3.1.5 Message Processing Events and Sequencing Rules
In the TLS negotiation, the client provides the "Local Certificate" exposed by [MS-BPAU] section 3.2.1.1. Whenever the client establishes a TLS session in order to send a message, it MUST verify that the server certificate has the following characteristics:
- It was provided by the server.
- It is within its period of validity.
- It contains the "id-kp-serverAuth" extended key usage (EKU) specified in [RFC3280] section 4.2.1.13.
- The issuer and subject names are in the form of a security identifier (SID), as defined in [MS-DTYP] section 2.4.2.1, representing a machine account in the recipient host's Active Directory domain.
If any verification test fails, the client MUST terminate the TLS session as detailed in [RFC2246] section 7.3 and react as it would to a connection failure.
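The checks above, written out as a client-side verification routine in Go. This is an added example, not code from the specification or from any Microsoft implementation. It assumes that the SID is carried in the CommonName of the subject and issuer names (the specification does not say where in the name it appears), it approximates "machine account in the recipient host's domain" by comparing the SID's domain prefix with a caller-supplied domain SID instead of performing an Active Directory lookup, and the domain SID and the self-signed test certificates it builds are constructed sample values. In a real client the certificate passed in is `PeerCertificates[0]` from the `tls.ConnectionState`, which is what "provided by the server" amounts to; a `nil` certificate means the server presented none.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"strings"
	"time"
)

// sampleDomainSID is a constructed domain SID standing in for the recipient
// host's Active Directory domain; a real client learns this from the host.
const sampleDomainSID = "S-1-5-21-1004336348-1177238915-682003330"

// Domain account SID in string form: S-1-5-21-<three sub-authorities>-<RID>.
var domainAccountSID = regexp.MustCompile(`^S-1-5-21-\d+-\d+-\d+-\d+$`)

// VerifyServerCert applies the section 3.1.5 checks to the certificate the
// server presented. A nil cert means no certificate was provided.
// Assumption (not stated by the specification): the SID is the CommonName
// of the subject and issuer names.
func VerifyServerCert(cert *x509.Certificate, domainSID string) error {
	if cert == nil {
		return errors.New("server presented no certificate")
	}
	now := time.Now()
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate outside its validity period (%s to %s)",
			cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	serverAuth := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			serverAuth = true
			break
		}
	}
	if !serverAuth {
		return errors.New("certificate lacks the id-kp-serverAuth extended key usage")
	}
	names := map[string]string{"subject": cert.Subject.CommonName, "issuer": cert.Issuer.CommonName}
	for label, name := range names {
		if !domainAccountSID.MatchString(name) {
			return fmt.Errorf("%s name %q is not a domain account SID", label, name)
		}
		// Simplification: domain membership is checked by SID prefix rather
		// than by looking the machine account up in Active Directory.
		if !strings.HasPrefix(name, domainSID+"-") {
			return fmt.Errorf("%s SID %q is not in domain %s", label, name, domainSID)
		}
	}
	return nil
}

// makeTestCert builds a constructed self-signed certificate (issuer == subject)
// for the examples; the validity window is given in hours relative to now.
func makeTestCert(cn string, notBeforeHours, notAfterHours int, serverAuth bool) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(time.Duration(notBeforeHours) * time.Hour),
		NotAfter:     now.Add(time.Duration(notAfterHours) * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if serverAuth {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	good := makeTestCert(sampleDomainSID+"-1105", -1, 24, true)
	fmt.Println("machine-account SID, valid, serverAuth:", VerifyServerCert(good, sampleDomainSID))
	bad := makeTestCert("branch-server.example", -1, 24, true)
	fmt.Println("DNS-style name instead of SID:", VerifyServerCert(bad, sampleDomainSID))
}
```

On a verification error the caller closes the TLS session and treats the attempt as a connection failure, exactly as it would for an unreachable server; the error text is only for logging and must not change the client's behaviour.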