3.5.4.5.4 NetrLogonSamLogoff (Opnum 3)

The NetrLogonSamLogoff method SHOULD<217> update the user lastLogoff attribute for the SAM accounts.

 NTSTATUS NetrLogonSamLogoff(
   [in, unique, string] LOGONSRV_HANDLE LogonServer,
   [in, string, unique] wchar_t* ComputerName,
   [in, unique] PNETLOGON_AUTHENTICATOR Authenticator,
   [in, out, unique] PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
   [in] NETLOGON_LOGON_INFO_CLASS LogonLevel,
   [in, switch_is(LogonLevel)] PNETLOGON_LEVEL LogonInformation
 );

LogonServer: The custom binding handle, as defined in section 3.5.4.1.

ComputerName: The Unicode string that contains the NetBIOS name of the client computer calling this method.

Authenticator: A pointer to a NETLOGON_AUTHENTICATOR structure, as specified in section 2.2.1.1.5, that contains the client authenticator.

ReturnAuthenticator: A pointer to a NETLOGON_AUTHENTICATOR structure, as specified in section 2.2.1.1.5, that contains the server return authenticator.

LogonLevel: A NETLOGON_LOGON_INFO_CLASS structure, as specified in section 2.2.1.4.16, that identifies the type of logon information in the LogonInformation union.

LogonInformation: A pointer to a NETLOGON_LEVEL structure, as specified in section 2.2.1.4.6, that describes the logon information.

Return Values: The method returns 0x00000000 on success; otherwise, it returns a nonzero error code.

On receiving this call, the server MUST perform the following validation steps:

  • The pointer contained in the LogonInformation parameter MUST NOT be NULL; otherwise, the server MUST return STATUS_INVALID_PARAMETER.

  • Apply Common Error Processing Rule A, specified in section 3.

  • Using the ComputerName for the secure channel to find the corresponding record in the ClientSessionInfo table, verify the Authenticator parameter (section 3.1.4.5). If the Authenticator parameter is valid, compute the ReturnAuthenticator parameter returned (section 3.1.4.5). Otherwise, the server MUST return STATUS_ACCESS_DENIED.

The server MUST check the following parameters, and if any of them are NULL, it MUST return STATUS_INVALID_PARAMETER:

  • LogonServer

  • ComputerName

  • Authenticator

  • ReturnAuthenticator

The server MUST check the LogonLevel parameter, and the server MUST return STATUS_INVALID_INFO_CLASS if it is not set to 1 (NetlogonInteractiveInformation).

If the request is not for the domain of which the server is a member and the server is a DC, then the server MUST perform external behavior consistent with locally invoking LsarQueryTrustedDomainInfoByName ([MS-LSAD] section 3.1.4.7.5), using the following parameters (policy handle is not needed locally):

  • TrustedDomainName is set to the value of the LogonInformation.LogonInteractive.Identity.LogonDomainName parameter.

  • InformationClass is set to the value of TrustedDomainInformationEx.

If the call returns STATUS_OBJECT_NAME_NOT_FOUND (0xC0000034), the server MUST return STATUS_NO_SUCH_DOMAIN. If the call returns any error code other than STATUS_SUCCESS, the server MUST return that error code.

Additionally, the server MUST verify that:

  • The securityIdentifier (Sid) field ([MS-ADTS] section 6.1.6.7.8) is not NULL.

  • The trustType field ([MS-ADTS] section 6.1.6.7.15) is 1 or 2.

  • The trustAttributes field ([MS-ADTS] section 6.1.6.7.9) does not contain TRUST_ATTRIBUTE_UPLEVEL_ONLY.

If LsarQueryTrustedDomainInfoByName succeeds and returns the domain information in TrustedDomainInformation, the server MUST check if it has established a secure channel with the domain. If there is not an established secure channel, then the server MUST return the error code STATUS_NO_SUCH_DOMAIN. If there is an established secure channel, then the server MUST call NetrLogonSamLogoff using LogonLevel and LogonInformation to the DC with which it has established a secure channel.

Otherwise, if the server's account database is for the domain specified by LogonInformation.LogonInteractive.Identity.LogonDomainName, then it MAY update the lastLogoff attribute ([MS-ADA1] section 2.350) on the account object specified by the LogonInformation.LogonInteractive.Identity.UserName field.<218>
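The following Python model of the server-side processing above is an added illustration, not Microsoft's implementation or code from this specification: it applies the checks in the order the text mandates and returns the NTSTATUS each step requires. The NTSTATUS constants are the standard values; `lookup_trust`, `has_secure_channel`, `forward`, the `authenticator_ok` flag (the outcome of the section 3.1.4.5 check) and the status returned when the trust-attribute checks fail are assumptions, and Common Error Processing Rule A is not modelled.

```python
from dataclasses import dataclass, field

STATUS_SUCCESS, STATUS_INVALID_PARAMETER = 0x00000000, 0xC000000D
STATUS_ACCESS_DENIED, STATUS_INVALID_INFO_CLASS = 0xC0000022, 0xC0000003
STATUS_NO_SUCH_DOMAIN, STATUS_OBJECT_NAME_NOT_FOUND = 0xC00000DF, 0xC0000034
NETLOGON_INTERACTIVE_INFORMATION = 1  # NetlogonInteractiveInformation
TRUST_ATTRIBUTE_UPLEVEL_ONLY = 0x00000002

@dataclass
class TrustedDomainInfo:  # the TrustedDomainInformationEx fields checked here
    sid: object           # securityIdentifier, None if absent
    trust_type: int
    trust_attributes: int

@dataclass
class Server:
    own_domain: str
    is_dc: bool
    lookup_trust: object        # assumed hook: name -> (NTSTATUS, TrustedDomainInfo|None)
    has_secure_channel: object  # assumed hook: domain name -> bool
    forward: object             # assumed hook: NetrLogonSamLogoff to the trusted DC
    last_logoff: dict = field(default_factory=dict)  # per-account lastLogoff store

def netr_logon_sam_logoff(srv, logon_server, computer_name, authenticator,
                          return_authenticator, logon_level, logon_info,
                          authenticator_ok, now):
    if logon_info is None:         # first check; precedes the other NULL checks
        return STATUS_INVALID_PARAMETER
    if not authenticator_ok:       # section 3.1.4.5 verification failed
        return STATUS_ACCESS_DENIED
    if None in (logon_server, computer_name, authenticator, return_authenticator):
        return STATUS_INVALID_PARAMETER
    if logon_level != NETLOGON_INTERACTIVE_INFORMATION:
        return STATUS_INVALID_INFO_CLASS
    domain, user = logon_info["LogonDomainName"], logon_info["UserName"]
    if srv.is_dc and domain.lower() != srv.own_domain.lower():
        status, tdi = srv.lookup_trust(domain)  # LsarQueryTrustedDomainInfoByName
        if status == STATUS_OBJECT_NAME_NOT_FOUND:
            return STATUS_NO_SUCH_DOMAIN
        if status != STATUS_SUCCESS:
            return status
        if (tdi.sid is None or tdi.trust_type not in (1, 2)
                or tdi.trust_attributes & TRUST_ATTRIBUTE_UPLEVEL_ONLY):
            return STATUS_NO_SUCH_DOMAIN  # assumed code; the text names none
        if not srv.has_secure_channel(domain):
            return STATUS_NO_SUCH_DOMAIN
        return srv.forward(domain, logon_level, logon_info)
    if domain.lower() == srv.own_domain.lower():
        srv.last_logoff[user.lower()] = now  # MAY update lastLogoff
    return STATUS_SUCCESS
```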

This method SHOULD only be called by a machine that has established a secure channel with the server.