3.4.5.2.2 Calling NetrServerAuthenticate3
To call NetrServerAuthenticate3, the client MUST have called NetrServerReqChallenge and have a local copy of the server challenge (SC).
The client MUST set ClientStoredCredential to 0.
The client MUST set ServerStoredCredential to 0.
The client MUST compute a Netlogon credential using the algorithm defined in section 3.1.4.4. The result MUST be computed using the client challenge used in the call to NetrServerReqChallenge. The computed credential is passed as the ClientCredential parameter.
If the server returns STATUS_ACCESS_DENIED and the client used AES:
If RejectMD5Servers is set to FALSE and the NegotiateFlags parameter bit flag W is not set, the client retries establishing the session with the MD5/DES algorithm.
If RejectMD5Servers is set to TRUE, the client MUST fail session-key negotiation.
If RequireStrongKey is set to TRUE, and the server did not specify bit O in the NegotiateFlags output parameter as specified in section 3.1.4.2, the client MUST fail session-key negotiation.
If RequireSignOrSeal is set to TRUE, and the server did not specify bit Y in the NegotiateFlags output parameter as specified in section 3.1.4.2, the client MUST fail session-key negotiation.
After the call to NetrServerAuthenticate3 completes successfully, the client MUST compute the server Netlogon credential (as specified in section 3.1.4.4) and compare it with the one passed from the server for verification. The result MUST be computed using the server challenge. If the comparison fails, the client MUST fail session-key negotiation.
If the return value indicates that the method is not available on the server, the client MUST retry with a call to NetrServerAuthenticate2. If that call also fails with the method not available on the server, the client MUST retry with a call to NetrServerAuthenticate.
The client MUST compute a session key to use for encrypting further communications, as specified in section 3.1.4.3.
The client sets ConnectionStatus (section 3.4.5.3.1) if changed.
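As an added example (not text or code from MS-NRPC), the AES variant of the credential computation and the post-call server-credential check described above, in Go using only the standard library. It assumes M4SS (the shared secret of section 3.1.4.3) is supplied directly as 16 bytes, so the MD4 step that derives it from the machine password is left out, and it covers only the AES/SHA2 path (bit W), not the MD5/DES fallback; the sample values in main are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// aesSessionKey (section 3.1.4.3.1): first 16 bytes of
// HMAC-SHA256 keyed with M4SS over ClientChallenge || ServerChallenge.
func aesSessionKey(m4ss, cc, sc []byte) []byte {
	mac := hmac.New(sha256.New, m4ss)
	mac.Write(cc)
	mac.Write(sc)
	return mac.Sum(nil)[:16]
}

// netlogonCredentialAES (section 3.1.4.4.1): AES-128 in 8-bit CFB mode with a
// zero IV over the 8-byte challenge. Go ships only CFB128, so the CFB8 shift
// register is driven by hand, one block encryption per output byte.
func netlogonCredentialAES(sk, challenge []byte) []byte {
	block, _ := aes.NewCipher(sk) // sk is always 16 bytes here
	reg := make([]byte, aes.BlockSize)
	enc := make([]byte, aes.BlockSize)
	out := make([]byte, len(challenge))
	for i, p := range challenge {
		block.Encrypt(enc, reg)
		out[i] = p ^ enc[0]
		copy(reg, reg[1:])
		reg[aes.BlockSize-1] = out[i] // feed the ciphertext byte back
	}
	return out
}

// verifyServerCredential is the post-call check: recompute the credential over
// the server challenge (SC) and compare it, in constant time, with the returned one.
func verifyServerCredential(m4ss, cc, sc, received []byte) bool {
	return hmac.Equal(netlogonCredentialAES(aesSessionKey(m4ss, cc, sc), sc), received)
}

func main() {
	// Constructed sample values, not real secrets or captured traffic.
	m4ss := []byte("0123456789abcdef")
	cc, sc := []byte{1, 2, 3, 4, 5, 6, 7, 8}, []byte{8, 7, 6, 5, 4, 3, 2, 1}
	sk := aesSessionKey(m4ss, cc, sc)
	serverCred := netlogonCredentialAES(sk, sc) // what an honest server returns
	fmt.Printf("ClientCredential=%x verified=%v\n", netlogonCredentialAES(sk, cc), verifyServerCredential(m4ss, cc, sc, serverCred))
}
```

The ClientCredential parameter is the credential over CC (the challenge sent in NetrServerReqChallenge); the server's is over SC, which is why the verification step must recompute over the server challenge.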