3.5.4.4.2 NetrServerAuthenticate3 (Opnum 26)

The NetrServerAuthenticate3 method SHOULD<174> mutually authenticate the client and the server and establish the session key to be used for the secure channel message protection between the client and the server. It is called after the NetrServerReqChallenge method, as specified in section 3.5.4.4.1.

 NTSTATUS NetrServerAuthenticate3(
   [in, unique, string] LOGONSRV_HANDLE PrimaryName,
   [in, string] wchar_t* AccountName,
   [in] NETLOGON_SECURE_CHANNEL_TYPE SecureChannelType,
   [in, string] wchar_t* ComputerName,
   [in] PNETLOGON_CREDENTIAL ClientCredential,
   [out] PNETLOGON_CREDENTIAL ServerCredential,
   [in, out] ULONG * NegotiateFlags,
   [out] ULONG * AccountRid
 );

PrimaryName: The custom binding handle, as defined in section 3.5.4.1.

AccountName: A null-terminated Unicode string that identifies the name of the account that contains the secret key (password) that is shared between the client and the server.<175>

SecureChannelType: A NETLOGON_SECURE_CHANNEL_TYPE enumerated value, as specified in section 2.2.1.3.13, that indicates the type of the secure channel being established by this call.

ComputerName: A null-terminated Unicode string that contains the NetBIOS name of the client computer calling this method.

ClientCredential: A pointer to a NETLOGON_CREDENTIAL structure, as specified in section 2.2.1.3.4, that contains the supplied client credentials, as specified in section 3.1.4.4.

ServerCredential: A pointer to a NETLOGON_CREDENTIAL structure, as specified in section 2.2.1.3.4, that contains the returned server credentials.

NegotiateFlags: A pointer to a 32-bit set of bit flags in little-endian format that indicate features supported. As input, the flags are those requested by the client and are the same as ClientCapabilities. As output, they are the bit-wise AND of the client's requested capabilities and the server's ServerCapabilities. For more details, see section 3.1.4.2.

AccountRid: A pointer that receives the RID of the account specified by the AccountName parameter. ([MS-ADTS] section 3.1.1.5.2.4 specifies how this RID is assigned at account creation time.) This value is stored in the AccountRid ADM element within the ClientSessionInfo table.

Return Values: The method returns 0x00000000 on success; otherwise, it returns a nonzero error code.

On receiving this call, the server MUST perform the following validation steps:

  • Apply Common Error Processing Rule A, specified in section 3.

  • Apply Common Error Processing Rule B, specified in section 3, to the PrimaryName parameter.

If the AccountName parameter is the name of a domain trust object, and there is a period at the end of the parameter name, the period is ignored during processing.

The server SHOULD<176> check the SecureChannelType parameter.

The server MUST compute the mask of supported Netlogon Options.

If RejectDES is set to TRUE and neither flag O nor flag W is specified by the client, the server MUST fail the session-key negotiation and return STATUS_DOWNGRADE_DETECTED.

If RejectMD5Clients is set to TRUE and flag W is not specified by the client, the server MUST fail the session-key negotiation and return STATUS_DOWNGRADE_DETECTED.

The server MUST set ClientStoredCredential to 0.

The server MUST set ServerStoredCredential to the value of the ClientCredential parameter.

The server MUST compute or retrieve the NTOWFv1 (as specified in NTLM v1 Authentication in [MS-NLMP] section 3.3.1) of the client computer password and use it to compute a session key, as specified in section 3.1.4.3. If the server cannot compute or retrieve the NTOWFv1 of the client computer password, it MUST return STATUS_NO_TRUST_SAM_ACCOUNT.

The server MUST compute the client Netlogon credential as specified in section 3.1.4.4 and compare the result with the client Netlogon credential passed from the client for verification. The computation is performed using the ClientChallenge from the ChallengeTable. If the comparison fails, session-key negotiation fails, and the server MUST return STATUS_ACCESS_DENIED.

The server MUST compute the server Netlogon credential to be returned to the client.

The server MUST obtain the RID to be returned in the AccountRid parameter by performing external behavior consistent with locally invoking SamrLookupNamesInDomain ([MS-SAMR] section 3.1.5.11.2), using the following parameters:

  • DomainHandle is set to the value received by performing external behavior consistent with locally invoking SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5).

  • Count is set to the value of 1.

  • Names is set to an array with a length of 1 and is the only array element set to the value of <AccountName>.

If the call returns any error code other than STATUS_SUCCESS, the server MUST return that error code.

The server MUST obtain the value of the DomainHandle parameter used when invoking SamrLookupNamesInDomain by performing external behavior consistent with locally invoking SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5), using the following parameters:

  • ServerHandle is set to the value returned by performing external behavior consistent with locally invoking SamrConnect ([MS-SAMR] section 3.1.5.1.4).

  • DesiredAccess is set to the value DOMAIN_LOOKUP.

  • DomainId is set to the value of DomainSid (section 3.5.1).

If the call returns any error code other than STATUS_SUCCESS, the server MUST return that error code.

The server MUST obtain the value of the ServerHandle parameter used when invoking SamrOpenDomain by performing external behavior consistent with locally invoking SamrConnect ([MS-SAMR] section 3.1.5.1.4), using the following parameters:

  • ServerName is set to the value of the NetBIOS form of the server computer name.

  • DesiredAccess is set to the value SAM_SERVER_LOOKUP_DOMAIN.

If the call returns any error code other than STATUS_SUCCESS, the server MUST return that error code.