2.1.2.2 Client Security Settings

The RPC client for the RASRPC RPC interface MUST use ncacn_np as the RPC protocol sequence. The client SHOULD<6> specify "Simple and Protected GSS-API Negotiation Mechanism" (0x09) as the authentication service, as specified in [MS-RPCE] section 2.2.1.1.7. The client MAY<7> use "NT LAN Manager (NTLM)" or "Kerberos" as the authentication service specifically to connect to the server. The client SHOULD supply a service principal name (SPN) (for more information, see [SPNNAMES]) of "host/hostname", where "hostname" is the actual name of the server to which the client is connecting and "host/" is the literal string "host/". The RPC client MUST first bind to the named pipe mentioned in section 2.1 and use the binding handle obtained (as a part of the binding process) to further communicate with the server, as specified in section 2 of [C706]. The client SHOULD negotiate RPC_C_AUTHN_LEVEL_PKT_PRIVACY<8> as the authentication level in order to have a secure connection to the RPC server that also provides data confidentiality. The client MUST enable the server to impersonate the client identity by specifying RPC_C_IMPL_LEVEL_IMPERSONATE as the impersonation level, as specified in [MS-RPCE] section 2.2.1.1.9.
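The authentication service and authentication level a client selects are carried in the sec_trailer of its DCE/RPC bind PDU, so they can be audited from a capture of the named-pipe traffic. The sketch below is an added example, not part of the specification: `audit_bind` and `make_bind` are hypothetical names, the sample PDUs are constructed rather than captured, and the SPN and impersonation level are not checked because they do not appear in the sec_trailer.

```python
import struct

# Authentication service identifiers named in this section ([MS-RPCE] 2.2.1.1.7)
AUTHN_SERVICES = {0x09: "SPNEGO", 0x0A: "NTLM", 0x10: "Kerberos"}
AUTHN_LEVEL_PKT_PRIVACY = 0x06  # numeric value of RPC_C_AUTHN_LEVEL_PKT_PRIVACY
PTYPE_BIND = 11                 # DCE/RPC packet type for a bind PDU

def audit_bind(pdu):
    """Return findings for one bind PDU; an empty list means both SHOULDs are met."""
    if len(pdu) < 16 or pdu[2] != PTYPE_BIND:
        raise ValueError("not a DCE/RPC bind PDU")
    # packed_drep byte 0, high nibble: 1 = little-endian integers, 0 = big-endian
    order = "<" if pdu[4] & 0xF0 == 0x10 else ">"
    frag_length, auth_length = struct.unpack_from(order + "HH", pdu, 8)
    if auth_length == 0:
        return ["no auth_verifier: unauthenticated bind"]
    # sec_trailer is the 8 bytes immediately before auth_value at the end of the fragment
    trailer_at = frag_length - auth_length - 8
    if frag_length > len(pdu) or trailer_at < 16:
        raise ValueError("inconsistent frag_length/auth_length")
    auth_type, auth_level = pdu[trailer_at], pdu[trailer_at + 1]
    findings = []
    name = AUTHN_SERVICES.get(auth_type)
    if name is None:
        findings.append(f"auth_type 0x{auth_type:02x} is not SPNEGO, NTLM or Kerberos")
    elif auth_type != 0x09:
        findings.append(f"{name} used directly (MAY); SPNEGO 0x09 is the SHOULD")
    if auth_level != AUTHN_LEVEL_PKT_PRIVACY:
        findings.append(f"auth_level {auth_level} is not RPC_C_AUTHN_LEVEL_PKT_PRIVACY (6)")
    return findings

def make_bind(auth_type, auth_level, token=b"\x00" * 8):
    """Build a minimal sample bind PDU (constructed test data, not a capture)."""
    body = b"\x00" * 12  # placeholder for fragment sizes, assoc group, context list
    trailer = bytes([auth_type, auth_level, 0, 0]) + struct.pack("<I", 1)
    frag_length = 16 + len(body) + len(trailer) + len(token)
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03,
                         b"\x10\x00\x00\x00", frag_length, len(token), 1)
    return header + body + trailer + token

if __name__ == "__main__":
    for svc, lvl in [(0x09, 6), (0x0A, 5)]:
        print(hex(svc), lvl, audit_bind(make_bind(svc, lvl)) or "matches the SHOULDs")
```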