3.5.4.4.11 NetrLogonGetCapabilities (Opnum 21)

The NetrLogonGetCapabilities method is used by clients to confirm the server capabilities after a secure channel has been established.<196>

 NTSTATUS NetrLogonGetCapabilities(
   [in, string] LOGONSRV_HANDLE ServerName,
   [in, string, unique] wchar_t* ComputerName,
   [in] PNETLOGON_AUTHENTICATOR Authenticator,
   [in, out] PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
   [in] DWORD QueryLevel,
   [out, switch_is(QueryLevel)] PNETLOGON_CAPABILITIES Capabilities
 );

ServerName: A LOGONSRV_HANDLE Unicode string handle of the server that is handling the request.

ComputerName: A string that contains the name of the computer.

Authenticator: A pointer to a NETLOGON_AUTHENTICATOR structure that contains the client authenticator.

ReturnAuthenticator: A pointer to a NETLOGON_AUTHENTICATOR structure that contains the server return authenticator.

QueryLevel: Specifies the level of information to return from the domain controller being queried. A value of 0x00000001 causes return of a NETLOGON_CAPABILITIES structure that contains server capabilities.

A value of 0x00000002 causes the return of a NETLOGON_CAPABILITIES structure that contains the client capabilities that the server received when the client made its negotiation request.

Capabilities: A pointer to a 32-bit set of bit flags that identify the server's capabilities or the client's capabilities that the server received during negotiation.<197>

Return Values: The method returns 0x00000000 on success; otherwise, it returns a nonzero error code.

Upon receiving this call, the server MUST perform the following validation steps:<198>

  • Apply Common Error Processing Rule A, specified in section 3.

  • Verify that the QueryLevel parameter is set to 1 or 2. All other values are invalid, and STATUS_INVALID_LEVEL MUST be returned.<199>

  • Using the ComputerName for the secure channel to find the corresponding record in the ClientSessionInfo table, verify the Authenticator parameter (section 3.1.4.5). If the Authenticator parameter is valid, compute the ReturnAuthenticator parameter returned (section 3.1.4.5). Otherwise, the server MUST return STATUS_ACCESS_DENIED.

If ServerCapabilities bit 1 is true, then Capabilities MUST be set to the ServerSessionInfo.NegotiateFlags being used by the secure channel of the calling client.

If ServerCapabilities bit 2 is true, then Capabilities MUST be set to the ServerSessionInfo.RequestedFlags, which the server captures when the client sends the negotiation request.

Otherwise, the server MUST return STATUS_NOT_IMPLEMENTED.
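The validation order above can be modeled as a small fail-closed handler. This is an added example, not code from the specification or from any Netlogon implementation. Assumptions: the session_row layout, the sample flag values, the integer expected_auth standing in for the section 3.1.4.5 authenticator check, the treatment of an unknown ComputerName as access denied, and the levels_supported reading of the final "Otherwise" rule are all hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* NTSTATUS values as published in MS-ERREF. */
#define STATUS_SUCCESS         0x00000000u
#define STATUS_NOT_IMPLEMENTED 0xC0000002u
#define STATUS_ACCESS_DENIED   0xC0000022u
#define STATUS_INVALID_LEVEL   0xC0000148u

/* Hypothetical row of the per-client session table (constructed layout). */
typedef struct {
    const char *computer_name;
    uint32_t negotiate_flags;  /* flags in use on the secure channel */
    uint32_t requested_flags;  /* flags the client sent when negotiating */
    uint32_t expected_auth;    /* stand-in for the section 3.1.4.5 check */
} session_row;

/* Constructed sample data, not captured from a real domain controller. */
static const session_row sessions[] = {
    { "WKSTN01", 0x00001234u, 0x00005678u, 0xA5A5A5A5u },
};

static const session_row *find_session(const char *name) {
    for (size_t i = 0; i < sizeof sessions / sizeof sessions[0]; i++)
        if (name && strcmp(sessions[i].computer_name, name) == 0)
            return &sessions[i];
    return NULL;
}

/* levels_supported: bit 0 = level 1, bit 1 = level 2 (assumed meaning of
 * the final "Otherwise ... STATUS_NOT_IMPLEMENTED" rule). */
uint32_t get_capabilities(const char *computer, uint32_t client_auth,
                          uint32_t query_level, uint32_t levels_supported,
                          uint32_t *capabilities) {
    *capabilities = 0;                   /* never return flags on failure */
    if (query_level != 1 && query_level != 2)
        return STATUS_INVALID_LEVEL;     /* level is checked first */
    const session_row *s = find_session(computer);
    if (s == NULL || client_auth != s->expected_auth)
        return STATUS_ACCESS_DENIED;     /* unknown client: fail closed */
    if (!(levels_supported & (1u << (query_level - 1))))
        return STATUS_NOT_IMPLEMENTED;
    *capabilities = (query_level == 1) ? s->negotiate_flags
                                       : s->requested_flags;
    return STATUS_SUCCESS;
}
```

A real server verifies the authenticator cryptographically with the session key; the integer comparison here only marks where that check sits in the sequence.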