3.2.2.1.6 Determining DC Support for Signing
The processing rules in this section are used to determine whether the domain controller (DC) supports signing or not.
Input Parameters:
InputADConnectionHandle: An ADConnection handle (see [MS-ADTS] section 7.2 for more information about ADConnection).
Output Parameters:
True or False, depending on whether the DC supports signing or not.
Processing Rules:
Invoke the "Establishing an ADConnection" task ([MS-ADTS] section 7.6.1.3) with the following parameter:
TaskInputADConnection: InputADConnectionHandle
If the TaskReturnStatus returned is FALSE, return FALSE.
Invoke the "Perform an LDAP Operation on an ADConnection" task ([MS-ADTS] section 7.6.1.6) with the following parameters:
TaskInputADConnection: InputADConnectionHandle
TaskInputRequestMessage: LDAP SearchRequest message ([RFC2251] section 4.5.1) as follows:
baseObject: NULL
scope: baseObject
filter: (objectClass=*)
attributes: The CA SHOULD use the following attributes:
supportedCapabilities
sizeLimit: 10000
timeLimit: 120
derefAliases: neverDerefAliases
typesOnly: FALSE
TaskOutputResultMessage: Upon successful return from the task, this parameter will contain the results of the LDAP search.
If the TaskReturnStatus returned is not 0, return FALSE.
If the supportedCapabilities attribute in TaskOutputResultMessage contains 1.2.840.113556.1.4.1791 (LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID_W), then return TRUE, else return FALSE.
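The following is an added worked example and is not code from the specification or from Microsoft. It BER-encodes the exact rootDSE SearchRequest the processing rules describe (empty baseObject, scope baseObject, present filter on objectClass, sizeLimit 10000, timeLimit 120, the supportedCapabilities attribute) and applies the three decision steps. The connection and search callables are assumptions standing in for the "Establishing an ADConnection" and "Perform an LDAP Operation" tasks, so the decision logic can be exercised against a constructed result without a live DC.

```python
"""Added example (not from the spec): build the rootDSE SearchRequest and
decide whether the DC advertises LDAP signing support."""
from typing import Callable, Dict, List, Tuple, Union

# OID from the processing rules: LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID_W
LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID_W = "1.2.840.113556.1.4.1791"


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, content: bytes) -> bytes:
    """Generic TLV: one tag octet, length, content."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """INTEGER (or ENUMERATED via tag 0x0A) in minimal two's complement."""
    n = max(1, (value.bit_length() + 8) // 8)
    return ber(tag, value.to_bytes(n, "big", signed=True))


def ber_bool(value: bool) -> bytes:
    return ber(0x01, b"\xff" if value else b"\x00")


def ber_octets(text: str, tag: int = 0x04) -> bytes:
    return ber(tag, text.encode("utf-8"))


def build_rootdse_search_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, SearchRequest } per RFC 2251 section 4.5.1,
    with the parameter values listed in the processing rules."""
    search_request = ber(
        0x63,                                   # [APPLICATION 3] SearchRequest
        ber_octets("")                          # baseObject: NULL (rootDSE)
        + ber_int(0, tag=0x0A)                  # scope: baseObject
        + ber_int(0, tag=0x0A)                  # derefAliases: neverDerefAliases
        + ber_int(10000)                        # sizeLimit: 10000
        + ber_int(120)                          # timeLimit: 120
        + ber_bool(False)                       # typesOnly: FALSE
        + ber_octets("objectClass", tag=0x87)   # filter: present [7] -> (objectClass=*)
        + ber(0x30, ber_octets("supportedCapabilities")),  # attributes
    )
    return ber(0x30, ber_int(message_id) + search_request)


Attrs = Dict[str, List[Union[bytes, str]]]


def determine_dc_support_for_signing(
    establish_connection: Callable[[], bool],
    perform_search: Callable[[bytes], Tuple[int, Attrs]],
) -> bool:
    """Mirror the three processing-rule steps.

    establish_connection and perform_search are assumed stand-ins for the
    [MS-ADTS] tasks; perform_search returns (status, attributes) where
    status 0 means the LDAP operation succeeded."""
    # Step 1: "Establishing an ADConnection" failed -> FALSE
    if not establish_connection():
        return False
    # Step 2: non-zero TaskReturnStatus from the LDAP operation -> FALSE
    status, attrs = perform_search(build_rootdse_search_request())
    if status != 0:
        return False
    # Step 3: TRUE only if the signing OID appears in supportedCapabilities.
    # A missing attribute or an empty value list is treated as "not supported".
    values = attrs.get("supportedCapabilities") or []
    caps = {v.decode("utf-8") if isinstance(v, bytes) else v for v in values}
    return LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID_W in caps


if __name__ == "__main__":
    # Constructed sample result, not captured from a real DC.
    sample = {"supportedCapabilities": [b"1.2.840.113556.1.4.800",
                                        b"1.2.840.113556.1.4.1791"]}
    print(build_rootdse_search_request().hex())
    print(determine_dc_support_for_signing(lambda: True, lambda _req: (0, sample)))
```

Against a real DC the same decision function can be fed by any LDAP client that returns the rootDSE attributes; for example, with the third-party ldap3 library (API from memory, not from the specification) the search is `conn.search('', '(objectClass=*)', search_scope=ldap3.BASE, attributes=['supportedCapabilities'], size_limit=10000, time_limit=120)`, and the result status maps to the step-2 check. Note that the supportedCapabilities OID only states that the DC supports LDAP signing; whether signing is required is a separate server setting and is not visible from this check alone.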