3.5.4.2 Determining client privileges

To determine access rights, the client access token is retrieved from the RPC transport, as defined for RpcImpersonationAccessToken in [MS-RPCE] section 3.3.3.4.3.

Method Access Control Algorithm: During processing of methods that implement access checks, the server implementing this protocol SHOULD perform access security verification on the client's identity using the algorithm specified by the Access Check Algorithm Pseudocode ([MS-DTYP] section 2.5.3.2). For this protocol, the input parameters of that algorithm are mapped as follows:

  • SecurityDescriptor: This MUST be the NetlogonSecurityDescriptor ADM element.

  • Token / Authorization Context: This MUST be the identity of the client from the ADM element RpcImpersonationAccessToken, retrieved as specified in [MS-RPCE] section 3.3.3.4.3.

  • Access Request mask: This is specified by each method's processing logic and MUST be one or more of the Access Rights specified previously in section 2.2.1.4.18.

  • Object Tree: This parameter MUST be NULL.

  • PrincipalSelfSubst SID: This parameter MUST be NULL.
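The mapping above, carried through as an added example that is not part of the specification: a simplified Python model of the MS-DTYP 2.5.3.2 DACL walk, applied with a constructed NetlogonSecurityDescriptor and a constructed set of token SIDs. The two Netlogon method rights are placeholder values (the real bit assignments are in section 2.2.1.4.18, not reproduced here); owner, generic-mapping and MAXIMUM_ALLOWED handling are reduced to the owner rule, and object ACEs are omitted because Object Tree and PrincipalSelfSubst SID are NULL for this protocol.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

READ_CONTROL = 0x00020000           # standard right, implicitly granted to the owner
WRITE_DAC = 0x00040000              # standard right, implicitly granted to the owner
NETLOGON_RIGHT_A = 0x0001           # CONSTRUCTED placeholder for a method's access right
NETLOGON_RIGHT_B = 0x0002           # CONSTRUCTED placeholder for a method's access right

@dataclass
class Ace:
    allow: bool                     # True = ACCESS_ALLOWED_ACE, False = ACCESS_DENIED_ACE
    sid: str                        # trustee SID in string form
    mask: int                       # rights this ACE grants or denies

@dataclass
class SecurityDescriptor:
    owner_sid: str
    dacl: Optional[List[Ace]]       # None = NULL DACL (grants everything); [] grants nothing

def access_check(sd: SecurityDescriptor, token_sids: Set[str], requested: int) -> bool:
    """Simplified MS-DTYP 2.5.3.2: walk the DACL in order, a deny ACE that hits a
    still-requested bit fails immediately, allow ACEs clear bits, success when none remain."""
    if sd.dacl is None:
        return True
    remaining = requested
    if sd.owner_sid in token_sids:  # owner rule
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in sd.dacl:
        if remaining == 0:
            break
        if ace.sid not in token_sids:
            continue                # ACE does not apply to this client
        if not ace.allow and (ace.mask & remaining):
            return False            # explicit deny takes effect before later allows
        if ace.allow:
            remaining &= ~ace.mask
    return remaining == 0

# CONSTRUCTED NetlogonSecurityDescriptor ADM value using well-known SIDs:
# owner Administrators; deny Anonymous Logon; allow Everyone right A; allow Administrators both.
NETLOGON_SD = SecurityDescriptor(
    owner_sid="S-1-5-32-544",
    dacl=[Ace(False, "S-1-5-7", NETLOGON_RIGHT_A | NETLOGON_RIGHT_B),
          Ace(True, "S-1-1-0", NETLOGON_RIGHT_A),
          Ace(True, "S-1-5-32-544", NETLOGON_RIGHT_A | NETLOGON_RIGHT_B)])

def check_method_access(token_sids: Set[str], requested: int) -> bool:
    """Section 3.5.4.2 mapping: SecurityDescriptor = NetlogonSecurityDescriptor, token =
    the client's RpcImpersonationAccessToken SIDs, mask = the method's required rights."""
    return access_check(NETLOGON_SD, token_sids, requested)
```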