3.1.4.5 Netlogon Authenticator Computation and Verification

All methods that require a secure channel, except NetrLogonSamLogonEx, will use Netlogon authenticators. If the Netlogon RPC call is using Netlogon authenticators, the following steps are used to calculate the authenticator:

  1. Each time a client sends a new request, it records the current time stamp (expressed as the number of seconds since 00:00:00 on January 1, 1970 (UTC)) in the Timestamp field of the ReturnAuthenticator, which is a NETLOGON_AUTHENTICATOR structure as specified in section 2.2.1.1.5. The client also adds the value of this time stamp to the stored Netlogon client credential and encrypts the result with the session key, using the Netlogon credential computation algorithm defined in section 3.1.4.4. The result of this computation is stored in the Credential field of the NETLOGON_AUTHENTICATOR structure and is then sent to the server.

     SET TimeNow = current time;
     SET ClientAuthenticator.Timestamp = TimeNow;
     SET ClientStoredCredential = ClientStoredCredential + TimeNow;
     CALL ComputeNetlogonCredential(ClientStoredCredential,
                   Session-Key, ClientAuthenticator.Credential);

  2. When the server receives a request, the server confirms the validity of the Netlogon authenticator that it received with the request. Validation is achieved by adding the time stamp transmitted in the received Netlogon authenticator to the server's stored copy of the Netlogon credential, and by encrypting the result with the session key, using the algorithm specified in section 3.1.4.4. The server then compares the Netlogon credential that it just calculated with the Netlogon credential transmitted in the received Netlogon authenticator. If the Netlogon credentials do not match, the operation fails, and an error indicating that access is denied is returned to the client.

    If the Netlogon credentials match, the server increments the Netlogon credential in the Netlogon authenticator by one, performs the computation defined in Netlogon Credential Computation, section 3.1.4.4, and stores the new Netlogon credential. The server returns a Netlogon authenticator that contains the new Netlogon credential to the client.

     SET ServerStoredCredential = ServerStoredCredential +
                   ClientAuthenticator.Timestamp;
     CALL ComputeNetlogonCredential(ServerStoredCredential,
                   Session-Key, TempCredential);
     IF TempCredential != ClientAuthenticator.Credential
        THEN return access denied error

     SET ServerStoredCredential = ServerStoredCredential + 1;
     CALL ComputeNetlogonCredential(ServerStoredCredential,
                   Session-Key, ServerAuthenticator.Credential);

  3. The client validates the returned Netlogon authenticator by incrementing its stored Netlogon credential by one, encrypting the result with the session key using the algorithm defined in section 3.1.4.4, and comparing the results. If this is successful, the client stores the Netlogon credential part of the Netlogon authenticator as the new Netlogon credential. If the validation fails, the client SHOULD re-establish its secure channel with the domain controller.

     SET ClientStoredCredential = ClientStoredCredential + 1;
     CALL ComputeNetlogonCredential(ClientStoredCredential,
                   Session-Key, TempCredential);
     IF TempCredential != ServerAuthenticator.Credential
        THEN return abort


In each of the addition operations previously performed, the least-significant 4 bytes of the credential are added with the 4-byte time stamp value (or the constant 1), and overflow is ignored. This leaves the most-significant 4 bytes of the credential unmodified.
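The three steps above together with the 4-byte addition rule, as an added Go example that is not part of this specification. It assumes the AES form of ComputeNetlogonCredential from section 3.1.4.4 (AES-128 in 8-bit CFB mode with an all-zero IV, keyed by the 16-byte session key), which this section does not restate, and that the least-significant 4 bytes are the little-endian DWORD at offset 0 of the credential; the function names are this example's own.

```go
package main
import (
	"crypto/aes"
	"encoding/binary"
)
// Credential is NETLOGON_CREDENTIAL; Authenticator mirrors NETLOGON_AUTHENTICATOR
// (section 2.2.1.1.5) with Timestamp in seconds since 00:00:00 1970-01-01 UTC.
type Credential [8]byte
type Authenticator struct {
	Credential Credential
	Timestamp  uint32
}
// add adds v to the least-significant 4 bytes (assumed: the little-endian DWORD
// at offset 0), ignoring overflow; the most-significant 4 bytes stay unmodified.
func add(c Credential, v uint32) Credential {
	binary.LittleEndian.PutUint32(c[:4], binary.LittleEndian.Uint32(c[:4])+v)
	return c
}
// compute is the AES form of section 3.1.4.4 as assumed by this example:
// AES-128 in 8-bit CFB mode, all-zero IV, keyed by the 16-byte session key.
func compute(in Credential, sessionKey []byte) Credential {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		panic(err) // a Netlogon session key is always 16 bytes
	}
	var shift, ks [16]byte // CFB shift register (starts as the zero IV), keystream
	for i := range in {    // in is a by-value copy, so it becomes the output in place
		block.Encrypt(ks[:], shift[:])
		in[i] ^= ks[0]
		copy(shift[:15], shift[1:])
		shift[15] = in[i]
	}
	return in
}
// Step 1 (client): stored += TimeNow; send E(stored) together with TimeNow.
func ClientAuthenticator(stored Credential, key []byte, now uint32) (Authenticator, Credential) {
	stored = add(stored, now)
	return Authenticator{compute(stored, key), now}, stored
}
// Step 2 (server): stored += Timestamp and verify (false = access denied),
// then stored += 1 and return E(stored) as the ReturnAuthenticator.
func ServerVerify(stored Credential, key []byte, a Authenticator) (Authenticator, Credential, bool) {
	if stored = add(stored, a.Timestamp); compute(stored, key) != a.Credential {
		return Authenticator{}, stored, false
	}
	stored = add(stored, 1)
	return Authenticator{Credential: compute(stored, key)}, stored, true
}
// Step 3 (client): stored += 1 and compare; on false the client SHOULD
// re-establish its secure channel instead of keeping the new credential.
func ClientVerify(stored Credential, key []byte, a Authenticator) (Credential, bool) {
	stored = add(stored, 1)
	return stored, compute(stored, key) == a.Credential
}
```

After a successful exchange both sides hold the same stored credential (seed + time stamp + 1), so a replayed authenticator no longer matches the server's advanced state.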