuthenticateKerberos(
   [in, unique, string] LOGONSRV_HANDLE PrimaryName,
   [in, string] wchar_t* AccountName,
   [in] NETLOGON_SECURE_CHANNEL_TYPE AccountType,
   [in, string] wchar_t* ComputerName,
   [in, out] PULONG NegotiateFlags,
   [out] PULONG AccountRid
 );

PrimaryName: The custom binding handle, as defined in section 3.5.4.1.

AccountName: A null-terminated Unicode string that identifies the name of the account with which to authenticate.

SecureChannelType: A NETLOGON_SECURE_CHANNEL_TYPE enumerated value, as defined in section 2.2.1.3.13, that indicates the type of the secure channel being established by this call.

ComputerName: A null-terminated Unicode string that contains the NetBIOS name of the client computer calling this method.

NegotiateFlags: A pointer to a 32-bit set of bit flags in little-endian format that indicate features supported. As input, the flags are those requested by the client and are the same as ClientCapabilities. As output, they are the bit-wise AND of the client's requested capabilities and the server's ServerCapabilities. For more details, see section 3.1.4.2.

AccountRid: A pointer that receives the RID of the account specified by the AccountName parameter. ([MS-ADTS] section 3.1.1.5.2.4 specifies how this RID is assigned at account creation time.) This value is stored in the AccountRid ADM element within the ClientSessionInfo table.

Return Values: The method returns 0x00000000 on success; otherwise, it returns a nonzero error code.

On receiving this call, the server MUST perform the following validation steps:

  • Apply Common Error Processing Rule A, defined in section 3.

  • Apply Common Error Processing Rule B, defined in section 3, to the PrimaryName parameter.

The server SHOULD check the SecureChannelType parameter.

The server MUST compute the mask of supported Netlogon Options.

The server MUST obtain the RID to be returned in the AccountRid parameter by performing external behavior that is consistent with locally invoking SamrLookupNamesInDomain ([MS-SAMR] section 3.1.5.11.2), using the following parameters:

  • DomainHandle is set to the value received by performing external behavior consistent with locally invoking SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5).

  • Count is set to the value of 1.

  • Names is set to an array of length 1 whose only element is set to the value of AccountName.

If the call returns any error code other than STATUS_SUCCESS, the server MUST return that error code.

The server MUST obtain the value of the DomainHandle parameter used when invoking SamrLookupNamesInDomain by performing external behavior that is consistent with locally invoking SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5), using the following parameters:

  • ServerHandle is set to the value returned by performing external behavior consistent with locally invoking SamrConnect ([MS-SAMR] section 3.1.5.1.4).

  • DesiredAccess is set to the value DOMAIN_LOOKUP.

  • DomainId is set to the value of DomainSid (section 3.5.1).

If the call returns any error code other than STATUS_SUCCESS, the server MUST return that error code.

The server MUST obtain the value of the ServerHandle parameter used when invoking SamrOpenDomain by performing external behavior that is consistent with locally invoking SamrConnect ([MS-SAMR] section 3.1.5.1.4), using the following parameters:

  • ServerName is set to the value of the NetBIOS form of the server computer name.

  • DesiredAccess is set to the value SAM_SERVER_LOOKUP_DOMAIN.

If the call returns any error code other than STATUS_SUCCESS, the server MUST return that error code.

The server MUST verify that the RID obtained from SamrLookupNamesInDomain matches the RID obtained from the token as specified in [MS-RPCE] section 3.1.1.1.1.

The server MUST store the NegotiateFlags sent by the client to detect a downgrade in negotiated flags.

When Kerberos is used as the security support provider, the server MUST always require an authentication level of RPC_C_AUTHN_LEVEL_PKT_PRIVACY or higher as specified in [MS-RPCE] section 2.2.1.1.8.

The server must register a targetname for use by the client with RPC_C_AUTHN_GSS_KERBEROS as specified in [MS-RPCE].<177>
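The server-side processing rules above (authentication level check, RID lookup through SamrConnect/SamrOpenDomain/SamrLookupNamesInDomain, RID-versus-token verification, flag negotiation and downgrade detection) modelled as a single function. This is an added example, not MS-NRPC reference code: the SAM domain, the token RID, the session table and the ServerCapabilities mask are constructed stand-ins, and the specific error codes returned for failed checks are assumptions, since the section only requires "a nonzero error code".

```python
"""Model of the server processing rules for NetrServerAuthenticateKerberos (Opnum 59)."""
from dataclasses import dataclass

STATUS_SUCCESS = 0x00000000
STATUS_NONE_MAPPED = 0xC0000073        # SamrLookupNamesInDomain: name not found
STATUS_ACCESS_DENIED = 0xC0000022      # assumed for RID and auth-level mismatches
STATUS_DOWNGRADE_DETECTED = 0xC0000388 # assumed for a downgrade in requested flags
RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6      # [MS-RPCE] section 2.2.1.1.8
RPC_C_AUTHN_GSS_KERBEROS = 0x10

# Constructed stand-in for the SAM domain (AccountName -> RID) and for ServerCapabilities.
SAM_DOMAIN = {"WS01$": 1105, "DC01$": 1000}
SERVER_CAPABILITIES = 0x612FFFFF

@dataclass
class ClientSessionInfo:
    account_rid: int              # AccountRid ADM element
    client_requested_flags: int   # flags sent by the client, kept to detect a downgrade
    negotiate_flags: int          # client flags AND ServerCapabilities

def authenticate_kerberos(session_table, account_name, negotiate_flags,
                          token_rid, authn_level, authn_svc):
    """Returns (status, NegotiateFlags out, AccountRid out)."""
    # With Kerberos as the SSP the call must arrive at PKT_PRIVACY or higher.
    if authn_svc != RPC_C_AUTHN_GSS_KERBEROS or authn_level < RPC_C_AUTHN_LEVEL_PKT_PRIVACY:
        return STATUS_ACCESS_DENIED, 0, 0
    # SamrConnect -> SamrOpenDomain -> SamrLookupNamesInDomain(Count=1, Names=[AccountName]);
    # any error from the local lookup is returned unchanged.
    rid = SAM_DOMAIN.get(account_name)
    if rid is None:
        return STATUS_NONE_MAPPED, 0, 0
    # The RID from SAM must match the RID carried in the caller's Kerberos token.
    if rid != token_rid:
        return STATUS_ACCESS_DENIED, 0, 0
    # Downgrade check: a client that earlier asked for a flag must not silently drop it.
    prior = session_table.get(account_name)
    if prior is not None and (prior.client_requested_flags & ~negotiate_flags):
        return STATUS_DOWNGRADE_DETECTED, 0, 0
    # NegotiateFlags out is the bit-wise AND of client request and ServerCapabilities.
    out_flags = negotiate_flags & SERVER_CAPABILITIES
    session_table[account_name] = ClientSessionInfo(rid, negotiate_flags, out_flags)
    return STATUS_SUCCESS, out_flags, rid
```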