3.4.5.3.2 Calling NetrLogonSamLogonEx
The client MUST do the following:
Have a secure channel established with a domain controller in the domain identified by domain-name and pass its name as the LogonServer parameter.
Pass the client name as the ComputerName parameter.
If the LogonLevel is NetlogonInteractiveInformation or NetlogonInteractiveTransitiveInformation, the client SHOULD<111> encrypt the LmOwfPassword and NtOwfPassword members in the NETLOGON_INTERACTIVE_INFO structure.
If the LogonLevel is NetlogonServiceInformation or NetlogonServiceTransitiveInformation, encrypt<112> the LmOwfPassword and NtOwfPassword members in the NETLOGON_SERVICE_INFO structure.
If the LogonLevel is NetlogonGenericInformation, then encrypt<113> the LogonData member in the NETLOGON_GENERIC_INFO structure.
Call the method using Secure RPC, as specified in [MS-RPCE] section 3.3.1.5.2.1.
If the NegotiateFlags bit V is not set, then the read-only domain controller (RODC) does not set ExtraFlags C or D.
If the NegotiateFlags bit P is set, then the client converts the following:
NetlogonInteractiveInformation to NetlogonInteractiveTransitiveInformation
NetlogonNetworkInformation to NetlogonNetworkTransitiveInformation
NetlogonServiceInformation to NetlogonServiceTransitiveInformation
If the NegotiateFlags bit G is not set and LogonLevel is not NetlogonGenericInformation, then the ValidationLevel parameter MUST be set to 2 (NETLOGON_VALIDATION_SAM_INFO (section 2.2.1.4.11)).
The LogonLevel, LogonInformation, ValidationLevel, and ValidationInformation parameters are specified in [MS-APDS] for NTLM, Kerberos, and Digest, and in [MS-RCMP] for TLS/SSL.
To call for Generic-Passthrough to authentication packages, the LogonLevel parameter MUST be set to 4 (NetlogonGenericInformation), and the ValidationLevel parameter MUST be set to 5 (NetlogonValidationGenericInfo2). The LogonInformation parameter MUST be a NETLOGON_GENERIC_INFO structure, as specified in section 2.2.1.4.2.
After the method returns, the client MUST:
If the LogonLevel is NetlogonNetworkInformation or NetlogonNetworkTransitiveInformation, the client MUST decrypt the UserSessionKey and the first two elements of the ExpansionRoom array in the NETLOGON_VALIDATION_SAM_INFO (section 2.2.1.4.11) or in the NETLOGON_VALIDATION_SAM_INFO2 (section 2.2.1.4.12) structure.
Verify that it received an authoritative response by checking the Authoritative parameter. If the Authoritative parameter is TRUE, the client MUST treat the result as final. If the Authoritative parameter is FALSE, the client retries the call at a later time or at a different domain controller.
On receiving STATUS_ACCESS_DENIED, the client SHOULD<114> re-establish the secure channel with the DC.
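The pre-call parameter rules (bit P conversion, ValidationLevel selection, which members to encrypt) and the post-return handling (network-logon decryption, Authoritative check, STATUS_ACCESS_DENIED) together, as an added worked example; this is illustrative code, not MS-NRPC or Microsoft client code. NegotiateFlags are modelled as a set of the flag letters used above rather than bit values, and the numeric NETLOGON_LOGON_INFO_CLASS values other than 4 are assumed from the enumeration in MS-NRPC.

```python
from dataclasses import dataclass
from enum import IntEnum

class LogonLevel(IntEnum):
    """NETLOGON_LOGON_INFO_CLASS values (only Generic = 4 is quoted above; the rest assumed)."""
    Interactive = 1
    Network = 2
    Service = 3
    Generic = 4
    InteractiveTransitive = 5
    NetworkTransitive = 6
    ServiceTransitive = 7

# With bit P set, the non-transitive classes are converted to their transitive forms.
TRANSITIVE = {LogonLevel.Interactive: LogonLevel.InteractiveTransitive,
              LogonLevel.Network: LogonLevel.NetworkTransitive,
              LogonLevel.Service: LogonLevel.ServiceTransitive}

# Members the client encrypts before the call, keyed by the effective LogonLevel.
OWF = ("LmOwfPassword", "NtOwfPassword")
ENCRYPT = {LogonLevel.Interactive: OWF, LogonLevel.InteractiveTransitive: OWF,
           LogonLevel.Service: OWF, LogonLevel.ServiceTransitive: OWF,
           LogonLevel.Generic: ("LogonData",)}

STATUS_ACCESS_DENIED = 0xC0000022  # standard NTSTATUS value

@dataclass
class CallPlan:
    logon_level: LogonLevel
    validation_level: int
    encrypt: tuple

def plan_call(requested: LogonLevel, flags: set, validation: int = 2) -> CallPlan:
    """Derive LogonLevel, ValidationLevel and the members to encrypt from flag letters such as {"P", "G"}."""
    level = TRANSITIVE.get(requested, requested) if "P" in flags else requested
    if level is LogonLevel.Generic:
        validation = 5          # NetlogonValidationGenericInfo2 for Generic-Passthrough
    elif "G" not in flags:
        validation = 2          # NETLOGON_VALIDATION_SAM_INFO is mandatory without bit G
    return CallPlan(level, validation, ENCRYPT.get(level, ()))

def handle_return(level: LogonLevel, status: int, authoritative: bool) -> tuple:
    """Return (next client action, members to decrypt) once the method has returned."""
    if status == STATUS_ACCESS_DENIED:
        return "reestablish_secure_channel", ()
    decrypt = ()
    if level in (LogonLevel.Network, LogonLevel.NetworkTransitive):
        decrypt = ("UserSessionKey", "ExpansionRoom[0]", "ExpansionRoom[1]")
    return ("final" if authoritative else "retry_later_or_other_dc"), decrypt
```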