4 Protocol Examples
Figure 2: Obtaining a PAC that corresponds to an X.509 certificate
A web server requires clients to authenticate via an X.509 certificate. During the Transport Layer Security (TLS) handshake, the client sends the user's X.509 certificate to the server and proves knowledge of the corresponding private key. On completing the handshake, the server side of the TLS implementation builds the SSL_CERT_LOGON_REQ message (which contains the user's X.509 certificate) and sends it to the Remote Certificate Mapping Protocol server, in this example, located on a domain controller.
The Remote Certificate Mapping Protocol server on the domain controller parses the incoming request and uses the X.509 certificate attributes to look up the user's account in Active Directory. On a successful lookup, the domain controller generates the SSL_CERT_LOGON_RESP message, which includes the user's PAC, as specified in [MS-PAC], and sends the message back via the Netlogon Remote Protocol. On receiving this message, the server will generate a Windows access token ([MS-DTYP] section 2.5.2) for the client, which it can then use to access resources on the user's behalf.