3.1.4.7.17 LsarCreateTrustedDomainEx3 (Opnum 129)

The LsarCreateTrustedDomainEx3 method is invoked to create a new TDO.<109>

 NTSTATUS
 LsarCreateTrustedDomainEx3(
     [in] LSAPR_HANDLE PolicyHandle,
     [in] PLSAPR_TRUSTED_DOMAIN_INFORMATION_EX TrustedDomainInformation,
     [in] PLSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES AuthenticationInformation,
     [in] ACCESS_MASK  DesiredAccess,
     [out] LSAPR_HANDLE* TrustedDomainHandle
     );

PolicyHandle: An RPC context handle obtained from LsarOpenPolicy3 (section 3.1.4.4.9), LsarOpenPolicy2 (section 3.1.4.4.1), or LsarOpenPolicy (section 3.1.4.4.2).

TrustedDomainInformation: Information about the new TDO to be created.

AuthenticationInformation: Authentication information for the new TDO, encrypted as specified in AES Cipher Usage (section 5.1.5).

DesiredAccess: An access mask (section 2.2.1.1) specifying the desired access to the TDO handle.

TrustedDomainHandle: Used to return the handle for the newly created TDO.

Return Values: The same as LsarCreateTrustedDomainEx2 (section 3.1.4.7.10).

Processing instructions:

The processing is the same as LsarCreateTrustedDomainEx2 (section 3.1.4.7.10) with the following exception:

AuthenticationInformation: A structure containing encrypted LSAPR_TRUSTED_DOMAIN_AUTH_BLOB (section 2.2.7.16) authentication information for the trusted domain.

If the cbCipher field of AuthenticationInformation (the length, in bytes, of the ciphertext) is less than (512 + IncomingAuthInfoSize + OutgoingAuthInfoSize), the server MUST return STATUS_INVALID_PARAMETER.

The server MUST first decrypt this data structure using the algorithm specified in AES Cipher Usage (section 5.1.5), with the session key negotiated by the transport as the key. Next, the server MUST unmarshal the data inside the decrypted structure into a structure whose format is specified in section 2.2.7.11. This structure MUST then be stored in the Trust Incoming and Outgoing Password properties (section 3.1.1.5).
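The following Python is an added illustration of the server-side steps above (the cbCipher check, unmarshalling of the decrypted LSAPR_TRUSTED_DOMAIN_AUTH_BLOB, and the bounds checks a server needs on client-supplied counts, offsets and lengths). It is not part of [MS-LSAD] or of any implementation. It assumes the blob layout of section 2.2.7.16 as summarized in the comments (a 512-byte confounder, an Outgoing block and an Incoming block each consisting of Count, ByteOffsetCurrent and ByteOffsetPrevious relative to the Count field followed by the Current and Previous arrays, then OutgoingAuthInfoSize and IncomingAuthInfoSize), and an LSAPR_AUTH_INFORMATION entry laid out as LastUpdateTime, AuthType, AuthInfoLength and AuthInfo padded to a 4-byte boundary. Decryption per section 5.1.5 is supplied by the caller as a callable and is replaced by an identity function in the sample run; the two size fields live inside the plaintext, so the cbCipher comparison is evaluated once the trailer has been read. All function names, the sample passwords and the confounder are hypothetical and constructed for the example.

```python
import struct

CONFOUNDER_LEN = 512          # random bytes that open LSAPR_TRUSTED_DOMAIN_AUTH_BLOB (assumed layout)
TRAILER_LEN = 8               # OutgoingAuthInfoSize + IncomingAuthInfoSize at the end of the blob
TRUST_AUTH_TYPE_CLEAR = 2     # AuthType value for a clear-text trust password
AUTH_INFO_HDR = struct.Struct("<QII")   # LastUpdateTime (FILETIME), AuthType, AuthInfoLength


class InvalidParameter(Exception):
    """Raised where the server would return STATUS_INVALID_PARAMETER."""


# ---- marshalling (client side), used here only to build a constructed sample blob ----

def pack_auth_information(last_update_time, auth_type, auth_info):
    """One LSAPR_AUTH_INFORMATION entry, padded so the next entry starts 4-byte aligned."""
    body = AUTH_INFO_HDR.pack(last_update_time, auth_type, len(auth_info)) + auth_info
    return body + b"\x00" * (-len(body) % 4)


def pack_in_out_block(current, previous):
    """One direction: Count, ByteOffsetCurrent, ByteOffsetPrevious (both relative to Count), arrays."""
    if len(current) != len(previous):
        raise ValueError("Current and Previous arrays share one Count")
    cur, prev = b"".join(current), b"".join(previous)
    return struct.pack("<III", len(current), 12, 12 + len(cur)) + cur + prev


def pack_trusted_domain_auth_blob(confounder, outgoing, incoming):
    """Confounder, Outgoing block, Incoming block, then the two size fields."""
    if len(confounder) != CONFOUNDER_LEN:
        raise ValueError("confounder must be 512 bytes")
    return confounder + outgoing + incoming + struct.pack("<II", len(outgoing), len(incoming))


def build_sample_blob():
    """Constructed sample: one current and one previous password in each direction."""
    out_cur = pack_auth_information(0x01D9000000000000, TRUST_AUTH_TYPE_CLEAR, b"Passw0rd!")
    out_prev = pack_auth_information(0x01D8000000000000, TRUST_AUTH_TYPE_CLEAR, b"OldPass")
    in_cur = pack_auth_information(0x01D9000000000000, TRUST_AUTH_TYPE_CLEAR, b"Inbound1")
    in_prev = pack_auth_information(0x01D8000000000000, TRUST_AUTH_TYPE_CLEAR, b"Old")
    confounder = bytes(range(256)) * 2          # stand-in for 512 random bytes
    return pack_trusted_domain_auth_blob(confounder,
                                         pack_in_out_block([out_cur], [out_prev]),
                                         pack_in_out_block([in_cur], [in_prev]))


# ---- unmarshalling (server side), every length and offset is client-controlled and checked ----

def unpack_auth_information(buf, off, end):
    """Parse one entry at buf[off:end]; returns (entry, offset of the next entry)."""
    if off + AUTH_INFO_HDR.size > end:
        raise InvalidParameter("LSAPR_AUTH_INFORMATION header runs past its block")
    last_update, auth_type, length = AUTH_INFO_HDR.unpack_from(buf, off)
    start = off + AUTH_INFO_HDR.size
    if start + length > end:
        raise InvalidParameter("AuthInfoLength runs past its block")
    entry = {"LastUpdateTime": last_update, "AuthType": auth_type,
             "AuthInfo": bytes(buf[start:start + length])}
    return entry, start + length + (-length % 4)


def unpack_in_out_block(buf, base, size):
    """Parse one direction block at buf[base:base+size]; returns (current, previous) lists."""
    end = base + size
    if size < 12 or end > len(buf):
        raise InvalidParameter("in/out block does not fit")
    count, off_cur, off_prev = struct.unpack_from("<III", buf, base)
    arrays = []
    for off in (off_cur, off_prev):
        if count and not 12 <= off <= size:
            raise InvalidParameter("array offset outside its block")
        entries, pos = [], base + off
        for _ in range(count):
            entry, pos = unpack_auth_information(buf, pos, end)
            entries.append(entry)
        arrays.append(entries)
    return arrays[0], arrays[1]


def process_authentication_information(cb_cipher, pb_cipher, decrypt):
    """Steps of the section: decrypt with the session key (via `decrypt`), check cbCipher, unmarshal."""
    if cb_cipher != len(pb_cipher):
        raise InvalidParameter("cbCipher does not match the ciphertext length")
    plain = decrypt(pb_cipher)                   # section 5.1.5 decryption, supplied by the caller
    if len(plain) < CONFOUNDER_LEN + TRAILER_LEN:
        raise InvalidParameter("blob shorter than confounder plus size fields")
    out_size, in_size = struct.unpack_from("<II", plain, len(plain) - TRAILER_LEN)
    if cb_cipher < CONFOUNDER_LEN + in_size + out_size:
        raise InvalidParameter("cbCipher < 512 + IncomingAuthInfoSize + OutgoingAuthInfoSize")
    if CONFOUNDER_LEN + out_size + in_size + TRAILER_LEN != len(plain):   # added sanity check
        raise InvalidParameter("size fields do not account for the decrypted blob")
    out_cur, out_prev = unpack_in_out_block(plain, CONFOUNDER_LEN, out_size)
    in_cur, in_prev = unpack_in_out_block(plain, CONFOUNDER_LEN + out_size, in_size)
    return {"OutgoingCurrent": out_cur, "OutgoingPrevious": out_prev,
            "IncomingCurrent": in_cur, "IncomingPrevious": in_prev}


def patch_u32(blob, pos, value):
    """Overwrite one little-endian ULONG in a blob (used to simulate a malformed client)."""
    return blob[:pos] + struct.pack("<I", value) + blob[pos + 4:]


def rejects(cb_cipher, pb_cipher, decrypt=lambda c: bytes(c)):
    """True if the server would answer STATUS_INVALID_PARAMETER for this input."""
    try:
        process_authentication_information(cb_cipher, pb_cipher, decrypt)
    except InvalidParameter:
        return True
    return False
```

The identity `decrypt` stands in for the AES step only so the parsing logic can be exercised offline; a real server passes the transport session key into the section 5.1.5 cipher. The offset and length checks inside `unpack_in_out_block` and `unpack_auth_information` are the part worth keeping in mind: every count, offset and AuthInfoLength arrives from the client, so each one is compared against the enclosing block before it is used to index the buffer.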