3.3 Netlogon as a Security Support Provider

In addition to other functionality, Netlogon also serves as a limited private SSP<84> for use by Netlogon and RPC ([MS-RPCE] section 2.2.1.1.7) when encrypting and signing data during communication.<85> Central to this capability is the use of the session key, as specified in section 3.1. This section specifies the behavior of the security provider role for both client and server.

Netlogon implements a service that allows the RPC runtime to perform a security context negotiation between the client and the server and to use per-message calls to protect the data being passed over the network. For Netlogon to be able to perform this functionality, a session key MUST have been established between the client and the server as specified in section 3.1. Netlogon registers with the RPC runtime as a security provider with the auth_type value (as specified in [MS-RPCE] section 2.2.2.11) of 0x44.

When serving as its own generic SSP, Netlogon always provides the following service features:

  • Integrity: Signed messages are constructed so that any modification while in transit is detected by the receiver. The generation and receipt of the Netlogon Signature token will always provide integrity protection for the messages.

  • Sequence Detect: Signed messages are constructed such that out-of-order sequences can be detected. The generation and receipt of the Netlogon Signature token will always detect out-of-sequence messages.
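The two guarantees above, integrity and sequence detection, as an added illustration that is not part of [MS-NRPC]: the real Netlogon Signature token layout and its algorithms are specified elsewhere in the document, so this model substitutes HMAC-SHA256 over a sequence number and the payload, keyed with a constructed session key, to show how a receiver classifies a tampered message versus a replayed or reordered one.

```python
import hmac
import hashlib
import struct

# Constructed session key for the example. In Netlogon the key is the one
# established by the secure channel setup (section 3.1), never a constant.
SESSION_KEY = bytes(range(16))


class NetlogonLikeChannel:
    """Stand-in per-message protection (not the real NL_AUTH signature)."""

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.send_seq = 0    # next sequence number attached to outbound messages
        self.expect_seq = 0  # next sequence number expected on inbound messages

    def _mac(self, seq: int, payload: bytes) -> bytes:
        # Binding the sequence number into the MAC means a token cannot be
        # moved onto a different message or renumbered without detection.
        return hmac.new(self.key, struct.pack("<Q", seq) + payload, hashlib.sha256).digest()

    def sign(self, payload: bytes) -> bytes:
        """Return token (seq || mac) for one outbound message."""
        token = struct.pack("<Q", self.send_seq) + self._mac(self.send_seq, payload)
        self.send_seq += 1
        return token

    def verify(self, token: bytes, payload: bytes) -> str:
        """Classify an inbound message: 'ok', 'tampered' or 'out_of_sequence'."""
        seq = struct.unpack("<Q", token[:8])[0]
        if not hmac.compare_digest(token[8:], self._mac(seq, payload)):
            return "tampered"          # integrity check fails first
        if seq != self.expect_seq:
            return "out_of_sequence"   # valid token, but replayed or reordered
        self.expect_seq += 1
        return "ok"


def demo() -> list:
    """Client signs two messages; server sees a replay and an altered payload."""
    client, server = NetlogonLikeChannel(SESSION_KEY), NetlogonLikeChannel(SESSION_KEY)
    m1, m2 = b"request-1", b"request-2"
    t1, t2 = client.sign(m1), client.sign(m2)
    results = [server.verify(t1, m1)]                 # ok
    results.append(server.verify(t1, m1))             # replay of message 1
    results.append(server.verify(t2, b"request-X"))   # payload altered in transit
    results.append(server.verify(t2, m2))             # ok
    return results
```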