3.1.4.2 Netlogon Negotiable Options
As part of the session-key negotiation, the client and server use the NegotiateFlags parameter of NetrServerAuthenticate2 or NetrServerAuthenticate3 to negotiate support for the following options. The client offers a set of capabilities through the NegotiateFlags parameter to the server, and the server selects the capabilities acceptable to it. The capabilities that are supported by the server are combined with the capabilities supported by the client by performing a bit-wise AND and are returned to the client, as detailed in sections 3.5.4.3.2 and 3.5.4.3.3. The client MUST inspect the returned negotiation capabilities to determine whether server-selected capabilities are supported by the client, and that all of the capabilities required by the client are returned by the server. For example, a client could be configured outside the protocol to require strong-key support; if the server did not offer strong-key support, the client SHOULD reject the server.
The following options are negotiable between the client and the server as part of the session-key negotiation. An option is TRUE (or set) if its value is equal to 1.
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | X | W | 0 | 0 | 0 | 0 | 0 | 0 | 0 | V | U | T | S | R | Q | P | O | N | M | L | K | J | I | H | G | F | E | D | C | B | A |
Where the negotiable options are defined as the following:
| Option | Meaning |
|---|---|
| A | Supports account lockout. |
| B | Windows NT 3.5 BDCs "persistently" try to update their database to the PDC's version once they get a notification indicating that their database is out-of-date. Presence of this flag indicates support for this behavior. |
| C | Supports RC4 encryption. |
| D | Supports promotion count. |
| E | Supports BDCs handling CHANGELOGs. |
| F | Supports restarting of full synchronization between DCs. |
| G | Supports handling of multiple SIDs. |
| H | Supports the REDO functionality. |
| I | Supports refusal of password changes. |
| J | Supports sending password information to the PDC.<82> |
| K | Supports generic pass-through authentication.<83> |
| L | |
| M | Supports avoiding of account database replication.<85> |
| N | Supports avoiding of Security Authority database replication.<86> |
| O | Supports strong keys.<87> |
| P | Supports transitive trusts.<88> |
| Q | |
| R | Supports the NetrServerPasswordSet2 functionality.<90> |
| S | Supports the NetrLogonGetDomainInfo functionality.<91> |
| T | |
| U | Supports neutralizing Windows NT 4.0 emulation.<93> |
| V | |
| W | Supports authenticated RPC calls to \pipe\lsass.<96> |
| X | Supports authenticated RPC.<97> |
All other bits MUST be set to zero and MUST be ignored on receipt.
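The following Python helper, added here as an illustration and not part of MS-NRPC or any Windows implementation, turns the bit diagram and option table above into NegotiateFlags values and performs the client-side checks the text requires: the server's selection is the bit-wise AND of both sides' capabilities, and the client then verifies that the returned set is a subset of what it offered and contains every option it requires (strong keys, option O, is used as the example). It assumes the spec's convention that bit 0 in the diagram is the most significant bit of the 32-bit field, so option A is 0x00000001 and option X is 0x40000000; the required-options policy and the sample offers are constructed for the example.

```python
# NegotiateFlags helper for the Netlogon session-key negotiation.
# Added example; not code from MS-NRPC or from Windows.
#
# Assumption: the bit diagram in section 3.1.4.2 follows the spec's
# convention of bit 0 being the most significant bit of the 32-bit
# field, so the option at diagram position p has mask 1 << (31 - p).
# Positions drawn as "0" are the bits that MUST be zero on the wire.

BIT_DIAGRAM = "0XW0000000VUTSRQPONMLKJIHGFEDCBA"   # positions 0..31
assert len(BIT_DIAGRAM) == 32

# Option letter -> bit mask, derived from the diagram above.
OPTION_MASK = {
    letter: 1 << (31 - pos)
    for pos, letter in enumerate(BIT_DIAGRAM)
    if letter != "0"
}

ALL_OPTIONS_MASK = 0
for _mask in OPTION_MASK.values():
    ALL_OPTIONS_MASK |= _mask

MASK32 = 0xFFFFFFFF


def flags_from_options(options: str) -> int:
    """Build a NegotiateFlags value from option letters, e.g. "OCA"."""
    value = 0
    for letter in options:
        value |= OPTION_MASK[letter]        # KeyError for unknown letters
    return value


def options_from_flags(flags: int) -> str:
    """Return the option letters set in flags, in alphabetical order."""
    return "".join(
        letter for letter, mask in sorted(OPTION_MASK.items()) if flags & mask
    )


def unknown_bits(flags: int) -> int:
    """Bits that are not assigned to any option. The text says these
    MUST be sent as zero and MUST be ignored on receipt."""
    return flags & ~ALL_OPTIONS_MASK & MASK32


def server_select(client_offer: int, server_supported: int) -> int:
    """Server side: the capabilities it returns are the bit-wise AND of
    what the client offered and what the server supports
    (sections 3.5.4.3.2 and 3.5.4.3.3)."""
    return client_offer & server_supported & MASK32


def client_accept(offered: int, returned: int, required: int) -> tuple:
    """Client side: inspect the returned flags.

    Rejects if the server 'selected' something the client never
    offered, or if an option the client is configured to require
    (e.g. strong keys, option O) was not granted. Unassigned bits in
    the returned value are ignored, as the text requires."""
    returned &= ALL_OPTIONS_MASK
    if returned & ~offered & MASK32:
        extra = options_from_flags(returned & ~offered)
        return False, f"server returned option(s) not offered: {extra}"
    missing = required & ~returned & MASK32
    if missing:
        return False, f"server did not grant required option(s): {options_from_flags(missing)}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: client offers strong keys, RC4 and account
    # lockout and is configured to require strong keys.
    offer = flags_from_options("OCA")
    required = OPTION_MASK["O"]
    for server_caps in (flags_from_options("OCA"), flags_from_options("CA")):
        returned = server_select(offer, server_caps)
        ok, why = client_accept(offer, returned, required)
        print(f"offer=0x{offer:08x} returned=0x{returned:08x} "
              f"({options_from_flags(returned) or '-'}): {ok} {why}")
```

Running the block shows the two outcomes the text describes: a server that also supports strong keys is accepted, while one that only returns RC4 and account lockout is rejected because the required option O is absent from the AND result.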