Calling Methods Requiring Session-Key Establishment

To call the methods in the following set, the client and the server MUST have performed session-key negotiation. If negotiation has not been completed prior to the time of a call, negotiation MUST be initiated and completed before making the call. Each method that requires a secure channel is described in section 3.5, with the errors specified. For descriptions of the following methods, see section 3.5.

  • NetrGetForestTrustInformation

  • NetrLogonGetCapabilities

  • NetrLogonSamLogon

  • NetrLogonSamLogonEx

  • NetrLogonSamLogonWithFlags

  • NetrLogonSamLogoff

  • NetrLogonSendToSam

  • NetrServerPasswordGet

  • NetrServerPasswordSet

  • NetrServerPasswordSet2

  • NetrServerGetTrustInfo

  • NetrServerTrustPasswordsGet

  • NetrLogonGetDomainInfo

  • NetrDatabaseDeltas

  • NetrDatabaseSync2

  • NetrDatabaseSync

  • NetrDatabaseRedo

  • NetrAccountDeltas

  • NetrAccountSync

  • NetrLogonDummyRoutine1

The client follows this sequence of steps.

  1. The client binds to the RPC server.<70>

    The client and server SHOULD<71> utilize a secure bind. If a secure bind is used, the client instructs the RPC runtime to use the Netlogon SSP ([MS-RPCE] section) for privacy/integrity of the RPC messages. If the SealSecureChannel setting is TRUE, the client requests the Privacy authentication level from the RPC runtime. If the SealSecureChannel setting is FALSE, the authentication level requested is Integrity.

  2. If the call to be made uses Netlogon authenticators, the client MUST compute the Netlogon authenticator to be passed as a parameter to the RPC method, as specified in section

  3. The client calls the method on the server. If the RPC server denies access, the client can attempt to re-establish the session key with the target server if the difference between the current time and the value of ServerSessionInfo.LastAuthenticationTry (indexed by the name of the target server) is greater than 45 seconds.

  4. The server MUST verify the authenticator, if used, and compute the return authenticator, as specified in section

  5. The client MUST validate the returned authenticator, if used.

  6. The client MAY unbind from the server, but it SHOULD<72> reuse the binding for multiple RPC calls.
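The authenticator exchange of steps 2, 4 and 5 above, as an added Python example that is not part of the specification text. The chaining rules it encodes (client stored credential advanced by the timestamp, server return authenticator derived from the stored credential plus 1, addition on the first 4 bytes modulo 2^32) are assumptions taken from the protocol's authenticator computation rather than from this page, `Peer` and `run_call` are hypothetical names, and HMAC-SHA256 stands in for ComputeNetlogonCredential so the code runs without extra dependencies.

```python
import hmac
import hashlib
import struct

def compute_netlogon_credential(stored_credential: bytes, session_key: bytes) -> bytes:
    # Stand-in for ComputeNetlogonCredential: the protocol uses AES-128 CFB8 (or legacy
    # DES) here; HMAC-SHA256 truncated to 8 bytes keeps this example dependency-free.
    return hmac.new(session_key, stored_credential, hashlib.sha256).digest()[:8]

def add_to_credential(credential: bytes, value: int) -> bytes:
    # Assumption: the addition is applied to the first 4 bytes as an unsigned 32-bit
    # little-endian integer modulo 2^32; the remaining 4 bytes are unchanged.
    (low,) = struct.unpack_from("<I", credential)
    return struct.pack("<I", (low + value) & 0xFFFFFFFF) + credential[4:]

class Peer:
    """One side (client or server) of an established secure channel (hypothetical)."""

    def __init__(self, session_key: bytes, stored_credential: bytes):
        self.session_key = session_key
        self.stored_credential = stored_credential

    def make_authenticator(self, timestamp: int):
        # Step 2 (client): stored credential += timestamp, then derive the credential.
        self.stored_credential = add_to_credential(self.stored_credential, timestamp)
        return compute_netlogon_credential(self.stored_credential, self.session_key), timestamp

    def verify(self, credential: bytes, step: int) -> bool:
        # step = peer's timestamp (server, step 4) or 1 for the return authenticator (client,
        # step 5). Commit the advanced credential only on a match, so a replayed or forged
        # authenticator is rejected without desynchronizing the stored credential.
        candidate = add_to_credential(self.stored_credential, step)
        expected = compute_netlogon_credential(candidate, self.session_key)
        if not hmac.compare_digest(expected, credential):
            return False
        self.stored_credential = candidate
        return True

    def make_return_authenticator(self) -> bytes:
        # Step 4 (server): the return authenticator derives from stored credential + 1.
        self.stored_credential = add_to_credential(self.stored_credential, 1)
        return compute_netlogon_credential(self.stored_credential, self.session_key)

def run_call(client: Peer, server: Peer, timestamp: int):
    """Steps 2, 4 and 5 for one RPC call; returns (server accepted, client accepted)."""
    credential, ts = client.make_authenticator(timestamp)
    if not server.verify(credential, ts):
        return False, False
    return True, client.verify(server.make_return_authenticator(), 1)
```

Both sides start from the same session key and stored credential (constructed values in the test); a replayed authenticator fails because the server's stored credential has already advanced.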