220.127.116.11 Calling Methods Requiring Session-Key Establishment
To call the methods in the following set, the client and the server MUST have performed session-key negotiation. If negotiation has not been completed prior to the time of a call, negotiation MUST be initiated and completed before making the call. Each method that requires a secure channel is described in section 3.5, with the errors specified. For descriptions of the following methods, see section 3.5.
The client follows this sequence of steps.
The client calls the method on the server. If the RPC server denies access, the client SHOULD attempt to re-establish the session key with the target server if the difference between the current time and the value of ServerSessionInfo.LastAuthenticationTry (indexed by the name of the target server) is greater than 45 seconds.
The server MUST verify the authenticator, if used, and compute the return authenticator, as specified in section 18.104.22.168.
The client MUST validate the returned authenticator, if used.
The client MAY unbind from the server, or it MAY<102> reuse the binding for multiple RPC calls.
The client and server SHOULD utilize a secure bind.<101> If a secure bind is used, the client instructs the RPC runtime to use the Netlogon SSP ([MS-RPCE] section 22.214.171.124.7) for privacy/integrity of the RPC messages. If the SealSecureChannel setting is TRUE, the client requests the Privacy authentication level from the RPC runtime. If the SealSecureChannel setting is FALSE, then the authentication level requested is Integrity.
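The client-side decisions in the steps above (negotiate before the first call, re-establish the session key after an access-denied only when more than 45 seconds have passed since LastAuthenticationTry, and pick the authentication level from SealSecureChannel) can be modeled as follows. This is an added sketch, not code from the specification: `SecureChannelClient`, `AccessDenied`, `negotiate` and `method` are hypothetical names, and authenticator computation and the RPC transport are not modeled.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

REAUTH_MIN_INTERVAL = 45  # seconds, from the access-denied retry rule above


class AccessDenied(Exception):
    """Hypothetical stand-in for the RPC server denying access."""


@dataclass
class ServerSessionInfo:
    LastAuthenticationTry: float = 0.0
    session_key: Optional[bytes] = None


@dataclass
class SecureChannelClient:
    negotiate: Callable[[str], bytes]           # assumed: server name -> session key
    clock: Callable[[], float] = time.monotonic
    SealSecureChannel: bool = True
    sessions: Dict[str, ServerSessionInfo] = field(default_factory=dict)

    def auth_level(self) -> str:
        # TRUE -> Privacy (sealed), FALSE -> Integrity (signed only)
        return "Privacy" if self.SealSecureChannel else "Integrity"

    def _establish(self, server: str) -> ServerSessionInfo:
        info = self.sessions.setdefault(server, ServerSessionInfo())
        info.LastAuthenticationTry = self.clock()  # record the try even if it fails
        info.session_key = self.negotiate(server)
        return info

    def call(self, server: str, method: Callable[[bytes, str], object]):
        info = self.sessions.get(server)
        if info is None or info.session_key is None:
            info = self._establish(server)         # negotiation precedes the call
        try:
            return method(info.session_key, self.auth_level())
        except AccessDenied:
            # Re-establish only if strictly more than 45 s since the last try;
            # otherwise surface the denial instead of hammering the server.
            if self.clock() - info.LastAuthenticationTry <= REAUTH_MIN_INTERVAL:
                raise
            info = self._establish(server)
            return method(info.session_key, self.auth_level())
```
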