3.1.4.5 Netlogon Authenticator Computation and Verification
All methods that require a secure channel, except NetrLogonSamLogonEx, will use Netlogon authenticators. If the Netlogon RPC call is using Netlogon authenticators, the following steps are used to calculate the authenticator:
Each time a client sends a new request, it records the current time stamp (expressed as the number of seconds since 00:00:00 on January 1, 1970 (UTC)) in the TimeStamp field of the NETLOGON_AUTHENTICATOR structure, as specified in section 2.2.1.1.5. The client also adds the value of this time stamp to the stored Netlogon client credential and encrypts the result with the session key, using the Netlogon credential computation algorithm described in section 3.1.4.4. The result of this computation is stored in the Credential field of the NETLOGON_AUTHENTICATOR structure and is then sent to the server.
SET TimeNow = current time;
SET ClientAuthenticator.Timestamp = TimeNow;
SET ClientStoredCredential = ClientStoredCredential + TimeNow;
CALL ComputeNetlogonCredential(ClientStoredCredential, Session-Key, ClientAuthenticator.Credential);
When the server receives a request, the server confirms the validity of the Netlogon authenticator that it received with the request. Validation is achieved by adding the time stamp transmitted in the received Netlogon authenticator to the server's stored copy of the Netlogon credential, and by encrypting the result with the session key, using the algorithm specified in section 3.1.4.4. The server then compares the Netlogon credential that it just calculated with the Netlogon credential transmitted in the received Netlogon authenticator. If the Netlogon credentials do not match, the operation fails, and an error indicating that access is denied is returned to the client.
If the Netlogon credentials match, the server increments the Netlogon credential in the Netlogon authenticator by one, performs the computation described in section 3.1.4.4, Netlogon Credential Computation, and stores the new Netlogon credential. The server returns a Netlogon authenticator that contains the new Netlogon credential to the client.
SET ServerStoredCredential = ServerStoredCredential + ClientAuthenticator.Timestamp;
CALL ComputeNetlogonCredential(ServerStoredCredential, Session-Key, TempCredential);
IF TempCredential != ClientAuthenticator.Credential THEN
    return access denied error
SET ServerStoredCredential = ServerStoredCredential + 1;
CALL ComputeNetlogonCredential(ServerStoredCredential, Session-Key, ServerAuthenticator.Credential);
The client validates the returned Netlogon authenticator by incrementing its stored Netlogon credential by one, encrypting the result with the session key using the algorithm described in section 3.1.4.4, and comparing the results. If this is successful, the client stores the Netlogon credential part of the Netlogon authenticator as the new Netlogon credential. If the validation fails, the client SHOULD re-establish its secure channel with the domain controller.
SET ClientStoredCredential = ClientStoredCredential + 1;
CALL ComputeNetlogonCredential(ClientStoredCredential, Session-Key, TempCredential);
IF TempCredential != ServerAuthenticator.Credential THEN
    return abort
In each of the addition operations previously performed, the 4-byte time stamp value (or the constant 1) is added to the least-significant 4 bytes of the credential, and overflow is ignored. This leaves the most-significant 4 bytes of the credential unmodified.
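A worked model of the three steps above, added here as an example (it is not taken from MS-NRPC or from any implementation). It assumes both peers start from the same stored credential and session key, interprets "least-significant 4 bytes" as the first four bytes read as a little-endian DWORD, and substitutes an HMAC-based stand-in for the Netlogon Credential Computation algorithm that this page references but does not define.

```python
import hmac
import hashlib
import struct

def compute_netlogon_credential(value, session_key):
    # Stand-in (assumption) for the Netlogon Credential Computation the text
    # references but does not define; any keyed 8-byte transform preserves the
    # chaining and comparison logic shown here. Not the real AES/DES variant.
    return hmac.new(session_key, value, hashlib.sha256).digest()[:8]

def add_low_dword(credential, addend):
    # Add only to the least-significant 4 bytes (assumed: first four bytes as a
    # little-endian DWORD), discard the carry, keep the high 4 bytes untouched.
    low = struct.unpack("<L", credential[:4])[0]
    return struct.pack("<L", (low + addend) & 0xFFFFFFFF) + credential[4:]

class Client:
    def __init__(self, stored_credential, session_key):
        self.stored, self.key = stored_credential, session_key

    def make_authenticator(self, time_now):
        # Fold the time stamp into the stored credential, then encrypt it.
        self.stored = add_low_dword(self.stored, time_now)
        return time_now, compute_netlogon_credential(self.stored, self.key)

    def verify_server(self, server_credential):
        # The server must have advanced the chain by exactly one; on False the
        # client SHOULD re-establish the secure channel.
        self.stored = add_low_dword(self.stored, 1)
        expected = compute_netlogon_credential(self.stored, self.key)
        return hmac.compare_digest(expected, server_credential)

class Server:
    def __init__(self, stored_credential, session_key):
        self.stored, self.key = stored_credential, session_key

    def verify_and_respond(self, timestamp, credential):
        # Recompute on a copy so a rejected request leaves server state intact
        # (a choice made here; the page's pseudocode updates the stored value first).
        candidate = add_low_dword(self.stored, timestamp)
        expected = compute_netlogon_credential(candidate, self.key)
        if not hmac.compare_digest(expected, credential):
            return None  # access denied
        self.stored = add_low_dword(candidate, 1)
        return compute_netlogon_credential(self.stored, self.key)

# Constructed sample values: the session key and the credential both sides stored
# when the secure channel was established.
SESSION_KEY = b"\x11" * 16
INITIAL_CREDENTIAL = bytes(range(8))
```

Because the server advances its stored credential on every accepted request, a resent copy of an earlier authenticator no longer matches and is refused, and a credential that fails the comparison is refused without disturbing the chain.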