3.2.4.2 Retrieving a Group Key from a Server

To retrieve a group key from the server, the client MUST perform a GetKey call, as specified in section 3.1.4.1. However, before making this call, the client MUST first perform the following:

  1. Locate a DC.

    The client MUST locate a suitable DC by using the method specified in [MS-NRPC] section 3.5.4.3.1, with the DomainName parameter set to the specified domain name, Flags set to the bitwise OR of the R and U bits, and all other parameters set to zero or NULL.

  2. Connect to the DC over RPC.

    The client MUST connect to this server over RPC using the supplied user credentials. Each RPC connection to the server MUST be configured as follows:

    • The client MUST indicate to the RPC runtime that it is to perform a strict NDR data consistency check at target level 6.0, as specified in [MS-RPCE] section 3.1.1.5.3.3.

    • The client MUST indicate to the RPC runtime that it is to reject a NULL unique or full pointer with nonzero conformant value, as specified in [MS-RPCE] section 3.1.1.5.3.3.1.2.

    • The client MUST instruct the RPC runtime to negotiate a security context by using the SPNEGO protocol [MS-SPNG], as specified in [MS-RPCE] section 2.2.1.1.7.

    • The client MUST also instruct the RPC runtime to negotiate the use of the packet privacy authentication level, which provides both message confidentiality and integrity ([MS-RPCE] section 2.2.1.1.8).

    • If the server returned is a writable DC, the client MUST instruct the RPC runtime to use the SECURITY_IMPERSONATION impersonation level, as specified in [MS-RPCE] section 2.2.1.1.9. If the server returned is an RODC, the client MUST instruct the RPC runtime to use the SECURITY_IDENTIFICATION impersonation level, as specified in [MS-RPCE] section 2.2.1.1.9.

    • Lastly, the client SHOULD request the RPC runtime to perform mutual authentication with the server.

  3. Perform the GetKey call.

    After establishing and configuring the DC connection, the client MUST perform the GetKey call (section 3.1.4.1) with parameters specified by the caller. The client MUST treat all server errors (non-zero return codes) identically. If the GetKey method fails, the client MUST return an error to the caller.
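The following is an added example, not text or code from [MS-GKDI] or from any Windows component: it derives the step 2 binding settings from the DC locator result, checks a binding against the MUST-level requirements, and then issues the step 3 call so that any non-zero HRESULT surfaces as one error. Only the numeric constants are real (the [MS-RPCE] sections 2.2.1.1.7 to 2.2.1.1.9 values and the locator's DS_WRITABLE_FLAG); RpcBindingConfig, plan_binding(), check_binding(), get_key() and GkdiError are illustrative names invented here, and the locator flags and the RPC stub that returns E_ACCESSDENIED are constructed inputs.

```python
"""Added example (not [MS-GKDI] text or code): derive and check the
client-side RPC binding settings section 3.2.4.2 requires before GetKey.

Only the numeric constants are real; RpcBindingConfig, plan_binding(),
check_binding() and get_key() are illustrative helpers, not Windows RPC APIs.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# [MS-RPCE] section 2.2.1.1.7: authentication service for SPNEGO
RPC_C_AUTHN_GSS_NEGOTIATE = 9
# [MS-RPCE] section 2.2.1.1.8: authentication levels
RPC_C_AUTHN_LEVEL_CONNECT = 2
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY = 5
RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6
# [MS-RPCE] section 2.2.1.1.9: impersonation levels
RPC_C_IMP_LEVEL_IDENTIFY = 2      # SECURITY_IDENTIFICATION
RPC_C_IMP_LEVEL_IMPERSONATE = 3   # SECURITY_IMPERSONATION
# DomainControllerInfo.Flags bit the DC locator sets for a writable DC
DS_WRITABLE_FLAG = 0x00000100


@dataclass
class RpcBindingConfig:
    """Stand-in for the settings a client pushes into the RPC runtime."""
    server: str
    authn_service: int
    authn_level: int
    impersonation_level: int
    mutual_auth: bool
    strict_ndr_target: Optional[str]       # "6.0" == NDR consistency check at target level 6.0
    reject_null_conformant_pointer: bool   # NULL unique/full pointer with nonzero conformant value


def plan_binding(dc_name: str, dc_flags: int) -> RpcBindingConfig:
    """Step 2: every setting is fixed by the spec except the impersonation
    level, which depends on whether the located DC is writable or an RODC."""
    writable = bool(dc_flags & DS_WRITABLE_FLAG)
    return RpcBindingConfig(
        server=dc_name,
        authn_service=RPC_C_AUTHN_GSS_NEGOTIATE,
        authn_level=RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
        impersonation_level=(RPC_C_IMP_LEVEL_IMPERSONATE if writable
                             else RPC_C_IMP_LEVEL_IDENTIFY),
        mutual_auth=True,                  # SHOULD: requested, but not enforced by check_binding
        strict_ndr_target="6.0",
        reject_null_conformant_pointer=True,
    )


def check_binding(cfg: RpcBindingConfig, dc_flags: int) -> List[str]:
    """Return the MUST-level requirements of step 2 that cfg violates."""
    problems = []
    if cfg.authn_service != RPC_C_AUTHN_GSS_NEGOTIATE:
        problems.append("authentication service is not SPNEGO")
    if cfg.authn_level != RPC_C_AUTHN_LEVEL_PKT_PRIVACY:
        problems.append("authentication level is not packet privacy")
    want = (RPC_C_IMP_LEVEL_IMPERSONATE if dc_flags & DS_WRITABLE_FLAG
            else RPC_C_IMP_LEVEL_IDENTIFY)
    if cfg.impersonation_level != want:
        problems.append("impersonation level does not match writable-DC/RODC rule")
    if cfg.strict_ndr_target != "6.0":
        problems.append("strict NDR check at target level 6.0 not enabled")
    if not cfg.reject_null_conformant_pointer:
        problems.append("NULL pointer with nonzero conformant value not rejected")
    return problems


class GkdiError(Exception):
    """The single error the client surfaces to its caller."""


def get_key(cfg: RpcBindingConfig, dc_flags: int,
            rpc_call: Callable[..., Tuple[int, Optional[bytes]]], *args) -> bytes:
    """Step 3: refuse to issue GetKey over a non-compliant binding, then map
    every non-zero HRESULT to the same GkdiError (no per-code handling)."""
    problems = check_binding(cfg, dc_flags)
    if problems:
        raise GkdiError("binding not configured per 3.2.4.2: " + "; ".join(problems))
    hr, key = rpc_call(*args)
    if hr != 0:
        raise GkdiError("GetKey failed: HRESULT 0x%08X" % (hr & 0xFFFFFFFF))
    return key


if __name__ == "__main__":
    # Constructed locator results: a writable DC and an RODC (writable bit clear).
    for name, flags in (("dc1.corp.example", DS_WRITABLE_FLAG | 0x10),
                        ("rodc1.corp.example", 0x10)):
        cfg = plan_binding(name, flags)
        print(name, "impersonation level", cfg.impersonation_level,
              "violations", check_binding(cfg, flags))
    # Constructed RPC stub: the server rejects the call with E_ACCESSDENIED.
    try:
        get_key(plan_binding("dc1.corp.example", DS_WRITABLE_FLAG),
                DS_WRITABLE_FLAG, lambda: (0x80070005, None))
    except GkdiError as e:
        print(e)
```

The point of check_binding() is the ordering the section imposes: the client configures authentication, privacy level and impersonation before any GetKey traffic leaves the host, so a weaker level such as RPC_C_AUTHN_LEVEL_PKT_INTEGRITY must cause the call to be refused rather than silently downgraded. In native Windows code the authentication service, level, impersonation type and mutual-authentication capability are supplied to the runtime through RpcBindingSetAuthInfoEx and its RPC_SECURITY_QOS structure, while the NDR consistency and pointer checks are properties of the client stub rather than of the binding handle.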