3.2.4 Message Processing Events and Sequencing Rules

The BackupKey Remote Protocol client receives requests from a higher layer, requesting a protocol operation to be executed against a specified Active Directory domain and supplying user credentials valid for authentication in that domain. Requests for client-side wrapping of secrets MUST be processed as specified in section 3.2.4.1. All other requests MUST be passed directly to a server.

For all operations, if the client needs to connect to a server, it MUST first locate the server by using the DC Locator protocol (as specified in [MS-ADTS] section 6.3.6) to locate a writable Domain Controller in that domain. It MUST then connect to the server using the supplied user credentials, as follows. First, the client SHOULD<14> attempt to connect to the \\pipe\protected_storage endpoint on the server. If connecting to the \\pipe\protected_storage endpoint is not attempted or if it fails, the client MUST attempt to connect to the \\pipe\ntsvcs endpoint on the same server.

The client MUST configure each RPC connection to the server as follows:

  • The client MUST indicate to the RPC runtime that it is to perform a strict NDR data consistency check at target level 6.0, as specified in [MS-RPCE] section 3.1.1.5.3.3.

  • The client MUST indicate to the RPC runtime that it is to reject a NULL unique or full pointer with nonzero conformant value, as specified in [MS-RPCE] section 3.1.1.5.3.3.1.2.

  • The client MUST instruct the RPC runtime to negotiate a security context using the SPNEGO Protocol, as specified in [MS-RPCE] section 2.2.1.1.7.

  • The client MUST also instruct the RPC runtime to negotiate the use of the packet privacy authentication level, which provides both message confidentiality and integrity ([MS-RPCE] section 2.2.1.1.8).<15>

  • The client MUST instruct the RPC runtime to use the RPC_C_IMPL_LEVEL_IMPERSONATE impersonation level specified in [MS-RPCE] section 2.2.1.1.9.

  • Finally, the client SHOULD request the RPC runtime to perform mutual authentication<16> with the server.<17>

A client MUST support at least one of the ClientWrap and ServerWrap subprotocols completely. In addition, if a client supports the wrapping operation of either subprotocol, it MUST also support calling the corresponding unwrap operation. Thus, if a client supports BACKUPKEY_BACKUP_GUID, it MUST also support BACKUPKEY_RESTORE_GUID_WIN2K. Similarly, if a client supports BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID, it MUST also support BACKUPKEY_RESTORE_GUID. Client implementations SHOULD support both subprotocols completely.<18>

The client SHOULD set the dwParam parameter of the BackuprKey method to zero in all invocations.

The client MUST treat all server errors (that is, nonzero return codes from the server) identically. When a protocol method fails, the client MUST attempt to locate another server and repeat the same operation. If no other server can be located, or if the second server also returns an error, the client MUST return an error to the caller.
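The connection and failover sequencing above (locate a writable DC, try \\pipe\protected_storage before \\pipe\ntsvcs, pass dwParam as zero, retry once against a different server on any nonzero status) is modelled in the following added example, which is not part of the specification. The DC Locator, the RPC connect and the BackuprKey call are injected stand-ins so the sequencing logic can be exercised offline; the binding requirements are recorded as plain data, and treating a server reachable on neither endpoint like a failed call is an assumption the text does not make.

```python
ENDPOINTS = (r"\pipe\protected_storage", r"\pipe\ntsvcs")
# Binding requirements from the bullet list above, kept as plain data (not a real RPC API).
RPC_BINDING = {"ndr_check_target": "6.0", "reject_null_ptr_nonzero_conformant": True,
               "security": "SPNEGO", "auth_level": "PKT_PRIVACY", "mutual_auth": True,
               "impersonation": "RPC_C_IMPL_LEVEL_IMPERSONATE"}

class BackupKeyError(Exception): pass

def connect(server, creds, connect_fn):
    """SHOULD try protected_storage first; MUST fall back to ntsvcs if that fails."""
    for ep in ENDPOINTS:
        handle = connect_fn(server, ep, creds, RPC_BINDING)
        if handle is not None:
            return handle
    return None

def backup_key_call(domain, creds, locate_dc, connect_fn, backupr_key, guid, data):
    """Locate a writable DC and call BackuprKey; on any nonzero status locate one other DC and
    retry once, then fail. A DC reachable on neither endpoint counts as a failure (assumption)."""
    tried, last = set(), "no server located"
    for _ in range(2):                                   # the first server plus one alternative
        server = locate_dc(domain, tried)
        if server is None:
            break
        tried.add(server)
        handle = connect(server, creds, connect_fn)
        if handle is None:
            last = f"{server}: no endpoint reachable"
            continue
        status, out = backupr_key(handle, guid, data, 0)  # dwParam SHOULD be zero
        if status == 0:
            return out
        last = f"{server}: status {status:#x}"           # all nonzero codes treated alike
    raise BackupKeyError(last)

def simulate(script):
    """Drive the client against constructed DC behaviour; returns (call trace, result or error)."""
    trace = []
    def locate_dc(domain, exclude):                      # stand-in for the DC Locator
        return next((s for s in script if s not in exclude), None)
    def connect_fn(server, ep, creds, binding):
        trace.append(("connect", server, ep))
        return (server, ep) if ep in script[server]["endpoints"] else None
    def backupr_key(handle, guid, data, dw_param):
        trace.append(("BackuprKey", handle[0], dw_param))
        return script[handle[0]]["status"], data[::-1]   # constructed stand-in for the wrapped blob
    try:
        return trace, backup_key_call("corp.example", "creds", locate_dc, connect_fn, backupr_key, "GUID", b"secret")
    except BackupKeyError as e:
        return trace, e
```

The trace returned by `simulate` is the sequence a defender would expect to see in named-pipe and RPC logs for a conforming client: at most two servers per operation, and ntsvcs only after protected_storage has been refused.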