
3.4.5.3.4 Calling NetrLogonSamLogon

The client MUST do the following:

If the NegotiateFlags bit P is set, then the client SHOULD convert:

  • NetlogonInteractiveInformation to NetlogonInteractiveTransitiveInformation

  • NetlogonNetworkInformation to NetlogonNetworkTransitiveInformation

  • NetlogonServiceInformation to NetlogonServiceTransitiveInformation

If the NegotiateFlags bit G is not set and LogonLevel is not NetlogonGenericInformation, then the ValidationLevel parameter MUST be set to 2 (NETLOGON_VALIDATION_SAM_INFO (section 2.2.1.4.11)).

The LogonLevel, LogonInformation, ValidationLevel, and ValidationInformation parameters are specified in [MS-APDS] for NTLM, Kerberos, and Digest, and in [MS-RCMP] for TLS/SSL.

To call for Generic-Passthrough to authentication packages, the LogonLevel parameter MUST be set to 4 (NetlogonGenericInformation), and the ValidationLevel parameter MUST be set to 5 (NetlogonValidationGenericInfo2). The LogonInformation parameter MUST be a NETLOGON_GENERIC_INFO structure, as specified in section 2.2.1.4.2.

After the method returns, the client MUST:

  • Verify the ReturnAuthenticator, as specified in section 3.1.4.5.

  • Verify that it received an authoritative response by checking the Authoritative parameter. If the Authoritative parameter is TRUE, the client MUST treat the result as final. If the Authoritative parameter is FALSE, the client SHOULD retry the call at a later time or at a different domain controller.

On receiving STATUS_ACCESS_DENIED, the client SHOULD reestablish the secure channel with the DC.<135>
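The parameter rules and post-return checks above, combined into one client-side sketch. This is an added example, not part of the specification text. The masks for bits G and P and the enumeration values other than 4, 2 and 5 are assumptions taken from elsewhere in MS-NRPC; the function names, the action strings, the order of the post-return checks, and the "reject" outcome on a failed ReturnAuthenticator are choices of this example.

```python
from enum import IntEnum

# Assumption: masks for NegotiateFlags bits G and P come from MS-NRPC
# section 3.1.4.2; this page names only the letters.
NEG_FLAG_G = 0x00000040
NEG_FLAG_P = 0x00008000
STATUS_ACCESS_DENIED = 0xC0000022  # NTSTATUS value
VALIDATION_SAM_INFO = 2            # NETLOGON_VALIDATION_SAM_INFO
VALIDATION_GENERIC_INFO2 = 5       # NetlogonValidationGenericInfo2

class LogonLevel(IntEnum):
    # NETLOGON_LOGON_INFO_CLASS; only the value 4 is stated on this page.
    INTERACTIVE = 1
    NETWORK = 2
    SERVICE = 3
    GENERIC = 4
    INTERACTIVE_TRANSITIVE = 5
    NETWORK_TRANSITIVE = 6
    SERVICE_TRANSITIVE = 7

_TRANSITIVE = {
    LogonLevel.INTERACTIVE: LogonLevel.INTERACTIVE_TRANSITIVE,
    LogonLevel.NETWORK: LogonLevel.NETWORK_TRANSITIVE,
    LogonLevel.SERVICE: LogonLevel.SERVICE_TRANSITIVE,
}

def prepare_call(negotiate_flags, logon_level, validation_level):
    """Return the (LogonLevel, ValidationLevel) pair the client should send."""
    level = LogonLevel(logon_level)
    if level is LogonLevel.GENERIC:
        # Generic pass-through: ValidationLevel is fixed at 5.
        return level, VALIDATION_GENERIC_INFO2
    if negotiate_flags & NEG_FLAG_P:
        # Bit P set: convert to the transitive variant of the level.
        level = _TRANSITIVE.get(level, level)
    if not negotiate_flags & NEG_FLAG_G:
        # Bit G not set and level is not generic: force ValidationLevel 2.
        validation_level = VALIDATION_SAM_INFO
    return level, validation_level

def after_return(status, authenticator_ok, authoritative):
    """Map the post-return checks to a single client action."""
    if status == STATUS_ACCESS_DENIED:
        return "reestablish_secure_channel"
    if not authenticator_ok:
        return "reject"  # example's choice: an unverified reply is never used
    if not authoritative:
        return "retry_later_or_other_dc"
    return "final"
```
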

© 2014 Microsoft. All rights reserved.