1.5 Prerequisites/Preconditions
The CredSSP Protocol assumes the following:
The CredSSP client has access to the user's credentials (the CredSSP Protocol delegates these credentials to the CredSSP server).<2>
A source of cryptographically useful random numbers MUST be available on the client and server for generating a nonce that is used by the TLS Protocol as well as the client/server identity validation.
The CredSSP server has an X.509 certificate (as specified in [RFC3280]) for use in TLS. The certificate can be self-signed or issued by a third-party certification authority. The CredSSP Protocol does not assume a common certification authority root between the client and the server.
The CredSSP Protocol uses the SPNEGO protocol for mutual client/server authentication; at least one other GSS-compatible authentication protocol, in addition to the CredSSP Protocol, MUST be present for it to work.<3>