Calling NetrServerPasswordGet

The client calling this method MUST be a BDC. The client MUST do the following:

The client MUST decrypt the EncryptedNtOwfPassword return parameter that was encrypted (as described in [MS-SAMR] section with the Session-Key for the secure channel as the specified key.

After the method returns, the client MUST verify the ReturnAuthenticator as defined in section

On receiving STATUS_ACCESS_DENIED, the client SHOULD<99> reestablish the secure channel with the domain controller.