3.2.4.1 Application Invocation of the .NET NegotiateStream Protocol

The .NET NegotiateStream Protocol is triggered by an invocation from the application while the Stream State is set to Uninitialized. If an application invocation is received when the Stream State is not equal to Uninitialized, an error MUST be returned to the application. The application specifies an underlying TCP connection to the client, the desired name to be used for server authentication, an expected channel binding, a required protection level, and a required impersonation level. The Underlying TCP Connection, Expected Channel Binding, Required Protection Level, and Required Impersonation Level MUST be set based on these inputs. The application-specified desired_name MUST be passed to the GSS_Acquire_cred function ([RFC2743] section 2.1.1). The implementation MUST pass a desired_mechs parameter indicating the SPNEGO mechanism. The cred_usage parameter MUST be set to ACCEPT-ONLY, and the lifetime_req parameter MUST be set to 0.

If the function returns a major_status other than GSS_S_COMPLETE, the implementation MUST notify the application of the failure without writing anything to the Underlying TCP Connection. Otherwise, the implementation MUST store the returned credential handle as the Server Credentials and set the Stream State to WaitingForHandshakeMessage.
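The following Python model walks through the server-side invocation described above: the Uninitialized state guard, recording the application's inputs, the GSS_Acquire_cred call with SPNEGO, ACCEPT-ONLY and lifetime_req 0, the failure path that writes nothing to the connection, and the transition to WaitingForHandshakeMessage. It is an added example, not code from the specification or from .NET; the GSS-API call and the TCP connection are stand-ins (FakeGss, RecordingTransport) so it runs offline, and the protection and impersonation level strings are constructed sample values. Leaving the Stream State unchanged after a failed acquisition is a modelling choice; the section only requires that the failure be reported.

```python
"""Model of the server-side application invocation in section 3.2.4.1.

Added example, not code from the specification or from .NET.  GSS_Acquire_cred
and the Underlying TCP Connection are modelled by stand-in classes so the
state machine runs offline; a real implementation uses its GSS-API library.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Any, Optional

# SPNEGO mechanism OID (RFC 4178): 1.3.6.1.5.5.2
SPNEGO_MECH_OID = "1.3.6.1.5.5.2"
# Parameter values fixed by section 3.2.4.1 for the GSS_Acquire_cred call.
CRED_USAGE_ACCEPT_ONLY = "ACCEPT-ONLY"
LIFETIME_REQ = 0


class StreamState(Enum):
    UNINITIALIZED = auto()
    WAITING_FOR_HANDSHAKE_MESSAGE = auto()


class NegotiateStreamError(Exception):
    """Error returned to the application ("MUST return" / "MUST notify")."""


class RecordingTransport:
    """Stand-in for the Underlying TCP Connection; records every write so the
    example can show that a failed credential acquisition writes nothing."""

    def __init__(self) -> None:
        self.written: list[bytes] = []

    def write(self, data: bytes) -> None:
        self.written.append(data)


class FakeGss:
    """Stand-in for GSS_Acquire_cred ([RFC2743] section 2.1.1).  Records the
    arguments it receives and returns GSS_S_COMPLETE with an opaque credential
    handle, or a failure major_status when constructed with fail=True."""

    def __init__(self, fail: bool = False) -> None:
        self.fail = fail
        self.calls: list[dict[str, Any]] = []

    def acquire_cred(self, desired_name, lifetime_req, desired_mechs, cred_usage):
        self.calls.append(dict(desired_name=desired_name, lifetime_req=lifetime_req,
                               desired_mechs=desired_mechs, cred_usage=cred_usage))
        if self.fail:
            return "GSS_S_FAILURE", None
        return "GSS_S_COMPLETE", object()  # opaque credential handle


@dataclass
class NegotiateStreamServer:
    """Server-side abstract data model elements named in section 3.2.4.1."""
    gss: FakeGss
    stream_state: StreamState = StreamState.UNINITIALIZED
    underlying_tcp_connection: Optional[RecordingTransport] = None
    expected_channel_binding: Optional[bytes] = None
    required_protection_level: Optional[str] = None
    required_impersonation_level: Optional[str] = None
    server_credentials: Optional[object] = None

    def authenticate_as_server(self, connection, desired_name, channel_binding,
                               protection_level, impersonation_level) -> None:
        # An invocation in any state other than Uninitialized is an error.
        if self.stream_state is not StreamState.UNINITIALIZED:
            raise NegotiateStreamError(f"invocation in state {self.stream_state.name}")
        # Record the application's inputs in the ADM before touching GSS-API.
        self.underlying_tcp_connection = connection
        self.expected_channel_binding = channel_binding
        self.required_protection_level = protection_level
        self.required_impersonation_level = impersonation_level
        # Acquire accept-only server credentials for the SPNEGO mechanism.
        major_status, cred = self.gss.acquire_cred(
            desired_name=desired_name, lifetime_req=LIFETIME_REQ,
            desired_mechs=[SPNEGO_MECH_OID], cred_usage=CRED_USAGE_ACCEPT_ONLY)
        if major_status != "GSS_S_COMPLETE":
            # Notify the application; nothing has been written to the connection.
            raise NegotiateStreamError(f"GSS_Acquire_cred returned {major_status}")
        self.server_credentials = cred
        self.stream_state = StreamState.WAITING_FOR_HANDSHAKE_MESSAGE


def _invoke(server: NegotiateStreamServer, conn: RecordingTransport) -> bool:
    """Invoke with constructed sample inputs; True if the call raised."""
    try:
        server.authenticate_as_server(conn, "host/server.example.test", b"tls-cb",
                                      "EncryptAndSign", "Identification")
        return False
    except NegotiateStreamError:
        return True


def run_success() -> dict[str, Any]:
    gss, conn = FakeGss(), RecordingTransport()
    server = NegotiateStreamServer(gss)
    errored = _invoke(server, conn)
    return dict(error=errored, state=server.stream_state, written=len(conn.written),
                call=gss.calls[0], has_cred=server.server_credentials is not None)


def run_failure() -> dict[str, Any]:
    gss, conn = FakeGss(fail=True), RecordingTransport()
    server = NegotiateStreamServer(gss)
    errored = _invoke(server, conn)
    return dict(error=errored, state=server.stream_state, written=len(conn.written),
                has_cred=server.server_credentials is not None)


def run_reinvocation() -> dict[str, Any]:
    """Second invocation on an initialized stream must error without a new
    GSS_Acquire_cred call."""
    gss, conn = FakeGss(), RecordingTransport()
    server = NegotiateStreamServer(gss)
    _invoke(server, conn)
    second_errored = _invoke(server, conn)
    return dict(error=second_errored, gss_calls=len(gss.calls), state=server.stream_state)
```

The three `run_*` functions exercise the paths the section specifies: a successful acquisition ends in WaitingForHandshakeMessage with the credential stored, a failed acquisition is reported with zero bytes written to the connection, and a repeat invocation is rejected by the state guard before GSS-API is called again.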